Wiki/Maintenance and Security

From its-wiki.no

Jump to: navigation, search
Project: IT-help
Maintenance and security
Web:
Project leader José Moreno Retamero
Project Participants
Start Date 2013/02/19
End Date 2013/08/31
Supported by UNIK
Objective Maintenance and security of wiki Linux server
Research Domain Internet - IoPTS
Keywords Maintenance, Security, Linux, Semantic MediaWiki

Factpage of Project IT-help


Web server

The web server is visible for everybody. Taking a look to LocalSettings.php file which is stored in "/var/www/mediawiki"

Log files

Access rights

Log files stored in "/var/log/apache2", we find that the folder "/apache2" is only full accesible by owner, only read and execute by groups and no access by others

  • /apache2 --> drwxr-x--- 2 root adm

Inside this folder we find the following log files (other files were created for testing):

* access.log                   --> -rw-r----- 1 root adm  1.2G
* error.log                    --> -rw-r----- 1 root adm   15G
* other_vhosts_access.log      --> -rw-r----- 1 root adm   690
* other_vhosts_access.log.1    --> -rw-r----- 1 root adm  2.3K

Therefore, the owner have access to copy, rename, erase or change permisions over these files. Groups are able to enter to the folder but they will only can read the log files insde. Other users will not even have access to the "/apache2" folder, where the log files are stored. So, for my user, I only have access to this folder executing "sudo" command.

Old access.log analysis

I got some statistics which was exported as an "html" file. I decided to store it in my personal server ( sorry if sometimes is down ) because really do not know if I have permission to upload content on the web server ( I dont mean linux permissions ) I also stored the stadistics in my personal path of the ssh account if we see convenient upload it to the wiki web server:

http://chemachin.dyndns.tv/WikiReport/

New access.log and error.log files created

This new files contains the 100 last lines of the previous .log files.

SSH

Black/White List

There are two insteresting files inside "/etc" which are "hosts.allow" and "hosts.deny". The way to edit them for ssh white/blacklist is:

    * /etc/hosts.deny
    sshd: ALL
    * /etc/hosts.allow (Two different ways to express)
                sshd:2.148.*.*-2.151.*.* 
    AS WELL AS  sshd:2.148.0.0/255.252.0.0
    ...
  • Wildcard to allow all "Norway" --> File with all the ip ranges for Norway attached, I think all address detailed below are included:Media:Norway_ipranges.pdf
    ** UNIK - 193.*.*.*  can use ssh
    ** Telenor (mobile)
    ** Altibox (network)
    ** IP range of Norway?

NOTE: We need to make to change the content of the ipranges file to the correct format: http://ip2cidr.com/

Other good alternative for the Black/White list is Fail2Ban: http://www.fail2ban.org/wiki/index.php/Main_Page

Allowed users

Allowed users are included on the "sshd_config" file stored in "/etc/ssh". Note that root user is not allowed.

SSH Suggestions

"sshd_config" is stored in "/etc/ssh", I suggest some personal recomendations that could make a more secure configuration:

    * "ListenAddress" is commented but maybe it's using "0.0.0.0", it means listen on all interfaces, including external ones. Using local address, such as "192.168.1.0", 
    we are only listening internal address,then we should configure port forwarding on the router to let the server have access to internet.
    * "PermitRootLogin" no. Disable root login and create another user with root privileges.
    * "IgnoreUserKnownHosts yes" is commented. We should uncomment it to ignore the users "~/.ssh/known_hosts" because "HostBasedAuthentication" and "RhostRSAauthentication" are disabled.

Server Info

Memory

run saidar to get information on the smwiki system - look slike that 1 GByte of memory is too little (only 217 MByte free) - the system is currently paging in/paging out

I experienced some problems on the server, probably caused by memory:

- The web server seemed down but i had access to ssh, so I loged in and I realized that it was very slow(almost 5min to login)

- I run "top" command and i saw "kswapd0" process consuming most of the CPU resources(70%) and memory(40MB free).

- I restarted apache and got an mediawiki error when tried to access to the web:

              CWI has a problem
              Sorry! This site is experiencing technical difficulties.
              Try waiting a few minutes and reloading.
              (Can't contact the database server: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (111) (localhost))

- I restarted the server and got everything working again.

Server Backup

Backup is currently performed by an automatic script to the user account of Zahid. Suggest to "live swap" to the macmini.unik.no (@Josef). - any ideas on how to?

Server Update

We currently run Mediawiki 1.17.0 with PHP 5.3.10-1ubuntu3.2 (apache2handler) and MySQL 5.5.24-0ubuntu0.12.04.1, see Special:Version

My suggestion is that we first install a virtual machine on the UNIK server, and then start from scratch with a new version of Mediawiki/Semantic Mediawiki, thus we can ensure that we always have a running version.

Installing new virtual machine with:

    * Ubuntu 12.04.2
    * MediaWiki 1.20.3
    * PHP 5.4.13
    * MySQL 5.6.10