sleed

[Tutorial] How to secure APACHE2, MySQL, PHP


Hello. Since the "server security business" has started, https://rstforums.com/forum/15896-tutorial-cum-securizam-un-server.rst , I propose to show you how to secure the components that make a server functional as well.

Good, let's start with APACHE. What is Apache?

Apache is an open-source HTTP server. Apache supports a wide variety of modules that extend its functionality, ranging from server-side programming to authentication schemes. Some supported languages are: mod_perl, mod_python, Tcl and PHP. Other modules include: SSL and TLS support (mod_ssl), a proxy module, a URL rewriting module (known as the mod_rewrite rewrite engine), custom log files (mod_log_config) and filtering support (mod_include and mod_ext_filter). Another feature of the Apache server is virtual hosting, which means the ability to host several sites at the same time on the same server. [source: Wikipedia]

Let's get down to... business.

For APACHE2

First of all we hide which Linux variant is in use:

Go to: /etc/apache2/apache2.conf [or httpd.conf]

and add at the end:

ServerSignature Off
ServerTokens Prod

Then we disable directory listing:

<Directory /var/www/html>
Options -Indexes
</Directory>

(also added to the same .conf file).

Uninstall the modules we don't need, for example: mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex, with the following command:

a2dismod ...

Install mod security:

sudo apt-get install libapache2-mod-security
sudo a2enmod mod-security
service apache2 restart

I wanted to use mod evasive, but I'll show in .htaccess how to prevent bruteforce :)

Then turn off symlinks:

Options -FollowSymLinks

We can put this in apache.conf :) or in .htaccess.

Set an upload limit for users in the conf:

<Directory "/var/www/myweb1/user_uploads">
LimitRequestBody 210000
</Directory>
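As an added example (not from the post), here is a small Python check that parses an apache2.conf fragment like the one above and reports which of these hardening directives are missing; the configuration text is constructed for the demo, with one hardened Directory block and one left on Apache's defaults.

```python
import re

# Constructed apache2.conf fragment used as sample input (not a real server's file):
# the global directives from the post plus two Directory blocks.
SAMPLE_APACHE_CONF = """
ServerSignature Off
ServerTokens Prod
<Directory /var/www/html>
    Options -Indexes -FollowSymLinks
</Directory>
<Directory "/var/www/myweb1/user_uploads">
    LimitRequestBody 210000
    Options Indexes FollowSymLinks
</Directory>
"""

def parse_apache_conf(text):
    """Return (global_directives, {directory_path: directives}); names are lower-cased."""
    global_dirs, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.IGNORECASE)
        if opened:
            current = opened.group(1)
            blocks[current] = {}
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        parts = line.split(None, 1)
        target = blocks[current] if current else global_dirs
        target[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return global_dirs, blocks

def audit_apache_conf(text):
    """List hardening gaps relative to the post; Apache defaults are ServerTokens Full, ServerSignature Off."""
    global_dirs, blocks = parse_apache_conf(text)
    findings = []
    if global_dirs.get("servertokens", "Full").lower() != "prod":
        findings.append("ServerTokens is not Prod: OS and module versions leak in the Server header")
    if global_dirs.get("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature is not Off")
    for path, dirs in blocks.items():
        options = dirs.get("options", "").split()
        for opt in ("Indexes", "FollowSymLinks"):
            if "-" + opt not in options:  # only an explicit -Indexes / -FollowSymLinks counts
                findings.append(f"{path}: Options does not disable {opt}")
    return findings
```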

--------------------------------------------------------------------------------

Then we create a folder, named for example members, in /var/www/, with the following access configuration (in a .htaccess inside that folder, or in a <Directory> block in the .conf):

AuthName "Login Intro Exemplu."
AuthType Basic
AuthUserFile /var/www/members/.htpasswd
AuthGroupFile /dev/null
require user name-of-user

Also in /var/www/members, we create a login for access:

htpasswd -c .htpasswd name-utilizator

We set ownership so it is only accessible from inside, and done: chown root:root .htpasswd

Now let's move on to MYSQL

First of all, I RECOMMEND not using PHPMYADMIN. There are many vulnerabilities you will find in phpmyadmin, exploits etc.. better to do everything manually.

Let's change the root password. Enter mysql:

mysql -u root -p

then:

use mysql;
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('PAROLA-BRE');
FLUSH PRIVILEGES;

and done, the password is changed. Use a password made of characters like !%@%%@##FD, over 13 characters I recommend... To be safe, we also change the root user's name (see below).

To prevent reading of local files, add to my.cnf (found under /etc/mysql/...*):

local-infile=0

(The post used the older spelling set-variable=local-infile=0, which is the same setting; set-variable was removed in MySQL 5.5, so newer servers need the bare form.)

Remove the default users:

mysql> drop database test;
mysql> use mysql;
mysql> delete from db;
mysql> delete from user where not (host="localhost" and user="root");
mysql> flush privileges;

Rename root, or the admin account...:

mysql> update user set user="sleedSCHEMALE" where user="root";
mysql> flush privileges;

Clear the history: cat /dev/null > ~/.mysql_history

That's it for MySQL, on to PHP:

PHP

Let's make sure sqlite3 isn't installed for PHP; remove it with:

rm /etc/php5/sqlite3.ini

Or you can check with:

whereis sqlite3

Then, in php.ini:

expose_php=Off
display_errors=Off
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
file_uploads=Off

[or, if you want users to be able to upload, use this instead:

file_uploads=On
# users can upload at most 1M
upload_max_filesize=1M
]

allow_url_fopen=Off
allow_url_include=Off
sql.safe_mode=On
magic_quotes_gpc=Off
post_max_size=100K
max_execution_time = 30
max_input_time = 30
memory_limit = 60M

Note that post_max_size=100K is smaller than upload_max_filesize=1M: PHP rejects any POST body larger than post_max_size before it looks at the upload, so with these two values no 1M upload can actually get through; set post_max_size at least as large as the upload size you want to allow.

Disable some dangerous functions:

disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
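An added example, not from the post: a Python audit of a php.ini fragment against the settings above, which also catches the post_max_size/upload_max_filesize ordering problem; the ini text is constructed sample input.

```python
import re

# Constructed php.ini fragment used as sample input, with the values from the
# post (note post_max_size=100K sitting next to upload_max_filesize=1M).
SAMPLE_PHP_INI = """
expose_php=Off
display_errors=Off
log_errors=On
file_uploads=On
upload_max_filesize=1M
allow_url_fopen=Off
allow_url_include=Off
post_max_size=100K
disable_functions =exec,passthru,shell_exec,system,proc_open,popen
"""

def parse_php_ini(text):
    """Minimal php.ini reader: key = value lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def to_bytes(size):
    """PHP shorthand sizes (100K, 1M, 60M): 1024-based, suffix case-insensitive."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", size.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("unsupported size: %r" % size)
    return int(m.group(1)) * {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[m.group(2).upper()]

def is_off(value):
    return value.lower() in ("off", "0", "", "false", "no")

def audit_php_ini(settings):
    """Findings against the post's recommendations; an empty list means all checks pass."""
    findings = []
    for key in ("expose_php", "display_errors", "allow_url_fopen", "allow_url_include"):
        if not is_off(settings.get(key, "On")):
            findings.append(f"{key} is not explicitly Off")
    disabled = {fn.strip() for fn in settings.get("disable_functions", "").split(",")}
    findings += [f"{fn} is not in disable_functions" for fn in ("exec", "system", "shell_exec", "passthru") if fn not in disabled]
    # PHP drops any POST body bigger than post_max_size before looking at the upload.
    if not is_off(settings.get("file_uploads", "On")):
        if to_bytes(settings.get("upload_max_filesize", "2M")) > to_bytes(settings.get("post_max_size", "8M")):
            findings.append("upload_max_filesize exceeds post_max_size: uploads of that size can never succeed")
    return findings
```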

Anti backdooring:

in /etc/php5/security.ini add:

cgi.force_redirect=On

Restrict the files and their access:

chown -R apache:apache /var/www/site.../
chmod -R 0444 /var/www/site../

(Keep in mind that a recursive 0444 also strips the execute bit from the directories, and Apache needs that bit to enter them; apply 0444 to files only and leave directories traversable.)

PHPIDS (PHP Intrusion Detection System) can be installed to check the site for problems...

Then .htaccess can also be modified so that we don't have SQL injection vulnerabilities:

ServerSignature Off
Options -Indexes
# RewriteEngine On is required, otherwise the RewriteCond/RewriteRule lines below are ignored
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwwwperl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner[.completati cu alte scannere......]) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]

This .htaccess can also be used against SQL INJECTION and XSS :D Keep in mind that these patterns are very broad: the rule that rejects any query string containing [ ] ( ) < > also blocks legitimate requests such as PHP array parameters (ids[]=1), and the quote-plus-keyword rule fires on ordinary values like q=O'Brien&sort=order, so test the rules against your application's real URLs before enabling them.
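Added example, not from the post: a Python harness that applies a verbatim subset of the QUERY_STRING patterns above (Python's re accepts these escapes like Apache's PCRE does) to constructed sample query strings, showing which requests would get a 403 and which harmless ones are caught as false positives.

```python
import re

# Subset of the RewriteCond patterns from the .htaccess above, copied verbatim.
# Apache tests the raw, still percent-encoded query string, so we do the same;
# [NC] means case-insensitive, hence re.IGNORECASE on every pattern.
QUERY_STRING_RULES = [
    ("traversal", r"(\.\./|\.\.)"),
    ("remote-url", r"[a-zA-Z0-9_]=http://"),
    ("script-tag", r"(\<|%3C).*script.*(\>|%3E)"),
    ("globals-override", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    ("bracket-or-angle", r"^.*(\[|\]|\(|\)|<|>).*"),  # very broad, see samples below
    ("union-select", r"union([^s]*s)+elect"),
    ("quote-then-keyword", r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)"""),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in QUERY_STRING_RULES]

def matching_rules(query_string):
    """Names of every rule that fires on the given raw query string."""
    return [name for name, rx in COMPILED if rx.search(query_string)]

def is_blocked(query_string):
    """The conditions are OR-ed, so a single hit means the [F] rule answers 403."""
    return bool(matching_rules(query_string))

# Constructed sample requests: attack-shaped strings next to harmless ones that
# still trip the rules (false positives a site owner has to budget for).
SAMPLES = {
    "id=1' UNION SELECT 1,2,3--": "blocked: SQL injection attempt",
    "page=../../etc/passwd": "blocked: path traversal",
    "s=%3Cscript%3Ealert(1)%3C/script%3E": "blocked: encoded XSS probe",
    "q=hello world&page=2": "allowed",
    "ids[]=3&ids[]=7": "blocked: PHP array parameter (false positive)",
    "q=O'Brien&sort=order": "blocked: apostrophe before 'order' (false positive)",
}

def report(samples=SAMPLES):
    """Map each sample query string to the list of rules that matched it."""
    return {qs: matching_rules(qs) for qs in samples}

if __name__ == "__main__":
    for qs, hits in report().items():
        print(f"{'403' if hits else '200'}  {qs!r:45} {hits} -- {SAMPLES[qs]}")
```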

I should mention that you can use SELinux for good system security, as a master in this taught me.. I'll come back with more details. If you have additions, please don't hesitate to share them or point things out. I'm waiting for you to propose improvements, so I can make a complex tutorial from A to Z on server security. Right now I'm dedicating myself to a Linux variant, called sleenux, and I want it to be server-only; at the moment I'm testing how Debian 7 behaves on my distro, but I'm eagerly waiting for 8 so I can play with it however I want and build a very secure server. There will be a Desktop version. Anyway, I hope you liked it, have a good evening.
