From 53ed6d7d1e678d7486337ce67a2f17b30bac21ac Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Thu, 26 Jan 2017 18:52:54 +0100
Subject: Generate HTML documentation using MkDocs (WIP)

MkDocs is a static site generator geared towards building project documentation. Documentation source files are written in Markdown, and configured with a single YAML file.

* http://www.mkdocs.org/
* http://www.mkdocs.org/user-guide/configuration/

Ref. #312

* remove pandoc-generated HTML documentation
* move markdown doc to doc/md/,
* mkdocs.yml:
  * generate HTML doc in doc/html
  * add pages TOC/ordering
  * use index.md as index page
* Makefile: remove execute permissions from generated files
* Makefile: rewrite htmlpages GFM to markdown conversion using sed: awk expression also matched '][' which causes invalid output on complex links with images or code blocks
* Add mkdocs.yml to .gitattributes, exclude this file from release archives
* Makefile: rename: htmldoc -> doc_html target
* run make doc: pull latest markdown documentation from wiki
* run make htmlpages: update html documentation
---
 doc/md/Server-security.md | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 doc/md/Server-security.md

(limited to 'doc/md/Server-security.md')

diff --git a/doc/md/Server-security.md b/doc/md/Server-security.md
new file mode 100644
index 00000000..8df36f46
--- /dev/null
+++ b/doc/md/Server-security.md
@@ -0,0 +1,73 @@ +## php.ini +PHP settings are defined in: +- a main configuration file, usually found under `/etc/php5/php.ini`; some distributions provide different configuration environments, e.g. + - `/etc/php5/php.ini` - used when running console scripts + - `/etc/php5/apache2/php.ini` - used when a client requests PHP resources from Apache + - `/etc/php5/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM +- additional configuration files/entries, depending on the installed/enabled extensions: + - `/etc/php/conf.d/xdebug.ini` + +### Locate .ini files +#### Console environment +```bash +$ php --ini +Configuration File (php.ini) Path: /etc/php +Loaded Configuration File: /etc/php/php.ini +Scan for additional .ini files in: /etc/php/conf.d +Additional .ini files parsed: /etc/php/conf.d/xdebug.ini +``` + +#### Server environment +- create a `phpinfo.php` script located in a path supported by the web server, e.g. + - Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php` + - `/var/www/test/phpinfo.php` +- make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`) +- access the script from a web browser +- look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries +```php + +``` + +## fail2ban +`fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) 
and uses `iptables` profiles to block brute-force attempts: +- [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page) +- [Source code](https://github.com/fail2ban/fail2ban) + +### Read Shaarli logs to ban IPs +Example configuration: +- allow 3 login attempts per IP address +- after 3 failures, permanently ban the corresponding IP adddress + +`/etc/fail2ban/jail.local` +```ini +[shaarli-auth] +enabled = true +port = https,http +filter = shaarli-auth +logpath = /var/www/path/to/shaarli/data/log.txt +maxretry = 3 +bantime = -1 +``` + +`/etc/fail2ban/filter.d/shaarli-auth.conf` +```ini +[INCLUDES] +before = common.conf +[Definition] +failregex = \s-\s\s-\sLogin failed for user.*$ +ignoreregex = +``` + +## Robots - Restricting search engines and web crawler traffic + +Creating a `robots.txt` with the following contents at the root of your Shaarli installation will prevent _honest_ web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic. + +``` +User-agent: * +Disallow: / +``` + +See: +- http://www.robotstxt.org/ +- http://www.robotstxt.org/robotstxt.html +- http://www.robotstxt.org/meta.html -- cgit v1.2.3
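Review bot: the `failregex` in `/etc/fail2ban/filter.d/shaarli-auth.conf` contains no `<HOST>` tag, so fail2ban has no address to extract from a matching log line and the `shaarli-auth` jail has nothing to ban. The doubled separator in `\s-\s\s-\s` suggests the tag belongs between the two dashes; please check against a real line from `data/log.txt` and restore it. In the same hunk, the `php` fence at the end of "Server environment" is empty, so the reader is never shown what goes into `phpinfo.php`, and the steps should end with deleting that script, since its output discloses the server configuration to anyone who can reach the URL. With `bantime = -1` and `maxretry = 3`, a sentence on lifting a ban (for example `fail2ban-client set shaarli-auth unbanip <IP>`) would help users who lock themselves out after three typos. Smaller points: "reads server (Apache, SSH, etc.)" is missing its noun (logs), and "adddress" and "unsollicited" are misspelled.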