The Community Forums


How to secure apache

Discussion in 'EasyApache' started by linuxoid, Jun 15, 2005.

  1. linuxoid (Member, Oslo; joined Feb 22, 2005; 5 messages)

    Hello,

    I am having a few issues with the Apache server.
    Although I am using a large number of disabled functions in PHP, I have to keep popen() and register_globals enabled, otherwise users simply leave for another host.

    What I have now is:
    disable_functions = ini_set,ini_alter,curl_exec,exec,system,passthru,shell_exec,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,leak,listen,chgrp,set_time_limit,apache_note,apache_setenv,closelog,debugger_off,debugger_on,define_syslog_variables,openlog,syslog,escapeshellcmd,ftp_exec,phpinfo,dl

    Right now I am running PHP as a module, and therefore I am able to use the open_basedir parameters in httpd.conf. I needed to run it as a module only to be able to lock users who use PHP inside their home directories, since I found a few PHP shells on the server.
    mod_security is not a big help here since it cannot filter output well enough (that works only on Apache 2), and Apache 2 has problems with a few modules which I need and is not well supported on cPanel yet.

    Before that, I was running PHP as CGI (phpsuexec), and was able to see which user was running which processes; however, there was a downside to that: open_basedir was no longer effective since it requires mod_php (correct me if I am wrong).

    --
    What I am after is this:
    1. I want to be able to limit resource usage for all users who use the web server (Apache + PHP + mod_perl), since some of them are running buggy scripts and it affects the entire server, which almost hangs after it has run for a while. If I restart httpd + MySQL the load goes down immediately.
    2. I also want to have good enough security, so that users would not be able to run PHP shells in the first place. A third step perhaps would be to also disable Perl-based webshells and such, but I am not sure how to do that.

    Apache 2 + mod_security would do the trick since I would be able to filter output, but since Apache 2 is not supported well enough, is there any other solution?

    Your advice is appreciated.

    I don't need step by step, just please name what setup I should use - I can fix the rest :)

    Best regards, Mike.
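    An added example, not from the poster or from cPanel, of what the mod_php setup described above looks like in httpd.conf: open_basedir and disable_functions are set per virtual host with php_admin_value, which a script cannot undo with ini_set() or a .htaccess php_value. The IP address, account name and paths are assumptions.

```apache
# Added example, not from the original post or cPanel: per-virtual-host PHP
# hardening for PHP running as an Apache module (mod_php). The IP, user and
# paths are hypothetical. php_admin_value settings cannot be overridden by
# ini_set(), .htaccess or php_value, which is the point of setting them here.
<VirtualHost 192.0.2.10:80>
    ServerName example.com
    DocumentRoot /home/exampleuser/public_html

    # Confine this vhost's scripts to the account plus the PHP include tree.
    # open_basedir is enforced by the PHP engine only; it does nothing for
    # Perl CGI scripts, which see whatever Unix permissions allow.
    php_admin_value open_basedir "/home/exampleuser/:/usr/local/lib/php/:/tmp/"

    # Keep upload and session storage inside the allowed tree so the
    # restriction above does not break uploads and sessions.
    php_admin_value upload_tmp_dir "/home/exampleuser/tmp"
    php_admin_value session.save_path "/home/exampleuser/tmp"

    # The list from the post (ini_set, not set_ini, is the PHP function name).
    # popen() is still absent: it runs a shell command the same way exec()
    # does, so while it stays enabled the rest of this list does not stop
    # command execution from an uploaded script.
    php_admin_value disable_functions "ini_set,ini_alter,curl_exec,exec,system,passthru,shell_exec,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,leak,listen,chgrp,set_time_limit,apache_note,apache_setenv,closelog,debugger_off,debugger_on,define_syslog_variables,openlog,syslog,escapeshellcmd,ftp_exec,phpinfo,dl"
</VirtualHost>
```

    One consequence of the module setup worth keeping in mind: with mod_php every script runs as the Apache user (typically nobody), not as the account owner, so files owned by the account with mode 600 are unreadable to it and produce errors rather than pages; 600 on script files only works when PHP runs as the file owner, as it does under phpsuexec.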
     
  2. chirpy (Well-Known Member; joined Jun 15, 2002; 13,475 messages)

    A few things:

    1. phpsuexec doesn't need open_basedir protection as such, since scripts are restricted by Linux security on file ownership and permissions.

    2. If you're going to all this trouble with PHP, does this mean that you disable and disallow Perl CGI scripts? If not, then it's probably pretty pointless, as you cannot effectively do such things with Perl scripts at all.

    3. Your best defence is always going to be at the Linux level with permissions and file ownership anyway.

    4. You can do resource restriction within httpd.conf at a server-wide or virtual host level. You should probably have a trawl through apache.org for that kind of stuff, though ultimately a sound AUP is going to be much better, and having users who abuse the server resources available either: moderate their usage themselves; get a dedicated server; or go elsewhere.
     
  3. linuxoid (Member, Oslo)

    In reply to chirpy:
    1. If I am not using open_basedir, then users can upload a PHP shell or Perl shell script and use those to browse the entire machine. Sure, I can set correct permissions to protect other users' home directories and such, but what if the attacker is searching for files like FrontPage files, typical names like db.conf, and so on? If I do not lock users in their home directories, nothing stops them from doing so, unless I change permissions on ALL files under web directories for ALL users so only those users can read them.
    It should not be a problem though, but somehow with cPanel I am getting 500 errors (access denied) if I use 600 permissions on files belonging to the user, and use 711 recursively on the web directories in the user's home.
    2. I agree with you - right now Perl scripts are disabled, and the reason why I asked for advice is that a few resellers want Perl script access. So, coming back to open_basedir: is it able to lock users running Perl scripts into their own directory only, or will they be able to browse the entire server?
    I am interested in locking them down so they cannot search for other users' files with certain known names.
    4. Can I restrict resource usage per virtual host, like file descriptors, CPU time and such, as at the OS level itself? So far I have found nothing on how to do that in Apache 1.3.x.

    Advice is appreciated.

    M.
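    An added example, not from either poster or from cPanel, of what chirpy's point 4 and the question above about per-virtual-host limits look like in an Apache 1.3.x httpd.conf. The RLimitCPU, RLimitMEM and RLimitNPROC directives are part of the Apache core and are accepted in virtual host context; the account name, paths and numbers are assumptions. It also covers the Perl question: there is no open_basedir for Perl, so with suEXEC the filesystem ownership and modes are the boundary.

```apache
# Added example, not from the posters or cPanel: per-virtual-host resource
# limits in Apache 1.3.x. The IP, user, paths and numbers are hypothetical.
<VirtualHost 192.0.2.10:80>
    ServerName example.com
    DocumentRoot /home/exampleuser/public_html
    ScriptAlias /cgi-bin/ /home/exampleuser/public_html/cgi-bin/

    # With suEXEC enabled, CGI (Perl) scripts for this vhost run as this
    # user, so the filesystem is their boundary: there is no open_basedir
    # equivalent for Perl, and another account's files stay out of reach
    # only if their ownership and modes keep them unreadable to other uids.
    User exampleuser
    Group exampleuser

    # RLimit* directives apply setrlimit() limits to processes the server
    # forks (CGI, SSI exec). They do not constrain code that runs inside
    # httpd itself, such as mod_php or mod_perl handlers.
    # Soft and hard CPU seconds per CGI process:
    RLimitCPU 30 60
    # Soft and hard address space in bytes (64 MiB / 128 MiB):
    RLimitMEM 67108864 134217728
    # Soft and hard process count for the uid the CGI runs as. Without
    # suEXEC that uid is the server's own, and the Apache documentation
    # warns that the limit then also restricts the server's own forking.
    RLimitNPROC 25 30

    # For mod_php the limits have to come from PHP itself, set per vhost so
    # scripts cannot raise them with ini_set(). (PHP 4 honours memory_limit
    # only when built with --enable-memory-limit.)
    php_admin_value max_execution_time 30
    php_admin_value memory_limit 32M
</VirtualHost>
```

    The RLimit* directives cover the CGI case chirpy's point 1 describes; for in-process handlers (mod_php, mod_perl) the only per-vhost controls at this level are the engine's own settings, such as the PHP ones at the end of the block, and file descriptors are not among what any of these directives limit.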
     