httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] Basic Security upgrades
Date Mon, 18 Aug 2003 21:53:00 GMT
Please post in plain text format (when composing or responding, ensure that
Format -> Plain Text is selected).

> ----- Original Message ----- 
> From: Jeff Lee
> To: users@httpd.apache.org
> Sent: Monday, August 18, 2003 7:08 PM
> Subject: [users@httpd] Basic Security upgrades
>
>
> I am looking to increase the security of my server and I was wondering if
> someone could help me with basic security issues.

I'm not sure of things to do in Apache as far as compilation options,
configuring, etc.  If there's more to add or correct, someone please chime
in.  This response is not exhaustive of all things to secure.  Some parts of
this response are probably swaying off-topic.

> I am not using cgiwrap,

I've still got to learn about suexec and cgiwrap, what they do, when to use,
etc. so I can't comment.  Oh wait I just did...

> but I do not have outside users putting cgi scripts on the server.

None that you're aware of anyways.  ;-)

> I am mainly looking at permissions on the web directories.

Ensure stuff like ssl keys/csrs/certs and htpasswd files are not in the web
directories.  These should be placed outside, to prevent accidental use.
Something like /web/site1 (this is where the FTP would point to, i.e. the
user's homedir), /web/site1/public_html (for the website), /web/site1/private
(for htpasswd files), /web/site1/ssl (for ssl keys, csrs, and certs; chown
root.root ssl/*; chmod 700 ssl; chmod 400 ssl/*; so the clients don't
accidentally clobber them, and to prevent accidental changes of permissions
by the user).  Anything that people NEED to view, chmod 644.  Any directory
they NEED access to, or script that needs to be executed, chmod 755.  Make
sure the owner and group are set appropriately (i.e. usually the same as the
username).  Other stuff should probably be outside the web folders if you
don't want people accessing them.

> Also I want the owner of each domain to be able to ftp to the
> sites directory (/www/site) so that they can make changes.
> But I would like this to be as secure as possible.

SFTP, secure FTP.  Not sure how to set this up, never did it.  Basic concept
of SSH, except it allows only FTP access.  If you are allowing regular FTP
access then each time the username and password is sent, they're sent in
clear text over the internet, and could be intercepted at any compromised
system in between your clients and your server.

> I currently use SSH to connect and I also wanted to know
> if there was a way to increase security for that.

Do NOT allow root to log in via SSH.  You log in as a regular user and then
run 'su' over the secure connection.  It's advisable NOT to give shell
access to anyone by default, and then only if they really need it (i.e.,
they're a big customer, they have a special application they'd like to
compile on the server from C/C++ sources and they don't have the exact same
platform to compile it themselves, etc.).  If people are using scp (secure
cp {copy}) to upload files securely, this requires a shell account, as it's
basically like an SSH connection, just "headless".  But they shouldn't be
doing this; they should use SFTP, and so not require a shell.  That's
probably the biggest combination of security holes: having people send
username and password in cleartext via FTP, and all these accounts having
shell access that Joe Random can just waltz into and start prodding your
system for holes and leave backdoors.

> I also want to be able to find out, from root, who is logged
> in and what they are doing.  Their IP address etc.

There's probably programs that let you watch the other person's terminal, or
you can try the standard UNIX command 'w'.

> and I want to be able to kick them off of the server if I need to.

Run the standard UNIX command 'ps' to get their process ID and command line.

ps auxwwf | less

Run the standard UNIX command 'kill' to kill the process.

kill 1234

Or for stubborn buggers who don't die with a regular SIGTERM, send a
SIGKILL.

kill -9 1234

> I realize that some of this is not apache specific but I figured
> that most people here have these measures in place and are
> knowledgeable in these areas.
That'll be $20 or a gift certificate to SubWay.

> Thanks in advance,
> Jeff Lee
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

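Another added example (again not from the original post): the SFTP-only
setup Leif says he never configured, written as an sshd_config fragment for
OpenSSH 4.9 or later, plus a shell check for the detail that bites people
when they follow the "no root login" advice.  sshd takes the FIRST value it
sees for a keyword, and anything after a Match line is conditional, so a
"PermitRootLogin no" appended at the bottom of a file that already says
"yes" higher up changes nothing.  The group name sftponly and all file paths
are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Generates an sshd_config
# fragment that refuses root logins and restricts one group to SFTP in a
# chroot, and checks a config file for the effective PermitRootLogin value.
# Assumptions: OpenSSH 4.9+ (Match/internal-sftp); group name "sftponly".
set -u

# write_sftp_only_config OUT GROUP
#   The chroot (%h, the user's home) must be owned by root and not writable
#   by group/other; the layout from the reply fits: /web/site1 is root's,
#   /web/site1/public_html belongs to the site owner.
write_sftp_only_config() {
    cat > "$1" <<EOF
# Global directives first: sshd uses the first value it sees for a keyword,
# and nothing placed after a Match line applies globally.
PermitRootLogin no
Subsystem sftp internal-sftp

# Members of $2 get SFTP only, jailed in their home directory; no shell,
# no scp, no port forwarding.
Match Group $2
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# effective_permit_root_login FILE
#   Prints the value sshd will actually use: the first PermitRootLogin
#   before any Match line (comments skipped), or "unset" if there is none.
effective_permit_root_login() {
    awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE -> 0 if root login is disabled globally, else 1
audit_sshd_config() {
    v=$(effective_permit_root_login "$1")
    if [ "$v" = "no" ]; then
        echo "$1: PermitRootLogin no (ok)"
        return 0
    fi
    echo "$1: effective PermitRootLogin is '$v'; put 'PermitRootLogin no'" \
         "above any other PermitRootLogin line and above the first Match"
    return 1
}

# Stand-alone demo against constructed files (never touches /etc/ssh):
#   sh sshd_check.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$tmp/broken"
    audit_sshd_config "$tmp/broken" || true
    write_sftp_only_config "$tmp/fixed" sftponly
    audit_sshd_config "$tmp/fixed"
    rm -rf "$tmp"
fi
```

Merge the fragment into sshd_config (or pull it in with Include on OpenSSH
8.2+) keeping a single "Subsystem sftp" line, since sshd rejects a second
one, and run "sshd -t" before restarting.  The chroot only works if the
user's home really is root-owned and not group/world-writable; otherwise
sshd logs a bad-ownership error for the chroot directory and refuses the
login, which is exactly why the site root and the user's public_html are
owned by different accounts in the layout above.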

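A last added example for the "who is logged in, and kick them off" part, not
from the original post: the w / ps / kill sequence Leif describes, packaged
so that SIGTERM is tried first and SIGKILL only after a grace period, with a
guard against kicking root or your own session.  Only POSIX ps options are
used; the throwaway process in the demo is constructed, and no real user is
touched.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the w/ps/kill routine
# from the reply: list sessions, find a user's processes, and kick a pid
# with SIGTERM first and SIGKILL only if it ignores the polite request.
set -u

# list_sessions: who is on, from where, doing what (w), then every process
# that has a controlling terminal, so a backgrounded shell is not missed.
list_sessions() {
    w
    ps -eo pid,user,tty,args | awk 'NR == 1 || ($3 != "?" && $3 != "??")'
}

# sessions_of USER -> "pid tty args" for each of USER's processes
sessions_of() {
    ps -u "$1" -o pid= -o tty= -o args=
}

# kick_pid PID [GRACE]
#   SIGTERM, then up to GRACE seconds (default 5) for the process to go away,
#   then SIGKILL. Prints "terminated" or "killed"; returns 2 if PID is gone.
kick_pid() {
    pid=$1; grace=${2:-5}
    kill -TERM "$pid" 2>/dev/null || { echo "no such process: $pid"; return 2; }
    i=0
    while [ "$i" -lt "$grace" ]; do
        kill -0 "$pid" 2>/dev/null || { echo "terminated"; return 0; }
        sleep 1
        i=$((i + 1))
    done
    kill -KILL "$pid" 2>/dev/null          # the stubborn case from the reply
    echo "killed"
    return 0
}

# kick_user USER [GRACE]: kick every process of USER, refusing root and
# the account running this script so you cannot lock yourself out.
kick_user() {
    case $1 in
        root|"$(id -un)") echo "refusing to kick $1"; return 1 ;;
    esac
    for p in $(ps -u "$1" -o pid=); do
        kick_pid "$p" "${2:-5}"
    done
}

# Stand-alone demo against a throwaway process (constructed; no real user
# is kicked): a child that ignores SIGTERM, so the escalation is visible.
#   sh kick.sh demo
if [ "${1:-}" = "demo" ]; then
    sh -c 'trap "" TERM; exec sleep 60' &
    victim=$!
    sleep 1
    kick_pid "$victim" 2      # prints "killed" after the 2 s grace period
    wait "$victim" 2>/dev/null || true
fi
```

Kicking the login shell closes the SSH session, but anything the user left
running with nohup or in the background survives, which is why kick_user
walks every process of the account rather than only the shell w shows.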