If you install Chisimba on a production site, there are some security measures that should be taken at the level of the server it is running on as a means to reduce security risks. One of these is to disable directory listings. This is done in the sites-available file on Apache in Ubuntu 11.04 or 11.10.
This file has the following structure:
Options Indexes FollowSymLinks MultiViews
allow from all
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Allow from all
All that is necessary is to delete the word Indexes as highlighted in red above, save the file. Repeat this for any other virtual hosts you have, and restart Apache.
Apache mod_security is a web application 'firewall' that runs as a module within Apache web server. If you are running your Chisimba installation on Apache, as recommended by Kenga and the Chisimba developers, then you can use mod_security to reduce certain common threats. This installation was done on Digital Ocean cloud and on Rackspace cloud. I am not sure if this is necessary, but I first enabled the multiverse repository (vi /etc/apt/sources.list) and run apt-get update as per your normal practice.
STEP 1. Install mod_security
Open a terminal and paste the following into it (CTRL_SHIFT_V)
sudo apt-get install libapache2-modsecurity
STEP 2. Create a directory for mod_security inside the Apache2 directory.
In the terminal, paste the following
sudo cd /etc/apache2/
sudo mkdir modsecurity
STEP 3. Create the configuration file for mod_security
In your terminal, type or paste
sudo vi /etc/apache2/conf.d/modsecurity.conf
press "i" for insert, and paste the following (making sure you remove the spaces at the beginning of the line first)
Press "<ESC>:wq" to save and exit.
STEP 4. Copy the mod_security rule set to a useful location
Execute the following commands in the terminal
sudo cp -R /usr/share/modsecurity-crs/base_rules/* .
STEP 5. