From: Polytropon <freebsd@edvax.de>
To: Andy Wodfer
Cc: freebsd-questions@freebsd.org
Subject: Re: Help to secure my FreeBSD/Apache installation
Date: Thu, 18 Jul 2013 00:17:16 +0200
Message-Id: <20130718001716.a5f4994d.freebsd@edvax.de>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)

On Wed, 17 Jul 2013 23:11:27 +0200, Andy Wodfer wrote:
> Hi everybody!
>
> I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,
> php 5.3.3) and I serve some websites from it, most of them using Joomla or
> Wordpress CMS.

Those are typical (and known) attack vectors. Make sure you're always
up to date regarding fixes!

> I recently had a security breach where someone used a hole in an older
> Joomla version and was able to install a php script called webadmin.php.
> From that the person was able to browse all folders and view all files -
> and change them... not nice!

This implies you cannot know to what extent your system has been
compromised. I'd suggest a new installation. Make backups of user
files and configurations. Make sure you audit them (so you won't
re-install a possible backdoor after a clean install).

> I need some help and pointers to what I can do to strengthen security and
> to at least prevent someone from writing to the filesystem and browse all
> directories and files. (although joomla needs some folders to be chmod 777)
> I'm thinking about installing apache2-mpm-itk or similar to jail each site
> into its own directory and run each virtualhost as its own user. Is this a
> good idea?

At least it is a _working_ idea. If it is actually a good idea depends
on many different factors. Jails are a good means of separation.
Sometimes, using "simple user accounts" is sufficient, but especially
regarding complex web content (such as CMS, stuff that involves PHP
and whatnot) the more security you can add, the better it is.

Also install portaudit to check for security fixes that have been made
available for the software you're running.

Apply restrictions as hard as possible. If programs want write access
to specific directories, try to make them writable per user account,
not within the global tree structure (or even within system
directories). The "nobody" user can also be helpful (depending on what
you are running).

If you can separate the different CMSs and sites, a possible security
breach will be restricted to that instance only. It can be taken down
without affecting the other sites.

But also: Educate your users. In order to do that, use money. Make
them pay. ;-)

PS. Allow me a short addition, I know people will beat me with a
pointed stick for mentioning it, but: There are no "folders". This
term is wrong. What you mean are called directories.
A folder is the name of one visual representation (among others) of a
directory in a graphical user interface. It _is_ not a directory and
it is not similar to one. It's comparable to the relation of the
handbrake light in your car's dashboard vs. the real handbrake. Don't
claim your handbrake light isn't working when in fact your handbrake
is broken. :-)

Bottom line: Directory correct, "folder" plain wrong. You don't call
files "sheets of paper" either. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
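The two measures discussed in this thread (one system account per virtual host via apache2-mpm-itk, and replacing the CMS's "chmod 777" directories with narrowly writable ones) as an added worked example. This is not code from the original mail or from any FreeBSD port; it assumes apache22 with the itk MPM (whose AssignUserID directive is what makes the per-vhost user switch happen), mod_php, a site layout under /usr/local/www/<site>, and a hypothetical site name, account and "images" upload directory chosen for illustration:

```shell
#!/bin/sh
# Added example, not from the original mail. Assumptions: apache22-itk
# (AssignUserID), mod_php, one Unix account per site, docroots under
# /usr/local/www/<site>. example.org / siteuser / images are placeholders.
set -eu

# Emit a VirtualHost stanza (Apache 2.2 syntax) that runs this site's
# PHP as its own user/group. A hole in one CMS then only gets that
# account's privileges, not the other sites' files. PHP execution is
# switched off in the one directory the CMS may write to, so an
# uploaded webadmin.php there is served as text, not executed.
vhost_conf() {
    site=$1; user=$2; group=$3; docroot=$4; writable=$5
    cat <<EOF
<VirtualHost *:80>
    ServerName $site
    DocumentRoot $docroot
    AssignUserID $user $group
    <Directory $docroot>
        Options -Indexes -ExecCGI
        AllowOverride FileInfo
        Order allow,deny
        Allow from all
    </Directory>
    <Directory $docroot/$writable>
        php_admin_flag engine off
    </Directory>
</VirtualHost>
EOF
}

# List every file or directory under a docroot that is world-writable
# (the "chmod 777" leftovers). Empty output means none were found.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# Replace 777 with the least that works: files 0640, directories 0750,
# owned by the site account with the web server's group, so Apache can
# read the tree but other sites' accounts cannot (configuration.php
# holds the DB password). Only the directories named after the first
# three arguments become group-writable (0770). Ownership is changed
# only when run as root; the mode fix works for the owner as well.
fix_site_perms() {
    docroot=$1; user=$2; group=$3; shift 3
    find "$docroot" -type d -exec chmod 0750 {} +
    find "$docroot" -type f -exec chmod 0640 {} +
    for d in "$@"; do
        chmod 0770 "$docroot/$d"
    done
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user:$group" "$docroot"
    fi
}

# Demo, run only when HARDEN_DEMO=1 so the functions can be sourced:
#   HARDEN_DEMO=1 sh harden.sh
if [ "${HARDEN_DEMO:-0}" = 1 ]; then
    vhost_conf example.org siteuser www /usr/local/www/example.org images
    find_world_writable /usr/local/www/example.org
fi
```

Run find_world_writable before and after fix_site_perms to confirm nothing under the docroot stays world-writable; what the CMS still refuses to write to is the list of directories to pass as extra arguments, not a reason to go back to 777. Keep portaudit running alongside this, since the separation limits the blast radius of the next Joomla hole but does not close it.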