<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="generator" content="pandoc">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
<title>Shaarli – Server security</title>
<style type="text/css">code { white-space: pre; }</style>
<style type="text/css">
div.sourceCode { overflow-x: auto; }
table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
margin: 0; padding: 0; vertical-align: baseline; border: none; }
table.sourceCode { width: 100%; line-height: 100%; }
td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; }
td.sourceCode { padding-left: 5px; }
code > span.kw { color: #007020; font-weight: bold; } /* Keyword */
code > span.dt { color: #902000; } /* DataType */
code > span.dv { color: #40a070; } /* DecVal */
code > span.bn { color: #40a070; } /* BaseN */
code > span.fl { color: #40a070; } /* Float */
code > span.ch { color: #4070a0; } /* Char */
code > span.st { color: #4070a0; } /* String */
code > span.co { color: #60a0b0; font-style: italic; } /* Comment */
code > span.ot { color: #007020; } /* Other */
code > span.al { color: #ff0000; font-weight: bold; } /* Alert */
code > span.fu { color: #06287e; } /* Function */
code > span.er { color: #ff0000; font-weight: bold; } /* Error */
code > span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
code > span.cn { color: #880000; } /* Constant */
code > span.sc { color: #4070a0; } /* SpecialChar */
code > span.vs { color: #4070a0; } /* VerbatimString */
code > span.ss { color: #bb6688; } /* SpecialString */
code > span.im { } /* Import */
code > span.va { color: #19177c; } /* Variable */
code > span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
code > span.op { color: #666666; } /* Operator */
code > span.bu { } /* BuiltIn */
code > span.ex { } /* Extension */
code > span.pp { color: #bc7a00; } /* Preprocessor */
code > span.at { color: #7d9029; } /* Attribute */
code > span.do { color: #ba2121; font-style: italic; } /* Documentation */
code > span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
code > span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
code > span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
</style>
<link rel="stylesheet" href="github-markdown.css">
<!--[if lt IE 9]>
<script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
<![endif]-->
</head>
<body>
<h1 id="server-security">Server security</h1>
<h2 id="php.ini">php.ini</h2>
<p>PHP settings are defined in:</p>
<ul>
<li>a main configuration file, usually found under <code>/etc/php5/php.ini</code>; some distributions provide different configuration environments, e.g.
<ul>
<li><code>/etc/php5/php.ini</code> - used when running console scripts</li>
<li><code>/etc/php5/apache2/php.ini</code> - used when a client requests PHP resources from Apache</li>
<li><code>/etc/php5/php-fpm.conf</code> - used when PHP requests are proxied to PHP-FPM</li>
</ul></li>
<li>additional configuration files/entries, depending on the installed/enabled extensions:
<ul>
<li><code>/etc/php/conf.d/xdebug.ini</code></li>
</ul></li>
</ul>
<h3 id="locate-.ini-files">Locate .ini files</h3>
<h4 id="console-environment">Console environment</h4>
<div class="sourceCode"><pre class="sourceCode bash"><code class="sourceCode bash">$ php --ini
Configuration File (php.ini) Path: /etc/php
Loaded Configuration File: /etc/php/php.ini
Scan for additional .ini files in: /etc/php/conf.d
Additional .ini files parsed: /etc/php/conf.d/xdebug.ini</code></pre></div>
<h4 id="server-environment">Server environment</h4>
<ul>
<li>create a <code>phpinfo.php</code> script located in a path supported by the web server, e.g.
<ul>
<li>Apache (with user dirs enabled): <code>/home/myself/public_html/phpinfo.php</code></li>
<li><code>/var/www/test/phpinfo.php</code></li>
</ul></li>
<li>make sure the script is readable by the web server user/group (usually, <code>www</code>, <code>www-data</code> or <code>httpd</code>)</li>
<li>access the script from a web browser</li>
<li><p>look at the <em>Loaded Configuration File</em> and <em>Scan this dir for additional .ini files</em> entries</p>
<div class="sourceCode"><pre class="sourceCode php"><code class="sourceCode php">&lt;?php phpinfo(); ?&gt;</code></pre></div></li>
</ul>
<h2 id="fail2ban">fail2ban</h2>
<p><code>fail2ban</code> is an intrusion prevention framework that reads server logs (Apache, SSH, etc.) and uses <code>iptables</code> profiles to block brute-force attempts:</p>
<ul>
<li><a href="http://www.fail2ban.org/wiki/index.php/Main_Page">Official website</a></li>
<li><a href="https://github.com/fail2ban/fail2ban">Source code</a></li>
</ul>
<h3 id="read-shaarli-logs-to-ban-ips">Read Shaarli logs to ban IPs</h3>
<p>Example configuration:</p>
<ul>
<li>allow 3 login attempts per IP address</li>
<li>after 3 failures, permanently ban the corresponding IP address</li>
</ul>
<p><code>/etc/fail2ban/jail.local</code></p>
<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini">[shaarli-auth]
enabled  = true
port     = https,http
filter   = shaarli-auth
logpath  = /var/www/path/to/shaarli/data/log.txt
maxretry = 3
bantime  = -1</code></pre></div>
<p><code>/etc/fail2ban/filter.d/shaarli-auth.conf</code></p>
<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini">[INCLUDES]
before = common.conf

[Definition]
failregex = \s-\s&lt;HOST&gt;\s-\sLogin failed for user.*$
ignoreregex =</code></pre></div>
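<p>Before enabling the jail it is worth checking that the <code>failregex</code> above actually matches what Shaarli writes to <code>data/log.txt</code>, and that the ban threshold behaves as intended. The following Python script is an added example, not part of the Shaarli project or of fail2ban: it substitutes a simplified host pattern for fail2ban's <code>&lt;HOST&gt;</code> token (an assumption; fail2ban's own expansion is more elaborate), runs the filter's regex over a constructed sample of log lines in Shaarli's <code>date - ip - message</code> format, and lists the addresses that would reach <code>maxretry = 3</code>. It ignores fail2ban's <code>findtime</code> window, so it counts failures over the whole sample rather than within a time window.</p>

```python
import re
from collections import Counter

# Constructed sample of Shaarli's data/log.txt (not a real log).
# Shaarli writes one "<date> - <ip> - <message>" line per event.
SAMPLE_LOG = """\
2016/04/14_14:20:23 - 192.0.2.10 - Login failed for user.
2016/04/14_14:20:31 - 192.0.2.10 - Login failed for user.
2016/04/14_14:20:44 - 192.0.2.10 - Login failed for user.
2016/04/14_14:21:02 - 198.51.100.7 - Login failed for user.
2016/04/14_14:21:40 - 198.51.100.7 - Login successful.
2016/04/14_14:22:15 - 203.0.113.5 - Login failed for user.
2016/04/14_14:22:20 - 203.0.113.5 - Login failed for user.
2016/04/14_14:22:25 - 203.0.113.5 - Login failed for user.
2016/04/14_14:22:30 - 203.0.113.5 - Login failed for user.
"""

# The failregex exactly as written in filter.d/shaarli-auth.conf above.
FAILREGEX = r"\s-\s<HOST>\s-\sLogin failed for user.*$"

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: fail2ban's
# real pattern also handles IPv6 and IPv4-mapped forms; this one only needs
# to capture the dotted address Shaarli logs).
HOST_PATTERN = r"(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def failed_logins(log_text, failregex=FAILREGEX):
    """Count lines matching the failregex, keyed by the captured host."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=3, failregex=FAILREGEX):
    """Hosts whose failure count reached maxretry (findtime is ignored here)."""
    counts = failed_logins(log_text, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in sorted(failed_logins(SAMPLE_LOG).items()):
        print(f"{host}: {n} failed login(s)")
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

<p>With the sample above, the two addresses that failed three or more times are reported and the one that failed once and then logged in is not. On a live host the equivalent check is <code>fail2ban-regex /var/www/path/to/shaarli/data/log.txt /etc/fail2ban/filter.d/shaarli-auth.conf</code>, which uses fail2ban's own <code>&lt;HOST&gt;</code> expansion.</p>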
</body>
</html>