Suggestion about apache-php secure configuration


voltron81
28th October 2009, 19:25
Hello to everybody.
I've set up a mail server following the Perfect Server how-to.
I'm using the Debian distribution.
I've set up ISPFirewall and I want to configure Apache and PHP so that the system is quite secure.
A month ago my server was hacked by somebody who used a bug in roundcube (now fixed) and was able to launch a wget command that downloaded a script...

Do you have any suggestions about the configuration of these two programs and, more in general, about the security of the server?

Thanks
Michele

till
29th October 2009, 10:17
Do you use mod_php, php-fcgi or suphp for the websites?

voltron81
29th October 2009, 11:50
Hi Till,
I use this server just as an email server... I'm not managing any websites...

Thanks
Michele

voltron81
29th October 2009, 12:56
Basically my configuration is: all the programs listed here: http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3
plus roundcube 0.3 stable.

I've just added in /etc/apache2/sites-enabled/000-default the line:
ServerSignature Off
so that they cannot see which version of Apache I have.
I've also added this in apache.conf:
<FilesMatch \.(inc|conf)>
Order Allow,Deny
Deny from all
</FilesMatch>

and set the Timeout to 45.

damir
29th October 2009, 14:36
You can beef up Apache security a little by installing mod_security and disabling all modules that are not used. Set ServerTokens to Prod, restrict access rights to site content and lastly chroot Apache.

The last part I'm not sure if it works with ISPConfig?

Regarding PHP, you should run it as the website owner. Set display_errors to Off, set expose_php to Off, set log_errors to On. register_globals should be Off. Then we have Safe Mode, but there is ISPConfig interaction with the services that has to be taken into consideration when you are hardening services.

voltron81
29th October 2009, 14:46
Thanks Damir for your suggestions.

Unfortunately I'm not an expert, so I don't know 100% where I can find these values that I have to modify.
Anyway I'll try to do it...
Do you know if there is a how-to on the web that explains more about these modifications?

Thanks a lot

Michele

damir
29th October 2009, 15:20
Modsecurity2: http://www.mogilowski.net/lang/en-us/2008/12/03/secure-apache-2-with-mod-security-2-on-debian-lenny/ or http://howtoforge.org/apache2_mod_security_debian_etch

The rest of the stuff is in the apache2.conf and php.ini files.

/etc/apache/apache2.conf
/etc/php5/apache2/php.ini

In most cases google and howtoforge are your friends :)
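As an added example (not posted by anyone in this thread), a small POSIX shell audit that checks a php.ini and an apache2.conf for the directives damir lists above (display_errors, expose_php, log_errors, register_globals, ServerTokens, ServerSignature) and reports anything unset or weak. The file paths in the usage comments are the Debian ones from his post; the value handling (last uncommented assignment wins, On/1/Yes and Off/0/No are equivalent) follows PHP's own rules.

```shell
#!/bin/sh
# Added example, not from the thread: audit php.ini and apache2.conf for the
# hardening directives recommended above. Typical use on the Debian paths given:
#   audit_php_ini /etc/php5/apache2/php.ini
#   audit_apache_conf /etc/apache2/apache2.conf
# Each function prints one line per finding and returns the number of findings.

# Lower-case a value and strip quotes so Off, off and "Off" compare equal.
norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '"'; }

# bool_ok VALUE WANT: does the normalised php.ini VALUE mean WANT (on|off)?
# PHP reads 1/On/Yes/True as on and 0/Off/No/False/empty as off.
bool_ok() {
    case "$2:$1" in
        on:on|on:1|on:yes|on:true) return 0 ;;
        off:off|off:0|off:no|off:false|off:) return 0 ;;
    esac
    return 1
}

# audit_php_ini FILE: an unset directive is a finding too, because the
# built-in defaults (e.g. expose_php = On) are the weak ones.
audit_php_ini() {
    n=0
    for spec in display_errors=off expose_php=off log_errors=on register_globals=off; do
        key=${spec%=*}; want=${spec#*=}
        # last uncommented assignment wins, as in PHP; ';' starts a comment
        have=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" |
               tail -n 1 | sed 's/[[:space:]]*$//')
        if ! grep -q "^[[:space:]]*${key}[[:space:]]*=" "$1"; then
            echo "php.ini: $key is not set (want $want)"; n=$((n+1))
        elif ! bool_ok "$(norm "$have")" "$want"; then
            echo "php.ini: $key should be $want (found '$have')"; n=$((n+1))
        fi
    done
    return $n
}

# audit_apache_conf FILE: Apache directives are "Name Value"; '#' comments out a line.
audit_apache_conf() {
    n=0
    for spec in ServerTokens=prod ServerSignature=off; do
        key=${spec%=*}; want=${spec#*=}
        have=$(sed -n "s/^[[:space:]]*${key}[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
        [ "$(norm "$have")" = "$want" ] ||
            { echo "apache: $key should be $want (found '${have:-unset}')"; n=$((n+1)); }
    done
    return $n
}
```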

voltron81
29th October 2009, 15:57
Thanks Damir,
I'll try it