
Re: Setting up a secure Debian apache server



OK, thanks.  Gives me more food for thought.

On 10/28/05, Roberto C. Sanchez <roberto@familiasanchez.net> wrote:
> On Thu, Oct 27, 2005 at 11:04:34PM -0400, Steve Dondley wrote:
> > I'm setting up a server that will host many web sites on my Debian
> > Sarge machine.  Each site will be administered by a different user.
> > Each site will give users SFTP access, access to the cgi-bin, and to
> > PHP (with mod_php installed).  I'm not very worried about my users
> > doing anything malicious.  However, if a hacker ever obtained a
> > password from one of my users, they'd essentially have free reign on
> > my server to run any kind of perl/php script they wanted.
> >
> If the server is beefy enough, consider using libapache{,2}-mod-suphp.
> IIRC, it requires that PHP be run as a CGI instead of a mod, hence the
> performance hit, but it is much more secure where you cannot control the
> scripts written by your users.  Also, consider setting low resource
> limits on PHP scripts.
>
> > So assuming a hacker did get access to a user's web space, what can I
> > do to limit the damage?  I'm having trouble tracking down a document
> > that will give me a good overview some basic precautions.  Here's some
> > specific questions:
> >
>
> Two packages you will want to consider:
>
> rssh - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist
> scponly - Restricts the commands available to scp- and sftp-users
>
> > Must I abandon mod_php?  Is fastcgi the way to go?
> > If permissions on my files are set properly, is it really necessary to
> > chroot apache?
> > What's this v-host (virtual host?) someone mentioned to me?  Is this
> > like giving each user their own chrooted apache server environment?
> > I use webmin to help create sites quickly and easily.  Must I abandon it?
> >
>
> Unfortunately, the rest is beyond my expertise.  Maybe others can help.
>
> -Roberto
>
> --
> Roberto C. Sanchez
> http://familiasanchez.net/~roberto
>
>
>


--
Dondley Communications
http://www.dondleycommunications.com

Communicate or Die: American Labor Unions and the Internet
http://www.communicateordie.com
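The suPHP suggestion in the quoted reply, shown as a per-site Apache configuration. This is an added example, not configuration from the thread or from the suphp package; the host name, the site account name and the php.ini directory are placeholders, and the suPHP_* directives are the ones provided by libapache2-mod-suphp.

```apache
# Added example: one virtual host per customer site, with PHP executed as
# that site's own account through suPHP instead of as www-data via mod_php.
# site1, site1.example.com and the config path are placeholders.
<VirtualHost *:80>
    ServerName site1.example.com
    DocumentRoot /var/www/site1

    # Hand .php requests to suPHP, which runs php-cgi as the site owner.
    suPHP_Engine on
    suPHP_UserGroup site1 site1
    suPHP_AddHandler x-httpd-php
    # A per-site php.ini directory, so the resource limits set there
    # (memory_limit, max_execution_time, open_basedir) are not overridable
    # by a .htaccess in the customer's web space.
    suPHP_ConfigPath /etc/php4/suphp/site1

    <Directory /var/www/site1>
        AddHandler x-httpd-php .php
        # No directory listings and no following symlinks out of the tree.
        Options -Indexes -FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
```

The php.ini in the suPHP_ConfigPath directory is where the "low resource limits" go: a small memory_limit (16M is plenty for most scripts of that era), a short max_execution_time, and open_basedir pointing at the site's own document root so a compromised account cannot read other customers' files. suPHP also refuses to run a script whose owner does not match the configured user or whose file or directory is world-writable, so the site account must own its files and the usual 755/644 modes must be kept; a check that all files under each DocumentRoot belong to the right account is a quick way to catch sites that would otherwise start failing after the switch.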


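The rssh and scponly packages mentioned in the quoted reply only help if every customer account actually has one of them as its login shell. The script below audits a passwd-format file for site accounts that still carry a full shell. It is an added example, not anything from the thread; the sample passwd lines are constructed, the assumption that site accounts are the ordinary users with UID 1000 and up is the Debian default, and the shell paths are those installed by the rssh and scponly packages.

```sh
#!/bin/sh
# Added example: report customer accounts whose login shell is not one of the
# restricted shells. Assumes (Debian default) that ordinary accounts have
# UID >= 1000; "nobody" is skipped because it is a system account with a
# high UID.

RESTRICTED_SHELLS="/usr/bin/rssh /usr/bin/scponly /usr/sbin/nologin /bin/false"

# is_restricted SHELL -> returns 0 if SHELL is in RESTRICTED_SHELLS, else 1
is_restricted() {
    for s in $RESTRICTED_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# unrestricted_users < passwd-data -> prints the name of every account with
# UID >= 1000 (other than nobody) whose shell is not restricted, one per line
unrestricted_users() {
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        [ -n "$uid" ] || continue
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        [ "$name" = "nobody" ] && continue
        is_restricted "$shell" || printf '%s\n' "$name"
    done
}

# Constructed sample passwd data (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
site1:x:1001:1001:Site 1 admin:/var/www/site1:/usr/bin/rssh
site2:x:1002:1002:Site 2 admin:/var/www/site2:/usr/bin/scponly
site3:x:1003:1003:Site 3 admin:/var/www/site3:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh'

# On a real host: unrestricted_users < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | unrestricted_users
```

Run against /etc/passwd this lists only site3 in the sample, the account that would still let someone holding a stolen password open an interactive shell. For accounts that should have rssh, rssh's own configuration (/etc/rssh.conf) must additionally enable sftp and/or scp, since the package ships with everything disabled.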
