Hi, > I have a webserver running with a couple of users as virtual hosts in > Apache. [...] > What is the best and correct way to protect the server from users who > might upload such a script on their web directory? [...] > I don't want to run Apache in a chroot.
I would call the attention to my contributed work, a Wiki at http://free.coedu.hu/ describing a step-by-step install procedure making a (relatively) safe Debian Etch LAMP server. The procedure contains: * safe partition mounting (non exec /var, read only /usr etc); * minimal package using (avoiding tasksel); * custom kernel with GRSecurity patch and ACL; * disabling root login via ssh, using keys, hardening su; * hardening umask with PAM, hardening file permissions; * Debian update notifications via cron-apt; * packet filter firewalling with Shorewall; * logging with syslog-ng and automatic alerts via logcheck; * periodical security "audit" via Tiger; * monitoring hardware using smartmontools, lm-sensors; * monitoring services and hardware via Munin; * using Intel chipset sw watchdog (if available) for a generic Debian server, added web services: * Apache (actually 1.3.x) with mod-security ** http for visitors ** https/DAV for developers ** per-vhost Apache user and usergroup handling (not Linux, but basic auth users) ** per-vhost logs visible for authenticated developers via https ** AwStats integration, a daily-refreshed statistics visible for authenticated auditors via https * MySQL 5.x ** per-vhost database users and databases; ** key-autheniticated, SSH-tunneled MySQL access for developers; ** periodic (daily) dumps for backup * PHP 5.x ** paranoid configuration (GID safe mode, open_basedir, disable_functions, etc.); ** per-vhost logs visible for authenticated developers via https Provided also a small toolkit named wsm (website-manager) with functions: * creating a website from command line (wsm --createweb www.example.com) ** docroot and a default directory structure with paranoid file system permissions; ** apache and apache-ssl configuration from templates; ** AwStats configuration ** automatic halfhourly URL checking and alert sending; * saving all relevant files according to a website (docroot, configs, Apache users, logs - but no database, if any) from command line (wsm --saveweb www.example.com) - useful to backup or migrate; * Apache user and group handling from command line (a small frontend to htpasswd) All work is free stuff, licensed under CCL 2.5 (see website). Naturally isn't perfect, but working - maybe a good starting point. Unfortunately is available in Hungarian language only :-(, but lot of (self-explanatory, I hope) config file fragments are included. Any comments are welcome - and sorry about my terrible English. Regards: -- Zoltán KOVÁCS [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
