Securing Apache with mod_security

Now that the basic Apache configuration is working, let’s take some time to harden the installation. The mod_security module is really handy for this task. It is an application-level firewall, meaning that it inspects incoming requests to the web server and tries to identify possible attacks such as code injection, SQL injection and cross-site scripting. As handy as this tool might be, it is not meant as a substitute for a secure PHP or Apache configuration, so you still need to take care not to open potential security holes there. If you followed my basic Apache and PHP setup, you should be on the safe side, as the most exploited security holes have already been closed.
