diff options
author | Arthur <arthur@hoa.ro> | 2016-04-14 14:25:50 +0100 |
---|---|---|
committer | Arthur <arthur@hoa.ro> | 2016-04-14 14:25:50 +0100 |
commit | 62a5ba083d5137feaef9f4293c401521bad603b0 (patch) | |
tree | 4c8b55010ad02d91b524b0cb8cc02ddf318fcaa2 /doc/Server-security.html | |
parent | 9f400b0dad68b82d65692bd6ab6190f6a787fa89 (diff) | |
parent | 5409ade28c5f0acf99dbadd4d95e6f8efda5d395 (diff) | |
download | Shaarli-62a5ba083d5137feaef9f4293c401521bad603b0.tar.gz Shaarli-62a5ba083d5137feaef9f4293c401521bad603b0.tar.zst Shaarli-62a5ba083d5137feaef9f4293c401521bad603b0.zip |
Merge pull request #540 from ArthurHoaro/doc/update20160414
Update docs from Wiki
Diffstat (limited to 'doc/Server-security.html')
-rw-r--r-- | doc/Server-security.html | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/doc/Server-security.html b/doc/Server-security.html new file mode 100644 index 00000000..97f93780 --- /dev/null +++ b/doc/Server-security.html | |||
@@ -0,0 +1,166 @@ | |||
1 | <!DOCTYPE html> | ||
2 | <html> | ||
3 | <head> | ||
4 | <meta charset="utf-8"> | ||
5 | <meta name="generator" content="pandoc"> | ||
6 | <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes"> | ||
7 | <title>Shaarli – Server security</title> | ||
8 | <style type="text/css">code{white-space: pre;}</style> | ||
9 | <style type="text/css"> | ||
10 | div.sourceCode { overflow-x: auto; } | ||
11 | table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode { | ||
12 | margin: 0; padding: 0; vertical-align: baseline; border: none; } | ||
13 | table.sourceCode { width: 100%; line-height: 100%; } | ||
14 | td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; } | ||
15 | td.sourceCode { padding-left: 5px; } | ||
16 | code > span.kw { color: #007020; font-weight: bold; } /* Keyword */ | ||
17 | code > span.dt { color: #902000; } /* DataType */ | ||
18 | code > span.dv { color: #40a070; } /* DecVal */ | ||
19 | code > span.bn { color: #40a070; } /* BaseN */ | ||
20 | code > span.fl { color: #40a070; } /* Float */ | ||
21 | code > span.ch { color: #4070a0; } /* Char */ | ||
22 | code > span.st { color: #4070a0; } /* String */ | ||
23 | code > span.co { color: #60a0b0; font-style: italic; } /* Comment */ | ||
24 | code > span.ot { color: #007020; } /* Other */ | ||
25 | code > span.al { color: #ff0000; font-weight: bold; } /* Alert */ | ||
26 | code > span.fu { color: #06287e; } /* Function */ | ||
27 | code > span.er { color: #ff0000; font-weight: bold; } /* Error */ | ||
28 | code > span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */ | ||
29 | code > span.cn { color: #880000; } /* Constant */ | ||
30 | code > span.sc { color: #4070a0; } /* SpecialChar */ | ||
31 | code > span.vs { color: #4070a0; } /* VerbatimString */ | ||
32 | code > span.ss { color: #bb6688; } /* SpecialString */ | ||
33 | code > span.im { } /* Import */ | ||
34 | code > span.va { color: #19177c; } /* Variable */ | ||
35 | code > span.cf { color: #007020; font-weight: bold; } /* ControlFlow */ | ||
36 | code > span.op { color: #666666; } /* Operator */ | ||
37 | code > span.bu { } /* BuiltIn */ | ||
38 | code > span.ex { } /* Extension */ | ||
39 | code > span.pp { color: #bc7a00; } /* Preprocessor */ | ||
40 | code > span.at { color: #7d9029; } /* Attribute */ | ||
41 | code > span.do { color: #ba2121; font-style: italic; } /* Documentation */ | ||
42 | code > span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */ | ||
43 | code > span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */ | ||
44 | code > span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */ | ||
45 | </style> | ||
46 | <link rel="stylesheet" href="github-markdown.css"> | ||
47 | <!--[if lt IE 9]> | ||
48 | <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script> | ||
49 | <![endif]--> | ||
50 | </head> | ||
51 | <body> | ||
52 | <div id="local-sidebar"> | ||
53 | <ul> | ||
54 | <li><a href="Home.html">Home</a></li> | ||
