Re: Help to secure my FreeBSD/Apache installation

2013-07-17 Thread Polytropon
On Wed, 17 Jul 2013 23:11:27 +0200, Andy Wodfer wrote:
> Hi everybody!
> 
> I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,
> php 5.3.3) and I server some websites from it, most of them using Joomla or
> Wordpress CMS.

Those are typical (and known) attack vectors. Make sure you're
always up to date regarding fixes!



> I recently had a security breach where someone used a hole in an older
> Joomla version and was able to install a php script called webadmin.php.
> From that the person was able to browse all folders and view all files -
> and change them... not nice!

This implies you cannot know in how far your system has been
compromized. I'd suggest a new installation. Make backups of
user files and configurations. Make sure you audit them (so
you won't re-install a possible backdoor after a clean install).



> I need some help and pointers to what I can do to strengthen security and
> to atleast prevent someone from writing to the filesystem and browse all
> directories and files. (allthough joomla needs some folders to be chmod 777)


> I'm thinking about installing apache2-mpm-itk or similare to jail each site
> into its own directory and run each virtualhost as its own user. Is this a
> good idea?

At least it is a _working_ idea. If it is actually a good
idea depends on many different factors. Jails are a good
means of separation. Sometimes, using "simple user accounts"
is sufficient, but especially regarding complex web content
(such as CMS, stuff that involves PHP and whatnot) the more
security you can add, the better it is.

Also install portaudit to check for security fixes that have
been made available for the software you're running.

Apply restrictions as hard as possible. If programs want write
access to specific directories, try to make then writable per
uer accounts, not within the global tree structure (or even
within system directories).

The "nobody" user can also be helpful (regarding on what you
are running).

If you can separate the different CMSs and sites, a possible
security breach will be restricted to that only instance. It
can be taken down without affecting the other sites.

But also: Educate your users. In order to do that, use money.
Make them pay. ;-)




PS.
Allow me a short addition, I know people will beat me with
a pointed stick for mentioning it, but: There are no "folders".
This term is wrong. What you mean are called directories.
A folder is the name of one visual representation (among
others) of a directory in a graphical user interface. It
_is_ not a directory and it is not similar to one. It's
comparable to the relation of the handbrake light in your
car's dashboard vs. the real handbrake. Don't claim your
handbrake light isn't working when in fact your handbrake
is broken. :-)

Bottom line: Directory correct, "folder" plain wrong. You
don't call files "sheets of paper" either. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Help to secure my FreeBSD/Apache installation

2013-07-17 Thread Julian H. Stacey
Hi, Reference:
> From: "Julian H. Stacey"  
> Date: Wed, 17 Jul 2013 23:38:51 +0200 

"Julian H. Stacey" wrote:
> Hi, Reference:
> > From:   Andy Wodfer  
> > Date:   Wed, 17 Jul 2013 23:11:27 +0200 
> 
> Andy Wodfer wrote:
> > Hi everybody!
> > 
> > I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,
> 
> To quote front page of http://www.freebsd.org:
> * Production: 9.1
> * Legacy: 8.4
> My net. con. is too slow right now to check this for you, but look
> yourself, I bet FreeBSD-8.1 was long ago declared by security-officer@
> as not supported as too old,

Re version numbers:
  Your 8.1 STABLE does not exist !
  Only 8 Stable, 8.1-RELEASE, 8.2-RELEASE, etc.
  
  http://www.freebsd.org/security/unsupported.html
  8.1 & 8.2 not supported. 
  
  http://www.freebsd.org/security/index.html#sup
  
  9.1-RELEASE has /usr/ports/www/apache22/work/httpd-2.2.23

> Upgrade to 8.4 or 9.1, 
> Reinstall new versions of all ports,
> cd /usr/ports/ports-mgmt/portaudit  ; make install ; rehash ; portaudit ; 
> # (Which is in 9.1 & not in 8.2) 
> port-audit

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Help to secure my FreeBSD/Apache installation

2013-07-17 Thread Julian H. Stacey
Hi, Reference:
> From: Andy Wodfer  
> Date: Wed, 17 Jul 2013 23:11:27 +0200 

Andy Wodfer wrote:
> Hi everybody!
> 
> I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,

To quote front page of http://www.freebsd.org:
* Production: 9.1
* Legacy: 8.4
My net. con. is too slow right now to check this for you, but look
yourself, I bet FreeBSD-8.1 was long ago declared by security-officer@
as not supported as too old,

> php 5.3.3) and I server some websites from it, most of them using Joomla or
> Wordpress CMS.
> 
> I recently had a security breach where someone used a hole in an older
> Joomla version and was able to install a php script called webadmin.php.
> From that the person was able to browse all folders and view all files -
> and change them... not nice!
> 
> Apache runs using the www user (std installation) and all virtualhosts
> share the same user, but are placed in different directories.
> 
> I need some help and pointers to what I can do to strengthen security and
> to atleast prevent someone from writing to the filesystem and browse all
> directories and files. (allthough joomla needs some folders to be chmod 777)
> 
> I'm thinking about installing apache2-mpm-itk or similare to jail each site
> into its own directory and run each virtualhost as its own user. Is this a
> good idea?
> 
> Thankful for answers and pointers!
> 
> All the best -
> Andy

Upgrade to 8.4 or 9.1, 
Reinstall new versions of all ports,
cd /usr/ports/ports-mgmt/portaudit  ; make install ; rehash ; portaudit ; 
# (Which is in 9.1 & not in 8.2) 
port-audit

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Help to secure my FreeBSD/Apache installation

2013-07-17 Thread Andy Wodfer
Hi everybody!

I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,
php 5.3.3) and I server some websites from it, most of them using Joomla or
Wordpress CMS.

I recently had a security breach where someone used a hole in an older
Joomla version and was able to install a php script called webadmin.php.
>From that the person was able to browse all folders and view all files -
and change them... not nice!

Apache runs using the www user (std installation) and all virtualhosts
share the same user, but are placed in different directories.

I need some help and pointers to what I can do to strengthen security and
to atleast prevent someone from writing to the filesystem and browse all
directories and files. (allthough joomla needs some folders to be chmod 777)

I'm thinking about installing apache2-mpm-itk or similare to jail each site
into its own directory and run each virtualhost as its own user. Is this a
good idea?

Thankful for answers and pointers!

All the best -
Andy
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"