Security issues of Apache + ProFTPD Virtual Hosts

Source: Internet
Author: User

1. Create a hostuser:hostuser account for ProFTPD and map all FTP users to it.

The owner of the htdocs/hosts directory is also hostuser.

Files uploaded over FTP are therefore owned by hostuser (mode 644 for files, 755 for directories).

Lock (chroot) each FTP user into its home directory.

Apache runs as nobody (a dedicated apache user is better) and only needs read access to hostuser's script files.

The uploads and cache directories, which must be writable, are set to 777, and the same mode is applied recursively to their subdirectories. Both directories have script execution disabled (.htaccess: php_flag engine off), so even if an attacker uploads a webshell into them, it cannot be executed.

Consequently, new files created in cache or uploads are owned by nobody.

The cache directory must be blocked from external (HTTP) access.

This creates a problem: Apache creates files and directories as 644 and 755, so when proftpd runs as hostuser:hostuser the FTP user cannot delete the contents of cache or uploads.

Solution:

(1) In the PHP program, chmod files to 666 and directories to 777.

Taking adodb as an example, two places need changing: line 1681, if (!mkdir($dir, 0771)), and line 287 of adodb-csvlib.inc.php, chmod($tmpname, 0644);

(2) Let the user clear cache and uploads directly on the system.

2. PHP safe_mode. Its main function is to check, on every file read, write or modification, whether the owner of the current script matches the owner of the file being accessed; if they differ, the operation is rejected.

However, when the script owner is hostuser and the file owner is nobody, as with files in the uploads directory, enabling safe_mode means those files can no longer be written or deleted.

Therefore safe_mode is left disabled by default.

The alternative solution is:

php_admin_value open_basedir /docroot restricts each user to accessing only their own files. Here docroot is the root directory of the program, not the cache or uploads directory beneath it; PHP programs are then unable to access the root directory.

3. (cannot be fully guaranteed) All PHP scripts should filter out Remote Code Execution and Local File Include attacks; otherwise an attacker may still read the password in config.php, or directly read and write the contents of the cache or uploads directory.

The cache directory must not store data such as user passwords.

4. Set expose_php to off so that PHP does not disclose its version number in the HTTP response headers.
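The per-vhost Apache/PHP settings from points 2 to 4 (open_basedir pinned to the program root, cache blocked, PHP version hidden) rendered by a small shell script, together with a check that catches the mistake the text warns about: pointing open_basedir at cache or uploads instead of the program root. This is an added example, not configuration from the original page; the host name example.test and the path /srv/www are placeholders, and the Order/Deny syntax is Apache 2.2 style (Apache 2.4 uses Require all denied).

```shell
#!/bin/sh
# Added example: emit and sanity-check the per-vhost fragment for points 2-4.
set -eu

# render_vhost HOST DOCROOT: print a VirtualHost block to stdout
render_vhost() {
    host="$1"; docroot="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    DocumentRoot $docroot

    # point 2: confine this vhost's PHP to its own tree instead of safe_mode;
    # the value is the program root, never the cache or uploads directory
    php_admin_value open_basedir $docroot
    # point 4: no PHP version in the response headers (php.ini is the usual
    # place for this system-wide setting; repeated here per vhost)
    php_admin_flag expose_php off

    # point 1: writable directories never execute scripts; mirroring the
    # .htaccess rules here keeps them in force even if that file is removed
    <Directory $docroot/uploads>
        php_admin_flag engine off
    </Directory>
    <Directory $docroot/cache>
        php_admin_flag engine off
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>
EOF
}

# check_vhost_fragment FILE: 0 when the fragment carries every required
# setting and open_basedir is the program root, 1 otherwise
check_vhost_fragment() {
    f="$1"; rc=0
    basedir="$(awk '$1 == "php_admin_value" && $2 == "open_basedir" {print $3}' "$f")"
    [ -n "$basedir" ] || { echo "no open_basedir set" >&2; rc=1; }
    case "$basedir" in
        */uploads|*/cache)
            echo "open_basedir must be the program root, not $basedir" >&2; rc=1 ;;
    esac
    grep -q 'expose_php off' "$f" || { echo "expose_php not off" >&2; rc=1; }
    grep -q 'Deny from all' "$f"  || { echo "cache not blocked from HTTP" >&2; rc=1; }
    [ "$(grep -c 'engine off' "$f")" -ge 2 ] \
        || { echo "uploads or cache may still execute PHP" >&2; rc=1; }
    return $rc
}

# Usage: sh render_vhost.sh example.test /srv/www/example.test > vhost.conf
if [ "$#" -ge 2 ]; then
    render_vhost "$1" "$2"
fi
```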
