Results 1 to 6 of 6
  1. #1

    About security on Apache...

    Hi all,

    I got a problem... my useres are using the PHPBB forum witch got a big bug... - but how do i fix it, so if my users website is being hacked, the hacker dosn't get access to all the other users directoryes?

  2. #2
    Greetings:

    Check out mod_security at http://www.modsecurity.org/

    Also look at securing your /tmp, /var/tmp, and (if Linux-based) /dev/shm directories.

    Also consider shutting down group and world access to compilers and fetch like utilities.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  3. #3
    Hi,

    I'm using FreeBSD...
    Should mod_Security do the work?

  4. #4
    Join Date
    Sep 2002
    Location
    Nashville, TN
    Posts
    237
    If your using suExec, they shouldn't be able to access anything outside of their home directory (and system tools, which may include a compiler and fetch like utilities; oh, and /tmp). As far as data, you should be safe if your using suExec and have your permissions right. If your just using mod_php, then you defintly could have a big problem as the apache user would have at least read access to everyone else's home directory.

    So, take my thoughts into consideration:

    1) Use suExec for CGI and PHP
    2) Use mod_security, it's just a good thing to do
    3) Secure /tmp, /var/tmp and /dev/shm
    4) Use chkrootkit
    5) Lock down system utilities

    Also, if you know which files contain the bug, just find those files and replace them with the fixed ones (and tell your customers your doing that).

    -Chris

  5. #5
    Greetings:

    Yes, mod_security works on FreeBSD as well as Linux-based servers.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  6. #6
    Join Date
    Apr 2005
    Location
    San Francisco, CA
    Posts
    1,029
    We fighting with PhpBB bugs since version of 2.0.1 using mod_security, securing /tmp and chmod 700 *cc *fetching utils - somehow it's still get in, run fake ebay/paypal sites, start bots for IRC (./pl) - even they cannot do any good, it's just annoying us a lot.

    What we decide to do is REMOVE all installations of PhpBB and ask customers to use VBulletin instead - even guys from PhpBB who "know" all security holes of PhpBB and blame server side setting got hacked (www.phpbb.com) few months ago and whole server just wipe-out.

    So, be aware.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •