Web Server Cheatsheet

From Ye Ole Stash

Performance Settings To Play with

  • echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
    Can lower server load by reusing TCP TIME_WAIT connections.
  • net.core.somaxconn=1024 or higher (I have found this helps in select high traffic situations, although I think there is a better way to do what this does)
  • Cache (wp_cache, apc cache, and others)
  • reverse proxy
  • load balancing (ipvs and others)

Security

  • Some of these are not good for high traffic environments; evaluate before deploying!
  • suEXEC or PHP safe_mode
  • allow_url_fopen Off (php.ini directive)
  • expose_php=Off
  • Limit SSL to V3 and TLS (a web test for the BEAST TLS/SSL exploit is at https://www.ssllabs.com/ssldb/analyze.html)
  • Suhosin or PHP safe_mode
  • Disable unneeded PHP modules/Apache modules to limit exposure and save system resources.
  • SELinux
  • ModSecurity
  • inotify or similar to notify when select files change (config files, php.ini, config.php and others)
  • chattr +i on files to keep them from being changed
  • Use open_basedir to limit exposure (php_admin_value open_basedir $DIR)
  • PHPIDS (phpids.org)
  • Use scripts or inotify to regularly verify that image files are not web-executable code. For example, an "image" file with a .jpg extension is uploaded but is really a malicious PHP script. The unix `file` command will catch this, and the file can then be moved to a non-web-accessible directory and have its execute bits removed (chmod -x) to ensure it cannot be executed.
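As an added example (not from the cheatsheet), here is a small POSIX shell integrity check for the kind of files the inotify bullet names: record a baseline of digests once, then compare on a schedule (cron, or after each deploy) and report anything that changed or disappeared. The file names, the baseline path and the sample contents are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original cheatsheet: baseline-and-compare check
# for selected config files (php.ini, config.php, ...). File names below are
# assumptions for the demo.
set -u

# Digest of one file. sha256sum is preferred; cksum (CRC-32) is only a change
# detector and offers no resistance to a deliberate collision.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Write "digest path" for every existing file given; paths must not contain spaces.
baseline_create() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            printf '%s %s\n' "$(file_digest "$f")" "$f"
        fi
    done
}

# Compare the current state against a baseline file. Prints one line per
# CHANGED or MISSING path and returns 1 if anything differs, 0 otherwise.
baseline_check() {
    diffs=0
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            diffs=$((diffs + 1))
        elif [ "$(file_digest "$path")" != "$digest" ]; then
            echo "CHANGED $path"
            diffs=$((diffs + 1))
        fi
    done < "$1"
    [ "$diffs" -eq 0 ]
}

# Demo with constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf 'expose_php = Off\n' > "$demo_dir/php.ini"
printf '<?php $db_pass = "placeholder"; ?>\n' > "$demo_dir/config.php"
baseline_create "$demo_dir/php.ini" "$demo_dir/config.php" > "$demo_dir/baseline"
printf '<?php $db_pass = "changed"; ?>\n' > "$demo_dir/config.php"   # simulate tampering
if baseline_check "$demo_dir/baseline"; then
    echo "no changes since baseline"
else
    echo "integrity check failed; review the paths above"
fi
rm -rf "$demo_dir"
```

Store the baseline somewhere the web server user cannot write (and ideally on a different host), otherwise whoever modifies config.php can also refresh the baseline; combining this with chattr +i on the baseline file covers the local case.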
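The last bullet as a runnable script, added here as an example and not part of the cheatsheet: classify each upload by content (using `file --mime-type` where installed, with a magic-byte fallback for JPEG, PNG and GIF that goes slightly beyond the `file`-only check in the text), then quarantine and strip the execute bits from anything with an image extension that is not an image. Directory names and the sample uploads are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original cheatsheet. Finds files with image
# extensions whose content is not an image, moves them out of the web root and
# clears their execute bits. Directory names are assumptions for the demo.
set -u

# Return 0 if the file content really is a raster image, 1 otherwise. Uses the
# `file` command when present, else checks the JPEG/PNG/GIF magic bytes.
# The MIME allow-list is deliberate: image/* would also admit SVG, which can
# carry script.
is_real_image() {
    if command -v file >/dev/null 2>&1; then
        case "$(file -b --mime-type "$1")" in
            image/jpeg|image/png|image/gif) return 0 ;;
            *)                              return 1 ;;
        esac
    fi
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*)                     return 0 ;;   # JPEG (FF D8 FF)
        89504e470d0a1a0a)            return 0 ;;   # PNG signature
        474946383761*|474946383961*) return 0 ;;   # GIF87a / GIF89a
        *)                           return 1 ;;
    esac
}

# Scan one upload directory (non-recursive). Every file with an image extension
# whose content is not an image is moved to the quarantine directory and made
# non-executable. Prints the number of files moved.
quarantine_fake_images() {
    uploads=$1
    quarantine=$2
    mkdir -p "$quarantine"
    moved=0
    for f in "$uploads"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.jpg|*.jpeg|*.png|*.gif) ;;   # only files claiming to be images
            *) continue ;;
        esac
        if ! is_real_image "$f"; then
            mv "$f" "$quarantine/"
            chmod a-x "$quarantine/$(basename "$f")"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Constructed sample uploads: a minimal genuine PNG (signature + IHDR) and a
# PHP file named .jpg that has been given execute permission.
make_sample_uploads() {
    mkdir -p "$1"
    printf '\211PNG\r\n\032\n\000\000\000\015IHDR\000\000\000\001\000\000\000\001\010\002\000\000\000\220\167\123\336' > "$1/photo.png"
    printf '<?php echo "not an image"; ?>\n' > "$1/photo.jpg"
    chmod +x "$1/photo.jpg"
}

demo_dir=$(mktemp -d)
make_sample_uploads "$demo_dir/uploads"
echo "quarantined $(quarantine_fake_images "$demo_dir/uploads" "$demo_dir/quarantine") file(s)"
rm -rf "$demo_dir"
```

The quarantine directory must sit outside the document root; chmod -x alone does not stop PHP from interpreting a file that Apache can still serve, so the move is the part that actually removes the exposure.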

Wordpress

  • Protect against user enumeration (nmap -v -p80 --script http-wordpress-enum $SITE is one example of such a scan) using this simple change to httpd.conf (which applies it to all sites), or via .htaccess (not recommended) or an individual site config:
<Files wp-login.php>
AuthName "Stuff"
AuthType Basic
AuthUserFile /usr/local/apache/authfiles/$COOLFILENAME
require valid-user
</Files>