Difference between revisions of "Apache 2 - Security"

(Created page with "=Apache 2 and PHP5: Secure your installation!= ==PHP Security Info== If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org...")
 
(Improve security)
Line 64: Line 64:
  
  
 +
===PHP5 sessions and temp files===
  
===PHP5 sessions and temp files===
 
 
Create specific directory to store the sessions and temp files:
 
Create specific directory to store the sessions and temp files:
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
mkdir -p /etc/php5/temp
 
mkdir -p /etc/php5/temp
Line 75: Line 76:
 
chmod -R 770 /etc/php5/temp
 
chmod -R 770 /etc/php5/temp
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
  
 
Edit the configuration file
 
Edit the configuration file
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
vim /etc/php5/apache2/php.ini
 
vim /etc/php5/apache2/php.ini
 
</syntaxhighlight>
 
</syntaxhighlight>
  
line 798 → upload_tmp_dir = /etc/php5/temp
+
 
line 1409 → session.save_path = "/etc/php5/session"
+
Adjust:
 +
* line 801 → upload_tmp_dir = /etc/php5/temp
 +
* line 1357 → session.save_path = "/etc/php5/session"
 +
 
  
 
===PHP5 tweak===
 
===PHP5 tweak===
 +
 +
Edit the configuration file
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
vim /etc/php5/apache2/php.ini
 
vim /etc/php5/apache2/php.ini
 
</syntaxhighlight>
 
</syntaxhighlight>
  
line 261 → expose_php = Off
 
line 480 → display_errors=Off
 
line 675 → post_max_size=256K
 
line 814 → allow_url_fopen=Off
 
  
DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)
+
Adjust:
 +
* line 376 → expose_php = Off
 +
* line 406 → memory_limit = 8M
 +
* line 480 → display_errors=Off
 +
* line 675 → post_max_size=256K
 +
* line 805 → upload_max_filesize=256K
 +
* line 814 → allow_url_fopen=Off
 +
 
 +
  DO '''NOT''' enable the open_basedir (even if the test say so! It’s a troublesome setting)
 +
 
 +
 
  
 
Restart your server to load the changes:
 
Restart your server to load the changes:
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
service apache2 restart
 
service apache2 restart
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Re-run the test. Then:
+
 
 +
Re-run the test, then:
 
* Ignore the open_basedir and upload_tmp_dir alerts, if any.
 
* Ignore the open_basedir and upload_tmp_dir alerts, if any.
 
* You can enable some specific options with a .htaccess file
 
* You can enable some specific options with a .htaccess file

Revision as of 18:05, 8 June 2014

Apache 2 and PHP5: Secure your installation!

PHP Security Info

If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html


Installation

cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo


Virtual host configuration

Edit your V.Host configuration 

vim /etc/apache2/sites-available/myServer

!! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess. 


<VirtualHost _default_:443>
         # PHPSecInfo
         Alias   /phpsec   /var/www/phpsecinfo
         <Location /phpsec >
                 Require all granted
                 ProxyPass !
                 order deny,allow
                 # allow from 127.0.0.1 192.168.1.0/24
                 allow from all
          </Location>
</VirtualHost>


Reload your configuration 

/etc/init.d/apache2 reload


Run the test

To asset your current installation you can run the test: https://myServer/phpsec



Improve security

PHP5 sessions and temp files

Create specific directory to store the sessions and temp files: 

mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/temp


Edit the configuration file 

vim /etc/php5/apache2/php.ini


Adjust:

  • line 801 → upload_tmp_dir = /etc/php5/temp
  • line 1357 → session.save_path = "/etc/php5/session"


PHP5 tweak

Edit the configuration file 

vim /etc/php5/apache2/php.ini


Adjust:

  • line 376 → expose_php = Off
  • line 406 → memory_limit = 8M
  • line 480 → display_errors=Off
  • line 675 → post_max_size=256K
  • line 805 → upload_max_filesize=256K
  • line 814 → allow_url_fopen=Off
 DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)


Restart your server to load the changes: 

service apache2 restart


Re-run the test, then:

  • Ignore the open_basedir and upload_tmp_dir alerts, if any.
  • You can enable some specific options with a .htaccess file


Change Apache 2 UID

Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...

Change the Apache UID

vim /etc/group

Change www-data UID 

    www-data:x:10033:

Change the Apache GID

 
vim /etc/passwd

Change the group settings 

	www-data:x:10033:10033:www-data:/var/www:/bin/false

Apply modifications 

chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*

To take on the modifications you have to reboot your server.


Avoid DOS attacks

Source: Linux mag’ – Hors serie Apache2

You can protect your server from Denial Of Service (DOS) attacks through mod_evasive 

apt-get install libapache2-mod-evasive

Prepare log directory 

mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data  /var/log/apache2/mod_evasive

Enable module 

a2enmod mod-evasive


Configuration

Create the configuration file 

vim /etc/apache2/conf.d/mod_evasive.conf

Put: 

# Mod evasive configuration
# Based upon Linux Mag 
<IfModule mod_evasive20.c>
	DOSHashTableSize 3097 

	# Limit user to 5 pages per 2 seconds
	DOSPageCount 5
	DOSPageInterval 2 

	# No more than 100 HTTP request per second (HTML, CSS, images, …) 
	DOSSiteCount 100
	DOSSiteInterval 1

	# Block client for 300 seconds
	DOSBlockingPeriod 300 
	# Send alert email
	#DOSEmailNotify "admin@myDomain" 

	# Log directory
	DOSLogDir "/var/log/apache2/mod_evasive" 

	# Command to execute on ban
	#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"

	# Ignore following IP and networks
	DOSWhiteList 127.0.0.1 
	#DOSWhitelist 66.249.65.*
<IfModule mod_evasive20.c>

DosHashTableSize = Size of the hash table.

  • The greater, the more memory is required but the faster it is! The value must be a prime number


Apply changes 

service apache2 restart
Retrieved from "http://www.daxiongmao.eu/wiki/index.php?title=Apache_2_-_Security&oldid=613"