
Preparing the environment

Prepare your system with the following script: http://www.douglas.wiki.br/Downloads/scripts/ConfInicialSqueeze.sh so that no package or configuration is missing.

First, update the repositories and upgrade the whole system:

    # aptitude update && aptitude dist-upgrade -y

Now install Apache, the chroot module and debootstrap to build the jail:

    # aptitude install apache2 libapache2-mod-chroot debootstrap -y

Building the jail:

    # debootstrap squeeze /var/chroot http://ftp.br.debian.org/debian

Copying the host system's configuration into the jail:

    # cp -a /etc/resolv.conf /var/chroot/etc/
    # cp -a /etc/hosts /var/chroot/etc/
    # cp -a /etc/mime.types /var/chroot/etc/
    # cp -a /usr/share/zoneinfo/America/Sao_Paulo /var/chroot/usr/share/zoneinfo/America
    # cp -a /etc/adjtime /var/chroot/etc/

Installing Apache inside the jail, together with locales, because we sometimes have language problems and can fix them right away:

    # chroot /var/chroot apt-get update
    # chroot /var/chroot aptitude dist-upgrade -y
    # chroot /var/chroot apt-get install apache2.2-common apache2-utils locales -y

Fixing the jail's language:

    # sed -i 's/# pt_BR.UTF-8 UTF-8/pt_BR.UTF-8 UTF-8/' /var/chroot/etc/locale.gen
    # chroot /var/chroot locale-gen

Adjusting the Apache PID file because of the jail:

    # mv /var/run/apache2.pid /var/chroot/var/run/apache2.pid
    # ln -s /var/chroot/var/run/apache2.pid /var/run/apache2.pid

Configuring Apache in the file /etc/apache2/httpd.conf:

    # vim /etc/apache2/httpd.conf
    PidFile /var/run/apache2.pid
    ChrootDir /var/chroot/

Copying the sites into the jail (if you already have any):

    # cp -Ra /var/www/* /var/chroot/var/www/

Let's test access to the jail. Edit the jail's index.html and put in a value different from the default, to be sure that Apache is serving the jail's data:

    # echo "Teste de chroot no Apache" > /var/chroot/var/www/index.html

Restart Apache:

    # /etc/init.d/apache2 restart

Now access the site: http://ip_servidor

The test message we placed in the jail should appear.

We can follow Apache's errors as in the example below:

    # tail -f /var/log/apache2/error.log
    [Fri Jun 24 09:24:23 2011] [notice] Apache/2.2.16 (Debian) configured -- resuming normal operations
    [Fri Jun 24 09:35:28 2011] [notice] caught SIGTERM, shutting down
    [Fri Jun 24 09:35:29 2011] [notice] Apache/2.2.16 (Debian) configured -- resuming normal operations
    [Fri Jun 24 09:39:09 2011] [notice] caught SIGTERM, shutting down
    [Fri Jun 24 09:39:10 2011] [notice] Apache/2.2.16 (Debian) configured -- resuming normal operations

The first part is now OK: Apache is working in chroot mode. Now we have to make PHP5 and MySQL work with it, and we will also configure a few more modules for the security of our Apache.

Adding PHP support, mod_evasive support and mod_security support

Installing PHP5; it does not need to be inside the jail:

    # aptitude install php5 libapache2-mod-php5 php5-gd php5-ps php5-cli php-pear php5-gd php5-mysql php5-imap php5-mcrypt php5-json -y
    # aptitude install php5-xmlrpc php5-dev php5-common fail2ban libapache2-mod-security2 vsftpd postfix mysql-client-5.1 mysql-client -y
    # chroot /var/chroot apt-get install imagemagick php5-common -y

Fixing permissions:

    # rm -rf /var/chroot/dev/*
    # for SEC in $(echo $(find /var/chroot/ -type f \( -perm -04000 -o -perm -02000 \) -print)); do chmod -s ${SEC}; done
    # chmod -x /var/chroot/bin/su
    # chmod -x /var/chroot/bin/stty

Configuring the evasive module to help us prevent DoS-type attacks:

    # apt-get install libapache2-mod-evasive
    # echo "LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so" > /etc/apache2/mods-available/evasive.load

Configuring the module in /etc/apache2/mods-available/evasive.conf:

    # vim /etc/apache2/mods-available/evasive.conf
    # The Apache 2.x module is built from mod_evasive20.c; a mod_evasive.c guard never matches it.
    <IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 900
    DOSWhitelist 66.249.65.*
    DOSWhitelist 66.249.66.*
    # The last entries are the ranges Google uses for indexing.
    </IfModule>

Fixing the system language:

    # sed -i 's/# pt_BR.UTF-8 UTF-8/pt_BR.UTF-8 UTF-8/' /etc/locale.gen
    # locale-gen

Let's build a virtual host to test our chroot, in /etc/apache2/sites-available/www.douglas.wiki.br:

    # vim /etc/apache2/sites-available/www.douglas.wiki.br
    <VirtualHost *:80>
    ServerName www.douglas.wiki.br
    ServerAlias douglas.wiki.br
    DocumentRoot "/var/www/website/frontend/"
    <Directory "/var/www/website/frontend/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
    </Directory>
    ScriptAlias /cgi-bin/ "/var/www/website/frontend/cgi-bin/"
    <Directory "/var/www/website/frontend/cgi-bin/">
    AllowOverride All
    Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/www.douglas.wiki.br-error.log
    CustomLog ${APACHE_LOG_DIR}/www.douglas.wiki.br-access.log common
    ServerSignature Off
    IndexIgnore .??* *~ *# README RCS CVS *,v *,t*
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel info
    </VirtualHost>

Build the base of our site:

    # mkdir -p /var/chroot/var/www/website/frontend/cgi-bin
    # mkdir -p /var/chroot/var/www/website/logs

    # ln -sf /var/chroot/var/www/website /var/www/website

Creating the test index file:

    # echo "<?php phpinfo() ?>" > /var/www/website/frontend/index.php

Adding the /bin/true shell for the FTP user:

    # echo "/bin/true" >> /etc/shells

Creating the FTP user for our site:

    # useradd -m -d /var/www/website -s /bin/true usuarioftp

Now set a password for it:

    # passwd usuarioftp

Enabling our site and disabling the default sites:

    # a2ensite www.douglas.wiki.br
    # a2dissite default
    # a2dissite default-ssl
    # a2enmod rewrite

Now let's configure mod_security. Insert the content below at the end of the file /etc/apache2/apache2.conf:

    # vim /etc/apache2/apache2.conf
    [...]
    # End of file
    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On
    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On
    # Unicode encoding check
    SecFilterCheckUnicodeEncoding Off
    # Only allow bytes from this range
    SecFilterForceByteRange 0 255
    # Only log suspicious requests
    SecAuditEngine RelevantOnly
    # The name of the audit log file
    SecAuditLog /var/log/apache2/audit_log
    # Debug level set to a minimum
    SecFilterDebugLog /var/log/apache2/modsec_debug_log
    SecFilterDebugLevel 0
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On
    # By default log and deny suspicious requests
    # with HTTP status 500
    SecFilterDefaultAction "deny,log,status:500"
    </IfModule>

Restart Apache:

    # /etc/init.d/apache2 restart

Let's analyze the Apache logs:

    # tail -f /var/log/apache2/error.log
    PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/ps.ini on line 1 in Unknown on line 0
    [Fri Jun 24 09:50:34 2011] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
    [Fri Jun 24 09:50:34 2011] [notice] Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze1 with Suhosin-Patch configured -- resuming normal operations
    [Fri Jun 24 09:51:55 2011] [notice] Graceful restart requested, doing restart
    PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/ps.ini on line 1 in Unknown on line 0
    [Fri Jun 24 09:51:56 2011] [notice] Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze1 with Suhosin-Patch configured -- resuming normal operations
    [Fri Jun 24 10:44:51 2011] [notice] caught SIGTERM, shutting down
    [Fri Jun 24 10:44:53 2011] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
    PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/ps.ini on line 1 in Unknown on line 0
    [Fri Jun 24 10:44:54 2011] [notice] Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze1 with Suhosin-Patch configured -- resuming normal operations

As can be seen, there is a warning about the comment style in the PHP5 configuration file /etc/php5/apache2/conf.d/ps.ini. Let's fix it: we only have to replace the "#" on line 1 with ";", which is the comment character for PHP5 configuration files:

    # vim /etc/php5/apache2/conf.d/ps.ini
    ; configuration for php ps module
    extension=ps.so

Let's also remove our PHP's signature:

    # vim /etc/php5/apache2/php.ini
    [...]
    expose_php = Off
    [...]

Now we can restart Apache again to see whether we get any further warning or error:

    # /etc/init.d/apache2 restart

Let's check the logs now:

    # tail -f /var/log/apache2/error.log
    [Fri Jun 24 10:49:12 2011] [notice] caught SIGTERM, shutting down
    [Fri Jun 24 10:49:14 2011] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
    [Fri Jun 24 10:49:15 2011] [notice] Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze1 with Suhosin-Patch configured -- resuming normal operations
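The error logs in this section show ModSecurity 2.5.12 starting without complaint. ModSecurity 2.x is built from mod_security2.c (identifier security2_module), so a block guarded by <IfModule mod_security.c> is skipped and its SecFilter* directives, which are 1.x syntax, are never parsed. The script below is an added example, not part of the original article: it compares <IfModule> guards against the loaded-module list; the function names, file names and sample data are constructed, and it assumes the usual foo_module / mod_foo.c naming.

```shell
#!/bin/sh
# Added example, not from the original page: list <IfModule> guards that no
# loaded module satisfies; Apache skips everything inside such a block.

# dead_guards MODLIST CONF...  (MODLIST = saved `apache2ctl -M` output)
# Assumption: identifier foo_module corresponds to source file mod_foo.c.
dead_guards() {
    mods=$1; shift
    awk -v mods="$mods" '
        BEGIN {
            while ((getline l < mods) > 0) {
                n = split(l, f, " ")
                if (n == 0 || f[1] !~ /_module$/) continue
                loaded[f[1]] = 1
                sub(/_module$/, "", f[1])
                loaded["mod_" f[1] ".c"] = 1
            }
        }
        /^[ \t]*#/ { next }                      # commented-out lines
        # Positive guards only; "<IfModule !name>" is left alone.
        match(tolower($0), /<ifmodule[ \t]+[^!> \t][^> \t]*/) {
            g = substr($0, RSTART, RLENGTH)
            sub(/^<[A-Za-z]+[ \t]+/, "", g)
            if (!(g in loaded))
                printf "%s:%d: <IfModule %s> never matches\n", FILENAME, FNR, g
        }
    ' "$@"
}

# Constructed sample: a module list in `apache2ctl -M` format and a config
# with two guards naming files no loaded module was built from, one valid.
run_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Loaded Modules:' ' core_module (static)' \
        ' evasive20_module (shared)' ' security2_module (shared)' \
        ' php5_module (shared)' > "$d/modules.txt"
    printf '%s\n' '<IfModule mod_evasive.c>' 'DOSPageCount 2' '</IfModule>' \
        '<IfModule mod_security.c>' 'SecFilterEngine On' '</IfModule>' \
        '<IfModule mod_php5.c>' 'DirectoryIndex index.php' '</IfModule>' \
        > "$d/sample.conf"
    (cd "$d" && dead_guards modules.txt sample.conf)
    rm -rf "$d"
}

# Stand-alone use: sh script.sh modules.txt /etc/apache2/apache2.conf ...
if [ "$#" -ge 2 ]; then dead_guards "$@"; fi
```

The module list can be captured with `apache2ctl -M > modules.txt 2>&1` and passed together with the configuration files to check.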

Adding MySQL support and configuring vsftpd

Let's configure MySQL so that Apache has access to it:

    # aptitude install mysql-server-5.1 mysql-client-5.1 php5-mysql -y

Now adjust MySQL:

    # /etc/init.d/mysql stop
    # mv /var/run/mysqld /var/chroot/var/run/mysqld
    # ln -s /var/chroot/var/run/mysqld /var/run/mysqld

Now we can start MySQL:

    # /etc/init.d/mysql start

Adjust the permissions of our site:

    # chown -R usuarioftp:www-data /var/chroot/var/www/website

Configure logrotate to rotate our site's logs, in the file /etc/logrotate.d/websites:

    # vim /etc/logrotate.d/websites
    # /etc/logrotate.d/websites
    /var/www/website/logs/*.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 640 www-data www-data
    sharedscripts
    postrotate
    /etc/init.d/apache2 reload > /dev/null
    endscript
    }

Configure vsftpd so that we can upload files to the site. Users will only be able to see their own home; they will be locked inside the jail. Open the file /etc/vsftpd.conf:

    # vim /etc/vsftpd.conf
    # /etc/vsftpd.conf
    listen=YES
    listen_ipv6=NO
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=002
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    dirmessage_enable=YES
    use_localtime=YES
    xferlog_enable=YES
    connect_from_port_20=NO
    xferlog_file=/var/log/vsftpd.log
    xferlog_std_format=YES
    idle_session_timeout=600
    data_connection_timeout=120
    nopriv_user=ftp
    ftpd_banner=Bem Vindo ao FTP douglas.wiki.br.
    deny_email_enable=NO
    chroot_local_user=YES
    chroot_list_enable=NO
    banned_email_file=/etc/vsftpd.banned_emails
    chroot_list_file=/etc/vsftpd.chroot_list
    ls_recurse_enable=YES
    secure_chroot_dir=/var/run/vsftpd/empty
    pam_service_name=vsftpd
    rsa_cert_file=/etc/ssl/private/vsftpd.pem

Creating a few more necessary files

In this file we can list the users who will be allowed to leave the jail:

    # touch /etc/vsftpd.chroot_list

In this file we can list the e-mail addresses that will be denied by vsftpd:

    # touch /etc/vsftpd.banned_emails

Let's restart the service:

    # /etc/init.d/vsftpd restart

Now let's test access via FTP:

    # ftp localhost
    Connected to localhost.
    220 Bem Vindo ao FTP douglas.wiki.br.
    Name (localhost:root): usuarioftp
    331 Please specify the password.
    Password: senha
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    3 1001     33           4096 Jun 24 10:41 frontend
    drwxr-xr-x    2 1001     33           4096 Jun 24 10:44 logs
    226 Directory send OK.
    ftp> quit
    221 Goodbye.

As can be seen, we were able to access our server normally with the user we created.

Configuring Fail2ban and adjusting Apache

Now let's configure Fail2ban to look after our server:

    # vim /etc/fail2ban/jail.conf
    # /etc/fail2ban/jail.conf
    [DEFAULT]
    ignoreip = 127.0.0.1,10.0.0.0/23
    bantime = 600
    maxretry = 3
    backend = polling
    destemail = douglas@douglas.wiki.br
    banaction = iptables-multiport
    mta = sendmail
    protocol = tcp
    action_ = %(banaction)s[name=%(__name__)s, port=\"%(port)s\", protocol=\"%(protocol)s]
    action_mw = %(banaction)s[name=%(__name__)s, port=\"%(port)s\", protocol=\"%(protocol)s]
                %(mta)s-whois[name=%(__name__)s, dest=\"%(destemail)s\", protocol=\"%(protocol)s]
    action_mwl = %(banaction)s[name=%(__name__)s, port=\"%(port)s\", protocol=\"%(protocol)s]
                 %(mta)s-whois-lines[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]
    action = %(action_mwl)s

    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3

    [pam-generic]
    enabled = true
    filter = pam-generic
    port = all
    banaction = iptables-allports
    port = anyport
    logpath = /var/log/auth.log
    maxretry = 3

    [ssh-ddos]
    enabled = true
    port = ssh
    filter = sshd-ddos
    logpath = /var/log/auth.log
    maxretry = 3

    [apache]
    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 3

    [dominio.com.br]
    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/www/website/logs/*error.log
    maxretry = 3

    [vsftpd]
    enabled = true
    port = ftp,ftp-data,ftps,ftps-data
    filter = vsftpd
    logpath = /var/log/vsftpd.log
    maxretry = 3

    [postfix]
    enabled = true
    port = smtp,ssmtp
    filter = postfix
    logpath = /var/log/mail.log

    [sasl]
    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    logpath = /var/log/mail.log

Restart the service so that our server has an agent analyzing the logs and blocking when necessary:

    # /etc/init.d/fail2ban restart

Now let's make a few more adjustments to Apache. Open the file /etc/apache2/conf.d/security and leave it as below:

    # vim /etc/apache2/conf.d/security
    [...]
    ServerTokens Prod
    [...]
    ServerSignature Off

And in the jail as well:

    # vim /var/chroot/etc/apache2/conf.d/security
    [...]
    ServerTokens Prod
    [...]
    ServerSignature Off

Now just restart Apache:

    # /etc/init.d/apache2 restart

And just access the site at: http://www.douglas.wiki.br
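The permission step in the PHP section strips setuid/setgid bits, empties the jail's /dev and removes the execute bit from su and stty, but packages installed or upgraded in the jail afterwards can bring such files back. The script below is an added example, not part of the original article, that re-checks those three conditions; audit_jail and count_findings are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original page: re-check the jail after the
# permission-hardening step. audit_jail is a hypothetical helper name.

# audit_jail JAIL  -> one finding per line on stdout
audit_jail() {
    jail=$1
    # Regular files that still carry the setuid or setgid bit.
    find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed 's/^/SETID /'
    # Block or character device nodes left behind (the page empties dev/).
    find "$jail" -xdev \( -type b -o -type c \) -print | sed 's/^/DEVICE /'
    # su and stty should have no execute bit for anyone.
    for bin in bin/su bin/stty; do
        [ -f "$jail/$bin" ] || continue
        find "$jail/$bin" \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
            sed 's/^/EXEC /'
    done
}

# Number of findings; 0 means the jail still matches the hardening step.
count_findings() {
    audit_jail "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh script.sh /var/chroot
if [ "$#" -eq 1 ]; then audit_jail "$1"; fi
```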

Article also published at: Servidor Web Apache Enjaulado + Debian Squeeze (douglas.wiki.br)
