Apache - SuExec and SuPhp

I use DirectAdmin's custombuild to build a web server only (no mail; I don't like exim). PHP runs under suEXEC and suPHP, without Suhosin.
    cd /usr/local/directadmin/
    wget http://files.directadmin.com/services/custombuild/1.1/custombuild.tar.gz
    tar xvzf custombuild.tar.gz
    cd custombuild
    ./build update_data
Edit hosts:
    vim /etc/hosts
        server.hbn.local server               localhost.localdomain localhost
        ::1             localhost6.localdomain6 localhost6
Install bind (already present):
    yum install -y bind-chroot
    cd /usr/local/updatescript/
    wget http://tools.web4host.net/update.script
    chmod 700 update.script
    ./update.script OPENSSL
Install Apache:
    cd /usr/local/directadmin/
    ./build zlib
    ./build apache
Install MySQL (packages from http://mysql.com):
    yum install -y perl-DBI
    rpm -Uvh MySQL-*
    mysqladmin -u root password password
    mysql -u root -p
Install PHP:
    cd /usr/local/directadmin/custombuild
    ./build libtool
    ./build libjpeg
    ./build libpng
    ./build php n
    Check /etc/httpd/conf/extra/httpd-suphp.conf; it should contain:

AddHandler x-httpd-php5 .inc .php .php3 .php4 .php5 .phtml

suPHP_Engine on
suPHP_ConfigPath /usr/local/etc/php5/cgi/
suPHP_AddHandler x-httpd-php5
    cd /etc/httpd/conf/extra/
    vim httpd-vhosts.conf
        #Include /etc/httpd/conf/ips.conf
        LogFormat "%b \"%r\"" homedir

        # The <VirtualHost> container lines did not survive in the original; *:80 is assumed here
        <VirtualHost *:80>
            ServerAdmin new@pdt.local
            AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
            DocumentRoot /home/new/public_html
            ServerName new.pdt.local
            SuexecUserGroup new new
            suPHP_Engine on
            suPHP_UserGroup new new
            # handler name should match the AddHandler in httpd-suphp.conf
            suPHP_AddHandler x-httpd-php
            ScriptAlias /cgi-bin/ /home/new/cgi-bin/
        </VirtualHost>

        <VirtualHost *:80>
            ServerAdmin www@pdt.local
            AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
            DocumentRoot /home/www/public_html
            ServerName www.pdt.local
            ScriptAlias /cgi-bin/ /home/www/cgi-bin/
            SuexecUserGroup www www
            suPHP_Engine on
            suPHP_UserGroup www www
            suPHP_AddHandler x-httpd-php
            SetEnv PHP_INI_SCAN_DIR /usr/local/directadmin/data/users/www/php/
        </VirtualHost>
    mkdir /var/log/httpd
restart httpd

Use a separate php.ini per user:
    cd /usr/local/directadmin/data/users/www/php/
    vim php.ini
        open_basedir = /home/www/:/tmp/
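Added check for the vhost and php.ini settings above (an example script written for this page, not part of the original post or of DirectAdmin): it reads a vhost file and confirms each <VirtualHost> pairs SuexecUserGroup with a matching suPHP_UserGroup and a DocumentRoot under that user's home, then confirms a per-user php.ini keeps open_basedir to /home/<user>/ and /tmp/. The vhost file and php.ini it reads are constructed inline in write_samples.

```shell
# Added example (not from the original post or DirectAdmin). Audits the suEXEC/suPHP vhost
# layout: each <VirtualHost> needs SuexecUserGroup and suPHP_UserGroup naming the same user/group
# and a DocumentRoot inside that user's home, else CGI/PHP runs as one account on another's files.
audit_vhosts() {   # $1 = vhost config file; prints OK/FAIL per vhost, exit 1 on any FAIL
    awk '
    /^[ \t]*<VirtualHost/ { name = su = sg = pu = pg = root = "" }
    /^[ \t]*ServerName/      { name = $2 }
    /^[ \t]*SuexecUserGroup/ { su = $2; sg = $3 }
    /^[ \t]*suPHP_UserGroup/ { pu = $2; pg = $3 }
    /^[ \t]*DocumentRoot/    { root = $2; gsub(/"/, "", root) }
    /^[ \t]*<\/VirtualHost>/ {
        home = "/home/" su "/"; why = ""
        if (su == "")                    why = "no SuexecUserGroup"
        else if (pu == "")               why = "no suPHP_UserGroup"
        else if (su != pu || sg != pg)   why = "suEXEC " su ":" sg " vs suPHP " pu ":" pg
        else if (index(root, home) != 1) why = "DocumentRoot " root " outside " home
        if (why == "") print "OK " name; else { print "FAIL " name ": " why; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}
# The per-user php.ini must confine open_basedir to /home/<user>/ and /tmp/ (exit 1 otherwise).
check_open_basedir() {   # $1 = php.ini, $2 = user
    awk -v home="/home/$2/" '
    /^[ \t]*open_basedir[ \t]*=/ {
        found = 1; sub(/^[^=]*=[ \t]*/, ""); gsub(/["\t ]/, "")
        n = split($0, p, ":")
        for (i = 1; i <= n; i++) if (p[i] != home && p[i] != "/tmp/") { print "FAIL open_basedir allows " p[i]; bad = 1 }
    }
    END { if (!found) { print "FAIL open_basedir not set"; bad = 1 } exit bad + 0 }' "$1"
}
# Constructed sample: a consistent vhost (www), one whose suEXEC/suPHP accounts disagree (new), a php.ini.
write_samples() {   # prints the temp directory holding the sample files
    d=$(mktemp -d)
    cat > "$d/httpd-vhosts.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.pdt.local
    DocumentRoot /home/www/public_html
    SuexecUserGroup www www
    suPHP_UserGroup www www
</VirtualHost>
<VirtualHost *:80>
    ServerName new.pdt.local
    DocumentRoot /home/new/public_html
    SuexecUserGroup new new
    suPHP_UserGroup www www
</VirtualHost>
EOF
    printf 'open_basedir = /home/www/:/tmp/\n' > "$d/php.ini"
    echo "$d"
}
```

Run it against the real files with `audit_vhosts /etc/httpd/conf/extra/httpd-vhosts.conf` and `check_open_basedir /usr/local/directadmin/data/users/www/php/php.ini www`.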
Allow CGI:
    vim /etc/httpd/conf/httpd.conf
        Include conf/extra/httpd-userdir.conf
    vim /etc/httpd/conf/extra/httpd-userdir.conf
        # The <Directory> container line did not survive in the original; the per-user
        # public_html path used by the vhosts above is assumed here
        <Directory /home/*/public_html>
            AllowOverride None
            Options None
            Order allow,deny
            Allow from all
        </Directory>

Permission tree I use for each user:
    directories: 755
    files: 400
Run a shell script through the web server to check which id it runs as :D
Disable LOAD DATA INFILE in MySQL:
    vim /etc/my.cnf
    Note: set user privileges with GRANT if you know how, or use phpMyAdmin.
/// System
Restrict ln, cat, perl, sh, dir, cd, wget, tar, ll, chmod, setfacl, getfacl (every command I consider dangerous to the system) to root with chmod 700.
If you understand your system, you can use ACLs to control who may read /etc/passwd and /etc/shadow.
Use http://configserver.com/cp/csf.html to mitigate DDoS.
Disable all unneeded services:
    services="acpid anacron apmd autofs bluetooth cups firstboot gpm haldaemon messagebus mdmonitor hidd ip6tables kudzu lvm2-monitor netfs nfslock pcscd portmap rpcgssd rpcidmapd sendmail smartd yum-updatesd"
    for service in $services; do
        service $service stop
        chkconfig --level 35 $service off
    done
    echo "Complete"
Note: PHP here is configured to run in CGI mode (php-cgi), not CLI, under the file owner's account, so files only need chmod 400. Apache runs the prefork MPM, which limits the damage somewhat if an attacker uses cgi-telnet; still, it is best to disable CGI, since in Vietnam no customer uses it anyway. MySQL needs further hardening.
I will write tut2 on security + optimizing the server :D
Thanks for reading
All my Lab:
Linux Lab -- Windows and Cisco Lab
To be continued - I will update more.