Date: Wed, 17 Jul 2013 23:38:51 +0200
From: "Julian H. Stacey" <jhs@berklix.com>
To: Andy Wodfer <wodfer@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: Help to secure my FreeBSD/Apache installation
Message-ID: <201307172139.r6HLcpPf016224@fire.js.berklix.net>
In-Reply-To: Your message "Wed, 17 Jul 2013 23:11:27 +0200." <CABgB0xSMTOTz489GZqmGPBmuV08b_GzRsDgFoafkKvrdqXz=og@mail.gmail.com>
Hi,
Reference:
> From: Andy Wodfer <wodfer@gmail.com>
> Date: Wed, 17 Jul 2013 23:11:27 +0200

Andy Wodfer wrote:
> Hi everybody!
>
> I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,

To quote front page of http://www.freebsd.org:
    * Production: 9.1
    * Legacy: 8.4
My net. con. is too slow right now to check this for you, but look
yourself, I bet FreeBSD-8.1 was long ago declared by security-officer@
as not supported as too old.

> php 5.3.3) and I serve some websites from it, most of them using Joomla or
> Wordpress CMS.
>
> I recently had a security breach where someone used a hole in an older
> Joomla version and was able to install a php script called webadmin.php.
> From that the person was able to browse all folders and view all files -
> and change them... not nice!
>
> Apache runs using the www user (std installation) and all virtualhosts
> share the same user, but are placed in different directories.
>
> I need some help and pointers to what I can do to strengthen security and
> to at least prevent someone from writing to the filesystem and browsing all
> directories and files (although Joomla needs some folders to be chmod 777).
>
> I'm thinking about installing apache2-mpm-itk or similar to jail each site
> into its own directory and run each virtualhost as its own user. Is this a
> good idea?
>
> Thankful for answers and pointers!
>
> All the best -
> Andy

Upgrade to 8.4 or 9.1,
Reinstall new versions of all ports,
  cd /usr/ports/ports-mgmt/portaudit ; make install ; rehash ; portaudit ;
  # (Which is in 9.1 & not in 8.2)
  port-audit

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.
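Added example, not code from Julian's reply or from Andy's post: Andy's breach needed two things at once, a folder Apache's www user could write to (the "chmod 777" folders Joomla wants) and Apache willing to execute a PHP file dropped there. The script below audits a document root for exactly that combination and prints an Apache 2.2 stanza that turns the PHP engine off in each writable folder. The document root path, the function names, and the assumption that PHP runs as mod_php (so that php_admin_flag applies) are all assumptions of this example; the sample tree used to exercise it is constructed, not taken from Andy's server.

```shell
#!/bin/sh
# Added example (not from the thread): audit an Apache document root for
# world-writable directories and for PHP files already sitting in them, then
# emit a mod_php "engine off" stanza per writable directory. Assumptions:
# the document root is passed as $1, and PHP runs under mod_php.

# Print every directory under $1 with the world-writable bit set (what
# "chmod 777" leaves). Octal -0002 works with both FreeBSD and GNU find.
world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# Number of world-writable directories under $1 (tr strips BSD wc padding).
count_writable_dirs() {
    world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Print PHP files sitting directly inside world-writable directories under $1.
# These are the webadmin.php candidates: files the www user could have
# written and that Apache will execute on request.
php_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -name '*.php'
    done
}

# Emit one Apache 2.2 <Directory> stanza per world-writable directory that
# disables the mod_php engine there, so an uploaded .php is served as plain
# text instead of run. php_admin_flag is a mod_php directive (assumption:
# mod_php is the PHP handler on this server).
php_off_stanza() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        printf '<Directory "%s">\n    php_admin_flag engine off\n</Directory>\n' "$dir"
    done
}

# Stand-alone use, e.g.: sh audit_docroot.sh /usr/local/www/apache22/data
if [ $# -gt 0 ]; then
    echo "# world-writable directories under $1:"
    world_writable_dirs "$1"
    echo "# PHP files already inside them:"
    php_in_writable_dirs "$1"
    echo "# suggested httpd.conf additions:"
    php_off_stanza "$1"
fi
```

Run it as the www user's view of each vhost document root; any path listed under "PHP files already inside them" deserves the same look Andy gave webadmin.php, and the printed stanzas go into the vhost config so that upload folders can stay writable without also being executable. Per-vhost users (the mpm-itk idea in Andy's post) address a different part of the problem, one site reading another's files, and are complementary to this check rather than a replacement for it.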