[CentOS] Permissions for LAMP

2014-01-25 Thread Joseph Hesse
I am running a LAMP server on a CentOS 6.5 box. It works fine, but I am 
concerned that I may have the wrong file/dir permissions.

The directories /var and /var/www are root:root and 755.

For /var/www/html and all directories underneath I have apache:apache 
and 770.

For all files under /var/www/html I have apache:apache and 660.

Are these permissions OK?

Thank you,
Joe
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Permissions for LAMP

2014-01-25 Thread Steven Tardy
On Sat, Jan 25, 2014 at 7:33 AM, Joseph Hesse  wrote:

> I am running a LAMP server on a CentOS 6.5 box. It works fine, but I am
> concerned that I may have the wrong file/dir permissions.
>
> The directories /var and /var/www are root:root and 755.
>
> For /var/www/html and all directories underneath I have apache:apache
> and 770.
>
> For all files under /var/www/html I have apache:apache and 660.
>
> Are these permissions OK?
>
> Thank you,
> Joe
>

The problem with your /var/www/html permissions is that the user/group "apache"
can write to directories and files. That can be used by anyone on the
internet (bad guys) to use potentially exploitable dynamic
pages (.php/.cgi/etc.) to add/modify files on your server. This is a bad
thing. SELinux may offer some protections.
I would:
  chmod -R g-w /var/www/html
  chown -R somewebuser /var/www/html
(replace somewebuser with the unix user account used to modify the website.)

  http://wiki.apache.org/httpd/FileSystemPermissions
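As an added example (not from the thread), a POSIX shell script that applies the layout Steven describes to a web root and then audits it: a deploy account owns the tree, the httpd group can read and traverse but not write, and nothing is world-accessible. The function names and the DIR/OWNER/GROUP arguments are assumptions; on CentOS the httpd group is apache.

```sh
#!/bin/sh
# Added example, not from the thread. Apply "deploy user owns, httpd group
# reads, nobody else" to a web root and audit the result.
# Arguments are assumptions: DIR is the document root, OWNER the account
# that edits the site, GROUP the group httpd runs as (apache on CentOS).

harden_webroot() {
    dir=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$dir" || return 1
    # Directories: owner rwx, httpd group r-x (can traverse), others nothing.
    find "$dir" -type d -exec chmod 750 {} + || return 1
    # Files: owner rw, httpd group r, others nothing. No group write anywhere,
    # so a compromised PHP page cannot drop or edit files under the root.
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# Number of entries the httpd group or anyone else could write to.
# Zero is the goal; anything else names a place a web shell could land.
count_writable() {
    find "$1" -perm /022 | wc -l | tr -d ' '
}

# Fail (return 1) and list offenders if the tree is not read-only to httpd,
# so this can gate a deploy.
audit_webroot() {
    bad=$(find "$1" -perm /022)
    if [ -n "$bad" ]; then
        printf 'writable by group/other:\n%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run it as root (`harden_webroot /var/www/html somewebuser apache`). If the site needs a writable cache or upload directory, grant that one directory explicitly afterwards and exclude it from the audit. chmod and chown do not touch SELinux labels, so a document root moved outside /var/www also needs `semanage fcontext` and `restorecon`, which is what the SELinux question later in the thread is about.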


Re: [CentOS] Permissions for LAMP

2014-01-25 Thread Joseph Hesse
On 01/25/2014 07:32 AM, Steven Tardy wrote:
> On Sat, Jan 25, 2014 at 7:33 AM, Joseph Hesse  wrote:
>
>> I am running a LAMP server on a CentOS 6.5 box. It works fine, but I am
>> concerned that I may have the wrong file/dir permissions.
>>
>> The directories /var and /var/www are root:root and 755.
>>
>> For /var/www/html and all directories underneath I have apache:apache
>> and 770.
>>
>> For all files under /var/www/html I have apache:apache and 660.
>>
>> Are these permissions OK?
>>
>> Thank you,
>> Joe
>>
> The problem with your /var/www/html permissions is that the user/group "apache"
> can write to directories and files. That can be used by anyone on the
> internet (bad guys) to use potentially exploitable dynamic
> pages (.php/.cgi/etc.) to add/modify files on your server. This is a bad
> thing. SELinux may offer some protections.
> I would:
>   chmod -R g-w /var/www/html
>   chown -R somewebuser /var/www/html
> (replace somewebuser with the unix user account used to modify the website.)
>
>   http://wiki.apache.org/httpd/FileSystemPermissions
I now understand, by rtfd, how to set it up so apache owns nothing and 
does not have write permission.
For my understanding, please tell me what a bad guy would have to do to 
exploit apache having read/write permission.
Thank you,
Joe




Re: [CentOS] Permissions for LAMP

2014-01-25 Thread Always Learning

On Sat, 2014-01-25 at 08:32 -0500, Steven Tardy wrote:

> The problem with your /var/www/html permissions is that the user/group "apache"
> can write to directories and files. That can be used by anyone on the
> internet (bad guys) to use potentially exploitable dynamic
> pages (.php/.cgi/etc.) to add/modify files on your server. This is a bad
> thing. SELinux may offer some protections.
> I would:
>   chmod -R g-w /var/www/html
>   chown -R somewebuser /var/www/html
> (replace somewebuser with the unix user account used to modify the website.)
> 
>   http://wiki.apache.org/httpd/FileSystemPermissions

On my setup I have all web pages in a special root directory

/data/web/do/domain-name/sub-domain-name/files

with a non-standard user having rw-r--r--.

Apache can't write to anything except

/data/web/logs/

I have self-created web site defences which, instantly after the first
hacking attempt, block the hacker's IP address. I am not giving hackers
unlimited opportunities to continue trying to break in.


-- 
Paul.
England,
EU.

   Our systems are exclusively Linux. No Micro$oft Windoze here.



Re: [CentOS] Permissions for LAMP

2014-01-25 Thread John R Pierce
On 1/25/2014 6:12 AM, Joseph Hesse wrote:
> For my understanding, please tell me what a bad guy would have to do to
> exploit apache having read/write permission.

A) exploit a bug in PHP or Apache, perhaps known but not yet patched, or 
totally unknown

B) corrupt a database via a SQL Injection Exploit (see 
http://xkcd.com/327/ ), thence triggering a bug in your PHP code

C) take advantage of poorly written php or whatever code that allows a 
page to be uploaded (such as a photo attachment feature on a blog's 
comment engine), then manage to invoke and execute that 'picture' which 
turns out to be evil php code, now running as apache on your system.

D) ??? It's amazing how resourceful starving 3rd world geeks are when 
money is put in front of them by mobsters.



-- 
john r pierce  37N 122W
somewhere on the middle of the left coast

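John's item C, the "picture" that is really PHP, is something you can check for on the upload directory itself. As an added example (not from the thread), a POSIX shell scanner that flags files with image extensions whose leading bytes are not an image signature, or that carry a PHP open tag inside an otherwise valid image (a polyglot). The upload directory, the extension list and the sample files are constructed for the example. It is a detection aid only; the structural fix is to keep uploads outside the document root, or to serve them from a location where the PHP handler is switched off.

```sh
#!/bin/sh
# Added example, not from the thread. Scan an upload directory for "images"
# that are really PHP. Extension list and directory are illustrative.

# First four bytes of a file as lowercase hex, e.g. ffd8ffe0 for JPEG.
magic_hex() {
    od -An -N4 -tx1 "$1" | tr -d ' \n'
}

# 0 if the file's leading bytes match what its extension claims, else 1.
magic_matches_ext() {
    f=$1
    m=$(magic_hex "$f")
    case "$f" in
        *.jpg|*.jpeg) case "$m" in ffd8ff*)   return 0 ;; esac ;;
        *.png)        [ "$m" = "89504e47" ] && return 0 ;;
        *.gif)        case "$m" in 47494638*) return 0 ;; esac ;;
    esac
    return 1
}

# 0 if a PHP open tag (<?php or <?=) appears anywhere in the file.
# -a forces grep to treat binary data as text.
has_php_tag() {
    grep -q -a -E '<\?(php|=)' "$1"
}

# Print "<path>\t<reason>" for each suspicious upload.
#   bad-magic     : extension says image, bytes say otherwise (plain PHP renamed)
#   php-in-image  : real image header with PHP appended (polyglot)
scan_uploads() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
                         -o -iname '*.png' -o -iname '*.gif' \) |
    while IFS= read -r f; do
        if ! magic_matches_ext "$f"; then
            printf '%s\tbad-magic\n' "$f"
        elif has_php_tag "$f"; then
            printf '%s\tphp-in-image\n' "$f"
        fi
    done
}
```

A polyglot passes the magic check and is only caught by the tag scan, which is why both checks are needed; neither replaces disabling script execution in the upload location.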


Re: [CentOS] Permissions for LAMP

2014-01-25 Thread John R Pierce
On 1/25/2014 6:20 AM, Always Learning wrote:
> On my setup I have all web pages in a special root directory
>
> /data/web/do/domain-name/sub-domain-name/files
>
> with a non-standard user having rw-r--r--.
>
> Apache can't write to anything except
>
> /data/web/logs/
>
> I have self-created web site defences which, instantly after the first
> hacking attempt, block the hacker's IP address. I am not giving hackers
> unlimited opportunities to continue trying to break in.

And you have configured SELinux to allow all this?

FWIW, I usually put websites in /home/someuser/html, where each virtual 
host has its own user account who owns said files and manages his own 
stuff. Even if that user is really me, I use sudo to log on as a given 
user to edit that site's files.

re: your intrusion detection system, mod_evasive is a useful tool for 
creating such.


-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] Permissions for LAMP

2014-01-25 Thread Always Learning

On Sat, 2014-01-25 at 10:00 -0800, John R Pierce wrote:


> re: your intrusion detection system, mod_evasive is a useful tool for 
> creating such.

Mine works like this:

1. All errors 301, 302, 400, 401, 403, 500 etc. are sent to a standard
PHP file

ErrorDocument 401 /error.php?code=401

2. In that PHP file, the original HTTP method etc. are extracted

$code    = $_GET['code'];
$method0 = @$_SERVER['REDIRECT_REQUEST_METHOD'];
$method  = $_SERVER['REQUEST_METHOD'];
$mm      = date('m');
$webpage = $_SERVER["REQUEST_URI"];
if (!$webpage) $webpage = "(none)";

3. If the web page requested is one of the usual 'php.' or other
frequent ones, the banned variable is set.

4. If it is HTML activity on an IP address and not on a valid domain name,
the banned variable is set.

5. Ditto if the method is not allowed, for example POST, CONNECT etc.

6.

if ($ban) {
    $ipx = $ip1;
    exec("sudo -u root -t pts/1 /sbin/iptables -A 1banned." . $mm . " -j DROP -s " . $ipx);
}

7. There are 12 banned tables in iptables for port 80 traffic, one for
every month. Every month a new table is populated with banned IP
addresses. The current month (January) is named banned.01

8. I keep the contents (the banned IPs) for about a month, then flush
the table (emptying it).

9. Data Centres are blocked permanently for all port 80 traffic. I allow
known major crawlers.

That is the essence of my system. It's 5? years of refinements. It
catches virtually all hackers after their first attempt. I tried
filtering within iptables but it's difficult to read and blocking is also
difficult to read. My current system is readable, easily maintainable
and flexible.

My system also creates an email ready for sending to the IP's abuse
contact. I just have to copy and paste it into a database's webform and press
'send'. I have just complained; it took 1 minute 18 seconds - from opening
the warning email to pressing 'send' - to email a very comprehensive
report.

---
Date & time           = Saturday, 25 January 2014 20:21:21 UTC (GMT +00:00)
Server name           = d.com
Server IP             = 123.123.123.123
Submitted host name   = d.com
Submitted page name   = /components/com_content/router.php
From web page         = (none)
Browser               = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Remote host           = 5.45.72.16
Remote address        = 5.45.72.16
Remote name           = 5.45.72.16
Location              = , Netherlands.
Remote port           = 56067
Remote protocol       = HTTP/1.0
IP2 host              = -
IP2 address           = -
Forwarded-for host    = -
Forwarded-for address = -
HTML status code      = 404
HTML method           = GET

---

It's a Data Centre so 5.45.72.0/22 is now blocked. Just want a quiet and
enjoyable life :-)

Probably publish my set-up sometime this year.

-- 
Paul.
England,
EU.

   Our systems are exclusively Linux. No Micro$oft Windoze here.

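Harald's reply in the next message objects to the exec()/sudo call from the PHP error page. As an added example, not Paul's code, here are the same three rules (Host header that is a bare IP rather than a served name, known probe paths, disallowed methods) applied by a root-run cron job that reads Apache's log, so the web worker never needs a shell or a sudo rule. The LogFormat (%h %{Host}i \"%r\" %>s), the served hostnames, the allowed methods, the probe-path list and the sample lines are all assumptions constructed for the example; the iptables commands are printed for review rather than executed.

```sh
#!/bin/sh
# Added example, not Paul's code. The ban decision moved out of the web
# server: Apache only logs; a root-owned cron job reads the log and emits
# iptables rules, so PHP never needs exec() or a sudo entry.
# Assumed LogFormat "%h %{Host}i \"%r\" %>s", i.e. per line:
#   client-ip  host-header  "METHOD /path HTTP/1.x"  status
# SERVED_HOSTS, ALLOWED_METHODS and PROBE_PATHS are illustrative values.

SERVED_HOSTS="www.example.com example.com"
ALLOWED_METHODS="GET HEAD"
PROBE_PATHS='/phpmyadmin/|/pma/|/wp-login\.php|/xmlrpc\.php|/components/com_content/router\.php'

# 0 if the Host header is one of our real names; 1 for a bare IP or anything else.
host_is_ours() {
    for h in $SERVED_HOSTS; do
        [ "$1" = "$h" ] && return 0
    done
    return 1
}

method_allowed() {
    for m in $ALLOWED_METHODS; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# Classify one log line: print "<ip> <reason>" if it should be banned, else nothing.
classify() {
    line=$1
    ip=${line%% *}
    rest=${line#* }
    host=${rest%% *}
    req=${rest#*\"}; req=${req%%\"*}        # METHOD /path HTTP/1.x
    method=${req%% *}
    path=${req#* }; path=${path%% *}

    if ! host_is_ours "$host"; then
        echo "$ip host-not-served"
    elif printf '%s\n' "$path" | grep -q -i -E "$PROBE_PATHS"; then
        echo "$ip probe-path"
    elif ! method_allowed "$method"; then
        echo "$ip method-$method"
    fi
}

# Unique client IPs to ban, one per line, from a whole log file.
ban_list() {
    while IFS= read -r l; do
        classify "$l"
    done < "$1" | awk '{print $1}' | sort -u
}

# iptables commands for this month's chain (printed for review, not run).
ban_rules() {
    chain="banned.$(date +%m)"
    ban_list "$1" | while IFS= read -r ip; do
        printf '/sbin/iptables -A %s -s %s -j DROP\n' "$chain" "$ip"
    done
}
```

Run it from root's cron against the current log and pipe `ban_rules` into sh once the output looks right. The PHP error page then only has to log the request, and the monthly chains and the flush-after-a-month rotation Paul describes stay exactly as they are.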


Re: [CentOS] Permissions for LAMP

2014-01-25 Thread Always Learning

On Sat, 2014-01-25 at 21:44 +0100, Reindl Harald wrote:

> Am 25.01.2014 21:40, schrieb Always Learning:
> > 
> > if($ban)
> >{ $ipx = $ip1;
> >  exec("sudo -u root -t pts/1 /sbin/iptables -A 1banned.".$mm." -j
> > DROP -s ".$ipx);
> >}

> if your webserver is allowed to call exec() at all from php-scripts and
> even "sudo" this is a security hole as big as a house and you are a pure
> idiot - there is nothing more to say except some sane php settings for
> a webserver
> 
> disable_functions = "apache_child_terminate, chown, dl, exec, fileinode,
> get_current_user, getmypid, getmyuid, getrusage, highlight_file, link, mail,
> openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork,
> pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority,
> pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait,
> pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus,
> pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig,
> pcntl_wtermsig, pfsockopen, popen, posix_kill, posix_mkfifo, posix_setpgid,
> posix_setsid, posix_setuid, proc_close, proc_get_status, proc_nice, proc_open,
> proc_terminate, shell_exec, show_source, socket_accept, socket_bind, symlink,
> syslog, system"

Guten Abend Harald (that's a good old Norwegian name)

1. Both C6 and C5's /etc/php.ini have

disable_functions =

Neither C5's nor C6's /etc/php.ini has your list of dangerous PHP functions. One 
wonders why not, if they are so dangerous.

2. In your list you have 'mail' which I consider an essential PHP command in a 
production environment.

3. I'm willing to add your suggestions to php.ini except for three.

4. I'm puzzled how hackers can break in to use all those functions in your 
list. Can you elaborate please?

Mfg / best regards,

Paul.


-- 
Paul.
England,
EU.

   Our systems are exclusively Linux. No Micro$oft Windoze here.

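Paul's point 1 is easy to verify and to keep verified. As an added example (not from the thread), a POSIX shell audit that reads a php.ini, extracts its disable_functions value and reports which of a required deny-list are still callable. The REQUIRED list here is an assumption: the process-spawning subset of Harald's list only, with mail left out as Paul wants it in production. The php.ini path is an argument.

```sh
#!/bin/sh
# Added example, not from the thread. Check a php.ini against a required
# list of functions that must be disabled. REQUIRED is an illustrative
# subset (process-spawning functions only; mail deliberately omitted).
REQUIRED="exec passthru popen proc_open shell_exec system pcntl_exec"

# The disable_functions value of a php.ini, one function per line,
# quotes and spaces stripped. Empty output for the stock "disable_functions =".
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '" ' | tr ',' '\n'
}

# Print each REQUIRED function that the ini does not disable.
missing_disables() {
    have=$(disabled_functions "$1")
    for f in $REQUIRED; do
        printf '%s\n' "$have" | grep -q -x "$f" || echo "$f"
    done
}

# Return 1 (and say why) if any required function is still enabled,
# so the check can run from a deploy script or a nightly cron job.
audit_php_ini() {
    m=$(missing_disables "$1")
    if [ -n "$m" ]; then
        printf 'still enabled: %s\n' "$(echo "$m" | tr '\n' ' ')"
        return 1
    fi
    return 0
}
```

The file check only sees one ini; to confirm what the running interpreter actually has, compare with `php -r 'echo ini_get("disable_functions");'`, since files under /etc/php.d can override /etc/php.ini.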