Creating a Free and Open Source Software ecosystem to facilitate government FOSS policy implementation
by Derek Keats
Using the present to create the future: How can we move South Africa from consumer to producer of web technologies
by Derek Keats
An ecosystem approach to building mobile opportunities into a business strategy
by Derek Keats
If you install Chisimba on a production site, there are some security measures that should be taken at the level of the server it runs on to reduce security risks. One of these is to disable directory listings. On Apache under Ubuntu 11.04 or 11.10 this is done in the virtual host's sites-available file.
This file has the following structure:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
All that is necessary is to delete the word Indexes from the Options line of the <Directory /var/www/> block shown above and save the file. Repeat this for any other virtual hosts you have, and restart Apache.
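A quick way to confirm that no virtual host still enables listings, as an added example that is not part of the original post: the script below scans an Apache config file (or stdin) and reports every <Directory> block whose Options line names Indexes, treating "-Indexes" and the +/- flag syntax correctly; the sample vhost embedded in it is constructed from the default file shown above.

```shell
#!/bin/sh
# Added example, not from the original post: report every <Directory> block in an
# Apache config whose Options line still enables directory listings, i.e. lists
# "Indexes" or "+Indexes" ("-Indexes" is fine). Reads the file named in $1, or
# stdin when no argument is given; exit status is 1 if anything was flagged.
list_index_dirs() {
    awk '
        # Track the path of the <Directory ...> block we are currently inside
        /^[[:space:]]*<Directory[[:space:]]/ {
            dir = $0
            sub(/^[[:space:]]*<Directory[[:space:]]+/, "", dir)
            sub(/>.*$/, "", dir)
            gsub(/"/, "", dir)
        }
        /^[[:space:]]*<\/Directory>/ { dir = "" }
        # An Options directive naming Indexes (or +Indexes) turns listings on
        /^[[:space:]]*Options([[:space:]]|$)/ {
            for (i = 2; i <= NF; i++) {
                if ($i == "Indexes" || $i == "+Indexes") {
                    line = $0
                    sub(/^[[:space:]]+/, "", line)
                    printf "%s: %s\n", (dir == "" ? "(outside any Directory)" : dir), line
                    found = 1
                }
            }
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}
# Constructed sample: the default Ubuntu vhost from the post, with the /var/www/
# block still enabling Indexes and the cgi-bin block using +/- flag syntax.
sample_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
    </Directory>
    <Directory "/usr/lib/cgi-bin">
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    </Directory>
</VirtualHost>
EOF
}
# Stand-alone run: scan the file named in $1, otherwise report on the sample.
if [ $# -gt 0 ]; then
    list_index_dirs "$1"
else
    sample_vhost | list_index_dirs || echo "sample vhost: directory listings enabled"
fi
```

Run it against each file under /etc/apache2/sites-available before restarting Apache; a non-zero exit status means a block still has listings turned on.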
Apache mod_security is a web application 'firewall' that runs as a module within the Apache web server. If you are running your Chisimba installation on Apache, as recommended by Kenga and the Chisimba developers, then you can use mod_security to reduce certain common threats. This installation was done on Digital Ocean cloud and on Rackspace cloud. I am not sure if this is necessary, but I first enabled the multiverse repository (vi /etc/apt/sources.list) and ran apt-get update as per your normal practice.
STEP 1. Install mod_security
Open a terminal and paste the following into it (Ctrl+Shift+V)
sudo apt-get install libapache2-modsecurity
STEP 2. Create a directory for mod_security inside the Apache2 directory.
In the terminal, paste the following
cd /etc/apache2/
sudo mkdir modsecurity
STEP 3. Create the configuration file for mod_security
In your terminal, type or paste
sudo vi /etc/apache2/conf.d/modsecurity.conf
press "i" for insert, and paste the following (making sure you remove the spaces at the beginning of the line first)
## /etc/apache2/conf.d/modsecurity.conf
Include modsecurity/*.conf
Press "<ESC>:wq" to save and exit.
STEP 4. Copy the mod_security rule set to a useful location
Execute the following commands in the terminal
cd /etc/apache2/modsecurity
sudo cp -R /usr/share/modsecurity-crs/base_rules/* .
STEP 5. Make a correction to one of the rules
Open this rule set in vi
sudo vi modsecurity_crs_20_protocol_violations.conf
and find the line
SecRule REQBODY_ERROR "!@eq 0"
and replace it with
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0"
Save the file and close it ("<ESC>:wq").
STEP 6. Now restart the Apache web server with the command below
sudo service apache2 restart
STEP 7. Check if the mod_security module is loaded using the command
sudo grep modsecurity /var/log/apache2/error.log
The output of this command should include the following:
[notice] ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/) configured.
While mod_security is a good addition to your security arsenal, you should not rely on it for everything. Taking other sensible precautions that are commonly taken with web applications is also necessary to protect your site, and ultimately your users from potential threats.