aboutsummaryrefslogtreecommitdiffhomepage
path: root/doc/Server-security.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/Server-security.md')
-rw-r--r--doc/Server-security.md60
1 files changed, 60 insertions, 0 deletions
diff --git a/doc/Server-security.md b/doc/Server-security.md
new file mode 100644
index 00000000..0d16e284
--- /dev/null
+++ b/doc/Server-security.md
@@ -0,0 +1,60 @@
1#Server security
2## php.ini
3PHP settings are defined in:
4- a main configuration file, usually found under `/etc/php5/php.ini`; some distributions provide different configuration environments, e.g.
5 - `/etc/php5/php.ini` - used when running console scripts
6 - `/etc/php5/apache2/php.ini` - used when a client requests PHP resources from Apache
7 - `/etc/php5/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM
8- additional configuration files/entries, depending on the installed/enabled extensions:
9 - `/etc/php/conf.d/xdebug.ini`
10
11### Locate .ini files
12#### Console environment
13```bash
14$ php --ini
15Configuration File (php.ini) Path: /etc/php
16Loaded Configuration File: /etc/php/php.ini
17Scan for additional .ini files in: /etc/php/conf.d
18Additional .ini files parsed: /etc/php/conf.d/xdebug.ini
19```
20
21#### Server environment
22- create a `phpinfo.php` script located in a path supported by the web server, e.g.
23 - Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php`
24 - `/var/www/test/phpinfo.php`
25- make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`)
26- access the script from a web browser
27- look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
28```php
29<?php phpinfo(); ?>
30```
31
32## fail2ban
33`fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts:
34- [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page)[](.html)
35- [Source code](https://github.com/fail2ban/fail2ban)[](.html)
36
37### Read Shaarli logs to ban IPs
38Example configuration:
39- allow 3 login attempts per IP address
40- after 3 failures, permanently ban the corresponding IP adddress
41
42`/etc/fail2ban/jail.local`
43```ini
44[shaarli-auth][](.html)
45enabled = true
46port = https,http
47filter = shaarli-auth
48logpath = /var/www/path/to/shaarli/data/log.txt
49maxretry = 3
50bantime = -1
51```
52
53`/etc/fail2ban/filter.d/shaarli-auth.conf`
54```ini
55[INCLUDES][](.html)
56before = common.conf
57[Definition][](.html)
58failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
59ignoreregex =
60```