Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: Tillebeck on February 19, 2014, 07:34:28 PM

Title: best security practice or inhancements like mod_security
Post by: Tillebeck on February 19, 2014, 07:34:28 PM

I have allways thought of the SME Server as a secure server... at least if yum update is run on a regular basis :-)

Is it more secure?
Question arrised after a clients Dedian server got hacked. None of mine SME servers ever got hacked... Have I been lucky or is the SME server 'better' when it comes to security? I have had SME servers with no majer modifications and no hacks for something like 10 years.

After looking into the Debion hack it was a php-cgi exploit Pharma Google hack. Recommandations to avoid it are amoing others:

• remove php-cgi
• install mod_security

But, SME server uses php-cgi as default, right? And no guide in wiki about mod_security so that is probably not used by particularly many SME server users...

Any good to disable php-cgi and install mode_security? Anything else that is good to do? How can SME Server get along with php cgi and no mod_security and still never be hacked?

Great server, isn't it :-) Just looking for an explanation for the succes in not beeing hacked and maybe a way to enhance it even more.

Title: Re: best security practice or inhancements like mod_security
Post by: mmccarn on February 21, 2014, 02:03:27 PM

php-cgi:
php-cgi was used by the PHP5 (http://wiki.contribs.org/PHP5) contrib for SME 7 to provide PHP5 to ibays.
There was a well-publicized vulnerability in php-cgi a while back, followed by quite a bit of discussion on the forums that included suggestions on what to do.

Personally I stick with SME server because I feel like the devs are *very* serious about security.

I recognize that every contrib or web application I install transfers security responsibility to me as the server administrator -- but the SME devs:
* have configured the core components with security in mind
* keep the core components up-to-date
* update the core configuration settings when appropriate
...which makes a huge difference in the security of the servers.

The cost, of course, is flexibility -- it's a bit harder to do whatever you want on a SME server, but in exchange you get increased security.

Title: Re: best security practice or inhancements like mod_security
Post by: CharlieBrady on February 21, 2014, 11:09:18 PM

Quote from: Tillebeck on February 19, 2014, 07:34:28 PM

But, SME server uses php-cgi as default, right?

No. It uses mod_php, to run webmail, and any PHP enabled i-bays.

Title: Re: best security practice or inhancements like mod_security
Post by: Tillebeck on March 04, 2014, 10:59:23 AM

Thanks a lot for the info.