Archive for Linux

The effect of SELinux on Apache

Since Fedora Core 3, the security around Apache's httpd has been tightened: scripts (Perl, PHP and so on) can no longer write files anywhere outside the default DocumentRoot. So you have to apply the following settings.

#setsebool -P httpd_unified 1
#chcon -R -h -t httpd_sys_content_t /target_path/target_doc_dir
#ls -ZR /target_path/target_doc_dir

With the final ls command above, check the security context (policy label) of your custom DocumentRoot. If it is there, success!

In particular, on Fedora Core with SELinux enabled, I think this configuration trouble is very likely to come up when you want to run your own wiki, WordPress, and so on. Even a setting this simple may serve as a useful reference for everyone.

More detailed content permission settings can be found here. Please take a look.


The effect of SELinux on Samba

On Fedora 7 and later, when SELinux is enabled and you set up Samba as a shared file server by deploying an smb.conf, no matter how you configure it you end up in a "cannot write" state. This is the effect of SELinux's protections. The fix is as follows; once it is set, you should be able to write.

# setsebool -P samba_export_all_rw on
# service smb restart

It is a very small problem, but if you do not know about it, you will never be able to solve it.
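The verification step in both SELinux posts above is the same: run ls -Z over the directory and confirm that every entry carries the type you labelled it with. The script below is an added example, not code from the original posts. It parses ls -Z style output (context first, then the file name, as current coreutils prints it; Fedora Core era ls -Z put mode, user and group columns first, so the field numbers would need adjusting for that format) and reports any entry whose type differs from the expected one. The two listings are constructed, the directory names are hypothetical, and the expected types are httpd_sys_content_t for the web root, as the Apache post uses, and samba_share_t for the Samba share, which is an assumption on my part about how the share was labelled.

```shell
#!/bin/sh
# Added example (not from the original posts): verify that a directory tree
# carries the SELinux type it was labelled with, using `ls -Z` output
# (format assumed: "<user>:<role>:<type>:<level> <name>" per line).
# Real input would come from: ls -ZR /target_path/target_doc_dir

# Constructed: a web root after `chcon -R -t httpd_sys_content_t`, where one
# subdirectory was created later and kept its old label.
SAMPLE_HTTPD_LISTING='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:httpd_sys_content_t:s0 wp-config.php
unconfined_u:object_r:user_home_t:s0 uploads'

# Constructed: a Samba share whose entries all carry samba_share_t.
SAMPLE_SAMBA_LISTING='system_u:object_r:samba_share_t:s0 docs
system_u:object_r:samba_share_t:s0 photos'

# mislabeled_entries LISTING EXPECTED_TYPE
# Prints the name of every entry whose type (third field of the
# user:role:type:level context) is not EXPECTED_TYPE. Directory headers
# from `ls -R` ("/path:") and blank lines have fewer than two fields and
# are skipped.
mislabeled_entries() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[3] != want) print $2
        }'
}

# count_mislabeled LISTING EXPECTED_TYPE -> number of mislabeled entries
count_mislabeled() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 2 { split($1, ctx, ":"); if (ctx[3] != want) n++ }
        END { print n + 0 }'
}

# label_ok LISTING EXPECTED_TYPE -> exit status 0 when every entry matches
label_ok() {
    [ "$(count_mislabeled "$1" "$2")" -eq 0 ]
}

# Stand-alone run over the constructed listings.
if label_ok "$SAMPLE_HTTPD_LISTING" httpd_sys_content_t; then
    echo "web root: every entry is httpd_sys_content_t"
else
    echo "web root: entries without httpd_sys_content_t:"
    mislabeled_entries "$SAMPLE_HTTPD_LISTING" httpd_sys_content_t
fi
if label_ok "$SAMPLE_SAMBA_LISTING" samba_share_t; then
    echo "samba share: every entry is samba_share_t"
fi
```

Two caveats worth knowing when you run this for real. A label set with chcon is lost the next time the filesystem is relabelled (restorecon or a full relabel); the persistent form is to record the rule with semanage fcontext and then run restorecon. And the booleans in both posts (httpd_unified, samba_export_all_rw) widen what the whole daemon may touch; labelling only the directories that actually need writes (httpd_sys_rw_content_t for Apache, samba_share_t for Samba) keeps the rest of the tree read-only to the service.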


Dangers of MySQL

Today I was very angry because my personal MySQL database was threatened by someone else's operations. In the end, I changed all of my personal MySQL settings: the listening port, the address, the Unix socket and so on. Unfortunately, the guy didn't admit his fault. Even worse, he kept trying to start the default MySQL service that was installed by the OS. It's a crazy and foolish operation, because the global IP address gets bound to port 3306. As we know, that is one of the highly dangerous TCP ports.

Because of all this, I thought it was my fault for having installed the default mysql-server package via yum, which brought us all these dangers. Too impatient to wait, I decided to uninstall the default mysql-server package immediately. I hope all the dangers go away from our important servers, basil and fennel.

Based on my experience, please allow me to give you some warnings as follows.
1. If it is unnecessary, remember not to use mysql-server.
2. If it is necessary, don't forget to change the default settings.
3. Binding the global IP address and port 3306 must be forbidden; bind localhost instead, and not on port 3306.
4. It's a good idea to use a Unix socket instead of a direct TCP connection in your applications, such as connecting to your database server via "localhost:/path/mysql.sock", because all versions of PHP later than 3.1.0 support this connection method, especially when you're using WordPress.

Good luck, and please consider my advice. Thank you.
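To make items 2 to 4 of the list concrete, here is an added example (not code from the original post) that audits the [mysqld] section of a my.cnf against them: does the server bind to every interface, is it still on the well-known port 3306, and is a Unix socket configured so local applications such as WordPress can avoid TCP altogether. The two configuration texts are constructed, one showing the packaged default and one the corrected settings, and the paths in them are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit a my.cnf [mysqld]
# section for the settings the post warns about. Configs are constructed;
# in use you would read /etc/my.cnf (path assumed).

# Constructed: the packaged default, reachable on every interface at 3306.
WEAK_MYCNF='[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
port=3306'

# Constructed: hardened settings in the spirit of the post.
HARDENED_MYCNF='[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
bind-address=127.0.0.1
port=3307'

# mysqld_option CONFIG KEY -> value of KEY inside [mysqld] (last occurrence
# wins, as mysqld itself does), or nothing when the key is absent.
mysqld_option() {
    printf '%s\n' "$1" | awk -v key="$2" -F= '
        /^\[/ { insec = ($0 == "[mysqld]"); next }
        insec && NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == key) val = $2
        }
        END { if (val != "") print val }'
}

# mysqld_findings CONFIG -> one line per weak setting, nothing when clean
mysqld_findings() {
    cfg=$1
    bind=$(mysqld_option "$cfg" bind-address)
    port=$(mysqld_option "$cfg" port)
    sock=$(mysqld_option "$cfg" socket)
    case $bind in
        ''|0.0.0.0|'::')
            echo "bind-address ${bind:-unset}: listens on every interface, set 127.0.0.1" ;;
    esac
    [ "${port:-3306}" != 3306 ] || echo "port ${port:-3306}: the well-known default, choose another"
    [ -n "$sock" ] || echo "socket unset: local applications cannot avoid TCP"
    return 0
}

# Stand-alone run over both constructed configs.
echo "== packaged default =="
mysqld_findings "$WEAK_MYCNF"
echo "== hardened =="
mysqld_findings "$HARDENED_MYCNF"
```

The socket path the audit reports is the one an application would put after "localhost:" in its connection string, as item 4 describes.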


Take care of your sshd settings

This is another topic related to OS security, but it focuses on sshd's settings. If your server has no high security requirements, feel free to ignore this topic. Otherwise, please follow along.

First, change the listening port from 22 to some other, less ordinary port, in order to escape attacks that start from port scanning.
Second, deny direct remote login as the root user. If you really do need root, use the usual way: log in under your personal username and then "su -".
Third, examine your system logs frequently to check whether there are traces of scanning or logins.
Furthermore, I suggest giving an allow-list of IP addresses for login and denying every other address. I think it is the most secure method for your server.

When setting up the second step, make sure that your sshd_config file contains the authentication setting "PermitRootLogin no".
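As an added example (not code from the original post), the script below turns the steps above into two checks you can run: an audit of an sshd_config text for a non-default Port, PermitRootLogin no and an AllowUsers allow-list, and a per-address count of failed password attempts in auth-log lines, which is the "scanning or login tracks" check of the third step. The sshd_config texts and the log lines are constructed; the host name basil is borrowed from the MySQL post, and the log path /var/log/secure is the usual Fedora location but is an assumption here.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config and
# summarise failed logins. Inputs are constructed; in use you would read
# /etc/ssh/sshd_config and /var/log/secure (paths assumed).

SAMPLE_SSHD_CONFIG='# constructed: as shipped
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='# constructed: after following the post
Port 2222
PermitRootLogin no
AllowUsers alice bob'

# sshd_option CONFIG KEYWORD -> value of the first match (sshd honours the
# first occurrence of a keyword); keyword match is case-insensitive,
# comment and blank lines are ignored, nothing is printed when absent.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        NF >= 2 && tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value
            print
            exit
        }'
}

# sshd_findings CONFIG -> one line per weak setting, nothing when clean
sshd_findings() {
    cfg=$1
    port=$(sshd_option "$cfg" Port)
    root=$(sshd_option "$cfg" PermitRootLogin)
    allow=$(sshd_option "$cfg" AllowUsers)
    [ "${port:-22}" != 22 ] || echo "Port ${port:-22}: still the default, move it"
    [ "$(printf '%s' "$root" | tr 'A-Z' 'a-z')" = no ] \
        || echo "PermitRootLogin ${root:-unset}: set it to no"
    [ -n "$allow" ] || echo "AllowUsers unset: no login allow-list"
    return 0
}

# Constructed auth-log lines in the classic syslog format.
SAMPLE_AUTH_LOG='Mar  1 10:00:01 basil sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  1 10:00:03 basil sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  1 10:00:09 basil sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Mar  1 10:01:15 basil sshd[1222]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  1 10:01:20 basil sshd[1223]: Failed password for root from 203.0.113.5 port 40140 ssh2'

# failed_logins_by_ip LOG -> "<count> <ip>" lines, most attempts first
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Stand-alone run over the constructed inputs.
echo "== sshd_config as shipped =="
sshd_findings "$SAMPLE_SSHD_CONFIG"
echo "== sshd_config hardened =="
sshd_findings "$HARDENED_SSHD_CONFIG"
echo "== failed logins by source address =="
failed_logins_by_ip "$SAMPLE_AUTH_LOG"
```

The addresses that top the failed-login list are the natural input for the allow-list and firewall rules the last step recommends, and a run of the config audit after editing sshd_config confirms that the "PermitRootLogin no" line actually took effect before you restart the service.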
