[github/shaarli/Shaarli.git] / doc / md / Server-security.md

## php.ini
PHP settings are defined in:

- a main configuration file, usually found under `/etc/php5/php.ini`; some distributions provide different configuration environments, e.g.
    - `/etc/php5/php.ini` - used when running console scripts
    - `/etc/php5/apache2/php.ini` - used when a client requests PHP resources from Apache
    - `/etc/php5/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM
- additional configuration files/entries, depending on the installed/enabled extensions:
    - `/etc/php/conf.d/xdebug.ini`

### Locate .ini files
#### Console environment
```bash
$ php --ini
Configuration File (php.ini) Path: /etc/php
Loaded Configuration File:         /etc/php/php.ini
Scan for additional .ini files in: /etc/php/conf.d
Additional .ini files parsed:      /etc/php/conf.d/xdebug.ini
```

#### Server environment
- create a `phpinfo.php` script located in a path supported by the web server, e.g.
    - Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php`
    - `/var/www/test/phpinfo.php`
- make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`)
- access the script from a web browser
- look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
```php
<?php phpinfo(); ?>
```

## fail2ban
`fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts:

- [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page)
- [Source code](https://github.com/fail2ban/fail2ban)

### Read Shaarli logs to ban IPs
Example configuration:
- allow 3 login attempts per IP address
- after 3 failures, permanently ban the corresponding IP adddress

`/etc/fail2ban/jail.local`
```ini
[shaarli-auth]
enabled  = true
port     = https,http
filter   = shaarli-auth
logpath  = /var/www/path/to/shaarli/data/log.txt
maxretry = 3
bantime = -1
```

`/etc/fail2ban/filter.d/shaarli-auth.conf`
```ini
[INCLUDES]
before = common.conf
[Definition]
failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
ignoreregex = 
```

## Robots - Restricting search engines and web crawler traffic

Creating a `robots.txt` with the following contents at the root of your Shaarli installation will prevent _honest_ web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic.

```
User-agent: *
Disallow: /
```

See:

- http://www.robotstxt.org
- http://www.robotstxt.org/robotstxt.html
- http://www.robotstxt.org/meta.html
Commit	Line	Data
5409ade2 A	1	## php.ini
5409ade2 A	2	PHP settings are defined in:
43ad7c8e	3
5409ade2 A	4	- a main configuration file, usually found under `/etc/php5/php.ini`; some distributions provide different configuration environments, e.g.
	5	- `/etc/php5/php.ini` - used when running console scripts
	6	- `/etc/php5/apache2/php.ini` - used when a client requests PHP resources from Apache
	7	- `/etc/php5/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM
	8	- additional configuration files/entries, depending on the installed/enabled extensions:
	9	- `/etc/php/conf.d/xdebug.ini`
	10
	11	### Locate .ini files
	12	#### Console environment
	13	```bash
	14	$ php --ini
	15	Configuration File (php.ini) Path: /etc/php
	16	Loaded Configuration File: /etc/php/php.ini
	17	Scan for additional .ini files in: /etc/php/conf.d
	18	Additional .ini files parsed: /etc/php/conf.d/xdebug.ini
	19	```
	20
	21	#### Server environment
	22	- create a `phpinfo.php` script located in a path supported by the web server, e.g.
	23	- Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php`
	24	- `/var/www/test/phpinfo.php`
	25	- make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`)
	26	- access the script from a web browser
	27	- look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
	28	```php
	29	<?php phpinfo(); ?>
	30	```
	31
	32	## fail2ban
	33	`fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts:
43ad7c8e	34
53ed6d7d	35	- [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page)
53ed6d7d	36	- [Source code](https://github.com/fail2ban/fail2ban)
5409ade2 A	37
	38	### Read Shaarli logs to ban IPs
	39	Example configuration:
	40	- allow 3 login attempts per IP address
	41	- after 3 failures, permanently ban the corresponding IP adddress
	42
	43	`/etc/fail2ban/jail.local`
	44	```ini
53ed6d7d	45	[shaarli-auth]
5409ade2 A	46	enabled = true
	47	port = https,http
	48	filter = shaarli-auth
	49	logpath = /var/www/path/to/shaarli/data/log.txt
	50	maxretry = 3
	51	bantime = -1
	52	```
	53
	54	`/etc/fail2ban/filter.d/shaarli-auth.conf`
	55	```ini
53ed6d7d	56	[INCLUDES]
5409ade2	57	before = common.conf
53ed6d7d	58	[Definition]
5409ade2 A	59	failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
	60	ignoreregex =
	61	```
fdf88d19 A	62
	63	## Robots - Restricting search engines and web crawler traffic
	64
	65	Creating a `robots.txt` with the following contents at the root of your Shaarli installation will prevent _honest_ web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic.
	66
	67	```
	68	User-agent: *
	69	Disallow: /
	70	```
	71
	72	See:
43ad7c8e V	73
43ad7c8e V	74	- http://www.robotstxt.org
fdf88d19 A	75	- http://www.robotstxt.org/robotstxt.html
fdf88d19 A	76	- http://www.robotstxt.org/meta.html