I'm providing a partial web hosting solution where my clients may upload and execute their own php scripts.
Besides the security routine I'll have to check (off topic here) I would like to know whether it is possible for me to prevent my clients to setup an "attack basement" in there?
I believe that I can't do much except making them sign some policy acceptance...
Also, since there's only a few IP shared by all the hosts, would there be a risk of everyone getting banned?
Proper isolation between clients along with some restrict resources limitations would be the answer.
IN/OUTBOUND traffic (as suggested by voretaq7) , CPU, memory, disk usage, and disk IO are of the keys to achieve this. How to do it may vary according to the hosting solution you're using..
If you let people execute arbitrary code in an unrestricted environment there is very little you can do to make it "secure" -- When I worked for an ISP that provided shared hosting with PHP we mitigated this by only selling to companies/individuals we had vetted to some extent to ensure they weren't J. Random. Haxor looking for a platform to launch attacks from, and honestly that's the best solution to this problem.
Beyond that you can restrict outbound network access (either with PHP settings or through a firewall - the latter being preferable).
This may frustrate legitimate users, but it will also prevent malicious users from launching attacks from your server.
Note that this only addresses OUTBOUND attacks - As you noted there are other things you need to consider to adequately protect your server itself. That would be an interesting follow-up question.
