Docker USER and named volume

To harden a Docker image, run the application as a dedicated unprivileged user instead of root. Add the following lines to the Dockerfile:

RUN useradd -u 2000 wwwuser
USER wwwuser

Those two lines create a user with uid 2000 and switch to it.
A host directory bind-mounted into the container is owned by root, so it is read-only for wwwuser. If wwwuser needs to write to the volume, create a named volume owned by that uid instead:

docker volume create --driver local --opt type=tmpfs --opt device=tmpfs  --opt o=uid=2000,gid=2000,size=2g,mode=0750 myHomeVolume

Run the container with the named volume mounted at the user's home directory:

docker run -d -v myHomeVolume:/home/wwwuser --name myapps <image>

To back up the data, tar all files under '/var/lib/docker/volumes/myHomeVolume/_data' as root.
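The workflow above as an added shell example (not code from the original notes): it wraps the volume creation, adds the write check worth running before shipping the image, and backs the volume up in a way that preserves uid 2000. Volume name, uid/gid and the /var/lib/docker path come from the notes; <image> stays a placeholder.

```bash
#!/bin/sh
# Added example, not code from the original notes. Wraps the named-volume
# workflow: create the uid-2000 tmpfs volume, prove the container user can
# write to it, and back it up / restore it as root without losing the uid.
set -e

VOLUME_ROOT=/var/lib/docker/volumes    # Docker's default local-driver location

create_home_volume() {   # $1 = name, $2 = uid, $3 = gid, $4 = size (e.g. 2g)
    docker volume create --driver local --opt type=tmpfs --opt device=tmpfs \
        --opt "o=uid=$2,gid=$3,size=$4,mode=0750" "$1"
}

# Run a throwaway container as the unprivileged uid and try to write. This is
# the check that fails with a root-owned host bind mount and passes with the
# named volume. Returns docker's exit status (0 = writable).
probe_volume_writable() {   # $1 = volume name, $2 = uid, $3 = image
    docker run --rm --user "$2:$2" -v "$1:/home/wwwuser" "$3" \
        sh -c 'touch /home/wwwuser/.write-probe && rm /home/wwwuser/.write-probe'
}

# --numeric-owner stores and restores uid 2000 as a number, so the archive
# stays correct even though the host has no account named wwwuser.
backup_volume() {   # $1 = volume data dir, $2 = output archive
    tar --numeric-owner -C "$1" -cpf "$2" .
}

restore_volume() {  # $1 = archive, $2 = volume data dir
    tar --numeric-owner -C "$2" -xpf "$1"
}

# Typical sequence (needs Docker and root):
#   create_home_volume myHomeVolume 2000 2000 2g
#   probe_volume_writable myHomeVolume 2000 <image>
#   docker run -d -v myHomeVolume:/home/wwwuser --name myapps <image>
#   backup_volume "$VOLUME_ROOT/myHomeVolume/_data" /root/myHomeVolume.tar
```

The volume is tmpfs-backed, so its _data directory only holds data while a container has the volume mounted; take the backup while myapps is running.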

Secure Apache2 and PHP on Ubuntu 16.04

Create /etc/apache2/sites-available/000-security.conf

$ sudo vi /etc/apache2/sites-available/000-security.conf
# Secure apache website

# Disable Trace HTTP Request
TraceEnable off

# Disable Signature
ServerSignature Off

# Disable Banner
ServerTokens Prod

# If enabled ssl (sudo a2enmod ssl)
# Use only TLS, Disable SSLv2, SSLv3
# SSLProtocol -ALL +TLSv1

# Disable Null and Weak Ciphers
# SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

# Disable Directory Listing (Apache rejects mixing a bare "all" with +/- options, so use the relative form)
Options -Indexes

# If enabled headers (sudo a2enmod headers)
# Disable x-powered by
Header always unset X-Powered-By

$ sudo a2ensite 000-security.conf

On Ubuntu 16.04 the default PHP settings are good. Make sure the following settings are present in both php.ini files:

/etc/php/7.0/fpm/php.ini

/etc/php/7.0/apache2/php.ini

expose_php = Off
display_errors = Off
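An added check, not part of the original notes, that verifies a captured HTTP response against what 000-security.conf and expose_php = Off above are meant to enforce. The sample responses in the test are constructed; on a real host capture them with `curl -sI https://your-host/` and `curl -sI -X TRACE https://your-host/`.

```bash
#!/bin/sh
# Added example, not part of the original notes: audits raw HTTP response
# headers for the banner, X-Powered-By and TRACE settings configured above.
set -e

header_value() {   # $1 = raw response headers, $2 = header name (case-insensitive)
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n1 | cut -d' ' -f2-
}

status_code() {    # $1 = raw response headers
    printf '%s\n' "$1" | head -n1 | tr -d '\r' | cut -d' ' -f2
}

# Prints one line per problem and returns the number of problems (0 = clean).
audit_response() { # $1 = raw response headers, $2 = request method used (GET or TRACE)
    local headers="$1" method="$2" n=0 server
    server=$(header_value "$headers" Server)
    # ServerTokens Prod: the banner is exactly "Apache", no version or OS
    if [ -n "$server" ] && [ "$server" != "Apache" ]; then
        echo "Server banner leaks details: $server"; n=$((n+1))
    fi
    # Header always unset X-Powered-By / expose_php = Off: no PHP version advertised
    if [ -n "$(header_value "$headers" X-Powered-By)" ]; then
        echo "X-Powered-By is still sent"; n=$((n+1))
    fi
    # TraceEnable off: Apache must refuse TRACE with 405 Method Not Allowed
    if [ "$method" = TRACE ] && [ "$(status_code "$headers")" != 405 ]; then
        echo "TRACE answered with $(status_code "$headers"), expected 405"; n=$((n+1))
    fi
    return $n
}
```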

Reference: https://www.unixmen.com/ways-to-secure-your-ubuntu-14-04-server-running-lamp/

UFW command examples

sudo ufw status
sudo ufw status verbose
sudo ufw status numbered

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow mysql

sudo ufw delete allow https

sudo ufw allow to any port 2345
sudo ufw delete allow to any port 2345

sudo ufw allow to any port 2345 proto udp
sudo ufw delete allow to any port 2345 proto udp

sudo ufw allow from 192.168.0.5 to any port 2345
sudo ufw delete allow from 192.168.0.5 to any port 2345

sudo ufw allow from 192.168.0.0/24 to any port 2345
sudo ufw delete allow from 192.168.0.0/24 to any port 2345

UFW, IPTABLES and IP FORWARDING

By default, UFW blocks IP forwarding. To enable packet forwarding, two configuration files need to be adjusted. First, in /etc/default/ufw, change DEFAULT_FORWARD_POLICY to "ACCEPT":

DEFAULT_FORWARD_POLICY="ACCEPT"

Then edit /etc/ufw/sysctl.conf and uncomment:

net/ipv4/ip_forward=1
#for IPv6 forwarding uncomment:
net/ipv6/conf/default/forwarding=1

Also enable IPv4 packet forwarding at the kernel level by editing /etc/sysctl.conf and uncommenting the following line:

net.ipv4.ip_forward=1
# If you wish to enable IPv6 forwarding also uncomment:
net.ipv6.conf.default.forwarding=1

Run sysctl to apply the new settings from the configuration file:

sudo sysctl -p

Create my-iptables-rules so the NAT rule is applied when an interface comes up:

$ sudo vi /etc/network/if-up.d/my-iptables-rules
#!/bin/bash
FLAG="/tmp/my-iptables-settings"
if [ -f ${FLAG} ]; then
  echo "Already set my iptables rules. Skip it."
  exit 0
fi

#sample iptables rules
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

touch ${FLAG}
exit 0
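An added check, not part of the original notes, that reads the three files edited above and reports which forwarding setting is still off; `live_ip_forward` shows the running kernel value so you can tell whether `sudo sysctl -p` has been run yet. File paths are arguments so the check can run against copies.

```bash
#!/bin/sh
# Added example, not part of the original notes: audits the files the
# forwarding setup above edits. Formats are the ones shown in the notes.
set -e

# Value of KEY in FILE (comments ignored, last assignment wins, quotes dropped).
# ufw's sysctl.conf writes keys as net/ipv4/ip_forward while /etc/sysctl.conf
# uses net.ipv4.ip_forward; both spellings are accepted for both files.
conf_value() {   # $1 = file, $2 = key
    local key
    key=$(printf '%s' "$2" | tr '/' '.' | sed 's/\./\\./g')
    tr '/' '.' < "$1" | grep -v '^[[:space:]]*#' \
        | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | tail -n1 | tr -d '"'
}

# Current kernel value, which is what actually applies until the next reboot.
live_ip_forward() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && cat /proc/sys/net/ipv4/ip_forward
}

# Prints one line per missing setting and returns how many were missing.
check_forwarding() {   # $1 = /etc/default/ufw, $2 = /etc/ufw/sysctl.conf, $3 = /etc/sysctl.conf
    local n=0
    [ "$(conf_value "$1" DEFAULT_FORWARD_POLICY)" = ACCEPT ] \
        || { echo "$1: DEFAULT_FORWARD_POLICY is not ACCEPT, ufw will drop forwarded packets"; n=$((n+1)); }
    [ "$(conf_value "$2" net/ipv4/ip_forward)" = 1 ] \
        || { echo "$2: net/ipv4/ip_forward=1 is not set (still commented out?)"; n=$((n+1)); }
    [ "$(conf_value "$3" net.ipv4.ip_forward)" = 1 ] \
        || { echo "$3: net.ipv4.ip_forward=1 is not set, forwarding is lost on reboot"; n=$((n+1)); }
    return $n
}

# Typical use on the real files:
#   check_forwarding /etc/default/ufw /etc/ufw/sysctl.conf /etc/sysctl.conf
#   live_ip_forward
```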

Reference: https://help.ubuntu.com/lts/serverguide/firewall.html

Securing Linux SSH

$ sudo vi /etc/ssh/sshd_config
# Run ssh on a non-standard port (change 2345 to the port you want;
# sshd_config does not allow trailing comments on a directive line):
Port 2345

# Disable protocol 1
# Protocol 2,1
Protocol 2

# Prevent root logins:
PermitRootLogin no

# Limit user logins:
AllowUsers alice bob

# Disable password authentication forcing use of keys
PasswordAuthentication no

How to generate your own private key

$ ssh-keygen -t rsa
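An added check, not from the original notes, that reads these settings back out of an sshd_config the way sshd does (the first occurrence of a keyword wins) and lists which of the hardening points above are missing. The file path is an argument so it can run against a copy; Match blocks are not modelled.

```bash
#!/bin/sh
# Added example, not part of the original notes: reports which of the
# sshd_config hardening settings above are absent or overridden.
set -e

# Effective value of a keyword: sshd uses the FIRST occurrence, so a stray
# "PasswordAuthentication yes" earlier in the file silently wins.
sshd_setting() {   # $1 = sshd_config path, $2 = keyword (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }        # skip comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Prints one line per finding and returns the number of findings (0 = hardened).
audit_sshd_config() {   # $1 = sshd_config path
    local f="$1" n=0 v
    v=$(sshd_setting "$f" Port)
    { [ -n "$v" ] && [ "$v" != 22 ]; } || { echo "Port: still the default 22"; n=$((n+1)); }
    v=$(sshd_setting "$f" PermitRootLogin)
    [ "$v" = no ] || { echo "PermitRootLogin: want no, have '${v:-unset}'"; n=$((n+1)); }
    v=$(sshd_setting "$f" PasswordAuthentication)
    [ "$v" = no ] || { echo "PasswordAuthentication: want no, have '${v:-unset}'"; n=$((n+1)); }
    v=$(sshd_setting "$f" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers: no login allow-list"; n=$((n+1)); }
    return $n
}

# Typical use:  audit_sshd_config /etc/ssh/sshd_config
```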

Add custom security check for protected resources on Magento

Assume the catalog must be restricted to registered (logged-in) customers, and that there is also a URL '/secure/url' which needs to be protected.

  1. Modify the template 'page/html/head.phtml' and add the following code:

    <?php
        //check security contents
        echo $this->getLayout()->createBlock('core/template')->setTemplate('page/html/security.phtml')->toHtml();
    ?>
  2. Create a new file 'page/html/security.phtml' with the following contents:

    <?php
        // check security content
        if (("catalog" === Mage::app()->getRequest()->getModuleName()) || (0 === strpos(Mage::app()->getRequest()->getRequestUri(), '/secure/url'))) {
            if (!($this->helper('customer')->isLoggedIn())){
    ?>
                <script type="text/javascript">
                      window.location.href = "<?php echo $this->getUrl('customer/account/login')?>";
                </script>
    <?php
                die();
            }
        }
    ?>

To print the request information for testing:

<?php
    echo Mage::app()->getRequest()->getModuleName();
    echo "<br />";
    echo Mage::app()->getRequest()->getControllerName();
    echo "<br />";
    echo Mage::app()->getRequest()->getActionName();
    echo "<br />";
    echo Mage::app()->getRequest()->getRequestUri();
    echo "<br />";
?>

References:

http://stackoverflow.com/questions/16691546/want-to-call-one-phtml-file-in-another-phtml-file-using-anchor-tag

http://stackoverflow.com/questions/8235282/magento-display-request-url