Security Issues for Apache+Proftpd Virtual Hosts

1. ProFTPD runs under a dedicated hostuser:hostuser account, and every FTP user is mapped to that account.

The htdocs/hosts directory is also owned by hostuser.

Files uploaded over FTP are therefore owned by hostuser, with mode 644 for files and 755 for directories.

Each user is locked into their own home directory.

Apache runs as nobody (a dedicated Apache user would be better) and only needs to read hostuser's script files.

For the uploads and cache directories to be writable by Apache, set them to 777 and apply the same mode recursively to their subdirectories. Both directories forbid script execution (an .htaccess containing php_flag engine off), so even if an attacker uploads a webshell into one of them, it cannot be executed.

Any new file that Apache creates in cache or uploads is owned by nobody.

The cache directory is blocked from external (web) access.

This creates a problem: files and directories generated by Apache have mode 644 and 755, so when ProFTPD runs as hostuser:hostuser the user cannot delete the contents of cache or uploads.

Solutions:

(1) Have the PHP program chmod the files and directories it creates to 666 and 777 respectively.

Taking adodb as an example, two places in the library must be changed: line 1681 of adodb.inc.php, if (!mkdir($dir,0771)), and line 287 of adodb-csvlib.inc.php, chmod($tmpname,0644);

(2) Give users a way to empty the cache and uploads directories from within the system itself.

2. PHP safe_mode. Its main function is to check, whenever a script reads, writes or modifies a file, that the owner of the script and the owner of the file are the same; if they differ, the operation is refused.

However, when the script owner is hostuser and it tries to delete a file in the uploads directory that is owned by nobody, the write is refused as soon as safe_mode is turned on.

So safe_mode is not turned on by default.

The alternative is:

php_admin_value open_basedir /docroot restricts each user to accessing only their own files. The docroot here is the root directory of the program, not the cache or uploads directory beneath it; if open_basedir points anywhere other than the root directory, the PHP program itself can no longer be accessed.
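The directory layout from section 1 and the per-host open_basedir directive from section 2, as an added provisioning script that is not part of the original article. It assumes the cache directory is hidden from web clients with an Apache 2.4 "Require all denied" (the article does not say how it is blocked), and it only attempts the chown to hostuser when run as root and that account exists.

```shell
#!/bin/sh
# Added example, not from the original article. Provisions one virtual host's
# document root with the permissions and .htaccess rules described above.
# Assumptions: Apache 2.4 "Require all denied" for the cache directory; the
# chown to hostuser only runs as root and only if that account exists.
set -eu

provision_docroot() {
    docroot="$1"
    mkdir -p "$docroot/uploads" "$docroot/cache"
    chmod 755 "$docroot"                     # program tree as FTP leaves it
    # uploads and cache must be writable by Apache (nobody) as well as by
    # hostuser, so they and every subdirectory get 777.
    find "$docroot/uploads" "$docroot/cache" -type d -exec chmod 777 {} +
    # Neither directory may execute PHP: an uploaded webshell is served as data.
    for d in uploads cache; do
        printf 'php_flag engine off\n' > "$docroot/$d/.htaccess"
    done
    # cache is additionally closed to web clients (assumed directive).
    printf 'Require all denied\n' >> "$docroot/cache/.htaccess"
    if [ "$(id -u)" -eq 0 ] && id hostuser >/dev/null 2>&1; then
        chown -R hostuser:hostuser "$docroot"
    fi
}

# Prints "ok" when a directory is world-writable AND has PHP execution
# disabled, i.e. it matches the rule the article sets for uploads and cache;
# otherwise prints the failing condition and returns 1.
check_noexec_dir() {
    d="$1"
    mode=$(ls -ld "$d" | cut -c1-10)
    [ "$mode" = "drwxrwxrwx" ] || { echo "not-world-writable"; return 1; }
    grep -qs '^php_flag engine off' "$d/.htaccess" || { echo "php-engine-on"; return 1; }
    echo ok
}

# The per-host directive from section 2: open_basedir must be the program's
# root directory, not cache or uploads, or the program becomes unreachable.
open_basedir_line() {
    echo "php_admin_value open_basedir $1"
}
```

Run provision_docroot against a host's docroot, then paste the open_basedir_line output into that host's VirtualHost block.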

3. (Not guaranteed) Every PHP script must filter against Remote Code Execution and Local File Include attacks; otherwise an attacker may still read the password in config.php, or read and write the contents of the cache or uploads directory directly.

Data such as user passwords must not be stored in the cache directory.

4. expose_php is set to off, so PHP does not reveal its version number in the HTTP response headers.