Apache folder permissions

You should never have to run a website out of your home directory. EVER. You would otherwise have to give the web server the ability to traverse /home/ to see the directory structure, and also /home/$USER/ (your user's home directory, where it can then see what else exists), as well as any other subfolders in there. A poorly configured or unpatched web server can cause massive data leakage this way, or loss of credentials and the like, which would put your personal data and logins on other services at risk. The symlink approach you are using doesn't help either, for the same reason as trying to give Apache permission to read /home/andre/www/moodle: the web server has to be able to traverse your home directory to reach the location that the symlink in /var/www/html points to, which still poses that security risk.

Install Apache’s mod_security & mod_evasive to prevent DoS/Brute-Force attacks on CentOS

I have been searching for a free, open source solution to protect my web application against prying hackers, malicious screen scrapers, illegitimate crawlers, rampant bots and abusive API users. Besides being free and open source, the minimum requirement is that the solution can identify rogue user IP addresses and blacklist them if necessary. Preferably, the solution can also protect (somewhat) against denial-of-service (DoS) attacks and implement API rate limiting.