
Shellsnet:SN Admin SecuringApache

From ClueWiki


Important Note: This is a backed up copy of what existed on Shellsnet's old wiki.

This article is a part of the ShellsNet Old Wiki Backup index

Do not modify this page!





ShellsNet.org Admin checklist for securing Apache

This document is a ROUGH CHECKLIST only. It is not a full guide. YOU must fully understand what each config setting does before you enable it. IF YOU JUST COPY BITS FROM THIS PAGE, YOU ARE LIABLE TO COMPLETELY BREAK YOUR WEBSERVER! Some things absolutely MUST be used for your webserver to have any security at all ('basic requirements', below); there are lots of other things you SHOULD set if you want your webserver to run well. This list is NOT comprehensive; it is a short summary of SOME of the MOST important things that we (SN Admins) have found. It is no substitute for detailed knowledge of your webserver config, and for TESTING it to make sure it is secure.


Basic requirements for a secure web server :

  • if you use php : "allow_url_fopen = Off" (stops the remote-file-inclusion exploits and worms that make a script include() or fopen() an attacker's URL; on PHP 5.2 and later, include/require of URLs is controlled separately by allow_url_include, which must be Off too)
  • if you use php : Use suphp (stops hacked user scripts doing things as your webserver user and leaving no trace of which user's script did it)
  • if you use php : use open_basedir (stops hacked user scripts reaching $HOME, so they cannot modify /home/user/.ssh/authorized_keys and take over the account; note that open_basedir is a fence, not a hard security boundary, and is no substitute for suphp/suexec)
  • if you use perl/cgi-bin : Use suexec (limits the damage a hacked perl script can do to that user's own files)
  • CHECK that you can find out WHICH USER sent mail via your webserver - this WILL save your ass if a script is exploited or you get an abusive user. With suphp/suexec each script's mail() call runs as the script owner, so your MTA's log shows the real sender; on PHP 5.3 and later "mail.add_x_header = On" adds an X-PHP-Originating-Script header (uid and script name) to every message, and "mail.log" records the calling script and recipients of each mail() call.
  • Have quotas (and preferably noexec) on user diskspace in all user-writable areas of disk, including webdirectories

Slightly more advanced things you should consider :

  • php: "safe_mode On" (note: safe_mode was deprecated in PHP 5.3 and removed in 5.4; on those versions the separation between users has to come from suphp/suexec and filesystem permissions instead)
  • Chroot/jail apache if possible. If that is not possible, set open_basedir in every <Directory> block and every vhost
  • use mod_evasive
  • use mod_security


httpd.conf setup

Performance-related tuning - settings which depend on how busy your webserver is

# Define the ServerRoot as the most restrictive directory possible that still contains everything relevant to your apache install
ServerRoot "/var/www"
# Allow multiple requests per connection (faster response times)
KeepAlive On
# Allow 100 requests per keep-alive connection.
MaxKeepAliveRequests 100
# Kill idle keep-alive connections after 15 seconds
KeepAliveTimeout 15
# The following are prefork MPM directives. Keep at least 3 idle httpd processes waiting for input at all times
MinSpareServers 3
# and at most 5 idle processes
MaxSpareServers 5
# start with 3 processes
StartServers 3
# Only allow 150 processes (simultaneous connections) at most. Apache 2.4 calls this MaxRequestWorkers; the old name still works.
MaxClients 150
# Each process serves at most 50 requests before it is recycled (limits the effect of memory leaks, at the cost of forking often). Apache 2.4 name: MaxConnectionsPerChild.
MaxRequestsPerChild 50

General Security Setup - these settings are based on your OS, and you should always set them

# Define the user and group the server runs as (NEVER let this be 'root', it should be 'www-data', 'www' or similar, defined usually by your OS)
User www
Group www

UserDir Setup

This section defines what users' websites can do on your system.

# Define the one place that all user web directories exist, /var/www/htdocs/users/$USERNAME
# This is much better than allowing $HOME/public_html to be the user's website, because :
# 1) It allows you to chroot apache and set open_basedir to /var/www, which protects the user's login authorisation files (authorized_keys, anyone?) even if their website is hacked.
# 2) It separates the user's website quota from their home quota, which gives the admin more control
# 3) It accords with least necessary privilege.
<Directory /var/www/htdocs/users/*>
        # Set them so they can't override anything really crucial (no Options override, so they cannot turn on Includes or FollowSymLinks themselves)
        AllowOverride FileInfo AuthConfig Limit
        # Limit their use of symlinks and Includes. Allow CGI only if suexec is enabled! Drop Indexes if you do not want directory listings.
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI
        # Only the read / WebDAV-discovery methods are allowed. The deny MUST be a <LimitExcept>, not a second <Limit> with a list of
        # methods: anything not named in a <Limit> (TRACE, or a made-up method) is otherwise left unrestricted.
        <Limit GET POST OPTIONS PROPFIND>
                Order allow,deny
                Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS PROPFIND>
                Order deny,allow
                Deny from all
        </LimitExcept>
        # (Order/Allow/Deny is Apache 2.2 syntax; on 2.4 use "Require all granted" / "Require all denied" instead.)
        # define a limit for php so their scripts are limited as much as possible.
        # php_admin_value is a mod_php directive: it does nothing for scripts run through suphp (CGI), where open_basedir
        # has to come from php.ini or suphp's per-user php.ini instead.
        php_admin_value open_basedir /var/www/htdocs/users
</Directory>

Apache Security Links

php.ini

; Report most errors, but log them instead of displaying sensitive info to browsers.
; (php.ini comments start with ';'. The '#' form is deprecated since PHP 5.3 and rejected by PHP 7.)
error_reporting = E_ALL & ~E_NOTICE
display_errors = Off
log_errors = On
error_log = syslog

; Use safe_mode to stop scripts accessing sensitive information.
; (safe_mode was deprecated in PHP 5.3 and removed in 5.4; on those versions rely on suphp/suexec and open_basedir instead.)
safe_mode = On
safe_mode_gid = Off

; Limit all scripts to the webserver's documentroot - after all, they have no reason to go elsewhere!
open_basedir = /var/www

; Limit how much resources scripts can take up (prevents DoS)
max_execution_time = 30
max_input_time = 60
memory_limit = 8M

; Secure the global variables (register_globals was removed in PHP 5.4; on older versions it must be Off):
register_globals = Off

; Control file uploads. The upload temp directory has to be allowed by open_basedir (with the value above that
; means adding /tmp to it, or putting the temp dir under /var/www), otherwise uploads cannot be handed to scripts.
file_uploads = On
upload_tmp_dir = /tmp
upload_max_filesize = 2M

; STOP PEOPLE REMOTELY RUNNING CODE AS YOUR WEBSERVER!
; THIS IS A VERY IMPORTANT OPTION, allow_url_fopen ***MUST*** be 'Off' or you *will* get hacked!
; (on PHP 5.2 and later the separate allow_url_include setting, which governs include/require of URLs, must be Off as well)
allow_url_fopen = Off

In this section, the three settings that matter most are allow_url_fopen, safe_mode and open_basedir. You should configure all of the variables described here, but these three in particular are absolutely critical: if you don't set them, expect to get hacked. Two caveats for newer PHP versions: from PHP 5.2 on, include/require of URLs is governed by the separate allow_url_include setting, which must also be Off; and safe_mode was deprecated in 5.3 and removed in 5.4, so on those versions the separation between users has to come from suphp/suexec and filesystem permissions. open_basedir is worth setting everywhere, but PHP's own documentation does not treat it as a security boundary, so use it as defence in depth, not as a replacement for running each user's scripts under that user's own uid.
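As an added example (not part of the original wiki page, and not a ShellsNet tool), the following Python script checks config text against this checklist: the php.ini directives called critical in this section, and, for the UserDir <Directory> block above, the User/Group, the Options flags and the use of a <Limit> with an explicit method list for the deny. The two sample configs inside it are constructed for the demonstration; the allow_url_include check is this example's addition for PHP 5.2 and later.

```python
"""Audit php.ini / httpd.conf text against this page's checklist.
Added example, not part of the original wiki page.  The sample configs below
are constructed for the demonstration; on a real host read the files instead."""
import re

# php.ini directives the checklist calls critical: "on"/"off" is the required
# boolean, None means "must be set to a non-empty value".  allow_url_include is
# this example's addition (PHP >= 5.2 governs include() of URLs with it).
PHP_INI_BASELINE = {"allow_url_fopen": "off", "allow_url_include": "off",
                    "register_globals": "off", "display_errors": "off",
                    "log_errors": "on", "open_basedir": None}
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}


def parse_php_ini(text):
    """Return {directive: value} for active lines (';' and '#' start comments)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.split(";", 1)[0].partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings; an empty list means the baseline is met."""
    settings, findings = parse_php_ini(text), []
    for key, wanted in PHP_INI_BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} is not set; set it to "
                            + ("a directory" if wanted is None else wanted.capitalize()))
        elif wanted is None:
            if actual == "":
                findings.append(f"{key} is empty; set it to a directory")
        elif actual.lower() not in (TRUE_WORDS if wanted == "on" else FALSE_WORDS):
            findings.append(f"{key} = {actual}, want {wanted.capitalize()}")
    return findings


def audit_httpd_conf(text):
    """Check User/Group, Options flags and Deny-inside-<Limit> in httpd.conf text."""
    findings, in_limit = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r"<limit\s", line, re.I):      # <Limit ...>, not <LimitExcept>
            in_limit = True
            continue
        if line.lower() == "</limit>":
            in_limit = False
            continue
        parts = line.split()
        directive, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if directive in ("user", "group") and args and args[0] in ("root", "0"):
            findings.append(f"{parts[0]} {args[0]}: the server must never run as root")
        elif directive == "options":
            opts = {a.lstrip("+") for a in args if not a.startswith("-")}
            if "includes" in opts:
                findings.append("Options Includes: use IncludesNoExec so SSI cannot run commands")
            if "followsymlinks" in opts:
                findings.append("Options FollowSymLinks: use SymLinksIfOwnerMatch in user directories")
        elif directive == "deny" and args == ["from", "all"] and in_limit:
            findings.append("Deny inside <Limit ...> covers only the listed methods; "
                            "use <LimitExcept GET POST ...> so unlisted methods are denied too")
    return findings


# Constructed samples: the WEAK pair is what the checklist warns against, the
# HARDENED pair follows the settings given on this page.
WEAK_PHP_INI = "allow_url_fopen = On\ndisplay_errors = On\nlog_errors = On\n" \
               "register_globals = Off\n# old-style comment\nmemory_limit = 8M\n"
HARDENED_PHP_INI = ("allow_url_fopen = Off\nallow_url_include = Off\nregister_globals = Off\n"
                    "display_errors = Off\nlog_errors = On\nopen_basedir = /var/www\n")
WEAK_HTTPD_CONF = """User root
Group www
<Directory /var/www/htdocs/users/*>
    Options Indexes FollowSymLinks Includes ExecCGI
    <Limit PUT DELETE>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>
"""
HARDENED_HTTPD_CONF = WEAK_HTTPD_CONF.replace("User root", "User www") \
    .replace("FollowSymLinks Includes", "SymLinksIfOwnerMatch IncludesNoExec") \
    .replace("<Limit PUT DELETE>", "<LimitExcept GET POST OPTIONS PROPFIND>") \
    .replace("</Limit>", "</LimitExcept>")

if __name__ == "__main__":
    for name, text, fn in (("php.ini", WEAK_PHP_INI, audit_php_ini), ("php.ini", HARDENED_PHP_INI, audit_php_ini),
                           ("httpd.conf", WEAK_HTTPD_CONF, audit_httpd_conf), ("httpd.conf", HARDENED_HTTPD_CONF, audit_httpd_conf)):
        print(name, fn(text) or ["OK"])
```

On a real host pass the file contents in, e.g. audit_php_ini(open('/etc/php.ini').read()); the httpd.conf parser does not follow Include lines or track <IfModule> nesting, so feed it each included file as well and read the findings as pointers to check by hand, not as a verdict.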

PHP Security Links

mod_security.conf

In httpd.conf :

#If mod_security is installed, load its config
<IfModule mod_security.c>
        Include /var/www/conf/mod_security.conf
</IfModule>

In mod_security.conf : [TODO : write a sensible default mod_security.conf]

mod_evasive

Links

mod_security Links

Misc

Sample php script to test if suphp is enabled

<?php
// Put this in a user's web directory, request it, and compare the three uids it prints.
echo "hello world<p>\n";
echo "My info<br> getmyuid (owner of this script file) : ", getmyuid();
if (function_exists('posix_geteuid')) {
    echo "<br> posix_geteuid (effective uid of the PHP process) : ", posix_geteuid();
    echo "<br> posix_getuid (real uid of the PHP process) : ", posix_getuid();
} else {
    echo "<br> the posix extension is not loaded; uncomment the system() line below to check with id instead";
}

// system("id");   // cross-check from the shell; only enable this on a test host
?>

getmyuid() only reports the owner of the script file, so it equals the script owner's uid whether or not suphp is in use. The two posix calls report the uid the PHP process is actually running as: with plain mod_php they return the webserver user (www), while under suphp the script is run by a separate CGI process that suphp has switched to the script owner's uid before executing it, so all three values should equal the owner's uid.
If the two posix values still show the webserver user, that script is not going through suphp at all, and a hacked copy of it would run with the webserver's privileges.
