

How can I secure this server?




Posted by matt2kjones, 08-26-2010, 10:42 AM
Hello,

Before I start, I want to make it clear that I'm not in the webhosting business; I am just looking into running multiple different webapps for our company under separate users on a secure Linux machine.

So far, I have installed the operating system, and am using these solutions:

- Exim & Dovecot for mail (virtual users in MySQL)
- Bind (running in chroot under /var/named as user named)
- SSH (only allows access via internal network, blocked externally via iptables)
- IPTables blocking everything other than used ports
- VSFTPD for FTP
- Apache/mod_ssl/mod_security/mpm_peruser/php

Each web application is installed as a different local user: /home//htdocs

mpm_peruser runs each virtual host as the correct user, for example:

/home/user1/htdocs vhost runs as user1
/home/user2/htdocs vhost runs as user2

All home directories are chown user:user /home/user -R as well as chmod 0700 /home/user -R.

My method of thinking is that if we run a web app with a security flaw, it will be running as a user only with read/write access to its own home dir and /tmp. It won't have any access privs to other home directories, not even read. I have disabled many functions in PHP as per recommendations.

My situation now is that it's recommended that I "secure" /tmp by adding noexec to the mount options. I have always done this on any server I have run, but surely that's completely pointless if /home/ is read/write and allows executing. How do I get around this problem? Should I be mounting /home with the same options as /tmp, considering it's read/write to the Apache vhost?

Thank you
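An added example, not part of any post in this thread: a shell check for the question raised above, reporting whether each directory a vhost user can write to sits on a mount with noexec, nosuid and nodev. The mount table is a constructed sample in /proc/mounts format, and user1 and the device names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): which hardening mount flags are missing
# on the filesystems a compromised web app could write to?

# Constructed sample in /proc/mounts format; on a real host pass /proc/mounts.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,nosuid,relatime 0 0
EOF

# mount_opts_for PATH MOUNTS_FILE -> options of the mount covering PATH.
# The covering mount is the longest mount point that is a path prefix of PATH.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"   # avoid /home matching /homework
            if (index(p "/", pre) == 1 && length(mp) >= best) {
                best = length(mp); opts = $4
            }
        }
        END { print opts }
    ' "$2"
}

# missing_flags PATH MOUNTS_FILE -> space-separated flags the covering mount
# lacks (empty output means noexec, nosuid and nodev are all set).
missing_flags() {
    opts=",$(mount_opts_for "$1" "$2"),"
    out=""
    for flag in noexec nosuid nodev; do
        case "$opts" in
            *",$flag,"*) ;;
            *) out="$out $flag" ;;
        esac
    done
    echo "${out# }"
}

# Writable locations from the layout described in the post.
for dir in /tmp /home/user1/htdocs; do
    printf '%s missing: %s\n' "$dir" "$(missing_flags "$dir" "$SAMPLE_MOUNTS")"
done
```

With the sample table, /tmp reports nothing missing while /home/user1/htdocs still lacks noexec and nodev, which is the gap the post describes.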

Posted by netmar, 08-26-2010, 06:06 PM
Well, for one, you may want to consider limiting the directories to which apache can write. After all, if your webapp doesn't ever write files to /some/directory/ then you hardly need to have write access enabled. This is just dependent on the application and how much it uses the filesystem vs. database storage.

Second, if the only use for ssh is for a few admins (such as yourself), then there's really no need for password access at all.

As far as the /tmp directory goes, do you gain anything by not using noexec? If not, then you've no reason not to use it.

Also (and I mention this only because you didn't list it above) you may want to make sure that the root mysql password is set.

Finally, it might be handy to install a flood detector/blocker to help defend those ports that you have to leave open. Fail2ban is a simple script that is readily available for most installs (just apt-get install fail2ban), or you can download a small script collection from ConfigServer Security & Firewall if you want something a little more elaborate.

Posted by matt2kjones, 08-27-2010, 03:43 AM
Thanks netmar...

I had already changed the MySQL root password and set root to only have access from localhost. Set up separate users with only privs on _% so that they have access to their databases only.

I have changed /tmp to be noexec as well.

I'm wondering whether I should change my policy of running each vhost as : but rather apache:. This would give me the flexibility of each user's home dir having its own user and group permissions, but running apache only as the group, as a result having to set group write permissions for the user's group for apache to have write access, but still blocking other users from writing to those files since they are in a different group.

Fail2Ban is installed and is set up to block brute force attempts on services such as ftp. I use shorewall to generate firewall rules (just because I find it faster for generating the rules than writing the iptables myself).

I'm just wondering how popular SELinux, PaX and grsecurity are among webhosting. Are these things really needed if you're not offering shell access?

Posted by Steven, 08-27-2010, 03:52 AM
Grsecurity is a good thing. Just because you don't offer shell access does not mean someone can't run shell commands. Perl and PHP both offer the ability to run shell commands - the very same ones that can be run in ssh to exploit you.

Posted by matt2kjones, 08-27-2010, 05:34 AM
All the PHP functions that offer shell access have been disabled, as this server runs only our own webapps or webapps we have had created for us, and we don't run any Perl applications online.

My only concern is security holes in software resulting in a low-level user getting access to the system and being able to escalate their permissions to root access. If a service running as root is compromised, for example, the apache process binding to port 80, then I'm screwed, but looking at SELinux, it creates containers to limit the damage.

I just want feedback on whether it's worth adding SELinux, grsecurity and other security features like PaX. The server doesn't hold any really sensitive information like credit cards... If it did, I wouldn't question installing the above solutions.


