Answer the question
In order to leave comments, you need to log in
A
A
ANUFRiY2013-11-06 10:10:30
ANUFRiY, 2013-11-06 10:10:30
With security?
Hello.
There is a VPS that hosts several dozen projects, both on a system of its own development, and on DLE and Wordpress.
After discovering a flooded backdoor on one of the sites, I seriously took up security. So far, at the level of configuration of scripts, php and apache
Below I list the measures that I took. Please advise that I did not take into account the critical, and where, perhaps, I overdid it. I understand that it is impossible to create a completely secure system, but I would like to have at least protection from ordinary solutions. Thank you!
In the system:
- Put chmod 700 on folders, 600 on files
- Moved especially important projects, each for a separate user, in the control panel (ispmanager)
- For each host in Apache vhosts, the open_basedir parameter was set to the folder of this site, and not to the entire user folder.
- Prohibited the following functions in php.ini via disable_functions (selected those that bypass the Apache open_basedir restriction):
exec
system
shell_exec
passthru
popen
proc_open
(did not prohibit those that read configurations and code (ini_get, php_uname, show_source, ...) and those what php code executes (eval, preg_replace, ...))
In scripts (already implemented earlier):
- prohibited direct access to user-uploaded files (images).
- I go through all the loaded images with the gd library and resample.
- Escaping requests to the database and strict filtering of input
- Passing jevix through all form data where html input is available. in the rest, use strip_tags or direct cast to type
4 answer(s)
@Levhav
Thus, if everything is correct, then when you start the task manager, you can observe that for each site php scripts are executed on behalf of a specific OS user, which guarantees that even through the exec function or the like, it cannot harm.
@stan_jeremy
@VasiliyIsaichkin
V
Viktor, 2013-11-06 @Levhav
I share sites on my vds with the apache2-mpm-itk module (http://wiki.hasanov.ru/ubuntu/apache_multi_users).
It allows you to run virtual hosts from different accounts in the OS.
For each site, I create a new user in the system and a group that includes only this user. And I give it minimal rights, remove the ability to log in via ssh, and so on.
I place the virtual host in the home directory of this user.
And I repeat this process for each site.
As a result, for one user in the OS, one virtual host in his home folder.
Add the following to the virtual host config:
<IfModule mpm_itk_module>
AssignUserId user1 user1
</IfModule>
Thus, if everything is correct, then when you start the task manager, you can observe that for each site php scripts are executed on behalf of a specific OS user, which guarantees that even through the exec function or the like, it cannot harm.
S
stan_jeremy, 2013-11-06 @stan_jeremy
You can’t guarantee that you’ve escaped everything EVERYWHERE, filtering everything everywhere, etc., unless of course this is a project with a couple of places for entering user data)
V
Vasily, 2013-11-06 @VasiliyIsaichkin
Use public large scripts - there is always a chance that a little/unknown vulnerability in them will be used for evil. IMHO, you should always consider that a particular site can be hacked in terms of code vulnerability, you must not let the rest be captured.
Isolate sites from each other as much as possible (different users, different rights, home divers, etc.), jail separation mechanisms, virtualization, etc.
It is difficult to say whether the measures you have indicated are enough, because a lot depends on the OS and software used, their settings, and application features.
Similar questions
E
A
R
A
M
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question