TOPIC:

Hello,

We have installed Xerte (3.0) onto a Linux server which is using Apache. The server will be Internet-facing, so we (obviously) want to ensure that it is as secure as we can make it, but there seems to be no mention of any particular security aspects in the Xerte documentation.

We have removed the 'setup' directory, but have also restricted access to the 'upgrade.php' file (no access to anyone) and 'management.php' (access by specific IP's).

I see that the 'database.php' file contains the database access userid and password, and wondered if this might be pushed out of the web document root and use a 'require_once' somewhere (index.php?) instead?

Secondly we are wondering if turning off (Apache) indexing would cause any problems for Xerte?

The 'import' directory has already been moved out of the web document root (and we have ClamAV running, although yet to be tested with file uploads).

Is there anything else we should do (or could try) to secure Xerte?

Thanks,

John.

I see no reason why switching off indexing should matter to Xerte.

Also, see config.php, line 84 to move database.php out of the web folder.

John,

I'd definitely be interested in seeing an outline of your changes to the code to beef up security. We need to overhaul the management area at some point in the future and given the concerns over security that IT departments have, if we could build in a way to make this manageable without requiring end user code changes then i'd say that this would be a useful feature.

Not that i'm saying that any of these parts of Xerte have security issues, but having these features available could be the convincing factor for some...

Just one thing, with management.php IP restriction, if you found yourself off campus then you would be unable to login and fix things, that is unless you add the range that is given to your VPN clients.

John

John Smith wrote: I'd definitely be interested in seeing an outline of your changes to the code to beef up security.

Ah. We haven't actually changed the code for security, except to move the database file out of the web document root. To a large extent it has been what can we do without changing the code.

Disabling indexing globally, and moving the database.php file out of the document root have had no adverse effects at all. (Although the latter is probably not really required since it is just PHP, and not directly visible as such to users.)

Although this doesn't protect the server itself as such, we have configured Apache to use SSL with HSTS enabled, only TLS protocols available and HIGH (3DES) and elliptic curve ciphers. Apache rewrite rules force users over the HTTPS route.

As already mentioned, all access to 'upgrade.php' has been denied. We'll enable this as and when required. Access to 'management.php' is IP restricted. If remote access is required, then the use of VPN, and a short-term reconfiguration with the VPN IP address can be done. A little messy, but we don't envisage this scenario happening very often. Access to the 'website_code/php/management' directory is likewise IP restricted. There is no access to the '/error_logs' directory. Anyone needing to see the error logs has to go through the '/management.php' route.

Since we use Shibboleth for authentication, access to various directories requires authentication. This, in effect, means that users can't do anything useful without hitting one of these directories.

We have extended the 'error log' ability (function 'receive_message') a little in that when a user logs in (via Shibboleth) an entry is written to a LOGINS error log. Likewise when they log out an entry is written. Failed login attempts are also recorded in the same log, and are shown in red (oooh!) just to try and make them stand out a bit more. In no case is the password recorded. The IP address and userid are always recorded. This to some extent provides us with an audit trail of who logged in and when.

We have also modified access to the 'management' area in that logins and logouts are recorded in a MGMT error log. Again, failed logins are also recorded. And again no passwords are recorded, and since there is only one valid userid that too is not recorded. The user IP address is recorded, and the userid used if the login attempt was unsuccessful. Failed logins here also appear in red. We have also included a log entry whenever someone 'saves' something (clicks the 'Save' button). At the moment this only applies to 'site' changes, and 'templates' I think. It should really be used whenever anything is changed/saved - licences, user accounts etc. Again it provides a bit of auditing of what was done, when and possibly by whom.

For the Shibboleth login, we have removed the userid and password boxes from the login page because they are not required. We have also removed the 'demo' link on the login page since we don't want non-authenticated users using that and (possibly) slowing the server down. The link itself has been moved to the 'Other resources' section for logged in users (so basically our users can still see the demo, they just have to login first). This way the login page presents nothing usable to users. (The main picture and copyright notice are still there, and the links to opensource, xerte and apereo are still there since they take the user away from our server.) A look at this link will show you.

For PHP itself, we have set the 'open_basedir' which, again, hasn't caused any problems. This obviously needs to include the document root, and any external directories that may be used. We have wondered if the 'allow_url_fopen' and 'allow_url_include' options could be set, but for the moment haven't touched these. Again, they may not be required if the code does not make use of URLs with fopen/include, but if some PHP is uploaded which makes use of these then it could offer some protection.

The MySQL setup only allows local server access to the database. There is no external access allowed at all.

Given that Xerte has plugins for ClamAV and filetype checking, we will make use of these. These still need to be tested though, and should provide a major part of the security since they should prevent anything nasty getting onto the server in the first place. We have modified the call to ClamAV to include options such as '--detect-pua' and '--detect-broken'. These, as well as the 'clamscan' pathname, should be configurable though via the management page.

Other than that I cannot think of any more we have really done on the security side of things. Standard server things such as setting up the local firewall, stopping/removing unwanted services, only local access via SSH keys, installing security software, monitoring software, patching etc are applied to all our servers.


John.

I forgot to mention about SELinux. Our XOT server is running CentOS 7, which comes with SELinux enabled. Although the use of SELinux is still very contentious among sysadmins, we have left it enabled on all our servers. Any SELinux denial messages are written to the '/var/log/audit/audit.log' file and we monitor this (using 'swatch') for denied messages. Hence if a process is having a problem because of SELinux we are made aware of it. We then tend to maintain a local policy for the relevant process (using 'audit2allow'). This then provides the process with the required permissions. It can take a bit of time getting the local policies initially set up, but once done then SELinux is not a problem. In addition some permissions can be provided simply by setting one of the SELinux booleans (see 'getsebool' and 'setsebool'). The output of audit2allow will inform you if this is possible. If you want to test if SELinux is causing a problem then you can temporarily disable it using the 'setenforce' command.

In our case local SELinux policies are required for Apache and ClamAV. (We have others as well but I cannot remember if they related to Xerte or not.) However, there are only a couple of entries in each so nothing really taxing. Overall, for us, SELinux did give some denial messages initially, but once we had the policies in place we have had no further problems.


John.