Wiki/Maintenance and Security
| Maintenance and security | |
|---|---|
| Project leader | José Moreno Retamero |
| Objective | Maintenance and security of wiki Linux server |
| Research Domain | Internet - IoPTS |
| Keywords | Maintenance, Security, Linux, Semantic MediaWiki |
Factpage of Project IT-help
The web server is visible to everybody. Taking a look at the LocalSettings.php file, which is stored in "/var/www/mediawiki"
The log files are stored in "/var/log/apache2". The folder "/apache2" is fully accessible only by its owner, readable and executable by the group, and not accessible at all by others:
- /apache2 --> drwxr-x--- 2 root adm
Inside this folder we find the following log files (other files were created for testing):
* access.log --> -rw-r----- 1 root adm 1.2G
* error.log --> -rw-r----- 1 root adm 15G
* other_vhosts_access.log --> -rw-r----- 1 root adm 690
* other_vhosts_access.log.1 --> -rw-r----- 1 root adm 2.3K
Therefore, the owner can copy, rename, erase or change permissions on these files. Members of the group can enter the folder, but they can only read the log files inside. Other users have no access at all to the "/apache2" folder where the log files are stored. So, with my user, I can only access this folder by running the "sudo" command.
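A small check that verifies the owner/group/other split described above (directory 0750, log files 0640, nothing readable by "others"). This is an added example, not code from the original wiki page: audit_log_dir() is a hypothetical helper, and demo() builds a throwaway directory mimicking /var/log/apache2 instead of touching the real one.

```python
"""Verify that an Apache log directory keeps the owner/group/other split
described above (directory 0750, log files 0640, nothing world-accessible).
Added example, not from the original wiki page; demo() builds a throwaway
directory instead of touching /var/log/apache2."""
import os
import stat
import tempfile

EXPECTED_DIR_MODE = 0o750   # drwxr-x---
EXPECTED_FILE_MODE = 0o640  # -rw-r-----


def audit_log_dir(path):
    """Return [(entry, problem), ...]; an empty list means the layout is compliant."""
    problems = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode != EXPECTED_DIR_MODE:
        problems.append((path, "directory mode %o, expected %o" % (dir_mode, EXPECTED_DIR_MODE)))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode & 0o007:
            # the 'other' bits are what would expose the logs to every local user
            problems.append((name, "world-accessible, mode %o" % mode))
        elif mode != EXPECTED_FILE_MODE:
            problems.append((name, "mode %o, expected %o" % (mode, EXPECTED_FILE_MODE)))
    return problems


def demo():
    """Constructed sample: two correctly protected logs and one left at 0644 by testing."""
    root = tempfile.mkdtemp()
    logdir = os.path.join(root, "apache2")
    os.mkdir(logdir)
    os.chmod(logdir, EXPECTED_DIR_MODE)  # mkdir's mode is subject to umask, so set it explicitly
    for name, mode in (("access.log", 0o640), ("error.log", 0o640), ("test.log", 0o644)):
        full = os.path.join(logdir, name)
        with open(full, "w") as fh:
            fh.write("constructed sample line\n")
        os.chmod(full, mode)
    return audit_log_dir(logdir)


if __name__ == "__main__":
    for entry, problem in demo():
        print("%s: %s" % (entry, problem))
```

On the server the same function can be run as audit_log_dir("/var/log/apache2"), but only as root (or via sudo), since the directory is not listable by other users.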
Old access.log analysis
I got some statistics which were exported as an "html" file. I decided to store it on my personal server (sorry if it is sometimes down) because I really do not know if I have permission to upload content to the web server (I don't mean Linux permissions). I also stored the statistics in my personal path of the ssh account, in case we see it convenient to upload them to the wiki web server:
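The kind of per-IP and per-status summary those statistics contain can be produced directly from access.log. The following is an added example, not the script or the statistics referred to above: it parses Apache's combined log format and flags clients producing many 4xx responses (the usual footprint of path scanning). The log lines are constructed samples using documentation addresses; parse_line(), summarize() and suspicious_ips() are hypothetical helper names.

```python
"""Summarise an Apache combined-format access.log and flag clients that
generate many 4xx responses. Added example, not code from the original wiki
page; the log lines below are constructed samples (RFC 5737 addresses)."""
import re
from collections import Counter

# Combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2013:10:12:01 +0100] "GET /index.php/Main_Page HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:12:03 +0100] "GET /index.php?title=Special:UserLogin HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2013:10:13:10 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "curl/7.22"
198.51.100.7 - - [10/Mar/2013:10:13:11 +0100] "GET /admin/ HTTP/1.1" 404 210 "-" "curl/7.22"
198.51.100.7 - - [10/Mar/2013:10:13:12 +0100] "GET /wp-login.php HTTP/1.1" 404 210 "-" "curl/7.22"
192.0.2.9 - - [10/Mar/2013:10:14:00 +0100] "POST /index.php?title=Special:UserLogin&action=submitlogin HTTP/1.1" 302 - "-" "Mozilla/5.0"
this line is not in combined log format
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate requests per IP, status codes, paths (query string stripped) and 4xx per IP."""
    per_ip, statuses, paths, errors_per_ip = Counter(), Counter(), Counter(), Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count, never silently drop, lines that do not fit the format
            continue
        per_ip[rec["ip"]] += 1
        statuses[rec["status"]] += 1
        paths[rec["path"].split("?")[0]] += 1
        if rec["status"].startswith("4"):
            errors_per_ip[rec["ip"]] += 1
    return {"per_ip": per_ip, "statuses": statuses, "paths": paths,
            "errors_per_ip": errors_per_ip, "unparsed": unparsed}


def suspicious_ips(summary, min_errors=3):
    """IPs with at least min_errors 4xx responses, sorted for stable output."""
    return sorted(ip for ip, n in summary["errors_per_ip"].items() if n >= min_errors)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("requests per IP:", s["per_ip"].most_common())
    print("status codes:", dict(s["statuses"]))
    print("unparsed lines:", s["unparsed"])
    print("suspicious clients:", suspicious_ips(s))
```

To run it over the real file, pass open("/var/log/apache2/access.log") to summarize() instead of the sample; on a 1.2G log that is a one-pass stream, nothing is held in memory except the counters.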
New access.log and error.log files created
These new files contain the last 100 lines of the previous .log files.
There are two interesting files inside "/etc", "hosts.allow" and "hosts.deny". The way to edit them for an ssh whitelist/blacklist is:
* /etc/hosts.deny --> sshd: ALL
* /etc/hosts.allow (two different ways to express it) --> sshd:2.148.*.*-2.151.*.* AS WELL AS sshd:18.104.22.168/255.252.0.0 ...
- Wildcard to allow all of "Norway" --> a file with all the IP ranges for Norway is attached; I think all the addresses detailed below are included: Media:Norway_ipranges.pdf
** UNIK - 193.*.*.* can use ssh
** Telenor (mobile)
** Altibox (network)
** IP range of Norway?
NOTE: We need to change the content of the ipranges file to the correct format: http://ip2cidr.com/
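The conversion the note asks for can be done offline instead of through a web form. hosts_access(5) matches a client against a net/mask pair ("n.n.n.n/m.m.m.m") or a trailing-dot prefix such as "193."; a start-end range written with "*" is not a pattern it understands, so each range has to be split into aligned blocks first. The code below is an added example, not part of the original page or of the attached Norway list: it takes "start-end" ranges (an assumed input format), splits them into CIDR blocks with the standard library and emits one hosts.allow line per block in net/mask form. The ranges used are the page's own 2.148-2.151 example, the 193.x UNIK range and one constructed non-aligned range.

```python
"""Convert start-end IPv4 ranges into CIDR blocks and into the net/mask
notation that tcp_wrappers (hosts.allow/hosts.deny) understands, then emit
sshd whitelist lines. Added example, not from the original wiki page."""
import ipaddress


def range_to_cidrs(start, end):
    """'2.148.0.0', '2.151.255.255' -> ['2.148.0.0/14'] (one entry per aligned block)."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("range end %s precedes start %s" % (end, start))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def cidr_to_netmask(cidr):
    """'2.148.0.0/14' -> '2.148.0.0/255.252.0.0' (hosts_access net/mask form).
    strict=True rejects a host address with a network mask, e.g. 2.148.1.1/14."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return "%s/%s" % (net.network_address, net.netmask)


def hosts_allow_lines(ranges, daemon="sshd"):
    """ranges: iterable of 'start-end' strings (assumed input format, constructed here).
    Returns hosts.allow lines, one net/mask pattern per line."""
    lines = []
    for item in ranges:
        start, end = [part.strip() for part in item.split("-")]
        for cidr in range_to_cidrs(start, end):
            lines.append("%s: %s" % (daemon, cidr_to_netmask(cidr)))
    return lines


# Constructed sample: the page's 2.148-2.151 example, the 193.x UNIK range
# and one range that does not fall on a single CIDR boundary.
SAMPLE_RANGES = [
    "2.148.0.0-2.151.255.255",
    "193.0.0.0-193.255.255.255",
    "10.0.0.0-10.0.0.5",
]

if __name__ == "__main__":
    print("# generated /etc/hosts.allow entries")
    for line in hosts_allow_lines(SAMPLE_RANGES):
        print(line)
```

Keep "sshd: ALL" in /etc/hosts.deny as above; hosts.allow is consulted first, so every generated line opens exactly one block and everything else stays denied. The non-aligned 10.0.0.0-10.0.0.5 range becomes two lines (a /30 and a /31), which is why a plain range cannot be pasted in as one entry.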
Another good alternative for the black/white list is Fail2Ban: http://www.fail2ban.org/wiki/index.php/Main_Page
Allowed users are listed in the "sshd_config" file stored in "/etc/ssh". Note that the root user is not allowed.
"sshd_config" is stored in "/etc/ssh". I suggest some personal recommendations that could make the configuration more secure:
* "ListenAddress" is commented out, so it is probably using "0.0.0.0", which means listening on all interfaces, including external ones. Using a local address such as "192.168.1.0", we only listen on the internal address; we should then configure port forwarding on the router to let the server be reachable from the internet.
* "PermitRootLogin no". Disable root login and create another user with root privileges.
* "IgnoreUserKnownHosts yes" is commented out. We should uncomment it to ignore the users' "~/.ssh/known_hosts", because "HostbasedAuthentication" and "RhostsRSAAuthentication" are disabled.
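The recommendations above can be turned into a repeatable check so that a later edit of sshd_config does not silently reopen root login or bind to every interface again. The following is an added example, not part of the original wiki page: parse_sshd_config() and audit_sshd_config() are hypothetical helpers, and both sample configurations (a default-looking "weak" one and a hardened one with a constructed internal address and user names) are constructed for the demonstration. The check applies the page's own list: PermitRootLogin no, an explicit ListenAddress, an AllowUsers list without root, IgnoreUserKnownHosts yes, HostbasedAuthentication off.

```python
"""Audit an sshd_config text against the recommendations above.
Added example, not part of the original wiki page; the sample configs are
constructed and the address/user names in them are placeholders."""


def parse_sshd_config(text):
    """Return {directive_lower: value} for active (non-comment) lines.
    Keeps the first occurrence of a directive, as sshd does, and stops at the
    first 'Match' block because directives after it are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings (strings); an empty list means all checks pass."""
    s = parse_sshd_config(text)
    findings = []
    # Older OpenSSH defaults PermitRootLogin to 'yes', so require an explicit 'no'
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    # A commented-out ListenAddress means every interface (0.0.0.0)
    if "listenaddress" not in s or s["listenaddress"].startswith("0.0.0.0"):
        findings.append("ListenAddress binds all interfaces")
    # AllowUsers restricts logins to a whitelist; root must not be on it
    allowed = s.get("allowusers", "").split()
    if not allowed:
        findings.append("AllowUsers is not set")
    elif "root" in allowed:
        findings.append("root is listed in AllowUsers")
    # IgnoreUserKnownHosts only takes effect for host-based authentication,
    # which the page recommends keeping disabled; check both as recommended
    if s.get("ignoreuserknownhosts", "no").lower() != "yes":
        findings.append("IgnoreUserKnownHosts is not 'yes'")
    if s.get("hostbasedauthentication", "no").lower() != "no":
        findings.append("HostbasedAuthentication is enabled")
    return findings


WEAK_CONFIG = """\
# default-looking sshd_config (constructed sample)
#ListenAddress 0.0.0.0
PermitRootLogin yes
#IgnoreUserKnownHosts yes
HostbasedAuthentication no
"""

HARDENED_CONFIG = """\
# hardened sshd_config (constructed sample; address and users are placeholders)
ListenAddress 192.168.1.10
PermitRootLogin no
IgnoreUserKnownHosts yes
HostbasedAuthentication no
AllowUsers alice bob
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_sshd_config(cfg) or ["ok"])
```

On the server, feed it open("/etc/ssh/sshd_config").read(); the parser deliberately ignores commented lines, so a recommendation that is only present as a comment (like the commented IgnoreUserKnownHosts above) is reported as missing.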
Running saidar to get information on the smwiki system shows that 1 GByte of memory is too little (only 217 MByte free): the system is currently paging in/paging out.
I experienced some problems on the server, probably caused by memory:
- The web server seemed down but I had access to ssh, so I logged in and realized that it was very slow (almost 5 min to log in).
- I ran the "top" command and saw the "kswapd0" process consuming most of the CPU resources (70%) and memory (40 MB free).
- I restarted Apache and got a MediaWiki error when I tried to access the web:
CWI has a problem Sorry! This site is experiencing technical difficulties. Try waiting a few minutes and reloading. (Can't contact the database server: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (111) (localhost))
- I restarted the server and got everything working again.
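The condition diagnosed above by hand (little free memory, kswapd0 busy, the box paging) can be checked from /proc without saidar or top. The following is an added example, not from the original wiki page: memory_status() is a hypothetical helper that reads a /proc/meminfo snapshot and two /proc/vmstat snapshots taken a few seconds apart, and the sample values are constructed to resemble the 1 GByte server with about 217 MByte free.

```python
"""Detect the low-memory/paging condition described above from /proc/meminfo
and two /proc/vmstat snapshots. Added example, not from the original wiki page;
the sample texts below are constructed."""


def parse_proc_kv(text):
    """Parse 'Key:   value kB' (meminfo) or 'key value' (vmstat) lines into {key: int}.
    meminfo values are in kB; vmstat values are event counters since boot."""
    out = {}
    for line in text.splitlines():
        parts = line.replace(":", " ").split()
        if len(parts) >= 2 and parts[1].isdigit():
            out[parts[0]] = int(parts[1])
    return out


def memory_status(meminfo_text, vmstat_before, vmstat_after, min_free_mb=256):
    """Return totals, a low-memory verdict and whether pages were swapped between snapshots."""
    m = parse_proc_kv(meminfo_text)
    before = parse_proc_kv(vmstat_before)
    after = parse_proc_kv(vmstat_after)
    # MemAvailable exists on kernel 3.14+; older kernels (Ubuntu 12.04) need the fallback
    avail_kb = m.get("MemAvailable",
                     m.get("MemFree", 0) + m.get("Buffers", 0) + m.get("Cached", 0))
    # pswpin/pswpout are cumulative, so the delta between snapshots is the paging activity
    swapped = (after.get("pswpin", 0) - before.get("pswpin", 0)) + \
              (after.get("pswpout", 0) - before.get("pswpout", 0))
    return {
        "total_mb": m.get("MemTotal", 0) // 1024,
        "available_mb": avail_kb // 1024,
        "low_memory": avail_kb // 1024 < min_free_mb,
        "paging": swapped > 0,
        "pages_swapped": swapped,
    }


# Constructed samples: a 1 GByte box with ~217 MByte free, swapping between snapshots
SAMPLE_MEMINFO = """\
MemTotal:        1024000 kB
MemFree:          222208 kB
Buffers:            4096 kB
Cached:            20480 kB
SwapTotal:       1048572 kB
SwapFree:         512000 kB
"""
VMSTAT_BEFORE = "pswpin 1000\npswpout 5000\n"
VMSTAT_AFTER = "pswpin 1420\npswpout 6300\n"

if __name__ == "__main__":
    print(memory_status(SAMPLE_MEMINFO, VMSTAT_BEFORE, VMSTAT_AFTER))
```

On the server, pass open("/proc/meminfo").read() and two reads of /proc/vmstat separated by a short sleep; a non-zero pages_swapped together with low_memory is the same picture the kswapd0 CPU usage gave in top, and is the signal to watch before Apache or MySQL stops responding.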
Backup is currently performed by an automatic script to the user account of Zahid. Suggest a "live swap" to macmini.unik.no (@Josef). - Any ideas on how to?
We currently run MediaWiki 1.17.0 with PHP 5.3.10-1ubuntu3.2 (apache2handler) and MySQL 5.5.24-0ubuntu0.12.04.1; see Special:Version.
My suggestion is that we first install a virtual machine on the UNIK server and then start from scratch with a new version of MediaWiki/Semantic MediaWiki, so we can ensure that we always have a running version.
Installing a new virtual machine with:
* Ubuntu 12.04.2
* MediaWiki 1.20.3
* PHP 5.4.13
* MySQL 5.6.10