Sunday, March 28, 2010

Apache - SuExec and SuPhp

I use DirectAdmin custombuild to build a web server only (no mail; I don't like Exim). I use suExec and suPHP, not Suhosin.
download:
    cd /usr/local/directadmin/
    wget http://files.directadmin.com/services/custombuild/1.1/custombuild.tar.gz
    tar xvzf custombuild.tar.gz
    cd custombuild
    ./build
    ./build update_data
Preparing:
Edit /etc/hosts:
#vim /etc/hosts
    192.168.232.100           server.hbn.local server
    127.0.0.1               localhost.localdomain localhost
    ::1             localhost6.localdomain6 localhost6
Install bind (already present):
    yum install -y bind-chroot
Update_script:
    cd /usr/local/updatescript/
    wget http://tools.web4host.net/update.script
    chmod 700 update.script
    ./update.script OPENSSL
Install apache
    cd /usr/local/directadmin/
    ./build zlib
    ./build apache
Install Mysql: http://mysql.com
    MySQL-client-5.1.41-0.glibc23.i386.rpm
    MySQL-devel-5.1.41-0.glibc23.i386.rpm
    MySQL-server-5.1.41-0.glibc23.i386.rpm
    MySQL-shared-compat-5.1.41-0.glibc23.i386.rpm
    yum install -y perl-DBI
    rpm -Uvh MySQL-*
    mysqladmin -u root password password
    mysql -u root -p
Install php
    cd /usr/local/directadmin/custombuild
    ./build libtool
    ./build libjpeg
    ./build libpng
    edit options.conf:
        php5_cli=no
        php5_cgi=yes
    ./build php n
    check: /etc/httpd/conf/extra/httpd-suphp.conf
        # <IfModule> and <Location> wrappers restored here; the blog's HTML stripped them (assumed to match DirectAdmin's template)
        <IfModule mod_suphp.c>
            AddHandler x-httpd-php5 .inc .php .php3 .php4 .php5 .phtml
            <Location />
                suPHP_Engine on
                suPHP_ConfigPath /usr/local/etc/php5/cgi/
                suPHP_AddHandler x-httpd-php5
            </Location>
        </IfModule>
    cd /etc/httpd/conf/extra/
    vim httpd-vhosts.conf
        #Include /etc/httpd/conf/ips.conf
        Insert:
        LogFormat "%b \"%r\"" homedir
        NameVirtualHost 192.168.232.100:80
        NameVirtualHost 192.168.232.100:443

        # <VirtualHost> open/close tags restored here; the blog's HTML stripped them (port 80 assumed, since neither vhost carries SSL directives)
        <VirtualHost 192.168.232.100:80>
            ServerAdmin new@pdt.local
            AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
            DocumentRoot /home/new/public_html
            ServerName new.pdt.local
            SuexecUserGroup new new
            suPHP_Engine on
            suPHP_UserGroup new new
            suPHP_AddHandler x-httpd-php
            ScriptAlias /cgi-bin/ /home/new/cgi-bin/
        </VirtualHost>

        <VirtualHost 192.168.232.100:80>
            ServerAdmin www@pdt.local
            AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
            DocumentRoot /home/www/public_html
            ServerName www.pdt.local
            ScriptAlias /cgi-bin/ /home/www/cgi-bin/
            SuexecUserGroup www www
            suPHP_Engine on
            suPHP_UserGroup www www
            suPHP_AddHandler x-httpd-php
            SetEnv PHP_INI_SCAN_DIR /usr/local/directadmin/data/users/www/php/
        </VirtualHost>
    mkdir /var/log/httpd
    restart httpd

Use a separate php.ini per user:
    cd /usr/local/directadmin/data/users/www/php/
    vim php.ini
        open_basedir = /home/www/:/tmp/
Allow CGI
    vim /etc/httpd/conf/httpd.conf
        Include conf/extra/httpd-userdir.conf
    vim /etc/httpd/conf/extra/httpd-userdir.conf
        # <Directory> wrapper restored here; the blog's HTML stripped it (path assumed from DirectAdmin's userdir template)
        <Directory /home/*/public_html>
            AllowOverride None
            Options None
            Order allow,deny
            Allow from all
        </Directory>

Tree I use for each user:
    /home/user/public_html
    /home/user/cgi-bin
    chmod directories: 755
    chmod files: 400
    run a shell script to see the id :D
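Added example (not from the original post or from DirectAdmin): a small POSIX shell audit of the per-user tree above. suExec refuses to execute a CGI whose script or parent directory is writable by anyone other than its owner, and suPHP runs each vhost's PHP as the `suPHP_UserGroup` user, so the checks worth automating are that everything under public_html and cgi-bin belongs to that user and carries no group/world write bit, and that the two directories are 755 as listed. The function name and its output format are mine; it relies on GNU `find`/`stat`.

```shell
#!/bin/sh
# Added example, not part of the original post or of DirectAdmin.
# Audit one user's web tree for the layout described above:
#   - public_html and cgi-bin exist and are mode 755
#   - every entry inside is owned by the vhost user (suExec/suPHP identity)
#   - nothing inside is writable by group or others (suExec rejects such CGIs)
# Usage: audit_user_tree /home/www www
# Prints each problem found and returns 1 if there were any, 0 otherwise.

audit_user_tree() {
    home="$1"
    owner="$2"
    problems=0
    for dir in "$home/public_html" "$home/cgi-bin"; do
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"
            problems=$((problems + 1))
            continue
        fi
        # directories in this layout are expected to be 755
        mode=$(stat -c %a "$dir")
        if [ "$mode" != "755" ]; then
            echo "$dir is mode $mode, expected 755"
            problems=$((problems + 1))
        fi
        # entries not owned by the vhost user would run (or be served) under the wrong identity
        n=$(find "$dir" ! -user "$owner" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            find "$dir" ! -user "$owner" -exec echo "not owned by $owner: {}" \;
            problems=$((problems + n))
        fi
        # entries writable by group or others: suExec refuses them, and they let other users tamper
        n=$(find "$dir" -perm /022 | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            find "$dir" -perm /022 -exec echo "group/world writable: {}" \;
            problems=$((problems + n))
        fi
    done
    echo "$problems problem(s) under $home"
    [ "$problems" -eq 0 ]
}
```

Run it from cron over every DirectAdmin user (`for u in /home/*; do audit_user_tree "$u" "$(basename "$u")"; done`) and a suExec "file is writable by others" or "target uid/gid mismatch" error in /var/log/httpd/suexec_log will usually already have a matching line in this output.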
///MYSQL
Disable LOAD DATA LOCAL INFILE in MySQL:
    vim /etc/my.cnf
    local-infile=0
    Note: set per-user privileges with GRANT if you know how, or with phpMyAdmin.
/// System
Disable ln, cat, perl, sh, dir, cd, wget, tar, ll, chmod, setfacl, getfacl (all commands I think are dangerous to your system): chmod 700.
If you understand your system, you can use ACLs to control permission to access /etc/passwd and /etc/shadow.
// DOS DDOS
Use CSF (http://configserver.com/cp/csf.html) to mitigate DoS/DDoS.
//Optimize
Disable all unneeded services:
    #!/bin/bash
    #
    # stop and disable services a pure web server does not need (rpcidmapd spelling corrected)
    services="acpid anacron apmd autofs bluetooth cups firstboot gpm haldaemon messagebus mdmonitor hidd ip6tables kudzu lvm2-monitor netfs nfslock pcscd portmap rpcgssd rpcidmapd sendmail smartd yum-updatesd"
    for service in $services; do
        service $service stop
        chkconfig --level 35 $service off
    done
    echo "Complete"
Note: PHP here is configured to run in CGI mode (php-cgi), not CLI, under the file owner's account, so files only need chmod 400. Apache runs prefork, which limits the damage somewhat if an attacker uses cgi-telnet, but it is best to disable it since no customer in Vietnam uses it anyway. MySQL needs further hardening.
I will write tutorial 2 on security + server optimization :D
Thanks for reading
--------------------------------------------------------------------------
All my Lab:
Linux Lab -- Windows and Cisco Lab
to be continued - I will update more.
