[CentOS] securing web applications (Wiki CMS installation)
mouss
mouss at netoyen.net
Tue Feb 12 16:40:08 UTC 2008
Johnny Hughes wrote:
> Simon Jolle wrote:
>> 2008/2/11, James A. Peltier <jpeltier at cs.sfu.ca>:
>>> This is a very broad question to ask, however, I will appeal to the
>>> basics.
>>>
>>> 1) Use HTTPS whenever possible to avoid any passwords crossing the wire
>>> in clear text.
>>>
>>> 2) Ensure only the necessary modules are installed or enabled for your
>>> CMS to operate.
>>>
>>> 3) Always think least permissions necessary to perform the task
>>>
>>> 4) Ensure that MySQL is locked down with least permissions necessary.
>>> At the very least after you've installed MySQL make sure to run the
>>> secure-mysql-installation script to assign a password to the MySQL root
>>> user and lock down some of the basic tables.
>>>
>>> Each system is different and you should follow the guidelines outlined
>>> by the CMS to properly secure it. If you are not sure of what you are
>>> deploying, that's kinda scary; you should be wary of that and tread
>>> lightly.
>>
>> thank you
>>
>> I will deploy Wikka Wiki [0] - there are no explicit security settings
>> or guidelines
>>
>> How to harden Apache and PHP (without using SELinux)?
>
> SELinux is the "best" hardening step available for securing RH based
> php/httpd/mysql stacks (IMHO) ... why are you taking it off the table ???
Let me try:
- because it's too much? complexity is the enemy of security. lack of
adequate documentation is the enemy of usability. I couldn't find
simple directions on how to make a service work correctly in the presence of
SELinux (except disabling it). all docs I've seen place the discussion
in a meta-world and require spending time understanding terminology and
concepts that I am not sure I will find useful.
- because it doesn't secure apache/php. it secures the system against
apache (to some extent) but doesn't help secure apache itself.
>
> besides SELinux, you might want to look at php-suhosin:
>
> http://www.hughesjr.com/content/view/21/1/
It would be nice if RH included this by default...
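As an added example for James's second point (not code from the thread), a small POSIX shell script that compares the modules httpd reports as loaded against an allowlist for a PHP wiki behind HTTPS and comments the surplus LoadModule lines out of a copy of the config; the allowlist, the sample `httpd -M` output and the config fragment are constructed assumptions, to be replaced with a real host's output.

```shell
#!/bin/sh
# Added example: audit loaded Apache modules against an allowlist.
# Input format assumed to match `httpd -M` on CentOS: a "Loaded Modules:"
# header, then one " name_module (static|shared)" line per module.

# Constructed sample of `httpd -M` output (not captured from a real host).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 log_config_module (shared)
 mime_module (shared)
 dir_module (shared)
 authz_host_module (shared)
 ssl_module (shared)
 php5_module (shared)
 rewrite_module (shared)
 cgi_module (shared)
 userdir_module (shared)
 status_module (shared)'

# Constructed httpd.conf fragment (assumption: LoadModule lines as on CentOS).
SAMPLE_CONF='LoadModule ssl_module modules/mod_ssl.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule status_module modules/mod_status.so'

# Modules a PHP wiki served over HTTPS needs (assumption; adjust per site).
ALLOWED="core_module mpm_prefork_module http_module so_module log_config_module mime_module dir_module authz_host_module ssl_module php5_module rewrite_module"

# extra_modules MODLIST: print every loaded module absent from ALLOWED.
extra_modules() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /_module \((static|shared)\)/ { if (!ok[$1]) print $1 }'
}

# comment_out_modules CONF MODULES: print CONF with the LoadModule line of
# each module named in MODULES (one per line) commented out.
comment_out_modules() {
    conf=$1
    for m in $2; do
        conf=$(printf '%s\n' "$conf" | sed "s/^LoadModule[[:space:]]\{1,\}$m[[:space:]]/#&/")
    done
    printf '%s\n' "$conf"
}

extra=$(extra_modules "$SAMPLE_MODULES")
printf 'Loaded but not in allowlist:\n%s\n\n' "$extra"
comment_out_modules "$SAMPLE_CONF" "$extra"
```

Run it with the real `httpd -M 2>&1` output and the real httpd.conf instead of the constructed samples, then restart httpd and retest the wiki.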