Help to secure my FreeBSD/Apache installation
Hi everybody! I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50, php 5.3.3) and I server some websites from it, most of them using Joomla or Wordpress CMS. I recently had a security breach where someone used a hole in an older Joomla version and was able to install a php script called webadmin.php. From that the person was able to browse all folders and view all files - and change them... not nice! Apache runs using the www user (std installation) and all virtualhosts share the same user, but are placed in different directories. I need some help and pointers to what I can do to strengthen security and to atleast prevent someone from writing to the filesystem and browse all directories and files. (allthough joomla needs some folders to be chmod 777) I'm thinking about installing apache2-mpm-itk or similare to jail each site into its own directory and run each virtualhost as its own user. Is this a good idea? Thankful for answers and pointers! All the best - Andy ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Help to secure my FreeBSD/Apache installation
Hi, Reference: From: Andy Wodfer wod...@gmail.com Date: Wed, 17 Jul 2013 23:11:27 +0200 Andy Wodfer wrote: Hi everybody! I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50, To quote front page of http://www.freebsd.org: * Production: 9.1 * Legacy: 8.4 My net. con. is too slow right now to check this for you, but look yourself, I bet FreeBSD-8.1 was long ago declared by security-officer@ as not supported as too old, php 5.3.3) and I server some websites from it, most of them using Joomla or Wordpress CMS. I recently had a security breach where someone used a hole in an older Joomla version and was able to install a php script called webadmin.php. From that the person was able to browse all folders and view all files - and change them... not nice! Apache runs using the www user (std installation) and all virtualhosts share the same user, but are placed in different directories. I need some help and pointers to what I can do to strengthen security and to atleast prevent someone from writing to the filesystem and browse all directories and files. (allthough joomla needs some folders to be chmod 777) I'm thinking about installing apache2-mpm-itk or similare to jail each site into its own directory and run each virtualhost as its own user. Is this a good idea? Thankful for answers and pointers! All the best - Andy Upgrade to 8.4 or 9.1, Reinstall new versions of all ports, cd /usr/ports/ports-mgmt/portaudit ; make install ; rehash ; portaudit ; # (Which is in 9.1 not in 8.2) port-audit Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com Reply below not above, like a play script. Indent old text with . Send plain text. No quoted-printable, HTML, base64, multipart/alternative. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Help to secure my FreeBSD/Apache installation
Hi, Reference: From: Julian H. Stacey j...@berklix.com Date: Wed, 17 Jul 2013 23:38:51 +0200 Julian H. Stacey wrote: Hi, Reference: From: Andy Wodfer wod...@gmail.com Date: Wed, 17 Jul 2013 23:11:27 +0200 Andy Wodfer wrote: Hi everybody! I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50, To quote front page of http://www.freebsd.org: * Production: 9.1 * Legacy: 8.4 My net. con. is too slow right now to check this for you, but look yourself, I bet FreeBSD-8.1 was long ago declared by security-officer@ as not supported as too old, Re version numbers: Your 8.1 STABLE does not exist ! Only 8 Stable, 8.1-RELEASE, 8.2-RELEASE, etc. http://www.freebsd.org/security/unsupported.html 8.1 8.2 not supported. http://www.freebsd.org/security/index.html#sup 9.1-RELEASE has /usr/ports/www/apache22/work/httpd-2.2.23 Upgrade to 8.4 or 9.1, Reinstall new versions of all ports, cd /usr/ports/ports-mgmt/portaudit ; make install ; rehash ; portaudit ; # (Which is in 9.1 not in 8.2) port-audit Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com Reply below not above, like a play script. Indent old text with . Send plain text. No quoted-printable, HTML, base64, multipart/alternative. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Help to secure my FreeBSD/Apache installation
On Wed, 17 Jul 2013 23:11:27 +0200, Andy Wodfer wrote: Hi everybody! I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50, php 5.3.3) and I server some websites from it, most of them using Joomla or Wordpress CMS. Those are typical (and known) attack vectors. Make sure you're always up to date regarding fixes! I recently had a security breach where someone used a hole in an older Joomla version and was able to install a php script called webadmin.php. From that the person was able to browse all folders and view all files - and change them... not nice! This implies you cannot know in how far your system has been compromized. I'd suggest a new installation. Make backups of user files and configurations. Make sure you audit them (so you won't re-install a possible backdoor after a clean install). I need some help and pointers to what I can do to strengthen security and to atleast prevent someone from writing to the filesystem and browse all directories and files. (allthough joomla needs some folders to be chmod 777) I'm thinking about installing apache2-mpm-itk or similare to jail each site into its own directory and run each virtualhost as its own user. Is this a good idea? At least it is a _working_ idea. If it is actually a good idea depends on many different factors. Jails are a good means of separation. Sometimes, using simple user accounts is sufficient, but especially regarding complex web content (such as CMS, stuff that involves PHP and whatnot) the more security you can add, the better it is. Also install portaudit to check for security fixes that have been made available for the software you're running. Apply restrictions as hard as possible. If programs want write access to specific directories, try to make then writable per uer accounts, not within the global tree structure (or even within system directories). The nobody user can also be helpful (regarding on what you are running). If you can separate the different CMSs and sites, a possible security breach will be restricted to that only instance. It can be taken down without affecting the other sites. But also: Educate your users. In order to do that, use money. Make them pay. ;-) PS. Allow me a short addition, I know people will beat me with a pointed stick for mentioning it, but: There are no folders. This term is wrong. What you mean are called directories. A folder is the name of one visual representation (among others) of a directory in a graphical user interface. It _is_ not a directory and it is not similar to one. It's comparable to the relation of the handbrake light in your car's dashboard vs. the real handbrake. Don't claim your handbrake light isn't working when in fact your handbrake is broken. :-) Bottom line: Directory correct, folder plain wrong. You don't call files sheets of paper either. :-) -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
