Comments
If you want it easy and out of the box - Cloud Linux. If you want to tinker - figure out your own solution for containerisation or chrooting of users.
I moved most of my stuff to BSD but for Linux (Debian and Ubuntu) here is what I do for my WordPress sites:
For each site (domain1.com) create a new user and group for that website (with no login permissions, so /bin/false) so their folders and files can be chowned as domain1.com:domain1.com.
Set up a PHP-FPM pool for each website and have it running as that website's user:group and set open_basedir for that website's directory.
Set up systemd service files for mysql, nginx, php-fpm with security settings such as:
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
That's worked well for me on my Linux boxes. There are tutorials out there that will run you through the detailed steps.
Well, does Vesta support php-fpm? If yes, you can use fpm/pool.d/site.conf to start the PHP process using a separate Linux user for each website.
You can disable functions like system(), etc., and in this way you need to understand how permissions work to see, if you're hacked, what an attacker can read on your system using the current user/group permissions.
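The per-site pool and the systemd settings described in the two posts above, as an added example that is not part of the thread: a script that renders a pool file for one site and a hardening drop-in. The /var/www/DOMAIN/tmp layout, the socket path, the www-data web server user (Debian/Ubuntu defaults), the pm values and the disable_functions list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: /var/www/DOMAIN/{public,tmp};
# socket dir and www-data are Debian/Ubuntu defaults; pm values are placeholders.
set -eu

# render_pool DOMAIN: print a PHP-FPM pool that runs as the site's own user.
render_pool() {
  # Accept only hostname characters, so the value cannot add path
  # components or extra directives to the generated file.
  case ${1:-} in
    ""|.*|-*|*[!a-z0-9.-]*) echo "invalid domain: ${1:-}" >&2; return 1 ;;
  esac
  cat <<EOF
[$1]
; Site-specific user and group (shell /bin/false), as described in the thread.
user = $1
group = $1
listen = /run/php/$1.sock
; Only the web server may connect to this pool's socket.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
; Trailing slash matters: without it open_basedir is a prefix match and
; would also allow /var/www/$1-old or similar sibling directories.
php_admin_value[open_basedir] = /var/www/$1/
; Keep uploads and sessions inside the site, not in a /tmp shared by all pools.
php_admin_value[upload_tmp_dir] = /var/www/$1/tmp
php_admin_value[session.save_path] = /var/www/$1/tmp
php_admin_value[disable_functions] = system,exec,shell_exec,passthru,popen,proc_open
EOF
}

# render_dropin: print the [Service] hardening options quoted in the thread.
render_dropin() {
  cat <<'EOF'
[Service]
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
# /usr, /boot and /etc become read-only for the service.
ProtectSystem=full
# /home, /root and /run/user become inaccessible: keep web roots out of /home.
ProtectHome=true
EOF
}

render_pool "${SITE:-domain1.com}"
render_dropin
```

Once the drop-in is installed for a unit, `systemd-analyze security <unit>` reports which sandboxing options are in effect for it.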
I spent 15 minutes looking at this picture trying to figure out what was going on. My eyes hurt...
Ya know, for the number of folks who are rightfully suggesting "BSD Jails", why are all of the providers who once offered them now gone, or offering KVM instead?
Because Linux.
I mean I could write more but that's really the answer.