Security tips needed

Discussion in 'Installation/Configuration' started by u4david, Feb 1, 2010.

  1. u4david

    u4david New Member

    Ispconfig3 security tips.
    Wonder what is good practice to have secure environment within Ispconfig3.
    Is that out of box pretty much secured?(kind of doubt that) Ani tips where to look for loop holes?
    Account management tips?
    Ftp,ssh,dtb accounts security tips?
    CMS within ispconfig3 security tips?
    Thank you.
     
    Last edited: Feb 1, 2010
  2. damir

    damir New Member

    Debian Lenny as base system is pretty secure but you can always make it more secure.

    Start with by disabling services that you don't need. Install rcconf and disable the services that you don't need. Reboot the os.

    Mount /tmp with noexec to keep away script kiddies.
    Install mod_security2 to filter out most common webjunk. Install mod_evasive to ease ddos attacks.
    Tweak you apache2 settings by changing following settings:
    ServerSignature Off
    ServerTokens Prod

    Tweak your php:
    expose_php = Off
    display_errors = Off
    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, escapeshellarg, escapeshellcmd, proc_open

    Open basedir is set by ispconfig.

    Install policy firewall and tweak the settings. There is bastille firewall in Ispconfig that you can use.

    There is much more but this is the basic web stuff. You can always read:

    http://www.debian.org/doc/manuals/securing-debian-howto/
     
  3. u4david

    u4david New Member

    So far i got

    in /etc/apache2/httpd.conf added:
    ServerSignature Off
    ServerTokens Prod


    in /etc/php5/apache2 & cgi & cli I changed/added in the php.ini:
    expose_php = Off
    display_errors = Off
    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, escapeshellarg, escapeshellcmd, proc_open

    so this i got so far.

    I will create tmp and mount it as described,any recommendation on size of the tmp or type of file system?

    The other tips provided will require more explanation please:how to links a nd stuff.
     
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Also make sure that the security level is set to high in the ispconfuig server settings.
     
  5. yoplait

    yoplait Member

    By the way, what are the differences between these levels, in ispconfig ?
     
  6. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    The differences are in the file and folder permissions of the sites and in the vhohost file.
     
  7. 007007

    007007 New Member

    thx for tips

    i added these variables but it's don't work, i can see signature of apache in my phpinfos :

    http://213.186.40.113/pret.php

    (I have restarted apache)

    any idea please ?

    for php security I suggest :

    Code:
    memory_limit = 20M
    post_max_size = 512K
    upload_max_filesize = 4M 
    allow_url_fopen = Off
    expose_php = Off 
    disable_functions = show_source, system, shell_exec, passthru, popen, proc_open, exec, eval, parse_ini_file, dl, virtual, escapeshellarg, escapeshellcmd
     
  8. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You have to edit these values in the file /etc/php5/cgi/php.ini and then restart apache.
     
  9. 007007

    007007 New Member

    I must add this to php.ini?

    ServerSignature = Off
    ServerTokens = Prod
     
  10. damir

    damir New Member

    No, that should be added to apache conf files. Which distribution do you use?
     
  11. 007007

    007007 New Member

    i have debian
     
  12. damir

    damir New Member

    Type the following in terminal:

    Code:
    nano -w /etc/apache2/conf.d/security
    Set the ServerTokens to Prod and ServerSignature to Off

    Save and quit

    It's always good to check config files for syntax errors when you are editing apache config files.

    Code:
    apache2ctl configtest
    It should say Syntax OK otherwise something went wrong.

    Last thing you need to do is to restart apache.

    Code:
    /etc/init.d/apache2 restart
     
  13. 007007

    007007 New Member

    it's work

    big thx
     
  14. 007007

    007007 New Member

  15. damir

    damir New Member

    mod_security2 is not installed by default but you can disable mod_security through ispconfig3 if you wish.
     
  16. 007007

    007007 New Member

    disable mod_security ? it's installed ?

    i not understand :D:D

    another tutorial for install mod_security on debian/lenny :

    http://forum.ovh.com/showthread.php?t=50900

    I'll wait for confirmation from a professional to install it ^^
     
  17. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You can install mod_security on a ispconfig server. mod_security is disabled by default for the ispconfig vhost on port 8080 as it is not compatible with ispconfig, it creates false positive errors as ispconfig has to modify system paths which is uncommon for a web application. But it will work for the websites that you created in ispconfig.
     
  18. damir

    damir New Member

    It's not installed by default, but if you decide to install it than there is a option to disable mod_security through ispconfig3. Sometimes mod_security3 doesn't play along with ispconfig3 control panel and it's good to have option to disable mod_security just for the control panel but it remains ON for rest of the server.

    Edit: Till is faster at typing :D
     
  19. veuster

    veuster New Member

    disable_functions

    I want to ask about disable_functions setting.

    Among the functions that is disabled in damir's post, is there functions that is being used by ISPConfig?

    Because if I used that setting, some of the monitor and log in ISPConfig 3 is not working.
    The monitor just doesn't show anything, and the log file says "logfile path error"

    Do someone know which disabled functions is being used by ISPConfig 3?
     
  20. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    ISPConfig uses most of these functions, so you might have to use a custom php.ini for ispconfig (server and interface) if you want to disable them.
     

Share This Page