Help to secure my FreeBSD/Apache installation

Polytropon freebsd at edvax.de
Wed Jul 17 22:25:27 UTC 2013 

On Wed, 17 Jul 2013 23:11:27 +0200, Andy Wodfer wrote:
> Hi everybody!
> 
> I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50,
> php 5.3.3) and I server some websites from it, most of them using Joomla or
> Wordpress CMS.

Those are typical (and known) attack vectors. Make sure you're
always up to date regarding fixes!



> I recently had a security breach where someone used a hole in an older
> Joomla version and was able to install a php script called webadmin.php.
> From that the person was able to browse all folders and view all files -
> and change them... not nice!

This implies you cannot know in how far your system has been
compromized. I'd suggest a new installation. Make backups of
user files and configurations. Make sure you audit them (so
you won't re-install a possible backdoor after a clean install).



> I need some help and pointers to what I can do to strengthen security and
> to atleast prevent someone from writing to the filesystem and browse all
> directories and files. (allthough joomla needs some folders to be chmod 777)


> I'm thinking about installing apache2-mpm-itk or similare to jail each site
> into its own directory and run each virtualhost as its own user. Is this a
> good idea?

At least it is a _working_ idea. If it is actually a good
idea depends on many different factors. Jails are a good
means of separation. Sometimes, using "simple user accounts"
is sufficient, but especially regarding complex web content
(such as CMS, stuff that involves PHP and whatnot) the more
security you can add, the better it is.

Also install portaudit to check for security fixes that have
been made available for the software you're running.

Apply restrictions as hard as possible. If programs want write
access to specific directories, try to make then writable per
uer accounts, not within the global tree structure (or even
within system directories).

The "nobody" user can also be helpful (regarding on what you
are running).

If you can separate the different CMSs and sites, a possible
security breach will be restricted to that only instance. It
can be taken down without affecting the other sites.

But also: Educate your users. In order to do that, use money.
Make them pay. ;-)




PS.
Allow me a short addition, I know people will beat me with
a pointed stick for mentioning it, but: There are no "folders".
This term is wrong. What you mean are called directories.
A folder is the name of one visual representation (among
others) of a directory in a graphical user interface. It
_is_ not a directory and it is not similar to one. It's
comparable to the relation of the handbrake light in your
car's dashboard vs. the real handbrake. Don't claim your
handbrake light isn't working when in fact your handbrake
is broken. :-)

Bottom line: Directory correct, "folder" plain wrong. You
don't call files "sheets of paper" either. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

More information about the freebsd-questions mailing list