
Re: Keeping the webserver safe



Hi,

> I have a webserver running with a couple of users as virtual hosts in
> Apache. 
[...]
> What is the best and correct way to protect the server from users who
> might upload such a script on their web directory?
[...]
> I don't want to run Apache in a chroot.

I would like to call attention to my contributed work, a wiki at
http://free.coedu.hu/ describing a step-by-step install procedure for making
a (relatively) safe Debian Etch LAMP server. The procedure contains:

* safe partition mounting (non-exec /var, read-only /usr etc);
* minimal package use (avoiding tasksel);
* custom kernel with GRSecurity patch and ACL;
* disabling root login via ssh, using keys, hardening su;
* hardening umask with PAM, hardening file permissions;
* Debian update notifications via cron-apt;
* packet filter firewalling with Shorewall;
* logging with syslog-ng and automatic alerts via logcheck;
* periodical security "audit" via Tiger;
* monitoring hardware using smartmontools, lm-sensors;
* monitoring services and hardware via Munin;
* using Intel chipset sw watchdog (if available)

for a generic Debian server, added web services:

* Apache (actually 1.3.x) with mod-security
** http for visitors
** https/DAV for developers
** per-vhost Apache user and usergroup handling (not Linux, but basic
auth users)
** per-vhost logs visible for authenticated developers via https
** AwStats integration, daily-refreshed statistics visible for
authenticated auditors via https

* MySQL 5.x
** per-vhost database users and databases;
** key-authenticated, SSH-tunneled MySQL access for developers;
** periodic (daily) dumps for backup

* PHP 5.x
** paranoid configuration (GID safe mode, open_basedir,
disable_functions, etc.);
** per-vhost logs visible for authenticated developers via https

Also provided is a small toolkit named wsm (website-manager) with these functions:

* creating a website from command line (wsm --createweb www.example.com)
** docroot and a default directory structure with paranoid file system
permissions;
** apache and apache-ssl configuration from templates;
** AwStats configuration
** automatic half-hourly URL checking and alert sending;

* saving all relevant files belonging to a website (docroot, configs,
Apache users, logs - but no database, if any) from command line (wsm
--saveweb www.example.com) - useful to backup or migrate;

* Apache user and group handling from command line (a small frontend to
htpasswd)

All work is free stuff, licensed under CCL 2.5 (see website).

Naturally it isn't perfect, but it is working - maybe a good starting point.
Unfortunately it is available in Hungarian only :-(, but a lot of
(self-explanatory, I hope) config file fragments are included.

Any comments are welcome - and sorry about my terrible English.

Regards:
-- 
Zoltán KOVÁCS
z_kovacs@elender.hu

