Hi Centos Users
How to secure a Wiki CMS? This Wiki is based on Apache2, MySQL and PHP. I can't read the code (lack of knowledge).
Would be glad about hints and URLs
cheers Simon
Simon Jolle "sjolle" wrote:
How to secure a Wiki CMS? This Wiki is based on Apache2, MySQL and PHP. I can't read the code (lack of knowledge).
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
This is a very broad question to ask, however, I will appeal to the basics.
1) Use HTTPS whenever possible to avoid any passwords crossing the wire in clear text.
2) Ensure only the necessary modules are installed or enabled for your CMS to operate.
3) Always think least permissions necessary to perform the task
4) Ensure that MySQL is locked down with least permissions necessary. At the very least after you've installed MySQL make sure to run the secure-mysql-installation script to assign a password to the MySQL root user and lock down some of the basic tables.
Each system is different and you should follow the guidelines outlined by the CMS to properly secure it. If you are not sure of what you are deploying, that's kinda scary; you should be wary of that and tread lightly.
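Two of the basics James lists (only the modules the CMS needs, and least permissions on what the web server can write) can be checked rather than just remembered. The script below is an added example, not code from this thread, from Wikka or from CentOS: a POSIX shell audit that flags LoadModule lines outside an allowlist and world-writable paths under a web root. The allowlist, the paths and the sample httpd.conf it builds are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit two of the basics on a
# CentOS-style LAMP host -- which Apache modules are actually loaded, and
# whether anything under the web root is world-writable (a PHP app should
# not be able to rewrite its own code). Paths, the allowlist and the sample
# httpd.conf are constructed for illustration.

# Modules a small PHP wiki behind SSL typically needs. This allowlist is an
# assumption; trim or extend it to what your CMS documents as required.
ALLOWED_MODULES="authz_host_module dir_module mime_module log_config_module rewrite_module php5_module ssl_module"

# Print the name of every LoadModule in the given httpd.conf that is not in
# ALLOWED_MODULES. Commented-out LoadModule lines are ignored.
unexpected_modules() {
    grep -E '^[[:space:]]*LoadModule[[:space:]]' "$1" | awk '{ print $2 }' |
    while read -r mod; do
        case " $ALLOWED_MODULES " in
            *" $mod "*) ;;                 # allowed, say nothing
            *) printf '%s\n' "$mod" ;;     # loaded but not on the list
        esac
    done
}

# Print every file or directory under the web root that is world-writable
# (the o+w bit, i.e. -perm -002).
world_writable() {
    find "$1" -perm -002 -print
}

# Build a constructed fixture: a small httpd.conf and a web root with one
# deliberately sloppy upload directory. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/httpd.conf" <<'EOF'
# constructed sample, not a real CentOS httpd.conf
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule php5_module modules/libphp5.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule status_module modules/mod_status.so
#LoadModule cgi_module modules/mod_cgi.so
EOF
    mkdir -p "$dir/html/uploads"
    : > "$dir/html/index.php"
    : > "$dir/html/uploads/cache.txt"
    chmod 755 "$dir/html" "$dir/html/uploads"
    chmod 644 "$dir/html/index.php"
    chmod 666 "$dir/html/uploads/cache.txt"   # the sloppy one
    printf '%s\n' "$dir"
}

# Stand-alone run: report both findings for the constructed fixture.
FIXTURE=$(make_fixture)
echo "Loaded modules outside the allowlist:"
unexpected_modules "$FIXTURE/httpd.conf"
echo "World-writable paths under the web root:"
world_writable "$FIXTURE/html"
rm -rf "$FIXTURE"
```

On a real host you would point `unexpected_modules` at `/etc/httpd/conf/httpd.conf` (and the files under `conf.d/`) and `world_writable` at `/var/www`; every module reported is one to justify or comment out, and every writable path is one the application must genuinely need, such as an upload directory, which should then be the only place httpd can write.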
2008/2/11, James A. Peltier jpeltier@cs.sfu.ca:
thank you
I will deploy Wikka Wiki [0] - there are no explicit security settings or guidelines
How to harden Apache and PHP (without using SELinux)?
cheers Simon
[0] http://wikkawiki.org/HomePage
Simon Jolle wrote:
How to harden Apache and PHP (without using SELinux)?
SELinux is the "best" hardening step available for securing RH-based php/httpd/mysql stacks (IMHO) ... why are you taking it off the table ???
besides SELinux, you might want to look at php-suhosin:
http://www.hughesjr.com/content/view/21/1/
Thanks, Johnny Hughes
Johnny Hughes wrote:
SELinux is the "best" hardening step available for securing RH-based php/httpd/mysql stacks (IMHO) ... why are you taking it off the table ???
Let me try:
- because it's too much? Complexity is the enemy of security. Lack of adequate documentation is the enemy of usability. I couldn't find simple directions on how to make a service work correctly in presence of selinux (except disabling it). All docs I've seen place the discussion in a meta-world and require spending time understanding terminology and concepts that I am not sure to find useful.
- because it doesn't secure apache/php. It secures the system against apache (to some extent) but doesn't help securing apache itself.
besides SELinux, you might want to look at php-suhosin:
It would be nice if RH included this by default...
mouss wrote:
Let me try:
- because it's too much? Complexity is the enemy of security. Lack of adequate documentation is the enemy of usability. I couldn't find simple directions on how to make a service work correctly in presence of selinux (except disabling it).
---------
# Activate auditd
chkconfig auditd on && /etc/init.d/auditd start

# Start apache and do your stuff to generate messages in audit.log

restorecon -R /var/www/
audit2allow -M rule-name < /var/log/audit/audit.log
semodule -i rule-name.pp
---------
You should read (and maybe modify) the file "rule-name.te" that audit2allow creates before running the semodule command. It is not really the correct way to do it, as it is likely going to open up too much stuff. It's just to show you that you can live with selinux enabled. Keep in mind that selinux can save you time.
Regards, kfx
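kfx's recipe feeds the whole audit.log to audit2allow and warns that the resulting module probably opens too much. The script below is an added example, not kfx's code and not a CentOS tool: it summarises the AVC denials in an audit.log so you can see what each denial actually is (a mislabeled path that restorecon fixes, a network connection an httpd boolean may already cover, or a genuine gap worth a reviewed module) before generating anything. The audit.log lines it uses are constructed samples; the type names in them are standard targeted-policy names, but the hints are generic starting points, not a lookup of your release's policy.

```shell
#!/bin/sh
# Added example, not from the thread: read the AVC denials in an audit.log
# before handing the file to audit2allow, so that labeling problems and
# boolean-covered accesses are fixed the cheap way and only real gaps end up
# in a custom module. The log lines below are constructed samples.

# One line per distinct (source type, target type, class, permission) tuple,
# followed by a count, sorted. Non-AVC audit records are skipped.
summarize_avc() {
    grep 'avc: *denied' "$1" | awk '
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the denied permission set sits inside "{ ... }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, "+", perm)          # "{ read write }" -> read+write
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the third field is the type
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# A first-cut reading of a denial, keyed on the target type ($1). These are
# generic hints, not a lookup of any particular release's policy.
hint() {
    case "$1" in
        user_home_t|default_t|unlabeled_t|tmp_t|var_t)
            echo "likely a labeling problem: check with ls -Z, then restorecon -R the path" ;;
        *_port_t)
            echo "network access: look for an httpd boolean first (getsebool -a | grep httpd)" ;;
        *)
            echo "policy gap or wrong content type: review the .te audit2allow writes before semodule -i" ;;
    esac
}

# Constructed audit.log fixture (prints its path).
avc_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1202812345.123:42): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1202812345.123:42): avc:  denied  { write } for  pid=2345 comm="httpd" name="pages" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1202812346.456:43): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1202812347.789:44): avc:  denied  { read } for  pid=2345 comm="httpd" name="config.php" dev=sda1 ino=22222 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1202812348.012:45): avc:  denied  { read } for  pid=2346 comm="httpd" name="config.php" dev=sda1 ino=22222 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: summarise the fixture and print a hint for each tuple.
LOG=$(avc_fixture)
summarize_avc "$LOG" | while read -r src tgt cls perm n; do
    printf '%-8s %-22s %-11s %-13s x%s  -> %s\n' \
        "$src" "$tgt" "$cls" "$perm" "$n" "$(hint "$tgt")"
done
rm -f "$LOG"
```

On a real host, `summarize_avc /var/log/audit/audit.log` gives you the handful of tuples a noisy log boils down to; only the ones that survive a `restorecon` and a look at the httpd booleans belong in the module kfx's recipe generates, and those are exactly the lines to check for in the generated `.te` file.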
On Tue, Feb 12, 2008 at 11:11:21AM +0100, Simon Jolle alleged:
How to harden Apache and PHP (without using SELinux)?
There is no "keep this stuff secure" configuration setting. The answer to your question is a large book and a skill set that takes years to learn.
If you have a more specific question, people will answer that.