
This is the first time I have had to configure a Unix server as a remote server for a website based on LAMP. It also needs to offer SFTP and Git support. I read a lot of guides and I wrote down all the steps that I did.

It is working right now. I would like to ask you if there are any security issues in my workflow, or how I can improve the security of the system.

Let's start:

On my server there is a user "root" and a user "dev". dev should be able to log in to the server with SFTP and upload and download files to the /var/www/html folder. His home folder is /var/www/ and it is chroot-jailed to that folder (I hope!). He does not have write access to /var/www/, but only to the /html folder.

This is what I did:

############ LAMP

useradd --home-dir /var/www -g www-data dev 

chown -R dev:www-data /var/www/html && chmod 755 /var/www/html

apt-get install apache2

apt-get install mysql-server php5-mysql

mysql_install_db

mysql_secure_installation

apt-get install php5 libapache2-mod-php5 php5-mcrypt

apt-get install phpmyadmin apache2-utils

nano /etc/apache2/apache2.conf
(add Include /etc/phpmyadmin/apache.conf
 change AllowOverride to All on /var/www/html/)

a2enmod rewrite

apt-get install php5-gd php5-curl php5-xmlrpc php5-pspell

service apache2 restart

nano /etc/phpmyadmin/apache.conf
(add AllowOverride All inside <Directory /usr/share/phpmyadmin>)

nano /usr/share/phpmyadmin/.htaccess
(add AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/.phpmyadmin.htpasswd
Require valid-user)

htpasswd -c /etc/apache2/.phpmyadmin.htpasswd dev

service apache2 restart

############ PHP EMAILS

apt-get install ssmtp
nano /etc/ssmtp/ssmtp.conf
(delete all and replace with (gmail example):
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
AuthUser=<YOUR-EMAIL>@gmail.com
AuthPass=<YOUR-PASSWORD>
FromLineOverride=YES)

############ FTP WITH SSH

apt-get install vsftpd

apt-get install openssh-server

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

nano /etc/vsftpd.conf
(local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH)

nano /etc/ssh/sshd_config
(Match group www-data <-- with this I get a broken pipe error on ssh connection
    ChrootDirectory /var/www
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    PasswordAuthentication yes)

/etc/init.d/vsftpd restart


############ GIT

apt-get install git

git config --global user.name "Name"

git config --global user.email email@email.com

mkdir /var/www/.ssh && chown dev:www-data /var/www/.ssh && chmod 700 /var/www/.ssh

su - dev -c 'ssh-keygen -t rsa -b 4096 -C "email@email.com"'
(path: /var/www/.ssh/)

cd /var/www/git-repo-sever

git init --bare

Is this safe? Is this a good approach?

Bedo
  • Why do you think you need to run vsftp? – EEAA Apr 05 '16 at 12:48
  • 2
    Usually apache has a `conf.d` directory that is already included by the stock configs. It would be easier to drop a file in there with your include in it rather than editing the stock configs. – chicks Apr 05 '16 at 13:31
  • EEAA to allow dev to connect via sftp client software? – Bedo Apr 05 '16 at 13:59

1 Answer


I think you don't need a vsftpd server at all. The OpenSSH server allows you to upload files using sftp. You configured vsftpd as an SSL-enabled FTP server (FTPS).

Also, you can improve your server security using the next simple steps:

  • move the ssh server to another port, e.g. Port 422;
  • set PasswordAuthentication no and use ssh keys only;
  • set up a firewall (for example csf)
russam
  • Thanks. Just a few questions: 1) does OpenSSH without vsftpd allow FTP software like FileZilla to connect? 2) If I use ssh keys only, how can I configure it? Does each user that wants to connect need to receive the key in a different way (such as email)? 3) Why should I set up a firewall? Close all ports except SSH and HTTP? – Bedo Apr 06 '16 at 10:13
  • 1) FileZilla is able to work with an ssh server over sftp. You can read how to set up FileZilla [here](https://wiki.filezilla-project.org/Howto). It's simple. – russam Apr 06 '16 at 11:52
  • 2) First, you must add your public keys to the `~/.ssh/authorized_keys` file. Restart the openssh daemon. Try to connect using keys. Next, set `PasswordAuthentication no` on the server and restart openssh again. For how to create keys, [read more here](https://support.rackspace.com/how-to/generating-rsa-keys-with-ssh-puttygen/). 3) csf is not only a firewall. It can help you with many problems on your server. Check out the [feature list](http://configserver.com/cp/csf.html). – russam Apr 06 '16 at 12:02
  • More about key creation and ssh use you can read [here](https://www.howtoforge.com/ssh_key_based_logins_putty_p2#-generate-a-privatepublic-key-pair) – russam Apr 06 '16 at 12:09
  • Ah, one more: you don't need to send any keys to any user. They must create the keys themselves and then send you only the public keys. To allow access, you just need to add those keys to the authorized_keys file on the server. – russam Apr 06 '16 at 12:19
  • So what's the difference between password auth and key auth? How can 2 machines do an authentication using only keys and not a password? A man in the middle should be able to enter the communication... – Bedo Apr 07 '16 at 11:10
  • Hope this will help [SSH password vs. key authentication](http://security.stackexchange.com/a/33383) – russam Apr 07 '16 at 11:52
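An added example (not the answer's own code) of the key-only setup the answer and its comments describe: a user sends you a public key, you validate it, append it to the account's `authorized_keys` with restrictive options, and only then turn passwords off in sshd. The validation is deliberately stricter than "does it look like base64": the key type must be on an allowlist, and the decoded blob must start with the same type string that the line declares (the first field of an OpenSSH key blob is a length-prefixed string, RFC 4253 section 6.6), so a mislabelled or truncated paste is refused. It assumes GNU coreutils (`base64`, `od`, `stat`) on Linux; the file paths, the allowlist, and the sample key used in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the answer's own code. Assumes GNU coreutils (base64, od,
# stat) on Linux. Paths and the sample key in the usage note are constructed.

# Key types we accept; ssh-dss and anything unknown is refused.
ALLOWED_KEY_TYPES="ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa"

# pubkey_type LINE
# Validates a pasted "type base64 [comment]" public key: the type must be in
# the allowlist and the decoded blob must begin with the same type string.
# Prints the type on success, returns 1 otherwise.
pubkey_type() {
    set -- $1
    type=$1; blob=$2
    [ -n "$type" ] && [ -n "$blob" ] || return 1
    case " $ALLOWED_KEY_TYPES " in
        *" $type "*) ;;
        *) return 1 ;;
    esac
    # Decode the blob into a list of decimal byte values.
    bytes=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tu1 | tr -s ' \n' ' ')
    set -- $bytes
    [ $# -ge 4 ] || return 1
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))   # big-endian string length
    shift 4
    [ "$len" -gt 0 ] && [ $# -ge "$len" ] || return 1
    embedded=
    i=0
    while [ "$i" -lt "$len" ]; do
        embedded=$embedded$(printf "\\$(printf '%03o' "$1")")  # byte value -> character
        shift; i=$((i + 1))
    done
    [ "$embedded" = "$type" ] || return 1
    printf '%s\n' "$type"
}

# add_authorized_key FILE LINE [OPTIONS]
# Appends LINE to FILE with OpenSSH key options prepended ("restrict" by
# default: no port/agent/X11 forwarding, no pty; right for an sftp-only
# account), skips keys already present, and sets the 0700/0600 modes that
# sshd's StrictModes requires.
add_authorized_key() {
    file=$1; line=$2; opts=${3:-restrict}
    type=$(pubkey_type "$line") || { echo "rejected key: $line" >&2; return 1; }
    set -- $line
    blob=$2; comment=$3
    mkdir -p -m 700 "$(dirname -- "$file")"
    [ -e "$file" ] || : > "$file"
    chmod 600 "$file"
    grep -qF -- "$blob" "$file" && return 0            # already authorised
    printf '%s %s %s%s\n' "$opts" "$type" "$blob" "${comment:+ $comment}" >> "$file"
}

# sshd_keys_only_directives PORT
# Global settings matching the answer's advice. Confirm a key login from a
# second session before adding these, or you lock yourself out.
# ChallengeResponseAuthentication must be off too: with UsePAM yes a password
# prompt can otherwise still arrive through keyboard-interactive auth.
sshd_keys_only_directives() {
    cat <<EOF
Port $1
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# Usage (run as root; KEY is the line the user sent you):
#   add_authorized_key /var/www/.ssh/authorized_keys "$KEY" && chown -R dev:www-data /var/www/.ssh
#   sshd_keys_only_directives 422 >> /etc/ssh/sshd_config && sshd -t && service ssh restart
```

The `restrict` option (OpenSSH 7.2 and later) is the safe default for an account that only ever uses sftp; a `from="203.0.113.5"` prefix can be added as the third argument to pin a key to the user's address. Note that `authorized_keys` is read by sshd before the chroot is entered, so the real path `/var/www/.ssh/authorized_keys` is used even though the user's home is the chroot.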