HLStats security.. What precautions should I take?

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
I just set up a stats system for Half-Life (Counter-Strike) and had to install several servers and possible security risks to get it working... I'm wondering what precautions I should take.

I installed:
MySQL version 3.23.55
Perl 5.8.0
mod_PHP version 4.3.1 for Apache version 2.0.44

A DBI Perl module DBI-1.14
An SQL Perl module Msql-Mysql-modules-1.2215

and HLStats 1.02

Everything is behind a firewall and only access to port 80/443 (apache HTTP and HTTPS), 21(FTP) and 27020/27021 (the HL servers) is available to the outside world.

I have set up the SQL server permissions so that it only grants access to users (no anonymous) and only those users that are connecting from localhost (no outside connections).

However, I have no idea what I should do with PHP and Perl... are there any Apache settings I need to lock down, any file permissions I should set?

Here's the URL:
http://hje.kicks-ass.net/


Thanks,
-Blake

honold

Storage is cool
Joined
Nov 14, 2002
Messages
764
you're entrusting your security to the scripts you're running. php and perl themselves are fine.

opening port 21 is only going to allow active ftp, not passive ftp. most of the world is configured to use passive by default. what is the ftpd for? is it really necessary? consider using vsftpd or pure-ftpd if you're not already.

blakerwry
The ftp is there for me and some friends who have webspace.

users are locked to their home directories... of course only valid users (no anonymous) are allowed.

honold
ftpds are a gigantic source of exploits. make sure you're using vsftpd or pure-ftpd.

if you want people to be able to connect to you using pasv (typical) mode, you'll need to tell your ftpd to use a fixed port range for it and open those ports on your firewall.

blakerwry
I'm running ProFTPd version 1.27

# description: ProFTPD is an enhanced FTP server with \
# a focus toward simplicity, security, and ease of configuration. \
# It features a very Apache-like configuration syntax, \
# and a highly customizable server infrastructure, \
# including support for multiple 'virtual' FTP servers, \
# anonymous FTP, and permission-based directory visibility.


is this not true?

is pure-ftpd better?

blakerwry
hmm... honold, I can't seem to limit people to their home directories with pure-ftpd... (i.e. they can log in and they automatically go to their home directory, but then they just go up one level and they can see everyone's home.. up another level and they can see everything....)

I've read through the help file, but don't see anything about this...

any ideas?

honold
for future reference, the behavior you're talking about is called a CHROOT

"-A --chrooteveryone"
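The two settings honold raises above, chrooting every user and pinning the passive data-port range so the firewall can admit it, as an added example that is not from the thread: a constructed weak and hardened pure-ftpd.conf fragment with a small check you can run against a real config file. The directive names are pure-ftpd.conf keywords; the 30000-30100 range and the iptables rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Directive names are pure-ftpd.conf
# keywords; the port range and the firewall rule are assumptions.

# Weak config (constructed): users can browse above their home directory, and
# passive mode picks random data ports the firewall knows nothing about.
WEAK_CONF=$(cat <<'EOF'
ChrootEveryone      no
NoAnonymous         yes
EOF
)

# Hardened config (constructed): every user is chrooted to their home directory
# and passive data connections use a fixed range the firewall can open.
HARDENED_CONF=$(cat <<'EOF'
ChrootEveryone      yes
NoAnonymous         yes
PassivePortRange    30000 30100
EOF
)

# check_ftpd_conf CONFIG_TEXT -> 0 if both settings are present, 1 otherwise.
check_ftpd_conf() {
    conf="$1"
    printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*ChrootEveryone[[:space:]]+yes' || return 1
    printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*PassivePortRange[[:space:]]+[0-9]+[[:space:]]+[0-9]+' || return 1
    return 0
}

# passive_range CONFIG_TEXT -> prints "LOW HIGH" from PassivePortRange (empty if unset).
passive_range() {
    printf '%s\n' "$1" | awk 'tolower($1)=="passiveportrange" {print $2, $3}'
}

# firewall_rule CONFIG_TEXT -> prints the iptables rule admitting that range
# (assumes a default-deny INPUT chain); fails if no range is configured.
firewall_rule() {
    set -- $(passive_range "$1")
    [ -n "$1" ] && [ -n "$2" ] || return 1
    echo "iptables -A INPUT -p tcp --dport $1:$2 -m state --state NEW -j ACCEPT"
}
```

To check a live install, run `check_ftpd_conf "$(cat /etc/pure-ftpd/pure-ftpd.conf)"` (path is an assumption) and add the rule `firewall_rule` prints alongside the existing port 21 rule.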