Re: need help in rights delegation to a freelance web developer

2014-11-14 Thread Muhammad Yousuf Khan
On Wed, Nov 12, 2014 at 6:54 PM, Miles Fidelman mfidel...@meetinghouse.net
wrote:

 Muhammad Yousuf Khan wrote:




 NOTE: These help, but if you end up on the attacking end of a
 distributed bot attack, it's likely that your Apache server will
 get hosed -- at times, I've had to tune Apache (number of
 concurrent processes, number of concurrent queries), to keep our
 server from getting so overloaded that it crashes.



 Thanks for sharing every bit of information. Yes, I do want to tweak Apache
 concurrent connection and other settings. Is there any formula to do this?
 Would you like to share your thoughts on this?

  Unfortunately, what I shared is about all I know on the topic.  Most of
 my hardening of Wordpress and Apache was on-the-fly, in response to a
 botnet attack.  I did some googling and searching the WordPress plug-in
 site to find the plug-ins that I use, played with the settings a bit just
 to get things working, nothing orderly or that I could share as a best
 practice.  For Apache, I just started in the config file, reducing max_
 settings until I reached a level where I wasn't having to restart Apache
 every few minutes, or reboot the machine.  Unfortunately, the Wordpress
 site still becomes unreachable at times (when under attack), and the site
 runs slow at other times (limited number of concurrent accesses), but at
 least it doesn't take down the entire server - which is a good thing as the
 Wordpress site is a sideline; the server is really for mail and list
 processing.

 I did come across some references to software that could dynamically tune
 IP chains, based on wordpress level attacks -- to block IP addresses
 earlier in the processing chain, and I expect one could push that back to
 an external firewall -- but I never went all that far in exploring these.
 (If you end up doing so, please report back!).


I am actually a system and network engineer. I did all the protection on the
FW end, installed IPS/scan detection on the Linux machine, and my machine is
behind a firewall which I believe is properly configured, so there are many
layers of security. But protecting Apache traffic itself is a different domain
of security, because WP and template coding may have loopholes which you may
not control from the FW. Therefore learning the security of the web
application itself is an art.

By the way, I am working on mod_security and also on the All In One WP
Security module for the application layer, which I believe will help with bot
and other attacks. I am also planning to install fail2ban; however, as far as
I know F2B works on brute-force attacks, which are lower in my working
priorities.

BTW, thanks to all for sharing your inputs; I have learned a lot from this
thread. If anyone would like to add more, please go ahead; it will help
newbies in protecting their websites.

Thanks,
MYK




 Happy Tuning,

 Miles





Re: need help in rights delegation to a freelance web developer

2014-11-14 Thread Miles Fidelman

Muhammad Yousuf Khan wrote:



On Wed, Nov 12, 2014 at 6:54 PM, Miles Fidelman 
mfidel...@meetinghouse.net wrote:


Muhammad Yousuf Khan wrote:




NOTE: These help, but if you end up on the attacking end of a
distributed bot attack, it's likely that your Apache
server will
get hosed -- at times, I've had to tune Apache (number of
concurrent processes, number of concurrent queries), to
keep our
server from getting so overloaded that it crashes.



Thanks for sharing every bit of information. Yes, I do want to
tweak Apache concurrent connection and other settings. Is
there any formula to do this? Would you like to share your
thoughts on this?

Unfortunately, what I shared is about all I know on the topic. 
Most of my hardening of Wordpress and Apache was on-the-fly, in
response to a botnet attack.  I did some googling and searching
the WordPress plug-in site to find the plug-ins that I use, played
with the settings a bit just to get things working, nothing
orderly or that I could share as a best practice.  For Apache, I
just started in the config file, reducing max_ settings until I
reached a level where I wasn't having to restart Apache every few
minutes, or reboot the machine. Unfortunately, the Wordpress
site still becomes unreachable at times (when under attack), and
the site runs slow at other times (limited number of concurrent
accesses), but at least it doesn't take down the entire server -
which is a good thing as the Wordpress site is a sideline; the
server is really for mail and list processing.

I did come across some references to software that could
dynamically tune IP chains, based on wordpress level attacks -- to
block IP addresses earlier in the processing chain, and I expect
one could push that back to an external firewall -- but I never
went all that far in exploring these.  (If you end up doing so,
please report back!).


I am actually a system and network engineer. I did all the protection on 
the FW end, installed IPS/scan detection on the Linux machine, and my 
machine is behind a firewall which I believe is properly configured, so 
there are many layers of security. But protecting Apache traffic itself 
is a different domain of security, because WP and template coding may 
have loopholes which you may not control from the FW. Therefore learning 
the security of the web application itself is an art.


By the way, I am working on mod_security and also on the All In One WP 
Security module for the application layer, which I believe will help 
with bot and other attacks. I am also planning to install fail2ban; 
however, as far as I know F2B works on brute-force attacks, which are 
lower in my working priorities.




Good to hear that you're working on such.  Please advise when you have a 
security model to test!


Meanwhile, just to clarify, my thought about external firewalls was 
wondering if some of the adaptive firewalling, that can be done through 
dynamic change to IP chains configurations, could be extended to dynamic 
blocking by an external firewall (WP security module detects a 
persistent attack from an IP address, tells external firewall to filter 
that address).


BTW, thanks to all for sharing your inputs; I have learned a lot from 
this thread. If anyone would like to add more, please go ahead; it will 
help newbies in protecting their websites.




Well hey, that's what support lists are for (not just debating the 
merits of init systems :-).


Cheers,

Miles

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: https://lists.debian.org/5465fd2c.2060...@meetinghouse.net
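The hookup Miles describes in his reply above (a WordPress-level detector spots a persistent attacker and an earlier hop in the chain drops that address), as an added example that is not part of the original thread and not code from any of the plug-ins mentioned: a shell script that counts failed login POSTs per client IP in Apache's combined-format access log and emits iptables DROP rules for a dedicated chain. The log path, the chain name WPBLOCK, the threshold and the sample log lines are assumptions constructed for the example; on a real host the printed rules can be applied locally (APPLY=1) or handed to whatever manages the external firewall. A 200 response to a POST on wp-login.php is WordPress re-rendering the form after a failed login, while a successful login answers 302, so only 200s are counted there; xmlrpc.php answers 200 either way, so every POST to it counts.

```shell
#!/bin/sh
# Added example, not from the thread: count failed WordPress login POSTs per
# client IP in an Apache combined-format access log and emit iptables rules
# that drop the worst offenders. Paths, chain name, threshold and the sample
# log are assumptions for the example.

# Print "count ip", most active first, for every client with at least
# $2 (default 20) failed login POSTs in log file $1.
# Combined log fields as awk sees them:
#   $1 client ip   $6 "METHOD   $7 request path   $9 status code
# wp-login.php answers 200 to a failed login and 302 to a successful one;
# xmlrpc.php answers 200 either way, so every POST to it is counted.
wp_login_offenders() {
    logfile=$1
    threshold=${2:-20}
    awk -v thr="$threshold" '
        $6 == "\"POST" && (($7 ~ /\/wp-login\.php/ && $9 == 200) ||
                           $7 ~ /\/xmlrpc\.php/) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= thr) print hits[ip], ip }
    ' "$logfile" | sort -rn
}

# Turn the offender list into iptables rules in a dedicated chain so they can
# be reviewed and flushed (iptables -F WPBLOCK) without touching other rules.
# Rules are printed unless APPLY=1, in which case they are executed.
block_offenders() {
    chain=${WP_BLOCK_CHAIN:-WPBLOCK}
    wp_login_offenders "$1" "$2" | while read -r count ip; do
        rule="iptables -A $chain -s $ip -j DROP"
        if [ "${APPLY:-0}" = 1 ]; then
            $rule
        else
            echo "$rule   # $count failed login POSTs"
        fi
    done
}

# Constructed sample log (RFC 5737 test addresses), not real traffic:
# 203.0.113.7 fails five logins, 198.51.100.9 hits xmlrpc.php twice,
# 192.0.2.5 browses and logs in successfully once.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [14/Nov/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Nov/2014:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Nov/2014:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Nov/2014:10:00:08 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Nov/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Nov/2014:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
EOF
}

# Demo against the constructed log; on a real host use
#   block_offenders /var/log/apache2/access.log 20
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    sample_log > "$tmp"
    block_offenders "$tmp" 3
    rm -f "$tmp"
fi
```

Run from cron every few minutes with a threshold that a human typing passwords would never reach, and keep the chain separate from the rules that protect the mail and list services so a flush of WPBLOCK cannot open anything else.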



Re: Re: need help in rights delegation to a freelance web developer

2014-11-12 Thread Muhammad Yousuf Khan
 NOTE: These help, but if you end up on the attacking end of a distributed
 bot attack, it's likely that your Apache server will get hosed -- at times,
 I've had to tune Apache (number of concurrent processes, number of
 concurrent queries), to keep our server from getting so overloaded that it
 crashes.



Thanks for sharing every bit of information. Yes, I do want to tweak Apache
concurrent connection and other settings. Is there any formula to do this?
Would you like to share your thoughts on this?


Re: need help in rights delegation to a freelance web developer

2014-11-12 Thread Miles Fidelman

Muhammad Yousuf Khan wrote:




NOTE: These help, but if you end up on the attacking end of a
distributed bot attack, it's likely that your Apache server will
get hosed -- at times, I've had to tune Apache (number of
concurrent processes, number of concurrent queries), to keep our
server from getting so overloaded that it crashes.



Thanks for sharing every bit of information. Yes, I do want to tweak 
Apache concurrent connection and other settings. Is there any formula 
to do this? Would you like to share your thoughts on this?


Unfortunately, what I shared is about all I know on the topic.  Most of 
my hardening of Wordpress and Apache was on-the-fly, in response to a 
botnet attack.  I did some googling and searching the WordPress plug-in 
site to find the plug-ins that I use, played with the settings a bit 
just to get things working, nothing orderly or that I could share as a 
best practice.  For Apache, I just started in the config file, reducing 
max_ settings until I reached a level where I wasn't having to restart 
Apache every few minutes, or reboot the machine.  Unfortunately, the 
Wordpress site still becomes unreachable at times (when under attack), 
and the site runs slow at other times (limited number of concurrent 
accesses), but at least it doesn't take down the entire server - which 
is a good thing as the Wordpress site is a sideline; the server is 
really for mail and list processing.


I did come across some references to software that could dynamically 
tune IP chains, based on wordpress level attacks -- to block IP 
addresses earlier in the processing chain, and I expect one could push 
that back to an external firewall -- but I never went all that far in 
exploring these.  (If you end up doing so, please report back!).


Happy Tuning,

Miles

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra



Archive: https://lists.debian.org/54636694.2090...@meetinghouse.net
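Miles arrived at his max_ settings by trial and error; as an added example that is not from the thread and not what Miles ran, here is the memory-budget approach a sysadmin would use instead. The script derives Apache 2.2's prefork MaxClients (Debian 7 ships Apache 2.2; in 2.4 the directive is MaxRequestWorkers) from the RAM left over for Apache and the measured size of its worker processes, then emits the prefork block for /etc/apache2/apache2.conf. The rule of thumb, the reserve for the OS and MySQL, and the sample RSS figures are assumptions. The point is that MaxClients is a memory budget: once the workers together exceed RAM the box swaps, which is the "reboot the machine" failure Miles describes, whereas a value that is too low only makes the site slow. The short Timeout and KeepAliveTimeout matter under a bot flood because every idle connection pins a prefork worker.

```shell
#!/bin/sh
# Added example, not from the thread: size Apache 2.2's prefork MaxClients
# from a memory budget instead of trial and error. The rule of thumb, the
# reserve figures and the sample RSS values are assumptions.

# Average resident size in MB of the apache2 processes whose RSS (in KB,
# one per line, as printed by "ps -C apache2 -o rss=") is read from stdin.
avg_apache_rss_mb() {
    awk '{ sum += $1; n++ }
         END { if (n) printf "%d\n", sum / n / 1024; else print 0 }'
}

# MaxClients = (total RAM - memory reserved for the OS, MySQL, mail, ...)
#              / average worker RSS, all in MB. Prints 0 and fails when the
# worker size is unknown or nothing is left, so the caller cannot silently
# get a huge or negative number.
estimate_max_clients() {
    total_mb=$1; reserved_mb=$2; avg_mb=$3
    if [ "$avg_mb" -le 0 ] || [ "$total_mb" -le "$reserved_mb" ]; then
        echo 0; return 1
    fi
    echo $(( (total_mb - reserved_mb) / avg_mb ))
}

# Emit the prefork block for /etc/apache2/apache2.conf. ServerLimit caps
# MaxClients, so both are set; MaxRequestsPerChild recycles workers that
# grow (PHP leaks); short Timeout/KeepAliveTimeout free workers held by
# idle or slow bot connections.
prefork_config() {
    max=$1
    cat <<EOF
Timeout 30
KeepAlive On
KeepAliveTimeout 2
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    ServerLimit          $max
    MaxClients           $max
    MaxRequestsPerChild 1000
</IfModule>
EOF
}

# Demo with constructed figures (2 GB box, 768 MB kept for the OS and
# MySQL, workers of 40 and 50 MB). On the real host replace the printf with:
#   ps -C apache2 -o rss= | avg_apache_rss_mb
if [ "${1:-}" = demo ]; then
    avg=$(printf '40960\n51200\n' | avg_apache_rss_mb)
    max=$(estimate_max_clients 2048 768 "$avg")
    echo "# average worker RSS ${avg} MB -> MaxClients $max"
    prefork_config "$max"
fi
```

Measure the worker RSS while the site is busy (plug-ins such as the firewalls listed earlier load into every worker), and re-run after adding a plug-in: a 10 MB growth per worker at 30 workers is 300 MB that the budget no longer has.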



Re: need help in rights delegation to a freelance web developer

2014-11-11 Thread Carl Fink
On Tue, Nov 11, 2014 at 12:39:24PM +0500, Muhammad Yousuf Khan wrote:

 last time he was facing an issue with the rewrite module; however, I have
 installed that module for sure. I even checked with the apachectl command
 tool, so it is resolved for now.
 So I thought, in advance, if there is any list of necessary modules that are
 needed in a default website deployment, that would be great. Thus I will just
 directly install the stuff without wasting time on research.

As far as I know, the only non-default modules needed are mod_rewrite and
mod_php. (WordPress is written in PHP.) Technically you could presumably
skip mod_php and just use PHP as CGI but it would be both slower and
potentially less secure. 
-- 
Carl Fink   nitpick...@nitpicking.com 

Read my blog at blog.nitpicking.com.  Reviews!  Observations!
Stupid mistakes you can correct!


Archive: https://lists.debian.org/2014135228.ga3...@panix.com



Re: Re: need help in rights delegation to a freelance web developer

2014-11-11 Thread Miles Fidelman


 Secondly, do you guys have any advice on more security for WP? I have heard
 that WordPress is kind of weak in security. Maybe I am wrong, but I have
 heard that.

I've had no problems in several  years of hosting WP.

I do recommend NOT using the Debian package for WordPress. For security and
also better features, use the most recent version available at
wordpress.org. Installation is actually only slightly harder than the Debian
package--their claim of a 5-minute install is totally valid.



I would echo the comment about installing from source.  After doing so, 
Wordpress includes functions for installing plug-ins, updating both the 
base software and plug-ins from upstream, and so forth.


Re. security:  I find that our site gets hit rather frequently by 
various kinds of distributed attacks.  Wordpress is a very popular 
target for automated software that tries to crack it, spam it, and 
install spambots.  I've found it very helpful to install several 
plug-ins that provide various forms of firewall and blocking functions.  
In particular:

Akismet: anti-spam, comes in the basic install, but needs to be configured
iThemes Security - blocks brute force login attacks and such
VSF Simple Block - adaptive firewall
Wordpress Firewall 2 - another firewall
NOTE: These help, but if you end up on the attacking end of a 
distributed bot attack, it's likely that your Apache server will get 
hosed -- at times, I've had to tune Apache (number of concurrent 
processes, number of concurrent queries), to keep our server from 
getting so overloaded that it crashes.


Also:
BackWPup is a nice auto-backup tool

Miles Fidelman



Archive: https://lists.debian.org/546280a4.3060...@meetinghouse.net



Re: need help in rights delegation to a freelance web developer

2014-11-10 Thread Carl Fink
On Mon, Nov 10, 2014 at 07:20:46PM +0500, Muhammad Yousuf Khan wrote:
 For some testing we first want to install our WordPress website in-house,
 and for that I have designed a Debian 7 and installed all the necessary
 packages that are needed for the deployment.
 Now I want to grant rights to our freelance web developer so he can deploy
 the website. I never did this in the past; I am a one-man army. Now the
 firewall and all security-related things are already deployed with 1-to-1
 NAT.  However, now I want to give him very limited rights so that he can
 install the website without complaining and I can also feel secure.

If you have already installed WordPress and set up its database, you don't
need to give your developer any system-wide rights at all. Just make him
administrator of the WordPress site itself. If it's properly installed, he
can then install plugins, themes, etc. from the WP GUI.

If security is a concern (and it probably should be) you might consider
sandboxing WordPress and having its MySQL instance be separate from any other
MySQL uses on your server. Or maybe even putting it on its own virtual
instance.
-- 
Carl Fink   nitpick...@nitpicking.com 

Read my blog at blog.nitpicking.com.  Reviews!  Observations!
Stupid mistakes you can correct!


Archive: https://lists.debian.org/20141110143254.ga4...@panix.com



Re: need help in rights delegation to a freelance web developer

2014-11-10 Thread Muhammad Yousuf Khan
Thanks for sharing your input. What should the rights on /var/www and its
sub-directories be?
Currently it is root:root and 775.

Secondly, do you guys have any advice on more security for WP? I have heard
that WordPress is kind of weak in security. Maybe I am wrong, but I have
heard that.

No problem with the database; we only have a single database with one
user.

Moreover, our developer is also saying that he is having a problem running
our website on our current Debian 7 VM. Do you guys think there should be
some modules required in order to make things work properly?

Thanks,
MYK





On Mon, Nov 10, 2014 at 7:32 PM, Carl Fink c...@finknetwork.com wrote:

 On Mon, Nov 10, 2014 at 07:20:46PM +0500, Muhammad Yousuf Khan wrote:
  For some testing we first want to install our WordPress website in-house,
  and for that I have designed a Debian 7 and installed all the necessary
  packages that are needed for the deployment.
  Now I want to grant rights to our freelance web developer so he can
  deploy the website. I never did this in the past; I am a one-man army.
  Now the firewall and all security-related things are already deployed
  with 1-to-1 NAT.  However, now I want to give him very limited rights so
  that he can install the website without complaining and I can also feel
  secure.

 If you have already installed WordPress and set up its database, you don't
 need to give your developer any system-wide rights at all. Just make him
 administrator of the WordPress site itself. If it's properly installed, he
 can then install plugins, themes, etc. from the WP GUI.

 If security is a concern (and it probably should be) you might consider
 sandboxing WordPress and having its MySQL instance be separate from any
 other MySQL uses on your server. Or maybe even putting it on its own
 virtual instance.




Re: need help in rights delegation to a freelance web developer

2014-11-10 Thread Carl Fink
Please do not CC me on posts to the list. I read the list.

On Mon, Nov 10, 2014 at 11:24:55PM +0500, Muhammad Yousuf Khan wrote:
 Thanks for sharing your input. What should the rights on /var/www and its
 sub-directories be?
 Currently it is root:root and 775.

I would have www-data.www-data as owner, but it isn't likely to matter. Does
your Apache run as root? That is not considered good practice last I heard.

 Secondly, do you guys have any advice on more security for WP? I have heard
 that WordPress is kind of weak in security. Maybe I am wrong, but I have
 heard that.

I've had no problems in several  years of hosting WP. 

I do recommend NOT using the Debian package for WordPress. For security and
also better features, use the most recent version available at
wordpress.org. Installation is actually only slightly harder than the Debian
package--their claim of a 5-minute install is totally valid.

Again, your WordPress developer DOES NOT NEED A SHELL ACCOUNT OR ANY SERVER
PRIVILEGES at all, aside from being the administrator of the WordPress site.
Unless you are asking him to also INSTALL WordPress?

If WordPress works, permissions are OK. Again, none of this matters to the
WP developer once WordPress is installed.

And again, for best security give WordPress its own VM. You can get one for
literally $1 per month from http://www.nosupportlinuxhosting.com.

 Moreover, our developer is also saying that he is having a problem running
 our website on our current Debian 7 VM. Do you guys think there should be
 some modules required in order to make things work properly?

Much more information needed. Is this developer also doing non-WordPress
things? Is this a different developer? Most importantly, exactly what
problems is he having?
-- 
Carl Fink   nitpick...@nitpicking.com 

Read my blog at blog.nitpicking.com.  Reviews!  Observations!
Stupid mistakes you can correct!


Archive: https://lists.debian.org/20141110191454.ga18...@panix.com
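Carl's two points in the message above (ownership of /var/www, and whether Apache runs as root) and his earlier reply further up the page, which names mod_rewrite and mod_php as the only non-default modules WordPress needs, as one added example that is not from the thread: a preflight shell script for the Debian 7 host that checks the Apache worker processes are not running as root, reports which of the required modules are missing from apache2ctl -M, and normalizes the document root to www-data ownership with 755/644 permissions (wp-config.php tighter, since it holds the database password). On Debian the apache2 parent runs as root to bind port 80 and drops to the user set by APACHE_RUN_USER in /etc/apache2/envvars (www-data by default) for the workers, so "does Apache run as root" is really a question about the workers. The ps and apache2ctl listings parsed in the demo are constructed samples; the module name php5_module is Debian 7's libapache2-mod-php5.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for a Debian 7
# Apache + WordPress host. The ps/apache2ctl listings in the test are
# constructed; on the real host the real commands are piped in.

# Print the distinct users of apache2 worker processes from a
# "ps -eo user,pid,ppid,comm" listing on stdin. A worker is an apache2
# process whose parent is also apache2; the parent itself runs as root to
# bind port 80 and is expected, the workers must not.
apache_worker_users() {
    awk '$4 == "apache2" { user[$2] = $1; ppid[$2] = $3 }
         END { for (p in ppid) if (ppid[p] in user) print user[p] }' | sort -u
}

# Succeed only if no worker runs as root.
check_worker_users() {
    bad=$(apache_worker_users | grep -x root || true)
    [ -z "$bad" ]
}

# Print the required modules (Carl's list) missing from "apache2ctl -M"
# output on stdin; prints nothing when all are loaded.
missing_modules() {
    loaded=$(awk '{ print $1 }')
    for m in rewrite_module php5_module; do
        echo "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# Normalize a WordPress document root: directories 755, files 644,
# wp-config.php 640 (holds the DB password), owner www-data so the WP
# admin can install plugins and themes from the GUI without shell access.
# chown needs root and the www-data account, so it is skipped otherwise.
fix_docroot_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
    if [ "$(id -u)" -eq 0 ] && id www-data >/dev/null 2>&1; then
        chown -R www-data:www-data "$root"
    fi
}

# Usage on the host:  ./preflight.sh check   |   ./preflight.sh perms /var/www
case "${1:-}" in
    check)
        if ps -eo user,pid,ppid,comm | check_worker_users; then
            echo "apache2 workers run as: $(ps -eo user,pid,ppid,comm | apache_worker_users)"
        else
            echo "WARNING: an apache2 worker is running as root; check User/APACHE_RUN_USER"
        fi
        missing=$(apache2ctl -M 2>/dev/null | missing_modules)
        [ -z "$missing" ] && echo "required modules loaded" || echo "missing: $missing"
        ;;
    perms)
        fix_docroot_perms "${2:-/var/www}"
        ;;
esac
```

The ownership choice follows Carl's advice; if the developer only ever works through the WP admin GUI, www-data is the single account that needs to write under wp-content, and the original root:root 775 tree would have stopped plug-in installs from the GUI without any shell access having been granted.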



Re: need help in rights delegation to a freelance web developer

2014-11-10 Thread Muhammad Yousuf Khan



 On Mon, Nov 10, 2014 at 11:24:55PM +0500, Muhammad Yousuf Khan wrote:
  Thanks for sharing your input. What should the rights on /var/www and
  its sub-directories be?
  Currently it is root:root and 775.

 I would have www-data.www-data as owner, but it isn't likely to matter.
 Does your Apache run as root? That is not considered good practice last I
 heard.


OK, changing the rights as suggested.
Since I am new, any guide or advice on running Apache as non-root would be
highly appreciated.



  Secondly, do you guys have any advice on more security for WP? I have
  heard that WordPress is kind of weak in security. Maybe I am wrong, but I
  have heard that.

 I've had no problems in several years of hosting WP.

 I do recommend NOT using the Debian package for WordPress. For security and
 also better features, use the most recent version available at
 wordpress.org. Installation is actually only slightly harder than the
 Debian package--their claim of a 5-minute install is totally valid.

 Again, your WordPress developer DOES NOT NEED A SHELL ACCOUNT OR ANY SERVER
 PRIVILEGES at all, aside from being the administrator of the WordPress
 site. Unless you are asking him to also INSTALL WordPress?

 If WordPress works, permissions are OK. Again, none of this matters to the
 WP developer once WordPress is installed.

 And again, for best security give WordPress its own VM. You can get one for
 literally $1 per month from http://www.nosupportlinuxhosting.com.


Thanks for sharing the knowledge; I will check this out.


  Moreover, our developer is also saying that he is having a problem running
  our website on our current Debian 7 VM. Do you guys think there should be
  some modules required in order to make things work properly?

 Much more information needed. Is this developer also doing non-WordPress
 things? Is this a different developer? Most importantly, exactly what
 problems is he having?


I think there is nothing he is doing outside WP, AFAIK.
Last time he was facing an issue with the rewrite module; however, I have
installed that module for sure. I even checked with the apachectl command
tool, so it is resolved for now.
So I thought, in advance, if there is any list of necessary modules that are
needed in a default website deployment, that would be great. Thus I will just
directly install the stuff without wasting time on research.



