Help to secure my FreeBSD/Apache installation
Julian H. Stacey
jhs at berklix.com
Wed Jul 17 21:39:29 UTC 2013
> From: Andy Wodfer <wodfer at gmail.com>
> Date: Wed, 17 Jul 2013 23:11:27 +0200
Andy Wodfer wrote:
> Hi everybody!
> I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,
To quote front page of http://www.freebsd.org:
* Production: 9.1
* Legacy: 8.4
My net. con. is too slow right now to check this for you, but look
yourself, I bet FreeBSD-8.1 was long ago declared by security-officer@
as not supported as too old,
> php 5.3.3) and I server some websites from it, most of them using Joomla or
> Wordpress CMS.
> I recently had a security breach where someone used a hole in an older
> Joomla version and was able to install a php script called webadmin.php.
> From that the person was able to browse all folders and view all files -
> and change them... not nice!
> Apache runs using the www user (std installation) and all virtualhosts
> share the same user, but are placed in different directories.
> I need some help and pointers to what I can do to strengthen security and
> to atleast prevent someone from writing to the filesystem and browse all
> directories and files. (allthough joomla needs some folders to be chmod 777)
> I'm thinking about installing apache2-mpm-itk or similare to jail each site
> into its own directory and run each virtualhost as its own user. Is this a
> good idea?
> Thankful for answers and pointers!
> All the best -
Upgrade to 8.4 or 9.1,
Reinstall new versions of all ports,
cd /usr/ports/ports-mgmt/portaudit ; make install ; rehash ; portaudit ;
# (Which is in 9.1 & not in 8.2)
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
Reply below not above, like a play script. Indent old text with "> ".
Send plain text. No quoted-printable, HTML, base64, multipart/alternative.
More information about the freebsd-questions