On Fri, 24 May 2002, Chand wrote:

> hi all,
>
> As some of you know, I work for Lycos Europe somewhat in charge of the php4U Service which is PHP and MySQL for all free/paid members.
> For security reasons, we have disabled functions on the platform among which are all socket functions.
>
> Although we remain on our choice for the free platform, I'd like to offer the socket functions to our paid clients. But apart from security, we have a responsibility towards ourselves and the others. Let me explain. Socket functions could be used to hack/ddos/ping flood any other hosts either straightforwardly or by using a newly found bug etc, I think you get the gist of it. Plus, since the machines serving php are on the inside of our firewall (even though they're on the DMZ), they could be used to attack our own servers.
>
> To "solve" in a way those two dilemmas we should have two things :
> - a way to log socket activity (src host, dest host, ips, user, script doing the 'attack', etc)
> - a way to blacklist ips (in a host.deny way) in the php.ini for example

Why not log and blacklist IPs on the whole system with a firewall?

I'm quite sure this task is more suitable for a firewall than for PHP... :-)

It can be done with iptables on Linux so I suppose there are corresponding possibilities on *BSD, BSD/OS, Solaris, etc...

Regards,

-\- David Eriksson -/-

"I personally refuse to use inferior tools because of ideology."
- Linus Torvalds
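
The firewall approach suggested in the reply, sketched as an added example that is not part of the original thread: a script that prints, for review, iptables rules that log new outbound connections from the PHP user and drop traffic to a deny list. The chain name `PHP_EGRESS`, uid 33, the deny-list file format and the function names are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables commands for an egress
# policy on a shared PHP host. Review the output, then run it as root.
# PHP_EGRESS, uid 33 and the deny-list file format are assumptions.

# Accept only dotted-quad IPv4 with an optional /0-32 prefix length.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# emit_rules UID DENYFILE: one address or CIDR per line, '#' starts a comment.
# Returns non-zero if any entry was rejected, so a bad list is noticed.
emit_rules() {
    uid=$1 deny=$2 rc=0
    echo "iptables -N PHP_EGRESS"
    # Only packets from sockets owned by the PHP uid enter the chain.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j PHP_EGRESS"
    while IFS= read -r line || [ -n "$line" ]; do
        addr=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$addr" ] && continue
        if valid_ipv4 "$addr"; then
            # Log before dropping so blocked attempts show up in syslog.
            echo "iptables -A PHP_EGRESS -d $addr -j LOG --log-prefix 'php-deny: ' --log-uid"
            echo "iptables -A PHP_EGRESS -d $addr -j DROP"
        else
            echo "skipping invalid deny entry: $line" >&2
            rc=1
        fi
    done < "$deny"
    # Log every other new outbound connection: src, dst, ports and uid.
    echo "iptables -A PHP_EGRESS -m state --state NEW -j LOG --log-prefix 'php-out: ' --log-uid"
    return $rc
}

# Constructed sample run (the uid and the documentation addresses are made up).
sample=$(mktemp)
printf '%s\n' '# deny list' '192.0.2.10' '198.51.100.0/24  # lab range' > "$sample"
emit_rules 33 "$sample"
rm -f "$sample"
```

The owner match sees only the Unix uid of the process that owns the socket, so these logs identify a customer or script only if PHP runs under per-customer uids.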