General Information
VHCS uses security options built into many of the software packages it ships with to keep the system safe from hacking attempts.
Login Session Timeout
The login session timeout is set in vhcs2.conf:
LOGIN_TIME_OUT = 20
Shared Hosting Security System
VHCS delivers a very flexible shared hosting security system.
CGI Scripts via suEXEC
All user CGI scripts run under different system users with suEXEC.
The system group and user IDs are defined as follows:
UserID: vu2001
GroupID: vu2001
As the VHCS system administrator you can define the minimum user and group IDs in the vhcs2.conf file:
APACHE_SUEXEC_MIN_UID = 2000
APACHE_SUEXEC_MIN_GID = 2000
Here is an example of the standard suEXEC entries for Apache2:
#User vu2007
#Group vu2007
#
#
#SuexecUserGroup vu2007 vu2007
#
# httpd dmn entry cgi support BEGIN.
ScriptAlias /cgi-bin/ /var/www/virtual/domain.tld/cgi-bin/
<Directory /var/www/virtual/domain.tld/cgi-bin>
AllowOverride None
#Options ExecCGI
Order allow,deny
Allow from all
</Directory>
# httpd dmn entry cgi support END.
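As an added example (not part of the VHCS wiki), a small audit script for the rules behind the settings above: suEXEC only runs a script when the target uid/gid are at or above the configured minimums and the cgi-bin directory is owned by that user and not writable by anyone else. The config file and directory it inspects are constructed samples, and GNU stat (-c) is assumed.

```shell
#!/bin/sh
# Added example, not part of the VHCS wiki: check a virtual user and its
# cgi-bin directory against the rules suEXEC applies before running a script:
# uid/gid at or above APACHE_SUEXEC_MIN_UID/GID, and a directory owned by that
# user that is not writable by group or others. Assumes GNU stat (-c).
# The config file below is a constructed sample, not /etc/vhcs2/vhcs2.conf.

SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
LOGIN_TIME_OUT = 20
APACHE_SUEXEC_MIN_UID = 2000
APACHE_SUEXEC_MIN_GID = 2000
EOF

# conf_value FILE KEY: print the value of the first "KEY = value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# ids_allowed FILE UID GID: succeed when both IDs meet the configured minimums
ids_allowed() {
    min_uid=$(conf_value "$1" APACHE_SUEXEC_MIN_UID)
    min_gid=$(conf_value "$1" APACHE_SUEXEC_MIN_GID)
    [ -n "$min_uid" ] && [ -n "$min_gid" ] &&
        [ "$2" -ge "$min_uid" ] && [ "$3" -ge "$min_gid" ]
}

# cgi_dir_safe DIR UID: succeed when DIR exists, is owned by UID and has no
# group/other write bit (suEXEC refuses a directory writable by anyone else)
cgi_dir_safe() {
    [ -d "$1" ] || return 1
    owner=$(stat -c %u "$1")
    mode=$(stat -c %a "$1")
    [ "$owner" -eq "$2" ] && [ $((0$mode & 022)) -eq 0 ]
}

# Demonstration on a constructed directory owned by whoever runs this script
SAMPLE_DIR="$(mktemp -d)"
chmod 755 "$SAMPLE_DIR"
if ids_allowed "$SAMPLE_CONF" 2001 2001; then echo "vu2001: ids ok"; fi
if cgi_dir_safe "$SAMPLE_DIR" "$(id -u)"; then echo "$SAMPLE_DIR: dir ok"; fi
```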
For more information about Apache security please go to the Apache Server Homepage.
VHCS Control Panel SSL Support
I have my own server running the GUI over SSL. Because I see very many questions about the GUI through SSL, I will post a little howto here.
First make sure we have the needed software:
apt-get install openssl
Now we need to create an SSL CA (Certificate Authority) and server certificates for our SSL server. You can use this same method of certificate creation for pop3-ssl and imap-ssl; I will tell more about that at the end.
cd /usr/share/ssl-cert/
Now we're going to create the CA index and serial files.
cp /dev/null ca.index
echo '01' > ca.serial
Now we're going to create a CA config file. The CA (Certificate Authority) is the authority that issues the SSL certificate needed for secure HTTP (in this case it is yourself, but you can also order certificates from Verisign or Thawte).
My configuration file can be found at http://www.speedfix.nl/ca.config
You don't have to edit anything in ca.config.
Now we have to create the CA key and CA certificate for signing our server certificate.
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
(Enter . for every field except the Common Name, which is the name of your Certificate Authority, e.g. Example Certificate Authority.)
For Apache, a key example.org.key is generated and used to produce a certificate request example.org.csr, which is then signed by the Certificate Authority to produce the final certificate example.org.crt. The keys must not be password protected, otherwise Apache will hang waiting for a password when it starts up. Replace example.org with your domain.
Generate the server certificate and server key. The FQDN/Common Name you enter when asked must match the domain at which your VHCS GUI will be reachable! I used *.example.org because with this wildcard both webmail.example.org and cp.example.org work with the same certificate.
openssl genrsa -out example.org.key 2048
openssl req -new -key example.org.key -out example.org.csr
Now sign your server's certificate request with your CA key/certificate:
openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out example.org.crt -infiles example.org.csr
Now copy the just-created and signed certificate and key to Apache2's config dir. Again, replace example.org with the name you just gave your certificate.
cp example.org.key /etc/apache2/ssl/
cp example.org.crt /etc/apache2/ssl/
Now add the SSL port (443) to your ports config:
cd /etc/apache2/
nano ports.conf
and add under Listen 80:
Listen 443
Now we are going to make a VirtualHost in Apache's config. I use a separate file for this.
cd /etc/apache2/sites-available/
nano gui.conf
This is my config file:
NameVirtualHost xxx.xxx.xxx.xxx:80

<VirtualHost cp.example.org:80>
    ServerName cp.example.org
    DocumentRoot /var/www/vhcs2/gui
    <Directory /var/www/vhcs2/gui>
        Options Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost webmail.example.org:80>
    ServerName webmail.example.org
    DocumentRoot /var/www/vhcs2/gui/tools/webmail
    <Directory /var/www/vhcs2/gui>
        Options Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

NameVirtualHost xxx.xxx.xxx.xxx:443

<VirtualHost cp.example.org:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.org.key
    DocumentRoot /var/www/vhcs2/gui
    <Directory /var/www/vhcs2/gui>
        Options Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ServerName cp.example.org
</VirtualHost>

<VirtualHost webmail.example.org:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.org.key
    DocumentRoot /var/www/vhcs2/gui/tools/webmail
    <Directory /var/www/vhcs2/gui>
        Options Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ServerName webmail.example.org
</VirtualHost>
Make sure to replace xxx.xxx.xxx.xxx with the IP you want to use and example.org with your domain. As mentioned before, I use the same certificate for both webmail and cp. You need to have a wildcard certificate for this (*.example.org).
As you can see in the config file I put ports after my virtual hosts (cp.example.org:80 / cp.example.org:443) to make clear whether an entry is SSL or not. You can't mix VirtualHost entries without ports and with ports on one server, so you will need to edit some tpl files and your existing domains in vhcs2.conf.
First the TPL files:
cd /etc/vhcs2/apache/parts/
nano als_entry.tpl
Replace:
<VirtualHost {ALS_NAME}>
with:
<VirtualHost {ALS_NAME}:80>
nano sub_entry.tpl
Replace:
<VirtualHost {SUB_NAME}>
with:
<VirtualHost {SUB_NAME}:80>
nano dmn_entry.tpl
Replace:
<VirtualHost {DMN_NAME}>
with:
<VirtualHost {DMN_NAME}:80>
Now edit your Apache vhcs2.conf:
cd /etc/apache2/sites-available/
nano vhcs2.conf
Now replace all entries like this:
<VirtualHost *>
with:
<VirtualHost *:80>
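The tpl and vhcs2.conf edits above are the same rewrite applied to several files; as an added example (not from the VHCS wiki), a script that applies it to any file and can be run again safely. It assumes GNU sed -i, and the two sample files it edits are constructed, not the real ones under /etc.

```shell
#!/bin/sh
# Added example, not part of the VHCS wiki: apply the ":80" edit from the steps
# above to every VirtualHost opening that has no port yet, so the tpl files and
# vhcs2.conf can coexist with the port-qualified gui.conf. Assumes GNU sed -i.
# The sample files below are constructed, not the real ones under /etc.

# add_port80 FILE: rewrite "<VirtualHost X>" to "<VirtualHost X:80>" in place.
# Openings that already carry a port (X:80, X:443) are left alone, so running
# it twice is harmless. Bracketed IPv6 addresses contain colons and are not
# handled here.
add_port80() {
    sed -i 's/^\([[:space:]]*<VirtualHost[[:space:]]\{1,\}[^:>]\{1,\}\)>/\1:80>/' "$1"
}

# count_portless FILE: how many VirtualHost openings still lack a port
count_portless() {
    grep -c '^[[:space:]]*<VirtualHost[[:space:]]\{1,\}[^:>]*>' "$1" || true
}

# Constructed samples: a dmn_entry.tpl fragment and a vhcs2.conf fragment
TPL="$(mktemp)"
printf '%s\n' '<VirtualHost {DMN_NAME}>' '    ServerName {DMN_NAME}' '</VirtualHost>' > "$TPL"
CONF="$(mktemp)"
printf '%s\n' '<VirtualHost *>' '    ServerName a.example.org' '</VirtualHost>' \
    '<VirtualHost cp.example.org:443>' '    SSLEngine on' '</VirtualHost>' > "$CONF"

echo "before: $(count_portless "$CONF") portless entries in the vhcs2.conf sample"
add_port80 "$TPL"
add_port80 "$CONF"
echo "after: $(count_portless "$CONF") portless entries"
```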
Don't forget to symlink the file /etc/apache2/sites-available/gui.conf to /etc/apache2/sites-enabled/gui.conf. Now symlink /etc/apache2/mods-available/ssl.* to /etc/apache2/mods-enabled/ssl.*
Also make sure that cp.example.org and webmail.example.org exist in your DNS zone files. If not, add them.
Restart apache:
/etc/init.d/apache2 restart
And everything should work. Now I will tell you how to enable SSL on your Courier IMAP and POP3 server.
cd /usr/share/ssl-cert/
openssl genrsa -out courier.key 2048
openssl req -new -key courier.key -out courier.csr
When asked for the FQDN/Common Name, enter your mail server's hostname, for example mail.example.org.
Now sign the courier certificate:
openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out courier.crt -infiles courier.csr
And merge the key and certificate into one file:
nano courier.crt
(strip out everything before the BEGIN CERTIFICATE line)
cat courier.key courier.crt > courier.pem
openssl gendh >> courier.pem
Now install courier ssl packages:
apt-get install courier-imap-ssl courier-pop-ssl courier-ssl
Now put the certificate files in the right place and restart the SSL services:
cp courier.pem /etc/courier/imapd.pem
cp courier.pem /etc/courier/pop3d.pem
chmod 0600 /etc/courier/imapd.pem
chmod 0600 /etc/courier/pop3d.pem
/etc/init.d/courier-imap-ssl stop
/etc/init.d/courier-imap-ssl start
/etc/init.d/courier-pop-ssl stop
/etc/init.d/courier-pop-ssl start
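As an added example (not from the VHCS wiki), the manual "strip everything before the BEGIN CERTIFICATE line" step done with sed, combined with the check the Apache section warns about: a passphrase-protected key hangs Apache at startup and is equally useless for an unattended Courier start. The key and certificate files it reads are constructed placeholders, not real PEM data; the page's openssl gendh step still has to be appended to the result.

```shell
#!/bin/sh
# Added example, not part of the VHCS wiki: the manual "strip everything before
# BEGIN CERTIFICATE" step done with sed, plus the check the Apache section
# warns about (a passphrase-protected key makes Apache hang at startup).
# The PEM files below are constructed stand-ins, not real keys or certificates.

# cert_block FILE: print only the PEM certificate block(s); "openssl ca"
# writes a human-readable dump before the first BEGIN CERTIFICATE line.
cert_block() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# key_is_unencrypted FILE: fail if the key carries a passphrase header
# ("Proc-Type: 4,ENCRYPTED" in traditional PEM, or an ENCRYPTED PRIVATE KEY
# block in PKCS#8); such keys cannot be loaded without someone typing a password.
key_is_unencrypted() {
    grep -q 'BEGIN .*PRIVATE KEY' "$1" || return 1
    ! grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# build_courier_pem KEY CERT OUT: key first, then the clean certificate block,
# readable by the owner only. "openssl gendh >> OUT" is still appended afterwards.
build_courier_pem() {
    key_is_unencrypted "$1" || { echo "refusing: $1 is passphrase protected" >&2; return 1; }
    { cat "$1"; cert_block "$2"; } > "$3"
    chmod 0600 "$3"
}

# Constructed samples (placeholder bodies instead of real base64 data)
KEY="$(mktemp)"; CERT="$(mktemp)"; ENCKEY="$(mktemp)"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder-key-body' '-----END RSA PRIVATE KEY-----' > "$KEY"
printf '%s\n' 'Certificate:' '    Data:' '        Subject: CN=mail.example.org' \
    '-----BEGIN CERTIFICATE-----' 'placeholder-cert-body' '-----END CERTIFICATE-----' > "$CERT"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' 'placeholder-key-body' '-----END RSA PRIVATE KEY-----' > "$ENCKEY"

OUT="$(mktemp)"
build_courier_pem "$KEY" "$CERT" "$OUT" && echo "wrote $OUT"
```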
PHP Security Settings
The Apache2 entries for PHP support allow domain owners to run scripts only in their own directories. An example of the standard VHCS configuration for PHP is:
# httpd dmn entry PHP2 support BEGIN.
php_admin_value open_basedir "/var/www/virtual/domain.tld/:/usr/share/pear/:/tmp/"
# httpd dmn entry PHP2 support END.
All Apache entries are based on templates, so you can customize the configuration to your tastes and style. As an example you can enable safe_mode on a per-site basis using:
php_admin_value safe_mode on
PHP also gives you the opportunity to disable functions that run system commands and could be dangerous:
disable_functions = system,exec,passthru,popen,escapeshellcmd,shell_exec
For more information about PHP security please go to the PHP Homepage.