1 files changed, 73 insertions, 0 deletions
diff --git a/doc/md/Server-security.md b/doc/md/Server-security.md
new file mode 100644
index 00000000..8df36f46
--- /dev/null
+++ b/doc/md/Server-security.md
@@ -0,0 +1,73 @@
+## php.ini
+PHP settings are defined in:
+- a main configuration file, usually found under `/etc/php5/php.ini`; some distributions provide different configuration environments, e.g.
+    - `/etc/php5/php.ini` - used when running console scripts
+    - `/etc/php5/apache2/php.ini` - used when a client requests PHP resources from Apache
+    - `/etc/php5/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM
+- additional configuration files/entries, depending on the installed/enabled extensions:
+    - `/etc/php/conf.d/xdebug.ini`
+### Locate .ini files
+#### Console environment
+```bash
+$ php --ini
+Configuration File (php.ini) Path: /etc/php
+Loaded Configuration File:         /etc/php/php.ini
+Scan for additional .ini files in: /etc/php/conf.d
+Additional .ini files parsed:      /etc/php/conf.d/xdebug.ini
+```
+#### Server environment
+- create a `phpinfo.php` script located in a path supported by the web server, e.g.
+    - Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php`
+    - `/var/www/test/phpinfo.php`
+- make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`)
+- access the script from a web browser
+- look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
+```php
+<?php phpinfo(); ?>
+```
+## fail2ban
+`fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts:
+- [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page)
+- [Source code](https://github.com/fail2ban/fail2ban)
+### Read Shaarli logs to ban IPs
+Example configuration:
+- allow 3 login attempts per IP address
+- after 3 failures, permanently ban the corresponding IP adddress
+`/etc/fail2ban/jail.local`
+```ini
+[shaarli-auth]
+enabled  = true
+port     = https,http
+filter   = shaarli-auth
+logpath  = /var/www/path/to/shaarli/data/log.txt
+maxretry = 3
+bantime = -1
+```
+`/etc/fail2ban/filter.d/shaarli-auth.conf`
+```ini
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
+ignoreregex = 
+```
+## Robots - Restricting search engines and web crawler traffic
+Creating a `robots.txt` with the following contents at the root of your Shaarli installation will prevent _honest_ web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic.
+```
+User-agent: *
+Disallow: /
+```
+See:
+- http://www.robotstxt.org/
+- http://www.robotstxt.org/robotstxt.html
+- http://www.robotstxt.org/meta.html

diff --git a/doc/md/Server-security.md b/doc/md/Server-security.md new file mode 100644 index 00000000..8df36f46 --- /dev/null +++ b/doc/md/Server-security.md
@@ -0,0 +1,73 @@
	1	## php.ini
	2	PHP settings are defined in:
	3	- a main configuration file, usually found under `/etc/php5/php.ini`; some distributions provide different configuration environments, e.g.
	4	- `/etc/php5/php.ini` - used when running console scripts
	5	- `/etc/php5/apache2/php.ini` - used when a client requests PHP resources from Apache
	6	- `/etc/php5/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM
	7	- additional configuration files/entries, depending on the installed/enabled extensions:
	8	- `/etc/php/conf.d/xdebug.ini`
	9
	10	### Locate .ini files
	11	#### Console environment
	12	```bash
	13	$ php --ini
	14	Configuration File (php.ini) Path: /etc/php
	15	Loaded Configuration File: /etc/php/php.ini
	16	Scan for additional .ini files in: /etc/php/conf.d
	17	Additional .ini files parsed: /etc/php/conf.d/xdebug.ini
	18	```
	19
	20	#### Server environment
	21	- create a `phpinfo.php` script located in a path supported by the web server, e.g.
	22	- Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php`
	23	- `/var/www/test/phpinfo.php`
	24	- make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`)
	25	- access the script from a web browser
	26	- look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
	27	```php
	28	<?php phpinfo(); ?>
	29	```
	30
	31	## fail2ban
	32	`fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts:
	33	- [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page)
	34	- [Source code](https://github.com/fail2ban/fail2ban)
	35
	36	### Read Shaarli logs to ban IPs
	37	Example configuration:
	38	- allow 3 login attempts per IP address
	39	- after 3 failures, permanently ban the corresponding IP adddress
	40
	41	`/etc/fail2ban/jail.local`
	42	```ini
	43	[shaarli-auth]
	44	enabled = true
	45	port = https,http
	46	filter = shaarli-auth
	47	logpath = /var/www/path/to/shaarli/data/log.txt
	48	maxretry = 3
	49	bantime = -1
	50	```
	51
	52	`/etc/fail2ban/filter.d/shaarli-auth.conf`
	53	```ini
	54	[INCLUDES]
	55	before = common.conf
	56	[Definition]
	57	failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
	58	ignoreregex =
	59	```
	60
	61	## Robots - Restricting search engines and web crawler traffic
	62
	63	Creating a `robots.txt` with the following contents at the root of your Shaarli installation will prevent _honest_ web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic.
	64
	65	```
	66	User-agent: *
	67	Disallow: /
	68	```
	69
	70	See:
	71	- http://www.robotstxt.org/
	72	- http://www.robotstxt.org/robotstxt.html
	73	- http://www.robotstxt.org/meta.html