Suggestion about apache-php secure configuration
HowtoForge Forums, ISPConfig 3 > Installation/Configuration

#1 voltron81, 28th October 2009, 18:25
Hello to everybody.
I've set up a mail server following the Perfect Server how-to.
I'm using the Debian distribution.
I've set up ISPFirewall and I want to configure Apache and PHP so that the system is reasonably secure.
A month ago my server was hacked by somebody who used a bug in Roundcube (now fixed) and was able to launch a wget command that downloaded a script...

Do you have any suggestions about the configuration of these two programs and, more in general, about the security of the server?

Thanks
Michele

#2 till, 29th October 2009, 09:17

Do you use mod_php, php-fcgi or suphp for the websites?
--
Till Brehm
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3 voltron81, 29th October 2009, 10:50

Hi Till,
I use this server just as an email server... I'm not managing any website...

Thanks
Michele

#4 voltron81, 29th October 2009, 11:56

Basically my configuration is all the programs listed here: http://www.howtoforge.com/perfect-se...nny-ispconfig3
plus Roundcube 0.3 stable.

I've just added in /etc/apache2/sites-enabled/000-default the line:
Code:
ServerSignature Off
so that they cannot see which version of Apache I have.
I've also added in apache2.conf this:
Code:
# Deny web access to include and config files; the pattern is quoted and
# anchored with $ so it matches only on the file name's extension
<FilesMatch "\.(inc|conf)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
and set the Timeout to 45.

#5 damir, 29th October 2009, 13:36

You can beef up Apache security a little by installing mod_security and disabling all modules that are not used. Set ServerTokens to Prod, restrict access rights to site content and lastly chroot Apache.

The last part I'm not sure if it works with ISPConfig?

Regarding PHP, you should run it as the website owner. Set display_errors to Off, set expose_php to Off, set log_errors to On. register_globals should be Off. Then there is Safe Mode, but there is ISPConfig interaction with the services that has to be taken into consideration when you are hardening services.

#6 voltron81, 29th October 2009, 13:46

Thanks Damir for your suggestions.

Unfortunately I'm not an expert, so I don't know 100% where I can find these values that I have to modify.
Anyway I'll try to do it...
Do you know if on the web there is a how-to that explains more about these modifications?

Thanks a lot

Michele

#7 damir, 29th October 2009, 14:20

Modsecurity2: http://www.mogilowski.net/lang/en-us...-debian-lenny/ or http://howtoforge.org/apache2_mod_security_debian_etch

The rest of the settings are in the apache2.conf and php.ini files.

/etc/apache/apache2.conf
/etc/php5/apache2/php.ini

In most cases Google and HowtoForge are your friends.
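Added example, not from the thread and not ISPConfig's own tooling: a small POSIX shell audit that reads a php.ini and an apache2.conf and reports whether the directives named in posts #5 and #7 (display_errors, expose_php, log_errors, register_globals, ServerTokens, ServerSignature) carry the hardened values. The sample config files it creates are constructed for the demonstration; on a real Debian box you would pass the paths post #7 names.

```shell
#!/bin/sh
# Added example, not from the thread: audit the php.ini / apache2.conf directives
# recommended in posts #5 and #7. Real files on Debian would be the paths post #7
# names; the sample files created below are constructed for demonstration.

# Effective value of a php.ini directive, lowercased (last uncommented
# "key = value" line wins; empty when the directive is not set).
php_ini_get() {  # $1 = php.ini path, $2 = directive name
    grep -iE "^[[:space:]]*$2[[:space:]]*=" "$1" \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*(;.*)?$//' \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Effective value of an Apache directive, lowercased (last occurrence wins).
apache_get() {  # $1 = apache2.conf path, $2 = directive name
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" \
        | awk '{print $2}' | tail -n 1 | tr 'A-Z' 'a-z'
}

# Print ok/WEAK per directive; an unset directive counts as WEAK because the
# point is to pin the value explicitly. Returns the number of WEAK settings.
audit_hardening() {  # $1 = php.ini path, $2 = apache2.conf path
    weak=0
    for spec in php:display_errors:off php:expose_php:off php:log_errors:on \
                php:register_globals:off apache:ServerTokens:prod \
                apache:ServerSignature:off; do
        src=${spec%%:*}; rest=${spec#*:}; key=${rest%%:*}; want=${rest##*:}
        if [ "$src" = php ]; then got=$(php_ini_get "$1" "$key")
        else got=$(apache_get "$2" "$key"); fi
        [ -z "$got" ] && got="(unset)"
        if [ "$got" = "$want" ]; then echo "ok   $src $key=$got"
        else echo "WEAK $src $key=$got (want $want)"; weak=$((weak + 1)); fi
    done
    return $weak
}

# Constructed sample configs, deliberately weak in four places.
SAMPLE_PHP_INI=$(mktemp); SAMPLE_APACHE_CONF=$(mktemp)
cat > "$SAMPLE_PHP_INI" <<'EOF'
display_errors = On
expose_php = On
log_errors = On
;register_globals = On   ; commented out, so the directive is unset
EOF
cat > "$SAMPLE_APACHE_CONF" <<'EOF'
ServerTokens Full
ServerSignature Off
EOF
audit_hardening "$SAMPLE_PHP_INI" "$SAMPLE_APACHE_CONF" || echo "$? weak setting(s)"
```

The audit reads only the two files it is given and does not follow Include, so a directive placed in sites-enabled/000-default, as in post #4, has to be checked by passing that file as the Apache config instead.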

#8 voltron81, 29th October 2009, 14:57

Thanks Damir,
I'll try it