www.bonsaiframework.com
Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 29 Next »

Install PHP

Install the PHP Packages

sudo apt-get install php5

As of Ubuntu 12 (an maybe even earlier), the installer will automatically restart Apache2 for you.

Verify

Quickly verify that everything works by creating a php info file with your favourite editor,

sudo vi /var/www/info.php # On public site do not use such an obvious file name

Put in the following contents,

<?php
phpinfo();
?> 

Save the file and browser to file using a browser. You can use either the IP Address or the valid Domain Name. For example, http://173.194.75.94/info.php or http://www.krypton.com/info.php which should show a purple and grey PHP informational screen.

Secure the PHP

The security posture is from an administrative perspective and not for shared hosting.

Determine if this actually increases security - http://www.suphp.org/Home.html. suPHP and LiteSpeed make the most sense for shared hosting.

This article indicates that suphp is slow as it makes php run as a cgi. Instead a poster recommended using what is available with mod_php - http://serverfault.com/questions/279938/should-i-use-suphp-or-mod-php-for-shared-hosting. Along this thread another poster recommends, http://mpm-itk.sesse.net/ which allows vhosts to be run under different uid and gid.

This restricts the php process to specific directories - http://help.godaddy.com/article/1616

A great discussion on using permissions, same conclusion I was coming to using www-data group - http://unix.stackexchange.com/questions/30879/what-user-should-apache-and-php-be-running-as-what-permissions-should-var-www

Restrict the Execution of PHP to a Specific Folder

Edit, vi /etc/php5/apache2/php.ini to only allow execution of php scripts in specific directories.

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://php.net/open-basedir
open_basedir = /home/www.krypton.com/www/blog/:/home/www.earth.com/www/blog/

This helps minimizes the amount of damage that can be done in the event that the system is compromised to the specified directory.

Restart Apache for the changes to take effect,

sudo service apache2 restart

You will now find that php scripts will only run in the designated directories specified in php.ini.

Install MySQL

sudo apt-get install mysql-server 

For the root administration database password, use the standard password algorithm based on the server name.

Connect PHP to MySQL

Install the necessary libraries so that PHP will be able to connect to MySQL.

sudo apt-get install php5-mysql 

Create the Accounts in MySQL

Connect into MySQL,

mysql -u root -p 

Enter the following MySQL commands,

CREATE DATABASE wpkryptondb;
GRANT ALL PRIVILEGES ON wpkryptondb.* TO 'wpkryptonuser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
EXIT

Adjust the variables for your application.

wpkryptondb - Name of the database for the WordPress application instance. We use the domain name of the website.

wpkryptonuser - User account for accessing the database.

localhost - Address of the database server. In this example, the database is on the same server so use localhost.

password - Change to password using algorithm based on name of the website domain, in this case krypton.

Database Admins will not like granting all privileges. After the initial setup is done we will restrict to more minimal privileges.

 

Setup WordPress

Install WordPress

Using the target application account, in our case we will use serveradmin, download and install WordPress,

su - serveradmin
cd ~
wget http://wordpress.org/latest.tar.gz
tar -xvpf latest.tar.gz
mv wordpress blog # We do not need to make the technology obvious.
mv blog /home/www.krypton.com/www/

Setup File Permissions

Following along the lines of allowing groups to manage their own WordPress instance log in a a sudo enabled user,

cd /home/www.krypton.com/www/
sudo chown -R www-data:wgkrypton ./blog/
sudo chmod -R o-rwx ./blog/ # No users except nobody and those belong to the group wgkrypton will be granted access.
sudo chmod -R u-w ./blog/
sudo chmod -R g+w ./blog/   # Any user belonging to the wgkrypton group can manage the site

...I may need to setup masking to maintain these permissions...

Configure WordPress

  • Create config file for database access
  • Set URL
  • ...

Lock Down WordPress

WordPress and PHP simply due to the model is inherently insecure when compared to more Enterprise solutions.

As such the Bonsai Framework takes an administrator approach to managing and securing WordPress. It is strongly recommended to not use a co-hosting model for multiple clients that require privacy. This is especially problematic if clients are granted shell access. It becomes very complex to protect one client from gaining access to another client's WordPress data.

WordPress updates through the built in admin interface will fail unless the restrictions are relaxed. With this security approach, privileges must be temporarily be granted as part of the upgrade process.

Restrict WordPress Database Account

As part of good application security, the WordPress database account should only be granted minimal privileges.

Connect into MySQL,

mysql -u root -p 

Enter the following MySQL commands,

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wpkryptonuser'@'localhost';
GRANT SELECT, INSERT, UPDATE ON wpkryptondb.* TO 'wpkryptonuser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
EXIT

Adjust the variables for your application.

wpkryptondb - Name of the database for the WordPress application instance. We use the domain name of the website.

wpkryptonuser - User account for accessing the database.

localhost - Address of the database server. In this example, the database is on the same server so use localhost.

password - Change to password using algorithm based on name of the website domain, in this case krypton.

Verify the changes took effect,

SHOW GRANTS FOR 'wpkryptonuser'@'localhost';

 

File Permissions

Adapted from the WordPress article Hardening WordPress we take the approach of creating accounts for select developers or release managers.

wp-config.php - holds the database password and should be locked down.

Covered on the Ubuntu WordPress guide, for automatic updates to occur, the folder and all its files and sub-folders must be owned by www-data with write access. I'm not sure we will take this approach. I think I'd rather update manually.

Repeat for the second instance.

FAQ

Why do some of the php5 installations say to use install libapache2-mod-php5?

No need, it is included with the php5 package.

What is the difference between the php5  and libapache2-mod-php5 packages?

Nothing I can see. It just looks like php5 is an overarching package name.

References

Setup

Ubuntu Server Documentation - https://help.ubuntu.com/12.04/serverguide/php5.html

Security

Has some ok details around suPHP - https://help.ubuntu.com/community/ApacheMySQLPHP#Installing_MYSQL_with_PHP_5

Some good notes on securing PHP from Symantec - http://www.symantec.com/connect/articles/securing-php-step-step

Start some good security practices for WordPress - http://www.howtospoter.com/web-20/wordpress/triple-p-of-total-wordpress-security

 

  • No labels