I have a web application needs write access to certain folders on a LAMP server.
Since suPHP / suEXEC escalate operations to an account you specify, it seems like your server is no more secure because a hacker could still compromise your site (you just get to pick the user).
Is this any more secure than granting www-data write access on those specific files / folders?
On a privately owned server with one website, is there any reason the files/directories within /var/www can't be group owned by www-data?
My understanding is that security risks with www-data having write access only arise if you have multiple websites running on the same box.
On a private server with an application that needs write access (Wordpress), is it better to add Apache's web user (www-data) to the "developers" group that owns /var/www or use fastcgi / suphp instead to escalate privileges?
Note: the only users in the "developers" group are admins. Permissions would need to be 775 for folders and 664 for files if the group solution (above) is used.
To enforce the following permissions on files in /var/www, can I use the commands chmod u+s and chmod g+s?
Permissions:
chown -R root:web /var/www chmod -R g+rw /var/www
On my LAMP servers, do either of the firewall interfaces (ufw or apt) allow you to setup rate limiting to automatically ban brute force attempts (e.g. via SSH)? Or, is it best to install fail2ban in conjunction with strict firewall rules?
I'm interested in building two fault tolerant/redundant NFS servers with failover at Amazon EC2. I'm familiar with tools/technologies like DRBD, Heartbeat, etc. Does Amazon provide any specific way of achieving this through their platform?
A suitable example might be that files are kept on a separate, redundant EBS -- if a failure occurs, a new instance is automatically launched from a pre-built AMI, the EBS volume is mounted, and the IP address is transitioned seamlessly.
Is this possible? Are there better platforms than Amazon? Can you give me a broad idea of the underlying architecture we're talking about to pull this off?
I'd like to install ClamAV on my Ubuntu Servers (LAMP). Is it good to go (as a daemon) out-of-the-box, or does it need some configuration? Do I need to add a line to my crontab to update virus signatures?
I run multiple Linux (Ubuntu) web servers and am looking for a convenient way to keep tabs on important log files. I'd like to monitor pertinent LAMP logs as well as server accesses/logins.
Are there any convenient tools/utilities that will (a) rotate log files, (b) compress them, and (c) email or archive them for later viewing?
Can I create the following CNAMEs with "mydomain.com" to effectively whitelabel "mydnsprovider.com"'s nameservers?
ns1.mydomain.com CNAME --> ns1.mydnsprovider.com
ns2.mydomain.com CNAME --> ns2.mydnsprovider.com
...
We currently operate multiple LAMP servers (clustered) and have several VirtualHost config files.
We don't want to have to SCP the file between servers (SPOF). Is that the best bet?
Is it possible to create a fault tolerant, redundant NFS server (e.g. master/slave)?
Several of my web servers mount their WEBroot directories from a single NFS server (which is regularly backed up). Just trying to remove any SPOFs.
I use Amazon's Elastic Load Balancer (ELB) to route traffic between several web servers that host multiple websites (virtual hosts). The web servers act as front-ends (drones) and pull data off of shared NFS/DB servers.
To implement SSL on these websites, I know Amazon allows SSL Termination on the ELB to convert HTTPS requests to standard HTTP on the back-end. Does this work for multiple websites? Can you associate several SSL certificates with a single ELB?
Are there any issues using Amazon's Elastic Load Balancer to forward requests to multiple EC2 instances that use name-based virtual hosting? In other words, is the HTTP header forwarded properly so Apache can determine which files to serve?
I have multiple folders in /var/www for different websites -- Apache uses name-based Virtual Hosts (Ubuntu Server). Suppose I want to allow someone to access their /var/www/user directory, but not cd out of it and be able to traverse the system.
I found information about an OpenSSH Jail here: http://antitese.org/sshjail/
Has anyone used/implemented something like this? Is there a better way aside from basic permissions to control this?
I have a clustered Ubuntu server layout. Is there a way to configure filesystem synchronization only when a change is made/file is modified (to save resources)?
I want to make all folders in a directory chmod to 755 and individual files to chmod 644. Is there a way I can use umask (e.g. umask 022) to specify these permissions in the future?
Thanks in advance.
Our company owns multiple tld's for our corporate domain (e.g. company.com, company.net, etc.). Currently, we operate the main website at "company.com".
To have "company.net" et al forward/redirect to "company.com", should we use a 301 redirect or setup a ServerAlias in Apache's virtual host directive (we use name-based virtual hosting on Ubuntu Server).
Are there any SEO penalties from one approach vs. the other (e.g. Google thinking you have multiple sites with the same contact + flagging it as spam)?
Thanks for the help.
I have SSH key-based authentication setup to connect to a remote server from my Macbook Air. The private key was originally stored in ~/.ssh/id_rsa, but I have since moved that file to a secure external HD. I deleted the file from the ~/.ssh directory as well (in theory, no one would be able to connect without the private key on that external HD).
However, when I try to connect to my remote host via ssh (ssh [email protected]), it happily connects (without the external w/ the keyfile plugged in). It does say "last logged in at" at the prompt, so is my Mac caching the keyfile somewhere?
Are there any good front end tools to manage a BIND9 server? I'd like to offer users the ability to have a login and manage their hosted zones.
I notice Apache is running multiple processes on my LAMP server (ubuntu 10.10). I'm just running a Wordpress site with MySQL as a database. It seems like www-data is running apache2 more than it should (using too much memory too), am I correct:
ID Owner Size Command
31200 www-data 251236 kB /usr/sbin/apache2 -k start
20678 www-data 250948 kB /usr/sbin/apache2 -k start
25781 www-data 248888 kB /usr/sbin/apache2 -k start
31045 www-data 248844 kB /usr/sbin/apache2 -k start
19926 www-data 246480 kB /usr/sbin/apache2 -k start
20749 www-data 239380 kB /usr/sbin/apache2 -k start
32616 www-data 238632 kB /usr/sbin/apache2 -k start
8846 mysql 238128 kB /usr/sbin/mysqld
24178 www-data 234228 kB /usr/sbin/apache2 -k start
32618 www-data 232344 kB /usr/sbin/apache2 -k start
32615 www-data 232204 kB /usr/sbin/apache2 -k start
19805 root 208156 kB /usr/sbin/apache2 -k start