  #1  
Old 1st February 2010, 18:43
u4david u4david is offline
Member
 
Join Date: Nov 2009
Posts: 99
Thanks: 1
Thanked 0 Times in 0 Posts
Default Security tips needed

ISPConfig 3 security tips.
Wonder what is good practice to have a secure environment within ISPConfig 3.
Is that pretty much secured out of the box? (Kind of doubt that.) Any tips on where to look for loopholes?
Account management tips?
FTP, SSH, dtb accounts security tips?
CMS within ISPConfig 3 security tips?
Thank you.

Last edited by u4david; 1st February 2010 at 19:30.
Reply With Quote
  #2  
Old 1st February 2010, 20:28
damir damir is offline
Senior Member
 
Join Date: Jun 2006
Posts: 375
Thanks: 11
Thanked 51 Times in 42 Posts
Default

Debian Lenny as base system is pretty secure but you can always make it more secure.

Start by disabling services that you don't need. Install rcconf and disable the services that you don't need. Reboot the OS.

Mount /tmp with noexec to keep away script kiddies.
Install mod_security2 to filter out most common web junk. Install mod_evasive to ease DDoS attacks.
Tweak your apache2 settings by changing the following settings:
ServerSignature Off
ServerTokens Prod

Tweak your php:
expose_php = Off
display_errors = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, escapeshellarg, escapeshellcmd, proc_open

Open basedir is set by ispconfig.

Install a policy firewall and tweak the settings. There is a Bastille firewall in ISPConfig that you can use.

There is much more but this is the basic web stuff. You can always read:

http://www.debian.org/doc/manuals/se...-debian-howto/
Reply With Quote
The Following User Says Thank You to damir For This Useful Post:
yoplait (1st February 2010)
  #3  
Old 2nd February 2010, 03:40
u4david u4david is offline
Member
 
Join Date: Nov 2009
Posts: 99
Thanks: 1
Thanked 0 Times in 0 Posts
Default So far i got

in /etc/apache2/httpd.conf added:
ServerSignature Off
ServerTokens Prod


in /etc/php5/apache2 & cgi & cli I changed/added in the php.ini:
expose_php = Off
display_errors = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, escapeshellarg, escapeshellcmd, proc_open

So this is what I have so far.

I will create tmp and mount it as described. Any recommendation on the size of the tmp or the type of file system?

The other tips provided will require more explanation, please: how-to links and stuff.
Reply With Quote
  #4  
Old 2nd February 2010, 12:34
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 37,045
Thanks: 841
Thanked 5,661 Times in 4,468 Posts
Default

Also make sure that the security level is set to high in the ISPConfig server settings.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 2nd February 2010, 20:01
yoplait yoplait is offline
Senior Member
 
Join Date: Dec 2009
Posts: 144
Thanks: 50
Thanked 14 Times in 11 Posts
Default

By the way, what are the differences between these levels in ISPConfig?
Reply With Quote
  #6  
Old 2nd February 2010, 20:14
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 37,045
Thanks: 841
Thanked 5,661 Times in 4,468 Posts
Default

The differences are in the file and folder permissions of the sites and in the vhost file.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #7  
Old 21st July 2010, 23:13
007007 007007 is offline
Senior Member
 
Join Date: Jul 2010
Posts: 139
Thanks: 5
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by u4david View Post
in /etc/apache2/httpd.conf added:
ServerSignature Off
ServerTokens Prod
thx for tips

I added these variables but it doesn't work; I can see the signature of Apache in my phpinfo:

http://213.186.40.113/pret.php

(I have restarted apache)

Any idea, please?

For PHP security I suggest:

Code:
memory_limit = 20M
post_max_size = 512K
upload_max_filesize = 4M 
allow_url_fopen = Off
expose_php = Off 
disable_functions = show_source, system, shell_exec, passthru, popen, proc_open, exec, eval, parse_ini_file, dl, virtual, escapeshellarg, escapeshellcmd
Reply With Quote
  #8  
Old 21st July 2010, 23:16
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 37,045
Thanks: 841
Thanked 5,661 Times in 4,468 Posts
Default

You have to edit these values in the file /etc/php5/cgi/php.ini and then restart apache.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #9  
Old 21st July 2010, 23:18
007007 007007 is offline
Senior Member
 
Join Date: Jul 2010
Posts: 139
Thanks: 5
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till View Post
You have to edit these values in the file /etc/php5/cgi/php.ini and then restart apache.
I must add this to php.ini?

ServerSignature = Off
ServerTokens = Prod
Reply With Quote
  #10  
Old 22nd July 2010, 09:46
damir damir is offline
Senior Member
 
Join Date: Jun 2006
Posts: 375
Thanks: 11
Thanked 51 Times in 42 Posts
 
Default

No, that should be added to apache conf files. Which distribution do you use?
Reply With Quote
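
An audit of the settings discussed in this thread, as an added example that is not from any of the posters. It checks each per-SAPI php.ini separately (the thread shows that editing only one of them is not enough), flags Apache directives pasted into php.ini, and checks the /tmp mount. The function names are made up for this example, and the file paths are the Debian ones named in the posts.

```sh
#!/bin/sh
# Added example; paths follow the Debian/php5 layout named in the thread.

# Effective value of KEY in a php.ini: the last uncommented "key = value" wins.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        { eq = index($0, "="); if (!eq) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Last value of an Apache directive ("Name Value"; names are case-insensitive).
apache_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { val = $2 } END { print val }' "$1"
}

# Print weak settings found in one php.ini; exit status = number of findings.
check_php_ini() {
    bad=0
    for key in expose_php display_errors; do
        v=$(ini_value "$1" "$key" | tr 'A-Z' 'a-z')
        case "$v" in
            off|0|false|no) ;;
            *) echo "$1: $key is '$v', want Off"; bad=$((bad + 1)) ;;
        esac
    done
    [ -n "$(ini_value "$1" disable_functions)" ] || { echo "$1: disable_functions is empty"; bad=$((bad + 1)); }
    # Apache directives pasted into php.ini are not applied by Apache.
    if grep -Eiq '^[[:space:]]*Server(Signature|Tokens)' "$1"; then
        echo "$1: ServerSignature/ServerTokens belong in the Apache config"; bad=$((bad + 1))
    fi
    return "$bad"
}

# True when the mount table (default /proc/mounts) lists /tmp with noexec.
tmp_is_noexec() {
    awk '$2 == "/tmp" { f = 0; n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") f = 1 }
         END { exit !f }' "${1:-/proc/mounts}"
}

for ini in /etc/php5/apache2/php.ini /etc/php5/cgi/php.ini /etc/php5/cli/php.ini; do
    if [ -r "$ini" ]; then check_php_ini "$ini" || true; fi
done
if [ -r /etc/apache2/httpd.conf ]; then echo "ServerTokens: $(apache_value /etc/apache2/httpd.conf ServerTokens)"; fi
tmp_is_noexec || echo "/tmp is not mounted noexec"
```

A file that produces no output from `check_php_ini` has all three PHP settings in place; an unset `expose_php` or `display_errors` is reported because the directive is then left at PHP's default.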