
Setting up security sites on VPS / VDS

You purchased a dedicated or virtual server, or built your own at home. Now it is time to think about the security of the sites on it, since a breach of one of them could endanger all the others.

On shared hosting these problems are solved by the hoster; on your own server they are the administrator's job. And even if your server came with a preset, it is unlikely that the preset limits the rights of each user and site. Most likely your provider limited itself to installing the standard applications: vsftpd, Apache, nginx, php, mysql and so on.

We assume that the necessary software is already installed on the server and it is time to take care of security. If not, find the appropriate instructions on "configuring nginx as the front-end to apache" and then return to the issue of security.
Security will be based on the following principles:

The first is creating users with the /bin/false shell, using vsftpd and proftpd as examples. This confines each user to their own directory.

The second is separating sites by user. We will be able to run each site on behalf of a different user, so that access to one of them does not endanger the others.

I will also point out a few other security points known to me; if I missed something, I will be happy to add it to the article. And since I have not found a single article on the Internet covering all the necessary security points, I think this one will be quite useful.

In fact, I wrote this memo for myself based on an existing, working server, as the final stage of its installation, so the article suits both those who are only now installing a server and those who want to secure it and speed up the php interpreter, since that topic also has to be touched on.



Let's start by setting up proftpd. To do this, open the ProFTPd configuration file /etc/proftpd/proftpd.conf

    # Chroot every user to their home directory
    DefaultRoot ~
    # Forbid root from logging in over FTP
    RootLogin off
    # Accept users whose shell is not listed in /etc/shells (e.g. /bin/false)
    RequireValidShell off
    # Limit the number of concurrent server instances
    MaxInstances 10
    # Disconnect after this many failed logins
    MaxLoginAttempts 5


Restart proftpd.

Now consider an example with vsftpd. The vsftpd configuration file is /etc/vsftpd.conf

    # Allow local (system) users to log in
    local_enable=YES
    # Allow uploads
    write_enable=YES
    # Chroot local users to their home directory
    chroot_local_user=YES
    # Default umask for uploaded files (644 for files, 755 for directories)
    local_umask=022


Add the shell to the /etc/shells file

    /bin/false


In the /etc/skel folder, create the files and folders, with the corresponding attributes, that should be created in each new user's home folder. For myself, I at least set up a folder for the site (public_html) and a folder for storing temporary files (tmp). I think this will be enough for a start.

Reboot vsftpd.

Add a user with the /bin/false shell and the -m key, so that the home directory is created at the same time, and immediately forbid writing to the top level of the home directory, since all the necessary directories and files are already provided through /etc/skel above

    useradd -m -s /bin/false login
    passwd login
    chmod 555 /home/login
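As an added example, not part of the original article, the following script audits an FTP-only account against the layout described above: the /bin/false shell, its presence in /etc/shells, the read-only (555) home directory and the folders copied from /etc/skel. It reads copies of /etc/passwd and /etc/shells passed as arguments, so it runs on constructed files without root; the function names and the sample data are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: audit an FTP-only account
# against the layout described above. It reads copies of /etc/passwd and
# /etc/shells given as arguments, so it also runs on constructed files
# without root. Function names and the sample data below are this example's own.

# audit_ftp_user LOGIN PASSWD_FILE SHELLS_FILE
# Prints one line per finding; returns 0 only when every check passes.
audit_ftp_user() {
  login="$1"; passwd_file="$2"; shells_file="$3"
  rc=0
  entry=$(grep "^${login}:" "$passwd_file")
  if [ -z "$entry" ]; then
    echo "FAIL: $login not found in $passwd_file"
    return 1
  fi
  home=$(printf '%s\n' "$entry" | cut -d: -f6)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)

  # 1. The login shell must be /bin/false: the account exists for FTP only.
  if [ "$shell" != "/bin/false" ]; then
    echo "FAIL: $login has shell $shell, expected /bin/false"; rc=1
  fi
  # 2. /bin/false must be listed in /etc/shells, otherwise PAM/vsftpd reject the login.
  if ! grep -qx '/bin/false' "$shells_file"; then
    echo "FAIL: /bin/false missing from $shells_file"; rc=1
  fi
  # 3. The home directory exists and is mode 555 (stat -c is GNU coreutils):
  #    the user may not create files at its top level, only inside the subfolders.
  if [ ! -d "$home" ]; then
    echo "FAIL: home $home does not exist"; rc=1
  elif [ "$(stat -c %a "$home")" != "555" ]; then
    echo "FAIL: $home is mode $(stat -c %a "$home"), expected 555"; rc=1
  fi
  # 4. The folders copied from /etc/skel must be present.
  for d in public_html tmp; do
    [ -d "$home/$d" ] || { echo "FAIL: $home/$d missing"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: $login"
  return "$rc"
}

# demo_audit SHELL: builds a constructed home tree plus passwd/shells files in a
# temp dir, gives the account the shell SHELL, and runs the audit on them.
demo_audit() {
  base=$(mktemp -d)
  mkdir -p "$base/home/login/public_html" "$base/home/login/tmp"
  chmod 555 "$base/home/login"
  printf 'login:x:1001:1001::%s/home/login:%s\n' "$base" "$1" > "$base/passwd"
  printf '/bin/sh\n/bin/bash\n/bin/false\n' > "$base/shells"
  audit_ftp_user login "$base/passwd" "$base/shells"
  status=$?
  chmod -R u+w "$base" && rm -rf "$base"   # the 555 dir must be writable again before removal
  return "$status"
}

demo_audit /bin/false   # prints "OK: login"
demo_audit /bin/bash    # prints a FAIL line about the shell
```

On a real host you would call `audit_ftp_user login /etc/passwd /etc/shells` for each site account; the demo functions only show the passing and failing cases on constructed input.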


Separating users and installing fast-cgi



There are at least two implementations for user separation: suexec and apache2-mpm-itk. With suexec a separate php process has to be run for each user, unlike apache2-mpm-itk, where mod_php is started once for all processes. However, I will skip the apache2-mpm-itk configuration, since a single process does not provide enough flexibility, in particular a separate php.ini per site, and the performance loss can be compensated with Fast-CGI. Of course, the speed that mod_php gives will not be reachable, but system resources will be saved.

First, install the necessary modules. It is assumed that you have already installed and configured the server.

Using Ubuntu as an example

    aptitude install apache2-suexec libapache2-mod-fcgid php5-cgi


If Apache2 was installed with PHP5 as an Apache module, disable it:

    a2dismod php5


Enable the following modules if they are not enabled yet

    a2enmod rewrite
    a2enmod suexec
    a2enmod include
    a2enmod fcgid


The script that runs PHP lives in the suexec document root, which by default is /var/www; the following command shows the compiled-in value.

    /usr/lib/apache2/suexec -V


In it we create an fcgi directory, which will hold the script and php settings of each user, with a subfolder per owner

    mkdir -p /var/www/fcgi/login


Inside it, create a php5 file that will hold the script executing php, and hand ownership of it to the user

    chown login:login /var/www/fcgi/login/php5


Put the following into /var/www/fcgi/login/php5

    #!/bin/sh
    # Per-user php.ini; PHPRC may point at the file or at its directory
    PHPRC=/var/www/fcgi/login/php.ini
    export PHPRC
    # Requests handled by one process before it is recycled
    export PHP_FCGI_MAX_REQUESTS=5000
    # Child processes PHP starts to serve requests
    export PHP_FCGI_CHILDREN=8
    exec /usr/lib/cgi-bin/php


The PHPRC line names the php.ini file or the directory that contains it (a directory such as /var/www/fcgi/login/ resolves to /var/www/fcgi/login/php.ini). PHP_FCGI_MAX_REQUESTS sets the number of requests a single process handles before it is restarted. PHP_FCGI_CHILDREN sets the number of child processes PHP starts to handle incoming requests. php5 must be executable, and it (and its directories) must belong to the website's user and group.

Now copy the default php.ini from /etc/php5/cgi/ to our /var/www/fcgi/login/ and configure the basic settings. They will be individual for each site, but the main ones deserve attention right away.

    ; Pass PATH_INFO/PATH_TRANSLATED to the CGI binary
    cgi.fix_pathinfo=1
    ; Allow the short <? ?> tags
    short_open_tag = on
    ; Restrict file access to the site directory
    open_basedir = /home/login/docs
    ; Disable functions that spawn processes or expose source; extend the list as needed
    disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_getpriority,pcntl_setpriority,pcntl_exec,exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source,highlight_file
    ; Do not register request variables as globals
    register_globals = Off
    ; Do not create the legacy HTTP_*_VARS arrays
    register_long_arrays = Off
    ; Maximum size of a POST body
    post_max_size = 8M
    ; Directory for uploaded files, inside the user's home
    upload_tmp_dir = /home/login/tmp
    ; Maximum size of a single uploaded file
    upload_max_filesize = 2M
    ; Never include() code fetched over a URL
    allow_url_include = Off
    ; Command used to send e-mail
    sendmail_path = /usr/sbin/sendmail -t -i
    ; Do not add the X-PHP-Originating-Script header to outgoing mail
    mail.add_x_header = Off
    ; Memory limit per script; -1 means unlimited
    memory_limit = 128M
    ; Maximum script execution time in seconds
    max_execution_time = 30
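The wrapper script and the per-user php.ini above are the two files that have to be produced for every site. As an added example, not code from the original article, the script below generates both for a given login under a configurable base directory and then audits the resulting php.ini for the settings the text singles out (open_basedir set, allow_url_include off, the process-spawning functions disabled). The function names, the sample values and the open_basedir choice (public_html plus tmp, on the assumption that upload_tmp_dir has to lie inside open_basedir for uploads to work) are this example's own; chown is left as a comment because it needs root.

```shell
#!/bin/sh
# Added example, not from the original article: generate the per-user FastCGI
# wrapper and php.ini described above, then audit the php.ini for the settings
# the text singles out. The base directory is a parameter so the example runs
# in a temp dir; chown is left commented because it needs root. Function
# names, the open_basedir choice and the sample values are this example's own.

# make_fcgi_user ROOT LOGIN HOME: writes ROOT/LOGIN/php5 and ROOT/LOGIN/php.ini
make_fcgi_user() {
  root="$1"; user="$2"; home="$3"
  dir="$root/$user"
  mkdir -p "$dir"
  # Wrapper: the same three variables as in the article, PHPRC pointing at this user's ini.
  cat > "$dir/php5" <<EOF
#!/bin/sh
PHPRC=$dir/php.ini
export PHPRC
export PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_CHILDREN=8
exec /usr/lib/cgi-bin/php
EOF
  chmod 755 "$dir/php5"   # suexec refuses to run a script that is not executable
  # Minimal hardened ini. open_basedir covers public_html and tmp (assumption:
  # upload_tmp_dir must lie inside open_basedir for uploads to work).
  cat > "$dir/php.ini" <<EOF
cgi.fix_pathinfo=1
open_basedir = $home/public_html:$home/tmp
upload_tmp_dir = $home/tmp
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
allow_url_include = Off
upload_max_filesize = 2M
post_max_size = 8M
memory_limit = 128M
max_execution_time = 30
EOF
  # chown -R "$user:$user" "$dir"   # on a real host, as root
}

# ini_value FILE KEY: prints the value of KEY (first match, trailing whitespace trimmed)
ini_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_php_ini FILE: returns 0 if the hardening settings are present, 1 otherwise
audit_php_ini() {
  ini="$1"; rc=0
  [ -n "$(ini_value "$ini" open_basedir)" ] || { echo "FAIL: open_basedir unset"; rc=1; }
  v=$(ini_value "$ini" allow_url_include)
  case "${v:-Off}" in            # absent is fine: PHP defaults to Off
    [Oo]ff|0) ;;
    *) echo "FAIL: allow_url_include enabled"; rc=1 ;;
  esac
  disabled=$(ini_value "$ini" disable_functions | tr -d '[:space:]')
  for fn in exec passthru shell_exec system proc_open popen; do
    case ",$disabled," in
      *",$fn,"*) ;;
      *) echo "FAIL: $fn not in disable_functions"; rc=1 ;;
    esac
  done
  return "$rc"
}

# demo_provision: provision a constructed user under a temp dir and audit the result.
demo_provision() {
  tmp=$(mktemp -d)
  make_fcgi_user "$tmp/fcgi" login /home/login
  prc=0
  [ -x "$tmp/fcgi/login/php5" ] || prc=1
  grep -q "^PHPRC=$tmp/fcgi/login/php\.ini\$" "$tmp/fcgi/login/php5" || prc=1
  audit_php_ini "$tmp/fcgi/login/php.ini" || prc=1
  rm -rf "$tmp"
  return "$prc"
}

# demo_weak_ini: a constructed ini with allow_url_include on must fail the audit.
demo_weak_ini() {
  f=$(mktemp)
  printf 'allow_url_include = On\ndisable_functions = exec, system\n' > "$f"
  audit_php_ini "$f"
  wrc=$?
  rm -f "$f"
  return "$wrc"
}

demo_provision && echo "provisioned and audited OK"
demo_weak_ini || echo "weak ini rejected as expected"
```

On a real host you would call `make_fcgi_user /var/www/fcgi login /home/login` as root and then run the commented chown; `audit_php_ini` can also be pointed at an existing site's php.ini to check that a later edit did not drop one of the settings.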


To have fcgid fix the PATH_INFO paths, add to the /etc/apache2/mods-available/fcgid.conf file

    PHP_Fix_Pathinfo_Enable 1


and also set the FcgidMaxRequestLen parameter, the maximum request size in bytes

    FcgidMaxRequestLen 10737418


memcached and xcache will also add speed

    aptitude install memcached
    aptitude install php5-xcache


Protection against all sorts of injections



For additional security, install the mod_security extension

    aptitude install libapache2-modsecurity


Rename the configuration file

    mv /etc/modsecurity/modsecurity.conf{-recommended,}


Now open it and change the configuration.

    # Enable blocking mode
    SecRuleEngine On
    # Maximum size of a POST body, 10 MB
    SecRequestBodyLimit 10485760
    # Maximum size of a POST body excluding file uploads, 1 MB
    SecRequestBodyNoFilesLimit 1048576


We load the base rules by adding the following between <IfModule security2_module> and </IfModule> in the /etc/apache2/mods-enabled/mod-security.conf file

    Include /usr/share/modsecurity-crs/*.conf
    Include /usr/share/modsecurity-crs/base_rules/*.conf


Protection against DoS, DDoS and flood attacks, as well as password brute forcing



Install mod-evasive for Apache

    aptitude install libapache2-mod-evasive


enable it

    a2enmod mod-evasive


and change the configuration in the /etc/apache2/mods-available/mod-evasive.conf file

    <IfModule mod_evasive20.c>
        # Size of the hash table that tracks clients
        DOSHashTableSize 3097
        # Requests for the same page from one IP within DOSPageInterval before it is blocked
        DOSPageCount 2
        # Requests for any page of the site from one IP within DOSSiteInterval before it is blocked
        DOSSiteCount 50
        # Interval for DOSPageCount (seconds)
        DOSPageInterval 1
        # Interval for DOSSiteCount (seconds)
        DOSSiteInterval 1
        # How long a client stays blocked (seconds)
        DOSBlockingPeriod 10
        # E-mail to notify when an IP is blocked
        DOSEmailNotify mail@gmail.com
        # Log directory
        DOSLogDir "/var/log/mod_evasive"
        # Addresses that are never blocked
        DOSWhitelist 127.0.0.1
        DOSWhitelist 192.168.1.1
    </IfModule>


For brute force protection, install Fail2ban

    aptitude install fail2ban


Restart apache, nginx and memcached


Source: https://habr.com/ru/post/261271/


All Articles