Security tips needed

Discussion in 'Installation/Configuration' started by u4david, Feb 1, 2010.

  1. veuster

    veuster New Member

    how?

    Oh, that figures.

    How can I use custom php.ini for ispconfig 3?

    How do I make all the other websites on my server use a disabled php.ini and ispconfig use a different php.ini?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please see here for several examples on how to use custom php.ini files:

    http://www.askapache.com/php/custom-phpini-tips-and-tricks.html

    The ispconfig vhost file is /etc/apache2/sites-available/ispconfig.vhost

    Most likely the ispconfig interface on your system uses mod_php, so you can specify a custom php.ini file by adding this line inside the vhost definition:

    PHPIniDir /path/to/custom/phpini/directory/
     
  3. asus

    asus New Member

    I didn't read this whole post but I installed mod_security and mod_evasive and it broke my ispconfig3.

    When trying to create new email accounts I can't see any text and I get these errors.

    Warning: tform::include(lib/lang/en_mail_user.lng) [tform.include]: failed to open stream: No such file or directory in /usr/local/ispconfig/interface/lib/classes/tform.inc.php on line 140

    Warning: tform::include() [function.include]: Failed opening 'lib/lang/en_mail_user.lng' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /usr/local/ispconfig/interface/lib/classes/tform.inc.php on line 140

    and

    ERROR

    1. error_no_pwd
    email_error_isemail

    even after I removed them.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You are missing the English language files on your server. Please update ispconfig to reinstall all files.
     
  5. 007007

    007007 New Member

    Some apache2 values are misconfigured for security:

    Code:
    MaxConnPerIP 15 (not found in apache2.conf !!!)
    KeepAliveTimeout 15 (must be 5 or 10 max)
    What do you think?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can set this but the old values are as fine as the new ones. It depends on the speed of your hardware etc. which values to use for this. So this is not directly security related.
     
  7. 007007

    007007 New Member

    fail2ban installed by default does not block DOS / DDOS attacks?

    I tested the DOS attack:

    Code:
    wget http://ha.ckers.org/slowloris/slowloris.pl
    chmod +x slowloris.pl
    ./slowloris.pl -dns ip
    After 10 seconds my server is slow to load, it became inaccessible ...

    I did:

    Code:
    netstat -tan | grep ip:80 | wc -l
    the result was: 300

    I already installed mod-evasive but it failed to protect the server!!!

    So, any solution?
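
A per-source breakdown of the same `netstat -tan` output, added here as an example and not part of the original posts: instead of one total, it counts connections to the web port per remote address and lists the sources holding more than a limit. The function names, the limit of 3 and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-source view of `netstat -tan`.

# count_per_ip PORT
# Reads `netstat -tan` output on stdin and prints "TOTAL ESTABLISHED IP"
# for every remote address connected to local PORT, busiest first.
count_per_ip() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)            # drop the remote port
            total[ip]++
            if ($6 == "ESTABLISHED") est[ip]++
        }
        END { for (ip in total) print total[ip], est[ip] + 0, ip }
    ' | sort -k1,1nr -k3,3
}

# flag_heavy PORT LIMIT
# Prints only the sources with more than LIMIT established connections.
flag_heavy() {
    count_per_ip "$1" | awk -v limit="$2" '$2 > limit { print $3 }'
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.5:80          198.51.100.7:40001      ESTABLISHED
tcp        0      0 203.0.113.5:80          198.51.100.7:40002      ESTABLISHED
tcp        0      0 203.0.113.5:80          198.51.100.7:40003      ESTABLISHED
tcp        0      0 203.0.113.5:80          198.51.100.7:40004      ESTABLISHED
tcp        0      0 203.0.113.5:80          192.0.2.44:51812        ESTABLISHED
tcp        0      0 203.0.113.5:80          192.0.2.44:51813        TIME_WAIT
tcp        0      0 203.0.113.5:22          192.0.2.9:50022         ESTABLISHED
tcp        0      0 203.0.113.5:8080        192.0.2.9:50023         ESTABLISHED
EOF
}

# Demo on the sample; on a live server use: netstat -tan | count_per_ip 80
sample_netstat | count_per_ip 80
```

A single address far above the others in the ESTABLISHED column is the pattern to look for; the limit that counts as "heavy" depends on the site's normal traffic.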
     
  8. falko

    falko Super Moderator ISPConfig Developer

    fail2ban just reacts to failed login attempts.
     
  9. orasis

    orasis Member

    Looks like an old thread but this is the one that came up on Google.

    I got some questions regarding things that were mentioned in this thread and some more.

    I now run ISPConfig 3 on Debian and, as mentioned here, the php.ini to edit for global website PHP settings is:
    /etc/php5/cgi/php.ini

    What I would like to know though is if that is the php.ini for the websites or for ISPConfig as well or if there is another one. I say that because when I was using ISPConfig 2 I had messed up some things and ended up with ISPConfig not working. I am not asking for a custom php.ini for each website; I know how to do that. But I am not sure if ISPConfig 3 is using a separate php.ini file for the control panel from the one I show above.

    Now another thing is the default index.html plus some more files and dirs that get created upon website creation from ISPConfig 3. I had edited these in the past, right now I do remember the path. My question is, if I edit them will my changes be wiped by a future update? And can I change the default permissions of them? Because I would like all automated files created in the /web dir to be 644 and dirs to be 755 but the script used makes even the files executable (such as the .htaccess and index.html) and I see no reason for this. Same question goes for the error pages and stats directory. Generally, can I edit that script my own way or will it be wiped by an update? And what are the paths I should look for it in Debian/ISPConfig 3?

    Also, can we expect PHP 5.4 support in the next ISPConfig 3 update? I know there is a tutorial on how to add more PHP versions. I am just asking if such a thing will become a core feature of ISPConfig 3.

    Those are some questions that came to my mind for now.

    Thanks !
    and keep up !
     
