[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Setting up a secure Debian apache server



On Thu, Oct 27, 2005 at 11:04:34PM -0400, Steve Dondley wrote:
> I'm setting up a server that will host many web sites on my Debian
> Sarge machine.  Each site will be administered by a different user. 
> Each site will give users SFTP access, access to the cgi-bin, and to
> PHP (with mod_php installed).  I'm not very worried about my users
> doing anything malicious.  However, if a hacker ever obtained a
> password from one of my users, they'd essentially have free reign on
> my server to run any kind of perl/php script they wanted.
> 
If the server is beefy enough, consider using libapache{,2}-mod-suphp.
IIRC, it requires that PHP be run as a CGI instead of a mod, hence the
performance hit, but it is much more secure where you cannot control the
scripts written by your users.  Also, consider setting low resource
limits on PHP scripts.

> So assuming a hacker did get access to a user's web space, what can I
> do to limit the damage?  I'm having trouble tracking down a document
> that will give me a good overview some basic precautions.  Here's some
> specific questions:
> 

Two packages you will want to consider:

rssh - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist
scponly - Restricts the commands available to scp- and sftp-users

> Must I abandon mod_php?  Is fastcgi the way to go?
> If permissions on my files are set properly, is it really necessary to
> chroot apache?
> What's this v-host (virtual host?) someone mentioned to me?  Is this
> like giving each user their own chrooted apache server environment?
> I use webmin to help create sites quickly and easily.  Must I abandon it?
> 

Unfortunately, the rest is beyond my expertise.  Maybe others can help.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto

Attachment: pgp_It8TSpTFS.pgp
Description: PGP signature


Reply to: