Additional PHP modules:
php5-mcrypt
php5-gd
php5-cli
php5-suhosin
/etc/php5/apache2/php.ini:
output_buffering = 4096
zlib.output_compression = Off
allow_call_time_pass_reference = Off
open_basedir = /var/DocRoot/
disable_functions = dl,exec,shell_exec,system,passthru,popen,pclose,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid
expose_php = Off
max_input_time = 30
memory_limit = 8M
display_errors = Off
log_errors = On
ignore_repeated_errors = On
html_errors = Off
error_log = /var/log/php.log
register_argc_argv = Off
magic_quotes_gpc = Off
upload_tmp_dir = /upload
allow_url_fopen = Off
mysql.default_socket = /var/run/mysqld/mysqld.sock
session.save_path = /sessions
session.name = XID
session.gc_maxlifetime = 7200
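A check for the php.ini values above, as an added example that is not part of the original page: it reads a php.ini and reports each deviation from the settings listed here. The function names ini_value and audit_php_ini and the sample file are constructed for illustration.

```shell
# Added example: audit a php.ini against the hardening values listed on this page.
# ini_value FILE KEY: print the effective (last) value of KEY, ignoring ';' comments.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            sub(/[ \t]*;.*$/, "", v)                 # trailing comment
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)       # whitespace and quotes
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_php_ini FILE: print one FAIL line per deviation; return 0 only if none.
# PHP boolean spellings are normalised; an unset boolean fails (the page sets each one).
audit_php_ini() {
    file=$1; fails=0
    for pair in expose_php=off display_errors=off html_errors=off log_errors=on \
                allow_url_fopen=off register_argc_argv=off; do
        key=${pair%%=*}; want=${pair#*=}
        case $(ini_value "$file" "$key" | tr 'A-Z' 'a-z') in
            on|1|yes|true) got=on ;;
            off|0|no|false) got=off ;;
            *) got=unset ;;
        esac
        [ "$got" = "$want" ] || { echo "FAIL $key: want $want, got $got"; fails=$((fails + 1)); }
    done
    [ -n "$(ini_value "$file" open_basedir)" ] || { echo "FAIL open_basedir: not set"; fails=$((fails + 1)); }
    # Command-execution and loader functions from the page's disable_functions list.
    disabled=",$(ini_value "$file" disable_functions | tr -d ' \t'),"
    for fn in dl exec shell_exec system passthru popen proc_open pfsockopen; do
        case $disabled in
            *",$fn,"*) ;;
            *) echo "FAIL disable_functions: missing $fn"; fails=$((fails + 1)) ;;
        esac
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample (not from the page): a weak config, to show the report.
demo=$(mktemp)
printf 'expose_php = On\nopen_basedir = /var/DocRoot/\ndisable_functions = exec,system\n' > "$demo"
audit_php_ini "$demo" || echo "php.ini deviates from the baseline on this page"
rm -f "$demo"
```

Run audit_php_ini against /etc/php5/apache2/php.ini after each package upgrade, since an upgrade can replace the file with the distribution default.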
Fortunately, the Suhosin patch is already included in the PHP engine, so you only have to add some lines to php.ini:
; Suhosin Patch
suhosin.log.syslog = 511
suhosin.log.syslog.facility = 9
suhosin.log.syslog.priority = 1
suhosin.log.sapi = 511
suhosin.log.script = 0
suhosin.log.phpscript = 0
;suhosin.log.script.name =
;suhosin.log.phpscript.name =
suhosin.log.use-x-forwarded-for = On
Sending mail requires some external programs inside the chroot:
cd /usr/local/chroot.web/bin/
ln -s /bin/bash-static
ln -s ./bash-static sh
You need to install a minimal sendmail, and put it into the chroot.
ln -s /usr/local/sbin/mini_sendmail /usr/local/chroot.web/usr/sbin/sendmail
/etc/cron.d/php5:
09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/www/sessions ] && find /var/www/sessions/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm
/etc/php5/conf.d/suhosin.ini:
suhosin.mail.protect = 1