Linux security tips and tricks

So you want to allow users to upload files to your server? This can be dangerous: very quickly, someone will upload a malicious PHP script that gives them access to the directories of your web applications.

Here are some tips and tricks to aid in the safety of your server. We use all of these, and some others that are not included here so that the bad guys can’t figure out all of our security approaches!

 

  1. Enforce SELINUX.

Security Enhanced Linux puts lots of controls in place, and one set of those is what files can be executed by the webserver and what directories the web server can write to.

We start by making all directories under the web application read-only in SELINUX.

If you want to make a directory writable by Apache, you need to enable that in SELINUX using this command:

chcon -Rv --type=httpd_sys_rw_content_t directory/

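A label set with chcon is not recorded in the policy, so it is lost if the filesystem is relabeled or restorecon is run on the directory; semanage fcontext is the tool that makes a label permanent. You can set other flags, like determining whether code can be executed, where PHP can be run, etc., and you should consult the SELINUX manual for more of those.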

If you have issues with a previously working website it is almost certainly the enforcement of SELINUX. It is a pain to get everything right, but it is worth it as it severely restricts the ability of people to compromise the machine.

If you are not sure why SELINUX is suddenly stopping a web site from running, you may be able to figure it out using:

grep httpd /var/log/audit/audit.log | audit2allow

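You can also grep for a specific application if that is the issue. Treat the output as a diagnosis of what was blocked and review it before turning any of it into policy, since audit2allow writes an allow rule for every denial it is given.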

 

  2. File Uploads

File uploads are always the source of problems. If you don’t allow users to upload files, your site will be a lot more secure. If you do allow users to upload files, there are some steps you need to take to enhance the security of your web application:

a) Do not let them upload PHP files.
b) If you have root access, edit the /etc/httpd/conf/httpd.conf configuration to not allow PHP scripts in the upload directory. You will need to add these lines to that file:

<Directory "/var/www/html/PATH/TO/FILEs">
     AllowOverride None
     <FilesMatch "(?i)\.(php|php3?|phtml)$">
        Order Deny,Allow
        Deny from All
     </FilesMatch>
     php_flag engine off
</Directory>

and then use:

service httpd restart

to restart the server (obviously set your path appropriately).

c) Only accept certain types of files, and if possible confirm those types (e.g. our servers typically accept a common format called fasta, and so we can check for that file format). That doesn’t stop the most determined crackers but it is a good start.

d) Only accept alphanumeric characters and exactly one dot in the file name, and require that neither the name nor the extension is empty (regular expression: ^[a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}$). The file name should not matter, but some files are inspected by their filename, and this is a simple measure that protects you.
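
The following Python example is added here and is not code from the original page; it applies the filename rule from d) and a FASTA format check for c) before an upload is stored. The extension allowlist, the size limit and the characters allowed in header lines are assumptions to adjust for your own server.

```python
import re

# The page's filename rule with the dot escaped; fullmatch() anchors both ends.
FILENAME_RE = re.compile(r"[a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}")
# Assumptions (local policy, not from the page): accepted extensions, size
# limit, and a conservative character set for header and sequence lines.
ALLOWED_EXTENSIONS = {"fasta", "fa", "fna", "faa"}
MAX_BYTES = 10 * 1024 * 1024
HEADER_RE = re.compile(r">[A-Za-z0-9_.|:=,/ \[\]()\-]+")
SEQUENCE_RE = re.compile(r"[A-Za-z*\-]+")


def filename_is_safe(name: str) -> bool:
    """Alphanumeric name, exactly one dot, allowlisted extension."""
    if FILENAME_RE.fullmatch(name) is None:
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def looks_like_fasta(data: bytes) -> bool:
    """True if data is ASCII FASTA: each '>' header has sequence lines."""
    if not data or len(data) > MAX_BYTES:
        return False
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    seen_header = False
    record_has_sequence = True  # no record is open before the first header
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith(">"):
            if not record_has_sequence or not HEADER_RE.fullmatch(line):
                return False  # empty previous record or odd header characters
            seen_header, record_has_sequence = True, False
        elif seen_header and SEQUENCE_RE.fullmatch(line):
            record_has_sequence = True
        else:
            return False  # data before the first header, or illegal characters
    return seen_header and record_has_sequence


def accept_upload(name: str, data: bytes) -> bool:
    """Run both checks; store the file only when this returns True."""
    return filename_is_safe(name) and looks_like_fasta(data)
```

Using fullmatch() rather than a pattern ending in $ also rejects a name with a trailing newline, which $ alone would let through.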

These are the trivial solutions. There are other, more complex safeguards that you need to take but I am not going to list them here!