Thursday 18 November 2010

Install Suhosin on Debian Lenny

I am quite surprised by it, but not many people know the Suhosin extension, particularly shared web hosts and even administrators of dedicated web servers. Suhosin is a well-known PHP extension made by Stefan Esser, a PHP security researcher.

With any PHP software, you cannot protect yourself from inexperienced programmers creating errors in applications that lead to the most obvious security issues (an insecure include() on user input, unprotected mail forms, etc.).

We have been running Suhosin on all our servers with great success, and so far we haven't found any problems with Drupal or any other PHP software.

How does Suhosin work and what does it protect against? You can either install it as a PHP module or as a PHP patch and recompile PHP yourself. The huge advantage of the standard module is that you don't have to recompile PHP itself and you don't lose any possible vendor support. With the patch you get a bit more protection, but you need to recompile PHP every time there is a new PHP version (and without proper server administration, I bet you will forget and make things even worse).

Therefore I usually recommend installing the Suhosin module, as it's also in standard Debian/Ubuntu:

sudo apt-get install php5-suhosin

For Red Hat/CentOS, there are quite a few howtos on installing Suhosin (second option).

What does Suhosin protect against?

■The only stable and real PHP remote file include protection available - including php://input, etc. (very important)
■Protects against HTTP Response Splitting Vulnerabilities
■Protects against scripts manipulating the memory_limit
■Adds protection against newline attacks to mail() (very important)
■Filters ASCIIZ characters from user input
■Ignores GET, POST, COOKIE variables with the following names: GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST, _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS, HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES, HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
■Supports verification of uploaded files through an external script (want automatic antivirus checking of EVERY uploaded file? Done!)
■Allows disabling the preg_replace() /e modifier
■Allows disabling eval() and blacklist/whitelist of eval functions!
■And more, and a lot more, and much more.

Did I tell you that I consider shared web hosts running PHP without Suhosin irresponsible?

Configuration
What about configuring Suhosin? The configuration file is either /etc/php5/conf.d/suhosin.ini or integrated in php.ini, depending on your Linux distribution. This is the config we use, with explanations:

# Enable Suhosin.
extension=suhosin.so

# How many directory traversals are permitted? "../dir" is OK,
# "../../../../../dir" is not (5 times > 4).
suhosin.executor.include.max_traversal=4

# Disable /e in preg_replace(), which is usually used insecurely. Feel free to
# turn it on at dedicated servers and slap everybody who uses /e.
suhosin.executor.disable_emodifier=Off

# Protect mail forms against spammer attacks (effectively disables any headers
# injected from user input). Very important.
suhosin.mail.protect=2

# Upper limit for memory. When safe_mode is disabled, users can use ini_set to
# change their memory limit, with Suhosin up to this amount.
suhosin.memory_limit=256M

# What to do when Suhosin filters out something. 402 = 402 HTTP response.
# See Suhosin conf.
suhosin.filter.action=402

# Maximum limits for variables coming from COOKIE, POST and GET.
# These are reasonable values (based on experience).
suhosin.request.max_array_depth=4096
suhosin.request.max_array_index_length=2048
suhosin.request.max_name_length=2048
suhosin.request.max_value_length=650000
suhosin.request.max_vars=4096
suhosin.post.max_array_depth=8048
suhosin.post.max_array_index_length=1024
suhosin.post.max_name_length=2048
suhosin.post.max_totalname_length=8048
suhosin.post.max_vars=4096

# Maximum file uploads in a script.
suhosin.upload.max_uploads=100

# Newest thing we learned. Disable any include,curl,fpassthru,base64_encode,mail
# and others in eval(). This is Security by obscurity, however it works
# very well for shared hosts when an attacker is able to upload a bad
# script. Most of the current scripts use obfuscated code decoded from
# base64 and then eval()'ed. This stops them, until they learn something new.
suhosin.executor.eval.blacklist=include,include_once,require,require_once,curl_init,fpassthru,file,base64_encode,base64_decode,mail,exec,system,proc_open,leak,syslog,pfsockopen,shell_exec,ini_restore,symlink,stream_socket_server,proc_nice,popen,proc_get_status,dl,pcntl_exec,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,socket_accept,socket_bind,socket_connect,socket_create,socket_create_listen,socket_create_pair,link,register_shutdown_function,register_tick_function

# Feel free to turn this on; it disables eval() entirely.
suhosin.executor.disable_eval=Off

# We don't use it, but feel free. Function whitelist!
# Anything that's not in this list will not be permitted!
suhosin.executor.func.whitelist=

# This is equivalent to disable_functions in php.ini.
suhosin.executor.func.blacklist=

# Log all actions into Syslog.
suhosin.log.syslog = S_ALL & ~S_SQL

# Check all file uploads using some script.
# The script must write "1" as a first line of standard output
# to allow the upload, anything else to disallow.
suhosin.upload.verification_script=/opt/check.sh

Based on my experience, Suhosin works very well, even together with PHP XCache and Memcache.

See Hardened PHP for more configuration directives.
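As an added example (not from the post), here is a minimal script of the kind suhosin.upload.verification_script points at. It assumes Suhosin runs the script with the temporary upload path as its first argument and reads the first line of stdout; the grep patterns and the optional clamscan call are my own choices, not part of the post.

```shell
#!/bin/sh
# Added example (not from the post): a minimal /opt/check.sh for
# suhosin.upload.verification_script. Assumption: Suhosin runs the script with
# the path of the temporary uploaded file as its first argument and reads the
# first line of stdout; "1" allows the upload and anything else rejects it.

# verify_upload FILE: print "1" and return 0 to accept, otherwise print a
# reason (never "1") and return 1. The checks are heuristics; a real
# deployment would add a size limit and MIME sniffing as well.
verify_upload() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "0 missing file"
        return 1
    fi
    # Reject anything carrying a PHP open tag, a <script> tag (stored XSS via
    # SVG/HTML uploads) or a shebang line, whatever extension the client chose.
    if grep -q -i -E '<\?(php|=)|<script|^#!' "$f"; then
        echo "0 script content"
        return 1
    fi
    # Hand the file to ClamAV when it is installed. Exit 1 means infected;
    # any other non-zero exit is an error and we fail closed.
    if command -v clamscan >/dev/null 2>&1; then
        if ! clamscan --quiet --no-summary "$f" >/dev/null 2>&1; then
            echo "0 rejected by clamscan"
            return 1
        fi
    fi
    echo 1
    return 0
}

# When run by Suhosin, the uploaded file path is $1.
if [ "$#" -gt 0 ]; then
    verify_upload "$1"
fi
```

Install it as /opt/check.sh, make it executable, and keep it readable but not writable by the web server user.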

Tuesday 16 November 2010

Configuring VSFTP

Configuring vsftpd


nano /etc/vsftpd.conf

Basic vsftpd.conf configuration:

----------------------------
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ascii_upload_enable=YES
ascii_download_enable=YES
ls_recurse_enable=NO
listen_port=21
connect_from_port_20=NO
listen=YES
background=YES
# define a chroot() jail
chroot_local_user=YES
check_shell=NO
userlist_deny=NO
# define a list of authorised users
# in the file /etc/vsftpd.user_list
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
------------------------------------
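An added example, not part of the original post: a small audit script that checks a vsftpd.conf against the hardening settings above and lists user_list entries that have no system account (every FTP user must also be a Linux user). The function names and the expected-value table are my own.

```shell
#!/bin/sh
# Added example (not from the post): audit a vsftpd.conf and a user list
# against the hardening choices made above. Expected values mirror the
# post's configuration; adjust VSFTPD_EXPECTED for your own baseline.
VSFTPD_EXPECTED='anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO'

# conf_value FILE KEY: print the effective value of KEY (the last
# uncommented assignment wins, as vsftpd applies directives in order).
conf_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# vsftpd_audit FILE: print every missing or wrong setting and return the
# number found, so 0 means the file matches the baseline.
vsftpd_audit() {
    conf="$1"
    bad=0
    for line in $VSFTPD_EXPECTED; do
        key=${line%%=*}
        want=${line#*=}
        have=$(conf_value "$conf" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (expected $want)"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key=$have (expected $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# userlist_missing LISTFILE: print the names in the vsftpd user list that
# have no system account. With userlist_deny=NO only listed users may log
# in, so a listed name without an account is a configuration mistake.
userlist_missing() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while read -r u; do
        getent passwd "$u" >/dev/null 2>&1 || echo "$u"
    done
}
```

Run `vsftpd_audit /etc/vsftpd.conf; userlist_missing /etc/vsftpd.user_list` after every change; a non-zero exit from the audit is the signal to look at the printed lines.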


CREATING THE USERS

I repeat, since it is fundamental: every user of the FTP server is also a user of the Linux system!

Now let's add the first Linux user (pippo) and create its directory under the ftp directory.

mkdir /var/ftp/pippo
useradd -d /var/ftp/pippo pippo
chown pippo /var/ftp/pippo


nano /etc/vsftpd.user_list

# file /etc/vsftpd.user_list
# List of authorised users
pippo
pluto
topolino



Once the FTP server is configured and all its functionality has been tested, it would be nice and professional to add an initial welcome message.


This message will be contained in a simple text file (/etc/welcome.banner).

Add the following lines to the file /etc/vsftpd.conf:

# Add an initial message
banner_file=/etc/welcome.banner

Then create the plain-text file (/etc/welcome.banner)

Welcome to Mario Rossi's FTP server.
Enter your credentials to authenticate.
All activity is monitored.
We wish you a good working session...

(or anything else that comes to mind!)

and restart the server:
/etc/init.d/vsftpd restart

Monday 15 November 2010

Installing a BIN file in Fedora

1. Open a Terminal by clicking "Applications," "System Tools" and "Terminal."
2. Navigate to the directory containing the .bin file in the Terminal with the "cd" command. For example, open the Downloads folder by typing "cd Downloads" into the Terminal and pressing "Enter."
3. Make the .bin file executable by typing "chmod +x" into the Terminal, pressing "Space," typing the name of the file and pressing "Enter." For example, make "File.bin" executable by typing "chmod +x File.bin" into the Terminal and pressing "Enter."
4. Become root by typing "su" into the Terminal, pressing "Enter," typing your root password when prompted and pressing "Enter." Installing a .bin file system-wide requires root access; some .bin files may install for a single user if you are not root.
5. Run the .bin file by typing "./" followed by the .bin file's name into the Terminal window and pressing "Enter." For example, run "File.bin" by typing "./File.bin" and pressing "Enter." The "./" at the start of the command tells the Terminal to look for the specified file in the current directory, and not in the system directories containing Linux commands.
6. Complete the .bin file's installer by following the instructions on your screen. As with Windows software installers, each .bin file has its own interface.


Read more: How to Install a Bin File in Fedora | eHow.com http://www.ehow.com/how_6860652_install-bin-file-fedora.html#ixzz15NAiCojI

Friday 5 November 2010

Installing Apache2, PHP5 and ProFTPD on Debian Lenny

In this article we will carry out a step-by-step installation of the apache2 web server, integrate PHP as a module and finally install proftpd so that we can update our site via FTP.

- Installing apache2 and php

Here are the first commands to run

apt-get update

apt-get install apache2-mpm-prefork libapache2-mod-php5 php-pear php5-imagick php5-curl php5-gd php5-imap php5-mcrypt php5-mysql php5-xmlrpc php5-xsl

Running "ps ax" you will already see apache running:

6163 ? Ss 0:00 /usr/sbin/apache2 -k start
9227 ? S 0:00 /usr/sbin/apache2 -k start
9228 ? S 0:00 /usr/sbin/apache2 -k start
9229 ? S 0:00 /usr/sbin/apache2 -k start
9230 ? S 0:00 /usr/sbin/apache2 -k start
9231 ? S 0:00 /usr/sbin/apache2 -k start

The default configuration creates a site with its document root in

/var/www/

insert this into /etc/apache2/apache2.conf before the line "# Include the virtual host configurations:" (towards the end of the file)

AddType application/x-httpd-php .php

and restart the service

/etc/init.d/apache2 restart


------------------------------------------------------


aslam@aslam:~$ sudo /etc/init.d/apache2 restart
* Restarting web server apache2 apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName

To fix that problem, you need to edit the httpd.conf file. Open the terminal and type:

sudo gedit /etc/apache2/httpd.conf

By default the httpd.conf file is blank. Now simply add the following line to the file.

ServerName localhost

Save the file and exit gEdit.

Finally restart the server.

sudo /etc/init.d/apache2 restart


------------------------------------

If we need to host a single domain, the work is almost finished.

By publishing this file

/var/www/info.php

with this content

<?php phpinfo(); ?>

we will be able to view the configuration of the installed PHP by accessing www.tuosito.it/info.php with a web browser.

All PHP changes must be made in the file /etc/php5/apache2/php.ini, and you will have to restart the web server (/etc/init.d/apache2 restart).

You can safely move on to the section on installing proftpd if this configuration suits the use you intend to make of the web server. If instead you want to host more than one site, you will have to create virtual hosts. They come in two kinds: IP based (when each site has its own IP address reserved) or name based (when several sites are hosted on the same IP address). In this article we will see how to host more than one site on the same IP address. Let's delete the default site configuration

rm -f /etc/apache2/sites-available/*
rm -f /etc/apache2/sites-enabled/*

let's create the directories that will hold the site's data (web content and log files)

mkdir -p /var/www/virtual_hosts/www.tuosito.it/htdocs
mkdir -p /var/www/virtual_hosts/www.tuosito.it/logs

Let's generate an index file with a welcome message

echo "Il mio primo sito" > /var/www/virtual_hosts/www.tuosito.it/htdocs/index.html

go into the directory /etc/apache2/sites-available/ (it holds the hosted sites, including those not enabled)

cd /etc/apache2/sites-available/

create the file associated with the site; let's call it www.tuosito.it, for example, and write this inside it


<VirtualHost *:80>
ServerName www.tuosito.it
ServerAdmin luca@tuosito.it

DocumentRoot /var/www/virtual_hosts/www.tuosito.it/htdocs

ErrorLog /var/www/virtual_hosts/www.tuosito.it/logs/error.log

LogLevel crit

CustomLog /var/www/virtual_hosts/www.tuosito.it/logs/access.log combined
ServerSignature On
</VirtualHost>


N.B. change the virtual host name and correct the reference paths of the logs and the document root, adapting them to your site.

Now let's enable it. The enabled sites are those present in the directory /etc/apache2/sites-enabled/. Since we have already created our configuration, to enable the site it is enough to create a symbolic link from sites-enabled to sites-available. It is done like this:

cd /etc/apache2/sites-enabled/
ln -s ../sites-available/www.tuosito.it

Restart apache

/etc/init.d/apache2 restart
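As an added example (not from the post), a helper that creates the directory layout and the sites-available file for one name-based virtual host, following the layout above. The function names are my own, the BASE and SITES arguments exist only so it can be run outside /etc and /var/www, and it writes ServerSignature Off where the post uses On.

```shell
#!/bin/sh
# Added example (not from the post): create the directory layout and the
# sites-available file for one name-based virtual host, following the layout
# used above (/var/www/virtual_hosts/<name>/htdocs and .../logs). The
# optional BASE and SITES arguments only exist so the helper can be run
# outside /etc and /var/www; the defaults are the post's paths.

# valid_vhost_name NAME: accept only hostnames made of letters, digits, '-'
# and '.', with no leading '.' or '-' and no '..', so that NAME can neither
# escape the base directory nor inject extra Apache directives.
valid_vhost_name() {
    case "$1" in
        ''|.*|-*|*..*) return 1 ;;
    esac
    printf '%s' "$1" | grep -q -E '^[A-Za-z0-9.-]+$'
}

# make_vhost NAME ADMIN [BASE] [SITES]: create htdocs/logs, an index page and
# the virtual host file; returns 1 on an invalid NAME, 0 on success.
make_vhost() {
    name="$1"; admin="$2"
    base="${3:-/var/www/virtual_hosts}"
    sites="${4:-/etc/apache2/sites-available}"
    valid_vhost_name "$name" || { echo "invalid vhost name: $name" >&2; return 1; }
    root="$base/$name"
    mkdir -p "$root/htdocs" "$root/logs"
    [ -e "$root/htdocs/index.html" ] || echo "Il mio primo sito" > "$root/htdocs/index.html"
    # ServerSignature is Off here (the post uses On) so error pages do not
    # advertise the Apache version.
    cat > "$sites/$name" <<EOF
<VirtualHost *:80>
    ServerName $name
    ServerAdmin $admin
    DocumentRoot $root/htdocs
    ErrorLog $root/logs/error.log
    LogLevel crit
    CustomLog $root/logs/access.log combined
    ServerSignature Off
</VirtualHost>
EOF
}
```

Enabling the site is still the symlink step from the post, followed by an Apache restart.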

- Let's proceed with the installation of proftpd

Here too we will use apt to install the daemon

apt-get install proftpd

In the "ProFTPD configuration" menu choose the "standalone" option


Let's create the site's user

adduser sito1

Run the application

vipw

Change the user's home directory so that it points to the site's htdocs directory (that is, from /home/sito1 to /var/www/virtual_hosts/www.tuosito.it/htdocs/) and disable SSH access by changing the shell from /bin/bash to /bin/false

Exit vipw (typing :wq) and set /bin/false as a valid shell for FTP access.
This is done by adding the line /bin/false to /etc/shells

echo "/bin/false" >> /etc/shells

Set the correct owner on the data

cd /var/www/virtual_hosts/www.tuosito.it/
chown sito1:sito1 htdocs -R

Done! Now our site can be updated via ftp.
Here is the recording of a test session:

ftp www.tuosito.it
Connected to www.tuosito.it

220 ProFTPD 1.3.1 Server (Debian) [::ffff:XXX.251.36.131]
Name (www.tuosito.it): sito1
331 Password required for sito1
Password:
230 User sito1 logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (XXX,251,36,131,10,87).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 sito1 sito1 18 Sep 25 10:27 index.html
-rw-r--r-- 1 sito1 sito1 20 Sep 25 12:46 info.php
226 Transfer complete
ftp> put dummy.file.gz
local: dummy.file.gz remote: dummy.file.gz
227 Entering Passive Mode (XXX,251,36,131,18,30).
150 Opening BINARY mode data connection for dummy.file.gz
226 Transfer complete
1038 bytes sent in 0.00 secs (3607.4 kB/s)
ftp> ls
227 Entering Passive Mode (XXX,251,36,131,13,95).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 sito1 sito1 1038 Sep 25 17:50 dummy.file.gz
-rw-r--r-- 1 sito1 sito1 18 Sep 25 10:27 index.html
-rw-r--r-- 1 sito1 sito1 20 Sep 25 12:46 info.php
226 Transfer complete
ftp> dele dummy.file.gz
250 DELE command successful
ftp> ls
227 Entering Passive Mode (XXX,251,36,131,16,89).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 sito1 sito1 18 Sep 25 10:27 index.html
-rw-r--r-- 1 sito1 sito1 20 Sep 25 12:46 info.php
226 Transfer complete
ftp> quit
221 Goodbye.