55 | <li>Installation | ||
56 | <ul> | ||
57 | <li><a href="Download.html">Download</a></li> | ||
58 | <li><a href="Server-requirements.html">Server requirements</a></li> | ||
59 | <li><a href="Server-configuration.html">Server configuration</a></li> | ||
60 | <li><a href="Server-security.html">Server security</a></li> | ||
61 | <li><a href="Shaarli-installation.html">Shaarli installation</a></li> | ||
62 | <li><a href="Shaarli-configuration.html">Shaarli configuration</a></li> | ||
63 | <li><a href="Plugin-installation-&-configuration.html">Plugin installation & configuration</a></li> | ||
64 | </ul></li> | ||
65 | <li><a href="Docker.html">Docker</a></li> | ||
66 | <li><a href="Plugin-list.html">Plugin list</a></li> | ||
67 | <li><a href="Usage.html">Usage</a> | ||
68 | <ul> | ||
69 | <li><a href="Sharing-button.html">Sharing button</a> (bookmarklet)</li> | ||
70 | <li><a href="Browsing-and-Searching.html">Browsing and Searching</a></li> | ||
71 | <li><a href="Firefox-share.html">Firefox share</a></li> | ||
72 | <li><a href="RSS-feeds.html">RSS feeds</a></li> | ||
73 | </ul></li> | ||
74 | <li>How To | ||
75 | <ul> | ||
76 | <li><a href="Backup,-restore,-import-and-export.html">Backup, restore, import and export</a></li> | ||
77 | <li><a href="Upgrade-from-original-sebsauvage/Shaarli.html">Upgrade from original sebsauvage/Shaarli</a></li> | ||
78 | <li><a href="Copy-an-existing-installation-over-SSH-and-serve-it-locally.html">Copy an existing installation over SSH and serve it locally</a></li> | ||
79 | <li><a href="Create-and-serve-multiple-Shaarlis-(farm).html">Create and serve multiple Shaarlis (farm)</a></li> | ||
80 | <li><a href="Download-CSS-styles-from-an-OPML-list.html">Download CSS styles from an OPML list</a></li> | ||
81 | <li><a href="Datastore-hacks.html">Datastore hacks</a></li> | ||
82 | </ul></li> | ||
83 | <li><a href="Troubleshooting.html">Troubleshooting</a></li> | ||
84 | <li><a href="Development.html">Development</a> | ||
85 | <ul> | ||
86 | <li><a href="GnuPG-signature.html">GnuPG signature</a></li> | ||
87 | <li><a href="Coding-guidelines.html">Coding guidelines</a></li> | ||
88 | <li><a href="Directory-structure.html">Directory structure</a></li> | ||
89 | <li><a href="3rd-party-libraries.html">3rd party libraries</a></li> | ||
90 | <li><a href="Plugin-System.html">Plugin System</a></li> | ||
91 | <li><a href="Release-Shaarli.html">Release Shaarli</a></li> | ||
92 | <li><a href="Security.html">Security</a></li> | ||
93 | <li><a href="Static-analysis.html">Static analysis</a></li> | ||
94 | <li><a href="Theming.html">Theming</a></li> | ||
95 | <li><a href="Unit-tests.html">Unit tests</a></li> | ||
96 | </ul></li> | ||
97 | <li>About | ||
98 | <ul> | ||
99 | <li><a href="FAQ.html">FAQ</a></li> | ||
100 | <li><a href="Community-&-Related-software.html">Community & Related software</a></li> | ||
101 | <li><a href="TODO.html">TODO</a></li> | ||
102 | </ul></li> | ||
103 | </ul> | ||
104 | </div> | ||
105 | <h1 id="server-security">Server security</h1> | ||
106 | <h2 id="php.ini">php.ini</h2> | ||
107 | <p>PHP settings are defined in:</p> | ||
108 | <ul> | ||
109 | <li>a main configuration file, usually found under <code>/etc/php5/php.ini</code>; some distributions provide different configuration environments, e.g. | ||
110 | <ul> | ||
111 | <li><code>/etc/php5/php.ini</code> - used when running console scripts</li> | ||
112 | <li><code>/etc/php5/apache2/php.ini</code> - used when a client requests PHP resources from Apache</li> | ||
113 | <li><code>/etc/php5/php-fpm.conf</code> - used when PHP requests are proxied to PHP-FPM</li> | ||
114 | </ul></li> | ||
115 | <li>additional configuration files/entries, depending on the installed/enabled extensions: | ||
116 | <ul> | ||
117 | <li><code>/etc/php/conf.d/xdebug.ini</code></li> | ||
118 | </ul></li> | ||
119 | </ul> | ||
