[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keeping the webserver safe


> I have a webserver running with a couple of users as virtual hosts in
> Apache. 
> What is the best and correct way to protect the server from users who
> might upload such a script on their web directory?
> I don't want to run Apache in a chroot.

I would call the attention to my contributed work, a Wiki at
http://free.coedu.hu/ describing a step-by-step install procedure making
a (relatively) safe Debian Etch LAMP server. The procedure contains:

* safe partition mounting (non exec /var, read only /usr etc);
* minimal package using (avoiding tasksel);
* custom kernel with GRSecurity patch and ACL;
* disabling root login via ssh, using keys, hardening su;
* hardening umask with PAM, hardening file permissions;
* Debian update notifications via cron-apt;
* packet filter firewalling with Shorewall;
* logging with syslog-ng and automatic alerts via logcheck;
* periodical security "audit" via Tiger;
* monitoring hardware using smartmontools, lm-sensors;
* monitoring services and hardware via Munin;
* using Intel chipset sw watchdog (if available)

for a generic Debian server, added web services:

* Apache (actually 1.3.x) with mod-security
** http for visitors
** https/DAV for developers
** per-vhost Apache user and usergroup handling (not Linux, but basic
auth users)
** per-vhost logs visible for authenticated developers via https
** AwStats integration, a daily-refreshed statistics visible for
authenticated auditors via https

* MySQL 5.x
** per-vhost database users and databases;
** key-autheniticated, SSH-tunneled MySQL access for developers;
** periodic (daily) dumps for backup

* PHP 5.x
** paranoid configuration (GID safe mode, open_basedir,
disable_functions, etc.);
** per-vhost logs visible for authenticated developers via https

Provided also a small toolkit named wsm (website-manager) with functions:

* creating a website from command line (wsm --createweb www.example.com)
** docroot and a default directory structure with paranoid file system
** apache and apache-ssl configuration from templates;
** AwStats configuration
** automatic halfhourly URL checking and alert sending;

* saving all relevant files according to a website (docroot, configs,
Apache users, logs - but no database, if any) from command line (wsm
--saveweb www.example.com) - useful to backup or migrate;

* Apache user and group handling from command line (a small frontend to

All work is free stuff, licensed under CCL 2.5 (see website).

Naturally isn't perfect, but working - maybe a good starting point.
Unfortunately is available in Hungarian language only :-(, but lot of
(self-explanatory, I hope) config file fragments are included.

Any comments are welcome - and sorry about my terrible English.


Reply to: