Monthly Archives: July 2010

Chroot Apache 2 web server in Ubuntu Server 10.04

Introduction
This article is about how you can secure your Apache 2 web server. There are several ways to secure a server, and this article covers two of them. The first is chroot. Chroot does not make your web pages themselves any safer, but if there is a hole in the code of one site, the rest of your system is not compromised.

A chrooted process cannot reach anything outside its root folder. Say your web server's root folder is /var/www. On a normal system, Apache can reach, for example, /home from a PHP script. With chroot you make Apache believe that /var/www is /, so nothing can go outside the new root.

This solution has some problems. Because nothing can go outside the new root, you have to create binds for any other software you might be using (Perl, MySQL, etc.). A chroot can therefore be a lot of trouble if you don't know what you are doing.

Step 1 – Install module
First we need to install the module for chroot and enable it.

Step 2 – Configure Apache
Now we have to tell Apache which folder we want to chroot into.

Note the new line ChrootDir; it does not exist in your configuration yet, so just add it.

Step 3 – Vhost problems
If you have a lot of vhosts running, you have to change every DocumentRoot to the new path. If the old one was /var/www/site1, the new path is /site1. This can be skipped if you create a symlink instead.

Step 4 – MySQL
To get MySQL to work with PHP, for example, PHP needs to be able to reach mysqld.sock (normally found in /var/run/mysqld/mysqld.sock, but this can differ on your system). To make PHP able to reach it, we bind-mount the real directory onto the new var/run/mysqld folder inside the chroot.

NOTE: this bind is only temporary; when you reboot the server you will lose it. This can be fixed by adding it to fstab or by adding the command to the startup process.

Step 5 – PHP
This step might not be necessary for your configuration, but I had to do it to get mine to work. Some PHP functions like session_start() want a folder to store sessions in. On my server the sessions were stored in the folder /var/lib/php5. Because of the chroot, Apache cannot reach the sessions, so we have to make a bind here as well, like we did in step 4.

Step 6 – Restart Apache
If everything is correct, you should only need to restart Apache and the new chrooted environment should be ready for use.
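A small POSIX sh helper for the chroot steps above, added here as an example and not part of the original post: it rewrites vhost DocumentRoots for step 3, prints the fstab lines that make the step 4 and step 5 bind mounts survive a reboot, and checks a /proc/mounts-style file for them. It assumes ChrootDir is /var/www and the directories /var/run/mysqld and /var/lib/php5 named in the text; adjust these to your system.

```shell
#!/bin/sh
# Helper for the chroot walkthrough above (added example, not from the post).
# Assumes ChrootDir is /var/www and the two bind-mounted directories are
# /var/run/mysqld (step 4) and /var/lib/php5 (step 5); adjust to your system.
CHROOT_DIR="${CHROOT_DIR:-/var/www}"
BIND_DIRS="/var/run/mysqld /var/lib/php5"

# Step 3: translate a host-side DocumentRoot into the path Apache sees inside
# the jail (/var/www/site1 -> /site1). Fails for paths outside the chroot.
rebase_docroot() {
    case "$1" in
        "$CHROOT_DIR")   printf '/\n' ;;
        "$CHROOT_DIR"/*) printf '/%s\n' "${1#$CHROOT_DIR/}" ;;
        *) printf 'ERROR: %s is outside %s\n' "$1" "$CHROOT_DIR" >&2; return 1 ;;
    esac
}

# Rewrite every DocumentRoot line of a vhost file; prints the new config.
rewrite_vhost() {
    sed -E "s#^([[:space:]]*DocumentRoot[[:space:]]+)${CHROOT_DIR}(/|\$)#\1/#" "$1"
}

# Steps 4/5 plus the NOTE: fstab lines that make the bind mounts permanent.
bind_fstab_lines() {
    for dir in $BIND_DIRS; do
        printf '%s\t%s%s\tnone\tbind\t0 0\n' "$dir" "$CHROOT_DIR" "$dir"
    done
}

# Verify the binds are actually mounted. $1 is a file in /proc/mounts format
# (pass /proc/mounts on the real host). Returns 1 if any bind is missing.
check_binds() {
    missing=0
    for dir in $BIND_DIRS; do
        if ! grep -q "[[:space:]]${CHROOT_DIR}${dir}[[:space:]]" "$1"; then
            echo "missing bind mount: ${CHROOT_DIR}${dir}" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage: sh chroot-check.sh /etc/apache2/sites-enabled/site1 [/proc/mounts]
if [ $# -ge 1 ]; then
    rewrite_vhost "$1"
    bind_fstab_lines
    check_binds "${2:-/proc/mounts}"
fi
```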

Possible problems and solutions
If you use the date function in PHP you might get the error

This can be fixed by

Key-Based SSH Logins With PuTTY

This article is about securing your connection to a server. On a normal server running SSH you only need to type in your login and password and you are in. This type of security is weak against brute-force attacks. But there is a solution to this, and it is called key-based login.

Instead of just a login and password, we will now use a private key. This private key is loaded into PuTTY, which uses it when establishing the connection to the server. Without the private key and the correct login and password you cannot log in. As you might notice, you need to have the key with you all the time, and if you lose it you cannot log in. But that is the price you pay for better security, and this is probably the best way to secure a remote SSH connection to a server.

This guide focuses on Windows-to-Linux connections, so we will use PuTTY and PuTTYgen. You can download both from the links below.

Step 1
Open PuTTYgen and create a new key. Just hit Generate and then move your mouse around. NOTE: the default is 1024 bits; if you want more, change it to 2048 or something like that. When the key is generated, click Save public key and save it to a folder, then click Save private key and save it to the same folder.


Step 2
Copy the text from the highlighted section and paste it into the server you want to connect to. Go to the home folder of the user you want to log in as and paste the text into authorized_keys2. Now this user is the only one that will be able to log in. If you want more users to be able to log in, just repeat this step for each of them.

Step 3
Now the server is ready for the connection, and we have to tell PuTTY to use the key when it connects to the server. This is done in the section SSH -> Auth, where you can browse for your private key.


You should now be able to connect to the server using your new key and the password you selected for it. The username is the same user whose authorized_keys2 file we just edited.

Step 4
The last step is to turn off regular logins to the server. This is done by editing sshd_config, found in /etc/ssh/sshd_config, and changing it to the following.

The last thing you need to do is restart the SSH daemon.