Build a secure DedeCMS website in Linux

Source: Internet
Author: User
Directory permission settings

The user that the web server runs as must be different from the owner of the website directory. For example, if Apache runs as www, the owner of the website directory should not be www but a different user, such as centos.

Assume that the web server runs as the www user, the website is assigned to the centos user, and the root directory of the DedeCMS website is /home/centos/web.

We do not recommend placing the topic directory in the website root directory, because that makes the security settings very troublesome. By default, after installation is complete, the directories are set up as follows:

1. Set the website directory owner to centos and the group to www, with directories set to 750 and files set to 640.
cd /home/centos
chown -R centos:www web
find web -type d -exec chmod 750 {} \;
find web -not -type d -exec chmod 640 {} \;

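2. Set the data, templets, uploads, a, and images directories to read/write but non-executable.
Set the read/write permissions:
cd /home/centos/web
chmod -R 770 data templets uploads a images
Set the non-executable permission:
For Apache, add the following to the Apache configuration file (the data directory is used as the example; the other directories are set up in basically the same way).

<Directory /home/centos/web/data>
    # Turn off the PHP engine for this directory
    php_flag engine off
    # Refuse direct requests for PHP files (same file pattern as the Nginx rule below).
    # Order/Deny is Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied".
    <FilesMatch "\.(php|php5)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

For Nginx, the settings are as follows:
location ~* ^/(data|templets|uploads|a|images)/.*\.(php|php5)$
{
    deny all;
}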

3. If you do not need topics, we recommend that you delete the special directory. You can delete special/index.php after generating the HTML and then set this directory to read/write and non-executable. Setting read/write and non-executable permissions is described above and is not repeated here.
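
The layout from steps 1 to 3 can be checked after the fact. The script below is an added example, not part of the original article; it assumes the article's www web server user and its five writable directories, and the function name audit_tree and the finding labels are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. audit_tree and the finding
# labels are hypothetical names. Assumptions taken from the article: web
# server user "www"; writable directories data, templets, uploads, a, images.
# Usage: audit_tree /home/centos/web
WRITABLE_DIRS="data templets uploads a images"

# audit_tree ROOT [WEB_USER]
# Prints one "LABEL path" line per problem; returns 1 if any were found.
audit_tree() (
    root=$1
    web_user=${2:-www}
    cd "$root" || exit 2

    # Build "-path ./data -o -path ./templets ..." for find's -prune.
    set --
    for d in $WRITABLE_DIRS; do
        [ $# -eq 0 ] || set -- "$@" -o
        set -- "$@" -path "./$d"
    done

    out=$(
        # The web server account must not own anything in the tree.
        if id -u "$web_user" >/dev/null 2>&1; then
            find . -user "$web_user" | sed 's/^/OWNED_BY_WEB_USER /'
        fi
        # 750/640 (and 770) leave no permission bits for "other".
        find . ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) |
            sed 's/^/WORLD_ACCESS /'
        # Outside the writable directories the www group must not have write,
        # otherwise the web server could modify the site's code.
        find . \( "$@" \) -prune -o ! -type l -perm -020 -print |
            sed 's/^/GROUP_WRITE /'
    )
    [ -z "$out" ] && exit 0
    printf '%s\n' "$out"
    exit 1
)
```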

Other precautions

1. Although the install directory is already strictly handled, we recommend that you delete it for security reasons.

2. Do not use the MySQL root user directly for the website. Create a separate MySQL user account for each website, with the following privileges:
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES
Because DEDE does not use stored procedures anywhere, be sure to withhold the privileges for file operations and for executing stored procedures, namely FILE and EXECUTE.
Assume that the database we created is named centossql, the database user is centossql, and the password is 123456. The commands are as follows:
mysql -uroot -p
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON centossql.* TO centossql@localhost IDENTIFIED BY '123456';
mysql> FLUSH PRIVILEGES;
mysql> exit

3. Rename the default management directory, dede.

4. Follow the update notifications in the admin backend and check whether the latest DedeCMS patches are installed.
