Big security risk with my ISPCONFIG 3 Installation

Discussion in 'General' started by filipealvarez, Dec 8, 2009.

  1. filipealvarez

    filipealvarez New Member

    Hi everybody, I have an installation of ISPCONFIG 3.0.1.3 and one big problem.

    All users webusers can list all files and dirs of /var/www folder.

    I'm using Fastcgi in the vhost configuration, how can I secure that?

    The right action in this case is the user lists just the content of /var/www/clientNUMBER...

    Thanks in advance!
     
  2. filipealvarez

    filipealvarez New Member

    I tried to change de /var/www permission to 750, but the Apache does not read the files owned by user:group =/

    Any ideas?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    First, your ISPConfig version is a bit old, you have to update to ISPConfig 3.0.1.6. Then select secure mode in the server settings and change a config in every website were you want to switch to secure mode.
     
  4. filipealvarez

    filipealvarez New Member

    Till, tnks for your reply.

    There is a secure option in ISPCONFIG 3.0.1.3? How can I find that?

    Is the upgrade to 3.0.1.6 needed?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. Thats why I told you to update.
     
  6. filipealvarez

    filipealvarez New Member

    Ok Till, I will make the upgrade tonight.

    Do you have a link from forum that describes this upgrade to help me?

    Thanks again!
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    See release notes.
     
  8. filipealvarez

    filipealvarez New Member

    Till, the update has been made and now I'm running ISPCONFIG 3.0.1.6.

    I changed the level from Medium to High on Server Configuration > Web.

    Is there other option to change to secure my vhosts?
     
  9. BorderAmigos

    BorderAmigos New Member

    Do you have an .htaccess file in /var/www ? There should be one with "Options -Indexes" so that the directory can not be listed.

    If you want to enable the directory listing in subdirectories of that have an additional .htaccess file with "Options +Indexes".

    There are a lot of things that can be done to further secure your host. Too many to list.
     
  10. filipealvarez

    filipealvarez New Member

    Thanks for your suggestion BorderAmigos, my apache already has this set, the really problem was that users cannot be 'arrasted' in the /var/www/clients/clientexx

    Now (thanks Till), nobody can escape from that dir.
     
  11. BorderAmigos

    BorderAmigos New Member

    "Arrasted"?
     

Share This Page