diff options
author | nodiscc <nodiscc@gmail.com> | 2017-07-04 21:37:30 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-07-04 21:37:30 +0200 |
commit | 5b25a9635fe808bc1c4f3eee8cdf8485115da75d (patch) | |
tree | d5c46525f3c739d9c63de860427e0b3cadd688e5 /doc/md/Server-security.md | |
parent | d5d22a6d07917865c44148ad76f43c65a929a890 (diff) | |
parent | 8bf94136e10c64496711c8f66a4f58f89c515360 (diff) | |
download | Shaarli-5b25a9635fe808bc1c4f3eee8cdf8485115da75d.tar.gz Shaarli-5b25a9635fe808bc1c4f3eee8cdf8485115da75d.tar.zst Shaarli-5b25a9635fe808bc1c4f3eee8cdf8485115da75d.zip |
Merge pull request #772 from nodiscc/rtfd
Generate HTML documentation using MkDocs
Diffstat (limited to 'doc/md/Server-security.md')
-rw-r--r-- | doc/md/Server-security.md | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/doc/md/Server-security.md b/doc/md/Server-security.md new file mode 100644 index 00000000..8df36f46 --- /dev/null +++ b/doc/md/Server-security.md | |||
@@ -0,0 +1,73 @@ | |||
1 | ## php.ini | ||
2 | PHP settings are defined in: | ||
3 | - a main configuration file, usually found under `/etc/php5/php.ini`; some distributions provide different configuration environments, e.g. | ||
4 | - `/etc/php5/php.ini` - used when running console scripts | ||
5 | - `/etc/php5/apache2/php.ini` - used when a client requests PHP resources from Apache | ||
6 | - `/etc/php5/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM | ||
7 | - additional configuration files/entries, depending on the installed/enabled extensions: | ||
8 | - `/etc/php/conf.d/xdebug.ini` | ||
9 | |||
10 | ### Locate .ini files | ||
11 | #### Console environment | ||
12 | ```bash | ||
13 | $ php --ini | ||
14 | Configuration File (php.ini) Path: /etc/php | ||
15 | Loaded Configuration File: /etc/php/php.ini | ||
16 | Scan for additional .ini files in: /etc/php/conf.d | ||
17 | Additional .ini files parsed: /etc/php/conf.d/xdebug.ini | ||
18 | ``` | ||
19 | |||
20 | #### Server environment | ||
21 | - create a `phpinfo.php` script located in a path supported by the web server, e.g. | ||
22 | - Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php` | ||
23 | - `/var/www/test/phpinfo.php` | ||
24 | - make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`) | ||
25 | - access the script from a web browser | ||
26 | - look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries | ||
27 | ```php | ||
28 | <?php phpinfo(); ?> | ||
29 | ``` | ||
30 | |||
31 | ## fail2ban | ||
32 | `fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts: | ||
33 | - [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page) | ||
34 | - [Source code](https://github.com/fail2ban/fail2ban) | ||
35 | |||
36 | ### Read Shaarli logs to ban IPs | ||
37 | Example configuration: | ||
38 | - allow 3 login attempts per IP address | ||
39 | - after 3 failures, permanently ban the corresponding IP adddress | ||
40 | |||
41 | `/etc/fail2ban/jail.local` | ||
42 | ```ini | ||
43 | [shaarli-auth] | ||
44 | enabled = true | ||
45 | port = https,http | ||
46 | filter = shaarli-auth | ||
47 | logpath = /var/www/path/to/shaarli/data/log.txt | ||
48 | maxretry = 3 | ||
49 | bantime = -1 | ||
50 | ``` | ||
51 | |||
52 | `/etc/fail2ban/filter.d/shaarli-auth.conf` | ||
53 | ```ini | ||
54 | [INCLUDES] | ||
55 | before = common.conf | ||
56 | [Definition] | ||
57 | failregex = \s-\s<HOST>\s-\sLogin failed for user.*$ | ||
58 | ignoreregex = | ||
59 | ``` | ||
60 | |||
61 | ## Robots - Restricting search engines and web crawler traffic | ||
62 | |||
63 | Creating a `robots.txt` with the following contents at the root of your Shaarli installation will prevent _honest_ web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic. | ||
64 | |||
65 | ``` | ||
66 | User-agent: * | ||
67 | Disallow: / | ||
68 | ``` | ||
69 | |||
70 | See: | ||
71 | - http://www.robotstxt.org/ | ||
72 | - http://www.robotstxt.org/robotstxt.html | ||
73 | - http://www.robotstxt.org/meta.html | ||