Apache 2 - Security
Apache 2 and PHP5: Secure your installation!
PHP Security Info
If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html
Installation
cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo
Virtual host configuration
Edit your V.Host configuration
vim /etc/apache2/sites-available/myServer!! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess.
<VirtualHost _default_:443>
# PHPSecInfo
Alias /phpsec /var/www/phpsecinfo
<Location /phpsec >
Require all granted
ProxyPass !
order deny,allow
# allow from 127.0.0.1 192.168.1.0/24
allow from all
</Location>
</VirtualHost>
Reload your configuration
/etc/init.d/apache2 reload
Run the test
To asset your current installation you can run the test: https://myServer/phpsec
Improve security
PHP5 sessions and temp files
Create specific directory to store the sessions and temp files:
mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/tempEdit the configuration file
vim /etc/php5/apache2/php.iniline 798 → upload_tmp_dir = /etc/php5/temp line 1409 → session.save_path = "/etc/php5/session"
PHP5 tweak
vim /etc/php5/apache2/php.iniline 261 → expose_php = Off line 480 → display_errors=Off line 675 → post_max_size=256K line 814 → allow_url_fopen=Off
DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)
Restart your server to load the changes:
service apache2 restartRe-run the test. Then:
- Ignore the open_basedir and upload_tmp_dir alerts, if any.
- You can enable some specific options with a .htaccess file
Change Apache 2 UID
Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...
Change the Apache UID
vim /etc/groupChange www-data UID
www-data:x:10033:Change the Apache GID
vim /etc/passwdChange the group settings
www-data:x:10033:10033:www-data:/var/www:/bin/falseApply modifications
chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*To take on the modifications you have to reboot your server.
Avoid DOS attacks
Source: Linux mag’ – Hors serie Apache2
You can protect your server from Denial Of Service (DOS) attacks through mod_evasive
apt-get install libapache2-mod-evasivePrepare log directory
mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data /var/log/apache2/mod_evasiveEnable module
a2enmod mod-evasive
Configuration
Create the configuration file
vim /etc/apache2/conf.d/mod_evasive.confPut:
# Mod evasive configuration
# Based upon Linux Mag
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
# Limit user to 5 pages per 2 seconds
DOSPageCount 5
DOSPageInterval 2
# No more than 100 HTTP request per second (HTML, CSS, images, …)
DOSSiteCount 100
DOSSiteInterval 1
# Block client for 300 seconds
DOSBlockingPeriod 300
# Send alert email
#DOSEmailNotify "admin@myDomain"
# Log directory
DOSLogDir "/var/log/apache2/mod_evasive"
# Command to execute on ban
#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"
# Ignore following IP and networks
DOSWhiteList 127.0.0.1
#DOSWhitelist 66.249.65.*
<IfModule mod_evasive20.c>DosHashTableSize = Size of the hash table.
- The greater, the more memory is required but the faster it is! The value must be a prime number
Apply changes
service apache2 restart
