
Secure Debian + Apache2 + vsftpd virtual hosting setup

1. Statement of the problem


Given
Debian server "out of the box" (installed from the distribution)

Task
Organize the work of several projects on the server so that the people working on one project have no access to the neighboring projects.


2. Solution




2.0 Updating


We install fresh versions of the packages. Here is my list of repositories:

 # file: /etc/apt/sources.list
 # Yandex
 deb http://mirror.yandex.ru/debian/ lenny main
 deb http://mirror.yandex.ru/debian/ lenny contrib non-free
 deb-src http://mirror.yandex.ru/debian/ lenny main
 deb-src http://mirror.yandex.ru/debian/ lenny contrib non-free
 # Security fix
 deb http://security.debian.org/ lenny/updates main
 deb http://security.debian.org/ lenny/updates contrib non-free
 deb-src http://security.debian.org/ lenny/updates main
 deb-src http://security.debian.org/ lenny/updates contrib non-free


 debian:~# apt-get update
 debian:~# apt-get dist-upgrade


2.1 Generate keys for SSH


In order to eliminate the possibility of a password being intercepted, we will generate RSA keys for logging in to the server.

 neoveneficus@book:~$ ssh-keygen
 Generating public/private rsa key pair.
 Enter file in which to save the key (/home/neoveneficus/.ssh/id_rsa):
 /home/neoveneficus/.ssh/id_rsa already exists.
 Overwrite (y/n)? y
 Enter passphrase (empty for no passphrase):
 Enter same passphrase again:
 Your identification has been saved in /home/neoveneficus/.ssh/id_rsa.
 Your public key has been saved in /home/neoveneficus/.ssh/id_rsa.pub.
 The key fingerprint is:
 cb:07:dd:67:21:37:ab:93:e1:60:40:ce:0e:b8:b8:e3 neoveneficus@book
 The key's randomart image is:
 +--[ RSA 2048]----+
 | .               |
 | . +             |
 |. . + . +        |
 |.. o . . + +     |
 |+ . o S . oo     |
 |.o . + = . o     |
 |.E . * o         |
 | . o             |
 | .               |
 +-----------------+


Please note: the keys are generated on your working machine, and then only the public key is uploaded to the server:

 neoveneficus@book:~/.ssh$ scp ~/.ssh/id_rsa.pub root@217.212.252.146:.ssh/authorized_keys
 neoveneficus@book:~/.ssh$ cat ~/.ssh/id_rsa.pub | ssh root@217.212.252.146 "cat > ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys"


Now we will be able to log in to the server by key, with or without a passphrase, depending on your settings. I would like to emphasize that if you generated the key without a passphrase, the security level of the server is equivalent to the security level of the private key on your machine. Be careful and take care of the key.

2.2 File system. User rights.


Let's talk about the file system. I propose to allocate a separate folder in the root of the file system for our sites.

 debian:~# cd /
 debian:/# mkdir -m 755 web


Home folders of our users will be of this type:

Create users and set permissions:

 debian:~# useradd site1 -b /web/ -m -U -s /bin/false
 debian:~# passwd site1
 debian:~# chmod 754 /web/site1
 debian:~# mkdir -p -m 754 /web/site1/public_html/www
 debian:~# mkdir -p -m 777 /web/site1/tmp
 debian:~# chmod +t /web/site1/tmp
 debian:~# chown -R site1:site1 /web/site1/


The user site1 will have the home folder /web/site1. The -m switch means that the folder is created automatically; -U means that a group with the same name is also created and the user is placed in it. The user will not have a shell. Everything that is to be reachable from the web is located in the public_html folder. If you ever want subdomains, place them in folders next to www.

2.3 Apache


2.3.1 User rights. Apache modification [apache2-mpm-itk]


As we know, by default the Apache web server runs as one user for all sites located on the server. This means that, using a web shell on one site, one can read the files of neighboring projects.

To correct this, we need to install a modified version of Apache. The package is called apache2-mpm-itk. Having installed the package, we will be able to specify in the site configuration which user and group Apache should run as when serving that site.

 debian:~# apt-get install apache2-mpm-itk


The user and group are set with the config line:

 AssignUserId site1 site1


At the same time, we want it to be impossible, using a web shell, to edit the files of our project, except for those that deliberately have the o+w rights.

 drwxr-xr-- 2 site1 site1 4096  5 10:17 .
 drwxr-xr-x 3 site1 site1 4096  5 10:14 ..
 -rwxr-x--- 1 site1 site1    0  5 10:14 index.php
 -rwxrw---- 1 site1 site1    0  5 10:17 tmp.txt


To do this, we will write in our config:

 AssignUserId www-data site1


Thus, Apache runs as the user www-data with the group site1: it will be able to read index.php, execute it and send the result to the browser, but will not be able to change it, because only the owner has write access. tmp.txt, which is group-writable, it can change.
An important point: you need to disable the shell for the user www-data.

 debian:~# usermod -s /bin/false www-data
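An added check, not part of the original article: with AssignUserId www-data site1, the Apache worker is not the file owner, so inside public_html it can modify only entries whose group (site1) or "other" bits include w. The function below lists exactly those entries, so anything beyond the files you intended to be writable stands out; the per-site tmp directory lives outside public_html and is not scanned. The fixture in selftest is constructed here and mirrors the listing above.

```shell
#!/bin/sh
# Added example, not from the original article. Lists every entry under a
# site's public_html that a process running as www-data:<site> could write
# to, i.e. entries with the group or "other" write bit set. Directories are
# included, since a group-writable directory lets the worker create files.
# Usage: web_writable /web/site1

web_writable() {
    find "$1/public_html" \( -perm -g+w -o -perm -o+w \) -print | sort
}

# Constructed fixture modelled on the article's listing: index.php 750 (read
# and execute only), tmp.txt 760 (group-writable), plus a 770 directory.
# Returns 0 when exactly tmp.txt and the directory are reported.
selftest() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/www/uploads"
    chmod 755 "$d/public_html" "$d/public_html/www"
    chmod 770 "$d/public_html/www/uploads"
    touch "$d/public_html/www/index.php" "$d/public_html/www/tmp.txt"
    chmod 750 "$d/public_html/www/index.php"
    chmod 760 "$d/public_html/www/tmp.txt"
    got=$(web_writable "$d")
    want=$(printf '%s\n%s' "$d/public_html/www/tmp.txt" "$d/public_html/www/uploads")
    rm -rf "$d"
    [ "$got" = "$want" ]
}
```

Run web_writable against each /web/<site> after deploying a project; an empty result means the web process can only read the site.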


2.3.2 Separate tmp for each site

We prevent the inclusion of sessions from a neighboring site, and forbid PHP to go above the user's home directory.

In the configuration of our site, you need to add the open_basedir, upload_tmp_dir and session.save_path directives.

We get this minimalistic config:

 # file: /etc/apache2/sites-available/site1
 <VirtualHost *:80>
     DocumentRoot "/web/site1/public_html/www/"
     ServerName "test1"
     ErrorLog /web/site1/error_log
     CustomLog /web/site1/access_log combined
     AssignUserId www-data site1
     php_admin_value open_basedir "/web/site1/:."
     php_admin_value upload_tmp_dir "/web/site1/tmp"
     php_admin_value session.save_path "/web/site1/tmp"
 </VirtualHost>


After creating the config, you need to make the site active with the command:

 debian:~# a2ensite site1


And then tell Apache to re-read its configs:

 debian:~# /etc/init.d/apache2 reload


2.3.3 Sendmail

Why did I take Sendmail out as a separate item? Because by default it did not work, and I had to tinker. I will describe the easiest way. So that PHP is able to send mail, we do the following.

 # file: /etc/php5/apache2/php.ini
 [   ]
 ++ sendmail_path = /usr/sbin/exim4 -t


There is an exim4-config package for configuring Exim4 (by default it is the Mail Transfer Agent in use). You can use it like this:

 debian:~# dpkg-reconfigure exim4-config


After that, it will start asking questions. To the first one (General type of mail configuration) we answer:
And then press Enter until the end of the settings. Now everything should work.

2.4 vsftpd


Now let's deal with FTP. vsftpd was chosen for the job.

 debian:~# apt-get install vsftpd


Next, change the config:

 # file: /etc/vsftpd.conf
 listen=YES
 anonymous_enable=NO
 local_enable=YES
 write_enable=YES
 dirmessage_enable=YES
 xferlog_enable=YES
 connect_from_port_20=YES
 ascii_upload_enable=YES
 ascii_download_enable=YES
 ftpd_banner=Welcome to our FTP service.
 chroot_local_user=YES
 secure_chroot_dir=/var/run/vsftpd
 pam_service_name=vsftpd
 rsa_cert_file=/etc/ssl/certs/vsftpd.pem


We tell the vsftpd daemon to reread the configs:

 debian:~# /etc/init.d/vsftpd reload


2.5 MySQL + PostgreSQL


We install MySQL:

 debian:~# apt-get install mysql-server phpmyadmin


Create a new user.

 # note: a password given with --password is visible to other local users in the process list while the command runs
 debian:~# echo "CREATE USER 'site1'@'localhost' IDENTIFIED BY '___site1';
 GRANT USAGE ON *.* TO 'site1'@'localhost' IDENTIFIED BY '___site1' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
 CREATE DATABASE IF NOT EXISTS site1 DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
 GRANT ALL PRIVILEGES ON site1.* TO 'site1'@'localhost';" | mysql --user=root --password=_mysqlroot mysql


We install Postgres:

 debian:~# apt-get install postgresql phppgadmin


Change password for postgres user:

 debian:~# echo "\password" | sudo -u postgres psql
 Enter new password: __postgres
 Enter it again: __postgres


After setting the password for the postgres superuser, we need to fix the config file. By default, any local user can run psql with superuser rights without entering a password. We fix this.

 # file: /etc/postgresql/8.3/main/pg_hba.conf
 -- local all postgres ident sameuser
 -- local all all ident sameuser
 ++ local all postgres md5
 ++ local all all md5


In /etc/phppgadmin/apache.conf we open access from the outside.

 order deny,allow
 deny from all
 allow from 127.0.0.0/255.0.0.0 ::1/128
 # allow from all


Change to:

 order deny,allow
 deny from all
 allow from 127.0.0.0/255.0.0.0 ::1/128
 allow from all


We tell Apache to re-read its configs:

 debian:~# /etc/init.d/apache2 reload


Postgres has one caveat: users always see the names of the neighboring databases. To keep them out of our users' sight in phppgadmin, we correct the config:

 # file: /etc/phppgadmin/config.inc.php
 -- $conf['owned_only'] = false;
 ++ $conf['owned_only'] = true;


Users are created with this command:

 debian:~# echo "CREATE USER site1 WITH PASSWORD '___site1' NOCREATEDB NOINHERIT NOCREATEUSER;
 CREATE DATABASE site1 OWNER site1;" | sudo -u postgres psql


2.6 Firewall


In our case the goal is simple: to prevent an attacker from opening ports. Therefore the solution will be simple too. We will not go into the nuances of iptables rules and will instead use the arno-iptables-firewall package, which simplifies our lives. It asks us what we want during installation; the answers to the questions are below.

 debian:~# apt-get install arno-iptables-firewall
 * Do you want to manage the firewall setup with debconf? :
 * External network interfaces: eth0
 * Open external TCP-ports: 21 22 53 80 443 3128 5432 5001 5900 6881:6889
 * Open external UDP-ports: 53 3130 5001 6881:6889
 * Internal network interfaces: <    >


2.7 Running Apache2 in a chroot environment [via libapache2-mod-chroot]


What is chrooting? It is the creation of a special environment (a sandbox) isolated from the rest of the system. Say the Apache process should not have access to the home folders. At the same time, everything it needs to work must be brought into the isolated environment. The easiest way is to use libapache2-mod-chroot.

 debian:~# apt-get install libapache2-mod-chroot
 debian:~# a2enmod mod_chroot
 debian:~# /etc/init.d/apache2 restart


Chrooting is an interesting topic with a bunch of problems, stemming from the fact that, in addition to Apache, you usually need a bunch of additional programs, libraries and tools to work. Therefore I will not write an article within the article, and instead refer you to excellent material on this topic. Use the ldd program and take everything you need with you into the isolated environment.

sudouser.com/zapusk-web-servera-apache2-v-srede-chroot-v-debian-i-ubuntu.html

2.8 Automate adding new users


I started writing a script and realized that a monster that can do everything would be inconvenient to use. In this article all the commands were written so that they could simply be put into an sh script. Therefore I think that in a few minutes each reader can put together a script that is necessary and convenient for them.
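As an added example (not the article's own script), here are the per-site commands from sections 2.2 and 2.3 collected into functions, assuming the article's layout: /web/<site>, the www-data:<site> split via AssignUserId, and the Debian lenny paths. The names check_name, check_host, vhost_conf and create_site are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Provisions one site the way
# sections 2.2 and 2.3 describe. create_site must run as root; vhost_conf and
# the checks are pure and can be run by anyone.

# The site name is spliced into paths and into the Apache config, so accept
# only a short lowercase alphanumeric token (no "/", "..", spaces or quotes).
check_name() {
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9]{0,15}$'
}

# ServerName ends up inside quotes in the vhost; allow only hostname characters.
check_host() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9.-]{0,252}[a-z0-9])?$'
}

# Print the VirtualHost from section 2.3.2 for site $1 with ServerName $2.
vhost_conf() {
    check_name "$1" || return 1
    check_host "$2" || return 1
    cat <<EOF
<VirtualHost *:80>
    DocumentRoot "/web/$1/public_html/www/"
    ServerName "$2"
    ErrorLog /web/$1/error_log
    CustomLog /web/$1/access_log combined
    AssignUserId www-data $1
    php_admin_value open_basedir "/web/$1/:."
    php_admin_value upload_tmp_dir "/web/$1/tmp"
    php_admin_value session.save_path "/web/$1/tmp"
</VirtualHost>
EOF
}

# Create the account, directory tree and vhost, then enable it (root only).
create_site() {
    site="$1" host="$2"
    check_name "$site" || return 1
    check_host "$host" || return 1
    useradd "$site" -b /web/ -m -U -s /bin/false || return 1
    chmod 754 "/web/$site"
    mkdir -p -m 754 "/web/$site/public_html/www"
    mkdir -p -m 1777 "/web/$site/tmp"   # 777 plus the sticky bit (chmod +t)
    chown -R "$site:$site" "/web/$site"
    vhost_conf "$site" "$host" > "/etc/apache2/sites-available/$site"
    a2ensite "$site" && /etc/init.d/apache2 reload
}
```

Set the FTP password separately with passwd, as in section 2.2, so it never appears on a command line.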

P.S.


I will be glad to receive comments. Thoughts about chroot are of particular interest. Who knows simple recipes?

Source: https://habr.com/ru/post/92107/
