Help to secure my FreeBSD/Apache installation
Hi everybody!

I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50, php 5.3.3) and I serve some websites from it, most of them using Joomla or Wordpress CMS.

I recently had a security breach where someone used a hole in an older Joomla version and was able to install a php script called webadmin.php. From that the person was able to browse all folders and view all files - and change them... not nice!

Apache runs using the www user (std installation) and all virtualhosts share the same user, but are placed in different directories.

I need some help and pointers to what I can do to strengthen security and to at least prevent someone from writing to the filesystem and browsing all directories and files. (Although joomla needs some folders to be chmod 777.)

I'm thinking about installing apache2-mpm-itk or similar to jail each site into its own directory and run each virtualhost as its own user. Is this a good idea?

Thankful for answers and pointers!

All the best
- Andy

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Help to secure my FreeBSD/Apache installation
Hi,
Reference:
> From: Andy Wodfer wod...@gmail.com
> Date: Wed, 17 Jul 2013 23:11:27 +0200

Andy Wodfer wrote:
> Hi everybody! I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,

To quote front page of http://www.freebsd.org:
 * Production: 9.1
 * Legacy: 8.4
My net. con. is too slow right now to check this for you, but look yourself; I bet FreeBSD-8.1 was long ago declared by security-officer@ as not supported, as too old.

> php 5.3.3) and I serve some websites from it, most of them using Joomla or Wordpress CMS.
>
> I recently had a security breach where someone used a hole in an older Joomla version and was able to install a php script called webadmin.php. From that the person was able to browse all folders and view all files - and change them... not nice!
>
> Apache runs using the www user (std installation) and all virtualhosts share the same user, but are placed in different directories.
>
> I need some help and pointers to what I can do to strengthen security and to at least prevent someone from writing to the filesystem and browsing all directories and files. (Although joomla needs some folders to be chmod 777.)
>
> I'm thinking about installing apache2-mpm-itk or similar to jail each site into its own directory and run each virtualhost as its own user. Is this a good idea?
>
> Thankful for answers and pointers!
>
> All the best
> - Andy

Upgrade to 8.4 or 9.1,
Reinstall new versions of all ports,
  cd /usr/ports/ports-mgmt/portaudit ; make install ; rehash ; portaudit ;
  # (Which is in 9.1 not in 8.2) port-audit

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script. Indent old text with .
 Send plain text. No quoted-printable, HTML, base64, multipart/alternative.
Re: Help to secure my FreeBSD/Apache installation
Hi,
Reference:
> From: Julian H. Stacey j...@berklix.com
> Date: Wed, 17 Jul 2013 23:38:51 +0200

Julian H. Stacey wrote:
> Hi,
> Reference:
> > From: Andy Wodfer wod...@gmail.com
> > Date: Wed, 17 Jul 2013 23:11:27 +0200
>
> Andy Wodfer wrote:
> > Hi everybody! I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,
>
> To quote front page of http://www.freebsd.org:
>  * Production: 9.1
>  * Legacy: 8.4
> My net. con. is too slow right now to check this for you, but look yourself; I bet FreeBSD-8.1 was long ago declared by security-officer@ as not supported, as too old.

Re version numbers: Your 8.1 STABLE does not exist! Only 8 Stable, 8.1-RELEASE, 8.2-RELEASE, etc.
http://www.freebsd.org/security/unsupported.html
  8.1 8.2 not supported.
http://www.freebsd.org/security/index.html#sup
9.1-RELEASE has /usr/ports/www/apache22/work/httpd-2.2.23

> Upgrade to 8.4 or 9.1,
> Reinstall new versions of all ports,
>   cd /usr/ports/ports-mgmt/portaudit ; make install ; rehash ; portaudit ;
>   # (Which is in 9.1 not in 8.2) port-audit

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
Re: Help to secure my FreeBSD/Apache installation
On Wed, 17 Jul 2013 23:11:27 +0200, Andy Wodfer wrote:
> Hi everybody! I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50, php 5.3.3) and I serve some websites from it, most of them using Joomla or Wordpress CMS.

Those are typical (and known) attack vectors. Make sure you're always up to date regarding fixes!

> I recently had a security breach where someone used a hole in an older Joomla version and was able to install a php script called webadmin.php. From that the person was able to browse all folders and view all files - and change them... not nice!

This implies you cannot know in how far your system has been compromised. I'd suggest a new installation. Make backups of user files and configurations. Make sure you audit them (so you won't re-install a possible backdoor after a clean install).

> I need some help and pointers to what I can do to strengthen security and to at least prevent someone from writing to the filesystem and browsing all directories and files. (Although joomla needs some folders to be chmod 777.)
>
> I'm thinking about installing apache2-mpm-itk or similar to jail each site into its own directory and run each virtualhost as its own user. Is this a good idea?

At least it is a _working_ idea. If it is actually a good idea depends on many different factors. Jails are a good means of separation. Sometimes, using simple user accounts is sufficient, but especially regarding complex web content (such as CMS, stuff that involves PHP and whatnot) the more security you can add, the better it is.

Also install portaudit to check for security fixes that have been made available for the software you're running.

Apply restrictions as hard as possible. If programs want write access to specific directories, try to make them writable per user accounts, not within the global tree structure (or even within system directories). The nobody user can also be helpful (depending on what you are running).

If you can separate the different CMSs and sites, a possible security breach will be restricted to that one instance. It can be taken down without affecting the other sites.

But also: Educate your users. In order to do that, use money. Make them pay. ;-)

PS. Allow me a short addition, I know people will beat me with a pointed stick for mentioning it, but: There are no folders. This term is wrong. What you mean are called directories. A folder is the name of one visual representation (among others) of a directory in a graphical user interface. It _is_ not a directory and it is not similar to one. It's comparable to the relation of the handbrake light in your car's dashboard vs. the real handbrake. Don't claim your handbrake light isn't working when in fact your handbrake is broken. :-)

Bottom line: Directory correct, folder plain wrong. You don't call files sheets of paper either. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
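A hardening check in the spirit of the advice above (keep write access out of the global tree, know what the server user can touch), added here as an example and not taken from any poster: a POSIX sh script that lists, per docroot, the world-writable paths left behind by "chmod 777" advice and the PHP files the web server user itself could have created or rewritten (the way webadmin.php arrived). It assumes FreeBSD's default `www` user and hypothetical docroot paths passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): audit shared Apache docroots for the two
# conditions the breach above relied on -- world-writable paths and PHP files the
# web server user itself can create or rewrite (where a webadmin.php gets dropped).
# Assumptions: the server runs as FreeBSD's default "www" user and each docroot is
# passed as an argument, e.g. /usr/local/www/site1 (hypothetical path).

WEB_USER="${WEB_USER:-www}"        # override: WEB_USER=... sh audit.sh ...
RECENT_DAYS="${RECENT_DAYS:-7}"    # window for the "recently changed" check

# World-writable files and directories (Joomla/WordPress "chmod 777" leftovers).
world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) -print 2>/dev/null | sort
}

# PHP files owned by the web server user: anything here is writable by a
# compromised Apache process without any further privilege.
server_owned_php() {
    find "$1" -type f -name '*.php' -user "$WEB_USER" -print 2>/dev/null | sort
}

# PHP files modified within $RECENT_DAYS days: cheap change detection to run
# after every CMS update; anything unexpected deserves a look.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$RECENT_DAYS" -print 2>/dev/null | sort
}

# Number of paths a check reports (0 when clean); usage: count_findings CHECK DIR
count_findings() {
    "$@" | grep -c . || true
}

audit_docroot() {
    echo "== $1 =="
    echo "-- world-writable paths ($(count_findings world_writable "$1")):"
    world_writable "$1"
    echo "-- PHP files owned by $WEB_USER ($(count_findings server_owned_php "$1")):"
    server_owned_php "$1"
    echo "-- PHP files modified in the last $RECENT_DAYS days ($(count_findings recent_php "$1")):"
    recent_php "$1"
}

for docroot in "$@"; do
    audit_docroot "$docroot"
done
```

Run it from cron and diff successive outputs; a clean shared-hosting docroot should report zero world-writable paths and no PHP owned by the server user outside the few upload directories the CMS genuinely needs.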
Apache Installation
Hey I am a novice at FreeBSD! I want to install apache v 1.3.28 in my FreeBSD 5.21. Can u guys help me? How to proceed?

-macuser
Re: Apache Installation
Hey,

It's very simple! Assuming you have an updated ports tree, just do this as root:

  cd /usr/ports/www/apache13
  make install clean

> Hey I am a novice at FreeBSD! I want to install apache v 1.3.28 in my FreeBSD 5.21. Can u guys help me? How to proceed?
>
> -macuser

-- 
www.6s-gaming.com
Re: Apache Installation
This is valid advice. However, since you say you are new to FreeBSD (and, perhaps, *nix?), I would break the process down like this. Use a terminal (xterm) to run these commands. Otherwise, excuse the simplicity. I'll assume you're using sudo for root privilege.

1. It's easiest to use the ports tree (/usr/ports). Apache is in the www directory under /usr/ports. So, go there.

     cd /usr/ports/www

   There are a few versions you could install when it comes to Apache. You can see them with

     ls -d apache*

   'apache13' is the most straightforward to start with. So, go into this directory,

     cd apache13

2. Fetch, extract, and compile. Check the Makefile for things you can modify to your needs.

     more Makefile

   Look for defined(...) or !defined(...). For example,

     .if (!defined(WITHOUT_APACHE_EXPAT)...

   In the case of Apache 1.3.x you can specify -DWITHOUT_APACHE_EXPAT. If you're unsure about this, then forget about it. Just compile and install. Or extract,

     sudo make extract

   which will usually tell you what you can modify on the command line. Otherwise,

     sudo make

   You can do the make and install in one line.

     sudo make install

   If you were to exclude expat support, then you would use this

     sudo make -DWITHOUT_APACHE_EXPAT
     sudo make install

   or

     sudo make -DWITHOUT_APACHE_EXPAT install

   You can remove the installation and start over by running

     sudo make deinstall

   and

     sudo rm -rf ./work

   where ./ assumes you are already in /usr/ports/www/apache13/. This gets rid of the work directory that 'make extract' created.

You don't have to do it like this all the time. But once you're familiar with the basic process, you will discover your own refined process.

Good luck,
Alex

On Sep 17, 2004, at 3:09 PM, Hugo Silva wrote:
> Hey,
>
> It's very simple! Assuming you have an updated ports tree, just do this as root:
>
>   cd /usr/ports/www/apache13
>   make install clean
>
> > Hey I am a novice at FreeBSD! I want to install apache v 1.3.28 in my FreeBSD 5.21. Can u guys help me? How to proceed?
> >
> > -macuser
>
> -- 
> www.6s-gaming.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Alexander Sendzimir (owner)            802 863 5502
MacTutor: Apple Mac OS X Consulting    [EMAIL PROTECTED]
Re: Apache Installation
digish reshamwala wrote:
> Hey I am a novice at FreeBSD! I want to install apache v 1.3.28 in my FreeBSD 5.21. Can u guys help me? How to proceed?
>
> -macuser

I see another post in which someone has taken great pains to explain a lot. In a nutshell, though, it's this:

***
1. Make sure you're connected to the Internet.
2. Make sure you have superuser privileges (su to root).
3. Then:

     #cd /usr/ports/www/apache13
     #make install clean
***

See the Handbook chapter on installing 3rd party software.

Kevin Kinsey