Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How to safe the website from attacks despite write permission

Posted on 2007-11-27
2
232 Views
Last Modified: 2010-04-22
I have installes a CMS on a webpage which is been hosted on a:
Apache/2.2.6 (Unix) PHP/5.2.4 with Suhosin-Patch mod_ssl/2.2.6 OpenSSL/0.9.7m mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.7 wenserver.

This CMS needs Create/Write/Delete permissions "770" on all folders and all subfolders. The hosting provider comments:
No possible to grant such permissions on our webserver. Earlier as we did so, we had every day lots of attacks with PHP on our server. and he asks what to do now?

I think he shouldn't have a good knowledge and I also don't know if there is a solution for this issue in the world? May you please help us?
Thanks in advance
0
Comment
Question by:Shareece
2 Comments
 
LVL 11

Expert Comment

by:tvman_od
ID: 20362875
Normally your hosting should provide you with its CMS.
If it's possible, run a separate web server (process, not hardware) on non-standard port with limited access from trusted networks just for CMS.

In most cases popular CMS have well known security issues, so attackers can find it relatively fast.
0
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 20363811
The permissions Create/Write/Delete permissions are probabaly related only to the folders in your web, not the whole system right?

Note that CreateWrite/Delete permissions for files are 660 and not 770. But folders must have 770 permissions. I would guess that permissions on the files only need to be 600 if the owner of the file is correctly set.

Also for the file with 770 (or 660 or 600) no access is allowed to "all users" - only to file owner and owner group. So in order to access and change the files whatever way you need to have a 600 permission to some user. The cruical question (security wise) is what user are you giving access to - and the answer is probably apache user.

0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
linux redhat 7.2 10 88
Can't ping New Linux Servers 40 89
Linux Samba using Kerberos to Auth from Active Directory 9 70
Samba 4, Users Permission, 5 44
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Fine Tune your automatic Updates for Ubuntu / Debian
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question