Permissions, users and security with Apache, suPHP and vsftpd and on vps
I've just got my hands on a vps with centos 5.5 and have been having a lot of fun configuring it. I'll give a bullet pointed list of what I want to do, what I have and what restrictions I'm facing:
I want to isolate and secure each virtual host as much as possible and I was trying to figure out the best way to do this. So far the security measures I've been considering are:
I know that these are not all compatible with one another, and some will be much more effective than others. I was hoping for some guidance as to the most sensible way to go about securing my VPS, whilst at the same time allowing the functionality I need to provide. I know that this issue has been covered countless times on this forum and others, but I'm having trouble assimilating all this information into a best practice that I will implement. Thanks |
Quote:
display_errors = On allow_url_fopen = On allow_url_include = On max_execution_time = (set this as low as you can). Hide the webserver name and version in apache settings. If you are using SuExec then make sure the user (for webserver / php) under which website or php will run do not have write access to any of your files inside or outside of your sites DocumentRoot. (except session path) Few web application really need safe_mode Off to function properly. So try to make a work around if you setting this On. Few most voulnarable php funtions which should be disabled that could be used against the site. phpinfo - shows information about php settings. shell_exec - execute command via shell and return the complete output as a string exec - It executes an external command. system - It executes an external program and display the result. ftp_connect- Opens an FTP connection ftp_login- Logs in to an FTP connection ftp_exec- Requests execution of a command on the FTP server ftp_put- Uploads a file to the FTP server ftp_get- Downloads a file from the FTP server Refer this URl for more |
Hi thanks for the response, you've raised some points that I will certainly look into. However your answer seems to focus on securing php, rather than the server itself.
Quote:
Quote:
Of course I will seriously consider disabling dangerous functions that I don't need, but I want to tackle security on an OS/web server level, rather than script level. |
Hi all
first thanks, I didn't know about ftp_* php functions. I am running vsftp on a LAMP The server runs many websites (cms like Typo3) and for each instance I have to crate an FTP account: so I added the user to the group www-data (ubuntu) and I changed the permissions as follows: find /var/www/theinstance/ -type f -exec chmod 664 {} \; find /var/www/theinstance/ -type d -exec chmod 775 {} \; The problem is now that if a customer creates a file over Typo3 (or any CMS) the file's permissions will change to 644 for files and 755 for directories. The ftp user is now not able to edit those files. I changed the umask /etc/profiles to 002. I did solve the problem! I am a little concerned about security. Could I cause some security issue with the permission configuration I made? Thanks for any suggestion. |
You should run apache with suExec and FastCGI, that way permissions on files for each virtual host stay as the user they belong to. This also integrates well with FTP, but make sure FTP is set up securely.
http://linux-101.org/howto/apache-vi...cgi-and-suexec |
Thank you (=AA=)
nice hint, FastCGI is up an running, you saved me! FTP at the moment is not a big issue for me. I have just some IP's that I have to allow on FTP for now. But it is secure anyway (at least I think so)... |
All times are GMT -5. The time now is 01:26 AM. |