Help to secure my FreeBSD/Apache installation

Julian H. Stacey jhs at
Wed Jul 17 21:39:29 UTC 2013

Hi, Reference:
> From:		Andy Wodfer <wodfer at> 
> Date:		Wed, 17 Jul 2013 23:11:27 +0200 

Andy Wodfer wrote:
> Hi everybody!
> I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,

To quote front page of
    * Production: 9.1
    * Legacy: 8.4
My net. con. is too slow right now to check this for you, but look
yourself, I bet FreeBSD-8.1 was long ago declared by security-officer@
as not supported as too old,

> php 5.3.3) and I server some websites from it, most of them using Joomla or
> Wordpress CMS.
> I recently had a security breach where someone used a hole in an older
> Joomla version and was able to install a php script called webadmin.php.
> From that the person was able to browse all folders and view all files -
> and change them... not nice!
> Apache runs using the www user (std installation) and all virtualhosts
> share the same user, but are placed in different directories.
> I need some help and pointers to what I can do to strengthen security and
> to atleast prevent someone from writing to the filesystem and browse all
> directories and files. (allthough joomla needs some folders to be chmod 777)
> I'm thinking about installing apache2-mpm-itk or similare to jail each site
> into its own directory and run each virtualhost as its own user. Is this a
> good idea?
> Thankful for answers and pointers!
> All the best -
> Andy

Upgrade to 8.4 or 9.1, 
Reinstall new versions of all ports,
cd /usr/ports/ports-mgmt/portaudit  ; make install ; rehash ; portaudit ; 
# (Which is in 9.1 & not in 8.2) 

Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.

More information about the freebsd-questions mailing list