Thread: DDoS Question
  #17  
06-30-2009, 05:33 PM
grniyce
I don't give anyone CGI access unless they request it for special reasons.

Note: A common misbelief is that VPS already have CGI safe-moded, but in reality it depends upon the actual setup they have. Most can be circumvented and end up rooting the entire box, hence wiping out your VPS and the rest of the RAID storage, thus putting you at financial responsibility for the damage caused if it happens. You can Google 'safe mode cgi' and see the supply of workarounds.

Now as far as the protection part, well, I can only offer enough knowledge to show what I did, and I use WHM/cPanel. So here are the steps I took, which I assume should exist in other Admin Panels.


Click Basic cPanel/WHM Setup and scroll to the CGI Access option and put an n there instead of a y.




Now whenever you create any new packages the CGI Access option will be unselected automatically; however, if you have already created some packages, you should edit each package and unselect CGI Access.




Now when I built Apache I chose these options by doing the exhaustive list of options and selecting all of the below. You will see the option for Safe PHP CGI.



I have also attached my default build to this post, as you can use that too, but be prepared to make some Suhosin edits in the php.ini if you run certain content. Usually just having this pasted at the bottom of the php.ini once everything is built will solve any issues associated with running Suhosin in environments such as bulletin boards.

Code:
[suhosin]
suhosin.post.max_vars = 2048
suhosin.request.max_vars = 10000
suhosin.cookie.encrypt = Off
suhosin.session.encrypt = Off
suhosin.log.sapi = 511
suhosin.get.max_value_length = 1024
extension="ixed.5.2.lin"
Attached Files
File Type: zip _main.zip (1.5 KB, 3 views)

Last edited by grniyce; 06-30-2009 at 05:36 PM..