120 | <h3 id="locate-.ini-files">Locate .ini files</h3> | ||
121 | <h4 id="console-environment">Console environment</h4> | ||
122 | <div class="sourceCode"><pre class="sourceCode bash"><code class="sourceCode bash">$ <span class="kw">php</span> --ini | ||
123 | <span class="kw">Configuration</span> File (php.ini) <span class="kw">Path</span>: /etc/php | ||
124 | <span class="kw">Loaded</span> Configuration File: /etc/php/php.ini | ||
125 | <span class="kw">Scan</span> for additional .ini files in: /etc/php/conf.d | ||
126 | <span class="kw">Additional</span> .ini files parsed: /etc/php/conf.d/xdebug.ini</code></pre></div> | ||
127 | <h4 id="server-environment">Server environment</h4> | ||
128 | <ul> | ||
129 | <li>create a <code>phpinfo.php</code> script located in a path supported by the web server, e.g. | ||
130 | <ul> | ||
131 | <li>Apache (with user dirs enabled): <code>/home/myself/public_html/phpinfo.php</code></li> | ||
132 | <li><code>/var/www/test/phpinfo.php</code></li> | ||
133 | </ul></li> | ||
134 | <li>make sure the script is readable by the web server user/group (usually, <code>www</code>, <code>www-data</code> or <code>httpd</code>)</li> | ||
135 | <li>access the script from a web browser</li> | ||
136 | <li><p>look at the <em>Loaded Configuration File</em> and <em>Scan this dir for additional .ini files</em> entries</p> | ||
137 | <div class="sourceCode"><pre class="sourceCode php"><code class="sourceCode php"><span class="kw"><?php</span> <span class="fu">phpinfo</span><span class="ot">();</span> <span class="kw">?></span></code></pre></div></li> | ||
138 | </ul> | ||
139 | <h2 id="fail2ban">fail2ban</h2> | ||
140 | <p><code>fail2ban</code> is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses <code>iptables</code> profiles to block brute-force attempts:</p> | ||
141 | <ul> | ||
142 | <li><a href="http://www.fail2ban.org/wiki/index.php/Main_Page">Official website</a><a href=".html"></a></li> | ||
143 | <li><a href="https://github.com/fail2ban/fail2ban">Source code</a><a href=".html"></a></li> | ||
144 | </ul> | ||
145 | <h3 id="read-shaarli-logs-to-ban-ips">Read Shaarli logs to ban IPs</h3> | ||
146 | <p>Example configuration:</p> | ||
147 | <ul> | ||
148 | <li>allow 3 login attempts per IP address</li> | ||
149 | <li>after 3 failures, permanently ban the corresponding IP adddress</li> | ||
150 | </ul> | ||
151 | <p><code>/etc/fail2ban/jail.local</code></p> | ||
152 | <div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[shaarli-auth][]</span><span class="dt">(.html)</span> | ||
153 | <span class="dt">enabled </span><span class="ot">=</span><span class="st"> </span><span class="kw">true</span> | ||
154 | <span class="dt">port </span><span class="ot">=</span><span class="st"> https,http</span> | ||
155 | <span class="dt">filter </span><span class="ot">=</span><span class="st"> shaarli-auth</span> | ||
156 | <span class="dt">logpath </span><span class="ot">=</span><span class="st"> /var/www/path/to/shaarli/data/log.txt</span> | ||
157 | <span class="dt">maxretry </span><span class="ot">=</span><span class="st"> </span><span class="dv">3</span> | ||
158 | <span class="dt">bantime </span><span class="ot">=</span><span class="st"> -</span><span class="dv">1</span></code></pre></div> | ||
159 | <p><code>/etc/fail2ban/filter.d/shaarli-auth.conf</code></p> | ||
160 | <div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[INCLUDES][]</span><span class="dt">(.html)</span> | ||
161 | <span class="dt">before </span><span class="ot">=</span><span class="st"> common.conf</span> | ||
162 | <span class="kw">[Definition][]</span><span class="dt">(.html)</span> | ||
163 | <span class="dt">failregex </span><span class="ot">=</span><span class="st"> \s-\s<HOST>\s-\sLogin failed for user.*$</span> | ||
164 | <span class="dt">ignoreregex </span><span class="ot">=</span><span class="st"> </span></code></pre></div> | ||
165 | </body> | ||
166 | </html> | ||