Server security
Filesystem permission
There are various ways to set up file/directory level permissions on an OpenIMS server. The default setup allows OpenIMS to udate itself but in several cases tigther security is required, and in case of DMZ servers, even recommended.
In general all files and directories can be made read only for the webserver (Apache) with some exceptions. The webserver needs modification rights for the directories in the document root ending in _sites, _com and _nl and the metabase, ufc, dfc, backups, config and tmp directories in the document root. All other files and directories, including all PHP files can be made read only for the webserver process. E.g. by executing a "find | grep [.]php$ | xargs chmod 0755" command for Linux servers where the owner of the PHP files is not Apache.
Apache hardening
The following options in httpd.conf can be used:
ServerSignature Off
ServerTokens Prod
TraceEnable Off
In ssl.conf:
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
In php.ini:
expose_php = off
Also, the following options in httpd.conf can be commented out:
# Alias /icons
# ScriptAlias /cgi-bin
An OpenIMS server must be able to read its own (extended) server status at http://<<<server_ip>>>/server-status. For support, it is also desirable that developers and helpdesk can read the server status and the included phpinfo script. Access can be limited to designated IP's using the following configuration:
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1 ::1 <<<IP_OF_THE_SERVER>>> <<<SUPPORT_IPS>>>
</Location>
Support_IPS zijn op het moment van schrijven 213.125.167.242 en 145.128.195.232. (Ziggo en kpn vdsl).
<Files ~ "phpinfo\.php$">
Order deny,allow
Deny from all
Allow from 127.0.0.1 <<<IP_OF_THE_SERVER>>> <<<SUPPORT_IPS>>>
</Files>