<!DOCTYPE html>
<title>Shaarli – Server security</title>
<h1 id="server-security">Server security</h1>
<h2 id="php.ini">php.ini</h2>
<p>PHP settings are defined in:</p>
<ul>
<li>a main configuration file, usually found under <code>/etc/php5/php.ini</code>; some distributions provide different configuration environments, e.g.
<ul>
<li><code>/etc/php5/php.ini</code> - used when running console scripts</li>
<li><code>/etc/php5/apache2/php.ini</code> - used when a client requests PHP resources from Apache</li>
<li><code>/etc/php5/php-fpm.conf</code> - used when PHP requests are proxied to PHP-FPM</li>
</ul></li>
<li>additional configuration files/entries, depending on the installed/enabled extensions:
<ul>
<li><code>/etc/php/conf.d/xdebug.ini</code></li>
</ul></li>
</ul>
<h3 id="locate-.ini-files">Locate .ini files</h3>
<h4 id="console-environment">Console environment</h4>
<div class="sourceCode"><pre class="sourceCode bash"><code class="sourceCode bash">$ <span class="kw">php</span> --ini
<span class="kw">Configuration</span> File (php.ini) <span class="kw">Path</span>: /etc/php
<span class="kw">Loaded</span> Configuration File: /etc/php/php.ini
<span class="kw">Scan</span> for additional .ini files in: /etc/php/conf.d
<span class="kw">Additional</span> .ini files parsed: /etc/php/conf.d/xdebug.ini</code></pre></div>
<h4 id="server-environment">Server environment</h4>
<ul>
<li>create a <code>phpinfo.php</code> script located in a path served by the web server, e.g.
<ul>
<li>Apache (with user dirs enabled): <code>/home/myself/public_html/phpinfo.php</code></li>
<li><code>/var/www/test/phpinfo.php</code></li>
</ul></li>
<li>make sure the script is readable by the web server user/group (usually <code>www</code>, <code>www-data</code> or <code>httpd</code>)</li>
<li>access the script from a web browser</li>
<li><p>look at the <em>Loaded Configuration File</em> and <em>Scan this dir for additional .ini files</em> entries</p>
<div class="sourceCode"><pre class="sourceCode php"><code class="sourceCode php"><span class="kw">&lt;?php</span> <span class="fu">phpinfo</span><span class="ot">();</span> <span class="kw">?&gt;</span></code></pre></div></li>
</ul>
<h2 id="fail2ban">fail2ban</h2>
<p><code>fail2ban</code> is an intrusion prevention framework that reads server logs (Apache, SSH, etc.) and uses <code>iptables</code> rules to block brute-force attempts:</p>
<ul>
<li><a href="http://www.fail2ban.org/wiki/index.php/Main_Page">Official website</a></li>
<li><a href="https://github.com/fail2ban/fail2ban">Source code</a></li>
</ul>
<h3 id="read-shaarli-logs-to-ban-ips">Read Shaarli logs to ban IPs</h3>
<p>Example configuration:</p>
<ul>
<li>allow 3 login attempts per IP address</li>
<li>after 3 failures, permanently ban the corresponding IP address</li>
</ul>
<p><code>/etc/fail2ban/jail.local</code></p>
<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[shaarli-auth]</span>
<span class="dt">enabled </span><span class="ot">=</span><span class="st"> </span><span class="kw">true</span>
<span class="dt">port </span><span class="ot">=</span><span class="st"> https,http</span>
<span class="dt">filter </span><span class="ot">=</span><span class="st"> shaarli-auth</span>
<span class="dt">logpath </span><span class="ot">=</span><span class="st"> /var/www/path/to/shaarli/data/log.txt</span>
<span class="dt">maxretry </span><span class="ot">=</span><span class="st"> </span><span class="dv">3</span>
<span class="dt">bantime </span><span class="ot">=</span><span class="st"> -</span><span class="dv">1</span></code></pre></div>
<p><code>/etc/fail2ban/filter.d/shaarli-auth.conf</code></p>
<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[INCLUDES]</span>
<span class="dt">before </span><span class="ot">=</span><span class="st"> common.conf</span>
<span class="kw">[Definition]</span>
<span class="dt">failregex </span><span class="ot">=</span><span class="st"> \s-\s&lt;HOST&gt;\s-\sLogin failed for user.*$</span>
<span class="dt">ignoreregex </span><span class="ot">=</span><span class="st"> </span></code></pre></div>
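<p>To check that the <code>failregex</code> above actually matches Shaarli's log lines before deploying the jail, the following added example (not part of Shaarli or fail2ban) applies it to a constructed sample of <code>data/log.txt</code> and replays the jail's <code>maxretry = 3</code> counting over fail2ban's default <code>findtime</code> of 600 seconds; the expansion of the <code>&lt;HOST&gt;</code> placeholder and the <code>Y/m/d H:i:s</code> timestamp layout of the sample are assumptions.</p>

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Shaarli's data/log.txt (not a real capture).
# Layout assumed: "<date> - <client ip> - <message>", which is what the
# page's failregex (\s-\s<HOST>\s-\sLogin failed for user.*$) expects.
SAMPLE_LOG = """\
2023/01/10 09:12:01 - 203.0.113.7 - Login failed for user admin
2023/01/10 09:12:05 - 203.0.113.7 - Login failed for user admin
2023/01/10 09:12:09 - 198.51.100.2 - Login failed for user root
2023/01/10 09:12:14 - 203.0.113.7 - Login failed for user administrator
2023/01/10 09:13:00 - 198.51.100.2 - Login successful
2023/01/10 09:13:30 - 192.0.2.44 - Login failed for user admin
"""

# failregex from filter.d/shaarli-auth.conf on the page.
FAILREGEX = r"\s-\s<HOST>\s-\sLogin failed for user.*$"
# Assumed expansion of fail2ban's <HOST> placeholder: optional IPv4-mapped
# IPv6 prefix, then a named 'host' group (classic IPv4/hostname form).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))


def failures(log_text):
    """Return (timestamp, host) for every line the failregex matches, in file order."""
    hits = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            ts = datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Hosts that reach `maxretry` matches inside a `findtime`-second window,
    i.e. the ones the jail would ban (permanently, since bantime = -1)."""
    recent, banned = {}, set()
    for ts, host in failures(log_text):
        # keep only this host's failures still inside the findtime window
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return sorted(banned)


if __name__ == "__main__":
    print([host for _, host in failures(SAMPLE_LOG)])
    print(hosts_to_ban(SAMPLE_LOG))  # only the host with 3 failures within 600 s
```

The successful login line is not counted, and a host that fails fewer than three times inside the window (here <code>198.51.100.2</code> and <code>192.0.2.44</code>) is left alone.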
