Setting Up Zend Optimizer Tutorial Published: Oct 02, 2004
A lot of sites talk about securing PHP but only cover compile-time options. I don't care about those; I want to secure php.ini itself, so you don't have to recompile PHP to make it more secure.

Securing PHP

PHP is one of the most popular applications running on Linux and Windows servers today. It's also one of the main sources of server and user account compromises. I want to go over some of the things you can do to lock down PHP by securing php.ini.

First, figure out which php.ini you need to edit. This is the main configuration file for PHP. You can find it by logging into a shell and typing the following:

# php -i |grep php.ini

Turn on safe_mode


Safe mode is an easy way to lock down the security and functions you can use. PHP.net explains php safe_mode as, "The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now."

I highly recommend you enable safe_mode on production servers, especially in shared environments. This will stop exec functions and others, which helps prevent a security breach.

See our article on Customizing PHP Safe Mode


Disable Dangerous PHP Functions

A PHP script has plenty of potential to damage your server, compromise user accounts and even obtain root. I've often seen an insecure PHP script used as the entry point to a server, from which an intruder starts running dangerous commands and taking control.

Search the php.ini file for:
disable_functions =

Add the following:

disable_functions = dl,system,exec,passthru,shell_exec


Turn off Register Globals

Register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier.
See http://us2.php.net/register_globals

Search the php.ini file for:

register_globals = On

Replace it with

register_globals = Off
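
The three php.ini settings above can be checked in one pass. The script below is an added example, not part of the original article: it reads a php.ini and reports each deviation from the values recommended here. The function names are hypothetical and it assumes the last uncommented assignment of a directive wins; the safe_mode and register_globals checks only apply to PHP builds older than 5.4, where those directives still exist.

```shell
# Added example: audit php.ini for the three settings recommended above.

# Print the effective value of KEY in FILE (assumes the last uncommented
# assignment wins; prints an empty line when the key is not set).
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                 # whole-line comment
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k)
          sub(/[ \t]*;.*$/, "", v)             # trailing comment
          gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)   # whitespace, quotes, CR
          if (k == key) val = v }
        END { print val }' "$1"
}

# php.ini booleans: 1/On/Yes/True are on, anything else is treated as off.
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|yes|true) return 0 ;; *) return 1 ;;
    esac
}

# Print one FAIL line per deviation; the return status is the finding count.
audit_php_ini() {
    findings=0
    is_on "$(ini_value "$1" safe_mode)" ||
        { echo "FAIL safe_mode is not On"; findings=$((findings + 1)); }
    is_on "$(ini_value "$1" register_globals)" &&
        { echo "FAIL register_globals is On"; findings=$((findings + 1)); }
    disabled=",$(ini_value "$1" disable_functions | tr -d ' \t'),"
    for fn in dl system exec passthru shell_exec; do
        case "$disabled" in *",$fn,"*) continue ;; esac
        echo "FAIL $fn missing from disable_functions"
        findings=$((findings + 1))
    done
    return "$findings"
}

sample_ini() {   # constructed sample, not taken from a real server
    printf '%s\n' '[PHP]' '; safe_mode = On' 'safe_mode = Off' \
        'register_globals = On   ; legacy app' \
        'disable_functions = dl, system,exec'
}

# Audit the file given as $1, or the constructed sample when none is given.
t=$(mktemp); sample_ini > "$t"
audit_php_ini "${1:-$t}" || echo "findings: $?"
rm -f "$t"
```

Pass the path printed by `php -i | grep php.ini` as the first argument to audit the live configuration.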

Run PHP through PHPsuexec Preventing Nobody Access

The biggest problem with PHP on cPanel servers is that PHP will run as nobody. When someone sets a script to 777 access, that means the nobody user has write access to that file. So if someone on the same shared server wrote a script to search the system for 777 files, they could inject anything they wanted, compromising the unsuspecting user's account.

PHPsuexec makes PHP run as the user, so 777 permissions are not allowed. There are a few downsides to PHPsuexec, but I think it's required in a shared environment for the security of everyone. Safe_mode doesn't prevent one user from compromising other users' files. This is where PHPsuexec comes in: it stops a user from being able to read another user's files. It also makes it easier for you, the administrator, to track PHP mail function spamming and lots of other issues caused by PHP scripts, because now you can easily trace them to the user account responsible.

For this you will need to recompile PHP with suexec. On cPanel, /scripts/easyapache has this built in.
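
The administrator's side of the 777 problem described above, as an added example that is not from the original article: it lists the files and directories under a directory that any local account can write to, and tallies them per owning account so each one can be traced to the user who has to fix it. The function names are hypothetical.

```shell
# Added example: audit a directory tree for world-writable paths (o+w).
# Function names are assumptions made for illustration.

# world_writable DIR -> paths of files and directories any local user can
# write to. -perm -0002 matches the "other write" bit that 777 and 666 set.
# Symlinks are not reported or followed.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# world_writable_by_owner DIR -> "count owner" lines, largest count first,
# so every hit maps to the account responsible for it.
world_writable_by_owner() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec ls -ld {} + \
        2>/dev/null | awk '{ n[$3]++ } END { for (o in n) print n[o], o }' |
        sort -rn
}

# Only scan when a directory is passed on the command line.
if [ -n "${1:-}" ]; then
    world_writable "$1"
    world_writable_by_owner "$1"
fi
```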


I hope this has summed up some of the things you can do to help secure PHP on your server. There's also open_basedir protection, which you can use to prevent users from reading other users' files.

About the Author:
Steven Leggett is the editor of the server resource and hosting tutorial site, www.webhostgear.com and specializes in system administration and web development.

Comments (18)

  • Danny Medina 17:34, April 24, 2005
    Excellent Zend setup tutorial. It worked beautifully. Thanks :)
  • Alberto Marlboro 01:31, June 1, 2005
    Good idea of Zend.(?!?!@)

    Gives Zend Optimizer for FREE...(ohh) and CHARGES you 960 U$ for the encoder.

    Let me know if I'm wrong.
  • Petter Rogstad 15:45, September 9, 2005
    When I try to run install.sh (from the browser?) - it can not be found.

    Another question - can you uncompress after you have uploaded the file?
  • John barnes 07:26, November 16, 2005
    I am trying to get my OS Commerce powered system listed on the internet. I am not tech savvy. Will the Zend Optimizer allow me to do that particular procedure?
  • Worked 03:35, February 14, 2006
    Awesome guide, worked flawlessly
  • Sib 18:08, May 25, 2006
    This is the best tutorial I have seen until now. Very hard to find this, especially for noobs like me. But still I'm looking for answers.
    My server is running with Plesk 7.5 and not cPanel;
    my OS is FedoraCore 2 - linux 2.6.5-1.358;
    Do I upload in binary or ASCII mode;
    When you talk about uncompress.. install.... is it still via FTP or is it SSH that I recently discovered;
    in which folder should I install....

    Well in case of reply thank you for your time?
    Sib.
  • Ray Bridges 18:13, May 25, 2006
    Great Tutorial. I'm getting pretty good with the CL thanks to online Tutorials like this. Pretty soon I'll have some real skills.
  • sib 18:35, May 25, 2006
    This is the best tutorial I have seen until now. Very hard to find this, especially for noobs like me. But still I'm looking for answers.
    My server is running with Plesk 7.5 and not cPanel;
    my OS is FedoraCore 2 - linux 2.6.5-1.358;
    Do I upload in binary or ASCII mode;
    When you talk about uncompress.. install.... is it still via FTP or is it SSH that I recently discovered;
    in which folder should I install....

    Well in case of reply thank you for your time?
    Sib.
  • insight 14:34, July 12, 2006
    This is really easy, just log into your Linux server as root and type this in the command line

    /scripts/installzendopt

    and now just follow the prompts!
  • user 22:09, December 11, 2006
    don't work.
  • Ash 17:48, March 19, 2007
    @insight : that only works if you have Cpanel/WHM installed on your server.
  • Gaurav Mudgil 09:56, April 17, 2007
    Hi, I followed your tutorial to install the Zend Optimizer. But when it asks me to restart the web server I press yes and after some time it gives me the message "Installation failed to restart please restart it manually"

    Then I restart my web server.

    But when I type php -v it gives the following message

    PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php4/php4_cybersource.so' - libstdc++.so.4: cannot open shared object file: No such file or directory in Unknown on line 0
    PHP 4.3.10 (cgi) (built: Dec 21 2004 10:27:48)
    Copyright 1997-2004 The PHP Group
    Zend Engine v1.3.0, Copyright 1998-2004 Zend Technologies
    with Zend Extension Manager v1.2.0, Copyright 2003-2007, by Zend Technologies
    with Zend Optimizer v3.2.6, Copyright 1998-2007, by Zend Technologies

    After that, when I go to install my hotel reservation system and open its index.php, it gives the parse error of unexpected T_STRING.

    So please help me out to solve this problem.

    With Regards
    Gaurav Mudgil
  • khurram 18:21, June 24, 2008
    Excellent tutorial......and overall outstanding website with greatly n nicely explained tutorials.......keep it up...
    three cheers for webhostinggear.com
  • arunsv 06:30, October 24, 2008
    Gr8..nice work..excellent tutorials...

    Cheers...
  • Charles 04:41, December 11, 2008
    Dear Sir,

    I am a new user of Dedicated Server, Please help me to install Zend Optimizer, thanks!

    1. My system: Fedora Core 6.0
    I should download which Zend Optimizer?

    2. How to install
    I should Unzip and upload Zend Optimized to server and which folder?

    3. What's my next step?

    Regards!

    Charles
  • Abhijit 11:18, September 18, 2009
    Dear Sir, I followed your steps but it didn't happen..

    I use php4 on godaddy hosting....

    I never had an ./install.sh file, this is what I get : -

    [letsgetjobs@p3nlh192 ~]$ tar xvfz ZendOptimizer-3.3.9-linux-glibc23-i386.tar.gz
    ZendOptimizer-3.3.9-linux-glibc23-i386/
    ZendOptimizer-3.3.9-linux-glibc23-i386/md5
    ZendOptimizer-3.3.9-linux-glibc23-i386/Inventory.xml
    ZendOptimizer-3.3.9-linux-glibc23-i386/EULA-ZendOptimizer
    ZendOptimizer-3.3.9-linux-glibc23-i386/README-ZendOptimizer
    ZendOptimizer-3.3.9-linux-glibc23-i386/LICENSE
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/4_3_x_comp/
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/4_3_x_comp/ZendOptimizer.so
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_1_x_comp/
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_1_x_comp/ZendOptimizer.so
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/4_2_x_comp/
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/4_2_x_comp/ZendOptimizer.so
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_0_x_comp/
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_0_x_comp/ZendOptimizer.so
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/4_4_x_comp/
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/4_4_x_comp/ZendOptimizer.so
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/poweredbyoptimizer.gif
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/4_2_0_comp/
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/4_2_0_comp/ZendOptimizer.so
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_2_x_comp/
    ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_2_x_comp/ZendOptimizer.so
    [letsgetjobs@p3nlh192 ~]$ cd ZendOptimizer-3.3.9-linux-glibc23-i386
    [letsgetjobs@p3nlh192 ZendOptimizer-3.3.9-linux-glibc23-i386]$ ls -1
    EULA-ZendOptimizer
    Inventory.xml
    LICENSE
    README-ZendOptimizer
    data
    md5
    [letsgetjobs@p3nlh192 ZendOptimizer-3.3.9-linux-glibc23-i386]$

    but there is no install.sh file .....

    Please help
  • baggins 23:05, January 4, 2010
    I have the web program trying to install, it says it is encoded with zend encoder and needs zend optimizer to run the install.
    The server I am going to have the website on is an MTA one, and a windows server using PLESK not C. I downloaded the optimizer (the LINUX and windows), uploaded the windows one to the server and trying to install it there, but it won't install or even go to the install wizard.
    How do you get this program to install on the server, it will go into the install wizard on my windows computer but not on the server.
  • Linux 10:51, November 15, 2010
    I can't find install.sh file when I unzip ZendOptimizer packet :(

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2018 WebHostGear.com