diff options
author | ArthurHoaro <arthur@hoa.ro> | 2016-04-14 14:20:23 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2016-04-14 15:18:25 +0200 |
commit | 5409ade28c5f0acf99dbadd4d95e6f8efda5d395 (patch) | |
tree | 4c8b55010ad02d91b524b0cb8cc02ddf318fcaa2 /doc/Server-security.md | |
parent | 9f400b0dad68b82d65692bd6ab6190f6a787fa89 (diff) | |
download | Shaarli-5409ade28c5f0acf99dbadd4d95e6f8efda5d395.tar.gz Shaarli-5409ade28c5f0acf99dbadd4d95e6f8efda5d395.tar.zst Shaarli-5409ade28c5f0acf99dbadd4d95e6f8efda5d395.zip |
Update docs from Wiki
Diffstat (limited to 'doc/Server-security.md')
-rw-r--r-- | doc/Server-security.md | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/doc/Server-security.md b/doc/Server-security.md new file mode 100644 index 00000000..0d16e284 --- /dev/null +++ b/doc/Server-security.md | |||
@@ -0,0 +1,60 @@ | |||
1 | #Server security | ||
2 | ## php.ini | ||
3 | PHP settings are defined in: | ||
4 | - a main configuration file, usually found under `/etc/php5/php.ini`; some distributions provide different configuration environments, e.g. | ||
5 | - `/etc/php5/php.ini` - used when running console scripts | ||
6 | - `/etc/php5/apache2/php.ini` - used when a client requests PHP resources from Apache | ||
7 | - `/etc/php5/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM | ||
8 | - additional configuration files/entries, depending on the installed/enabled extensions: | ||
9 | - `/etc/php/conf.d/xdebug.ini` | ||
10 | |||
11 | ### Locate .ini files | ||
12 | #### Console environment | ||
13 | ```bash | ||
14 | $ php --ini | ||
15 | Configuration File (php.ini) Path: /etc/php | ||
16 | Loaded Configuration File: /etc/php/php.ini | ||
17 | Scan for additional .ini files in: /etc/php/conf.d | ||
18 | Additional .ini files parsed: /etc/php/conf.d/xdebug.ini | ||
19 | ``` | ||
20 | |||
21 | #### Server environment | ||
22 | - create a `phpinfo.php` script located in a path supported by the web server, e.g. | ||
23 | - Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php` | ||
24 | - `/var/www/test/phpinfo.php` | ||
25 | - make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`) | ||
26 | - access the script from a web browser | ||
27 | - look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries | ||
28 | ```php | ||
29 | <?php phpinfo(); ?> | ||
30 | ``` | ||
31 | |||
32 | ## fail2ban | ||
33 | `fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts: | ||
34 | - [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page)[](.html) | ||
35 | - [Source code](https://github.com/fail2ban/fail2ban)[](.html) | ||
36 | |||
37 | ### Read Shaarli logs to ban IPs | ||
38 | Example configuration: | ||
39 | - allow 3 login attempts per IP address | ||
40 | - after 3 failures, permanently ban the corresponding IP adddress | ||
41 | |||
42 | `/etc/fail2ban/jail.local` | ||
43 | ```ini | ||
44 | [shaarli-auth][](.html) | ||
45 | enabled = true | ||
46 | port = https,http | ||
47 | filter = shaarli-auth | ||
48 | logpath = /var/www/path/to/shaarli/data/log.txt | ||
49 | maxretry = 3 | ||
50 | bantime = -1 | ||
51 | ``` | ||
52 | |||
53 | `/etc/fail2ban/filter.d/shaarli-auth.conf` | ||
54 | ```ini | ||
55 | [INCLUDES][](.html) | ||
56 | before = common.conf | ||
57 | [Definition][](.html) | ||
58 | failregex = \s-\s<HOST>\s-\sLogin failed for user.*$ | ||
59 | ignoreregex = | ||
60 | ``` | ||