Server security

Filesystem permission

There are various ways to set up file/directory level permissions on an OpenIMS server. The default setup allows OpenIMS to udate itself but in several cases tigther security is required, and in case of DMZ servers, even recommended.

In general all files and directories can be made read only for the webserver (Apache) with some exceptions. The webserver needs modification rights for the directories in the document root ending in _sites, _com and _nl and the metabase, ufc, dfc, backups, config and tmp directories in the document root. All other files and directories, including all PHP files can be made read only for the webserver process. E.g. by executing a  "find | grep [.]php$ | xargs chmod 0755" command for Linux servers where the owner of the PHP files is not Apache.

 

Apache hardening

The following options in httpd.conf can be used:

ServerSignature Off
ServerTokens Prod
TraceEnable Off

 

In ssl.conf:
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2

 

In php.ini:
expose_php = off

 

Also, the following options in httpd.conf can be commented out:

# Alias /icons
# ScriptAlias /cgi-bin

 

An OpenIMS server must be able to read its own (extended) server status at http://<<<server_ip>>>/server-status. For support, it is also desirable that developers and helpdesk can read the server status and the included phpinfo script. Access can be limited to designated IP's using the following configuration:

<Location /server-status>
  SetHandler server-status
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1 ::1 <<<IP_OF_THE_SERVER>>> <<<SUPPORT_IPS>>> 
</Location>

Support_IPS zijn op het moment van schrijven 213.125.167.242 en 145.128.195.232. (Ziggo en kpn vdsl).

<Files ~ "phpinfo\.php$">
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1 <<<IP_OF_THE_SERVER>>> <<<SUPPORT_IPS>>>
</Files>

 

Altijd als eerste op de hoogte van de laatste nieuwtjes?

Schrijf je in voor onze nieuwsbrief