Suggestion about apache-php secure configuration

Discussion in 'Installation/Configuration' started by voltron81, Oct 28, 2009.

  1. voltron81

    voltron81 New Member

    Hello to everybody.
    I've realized a mailserver following the Perfect server how to.
    I'm using Debian distribution.
    I've setup ISPFirewall and I want to configure Apache and PHP, so that the system is quite sure.
    A month ago my server was hacked by somebody who used a bug in roundcube (now fixed), and was able to launch a wget command that downloaded a script...

    Do you have some suggestion about the configuration of this 2 programs and, more in general, about security of the server?

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you use mod_php, php-fcgi or suphp for the websites?
  3. voltron81

    voltron81 New Member

    Hi Till,
    I use this server just for as email server... I'm not managing any website...

  4. voltron81

    voltron81 New Member

    Basically my configuration is: all the programs listed here:
    plus roundcube 0.3 stable.

    I've just added in /etc/apache2/site-enable/000-default the line:
    ServerSignature Off
    so that they can not see witch version of apache I have.
    I've also added in apache.conf this:
    <FilesMatch \.(inc|conf)>
        Order Allow,Deny
        Deny from all
    and the timeout to 45.
  5. damir

    damir New Member

    You can beef up Apache security a little by installing mod_security, disable all modules that are not used. Set ServerTokens to Prod, restrict access rights to site content and lastly chroot apache.

    Last part im not sure if it works with ISPconfig?

    Regarding PHP, you should run it as website owner. Set display_errors to Off, set expose_php to off, set log_errors to On. Register global should be Off. Than we have Safe Mode, but there is ISPc interaction with the services that has to be taken in consideration when you hardening services.
  6. voltron81

    voltron81 New Member

    Thanks Damir for your suggestions.

    Unfortunately I'm not an expert, so I don't know 100% where I can find this values that I've to modify.
    Anyway I'll try to do it...
    Do you know if on the web there is a how-to that explain more about this modify?

    Thanks a lot

  7. damir

    damir New Member

  8. voltron81

    voltron81 New Member

    Thanks Damir,
    I'll try it

Share This Page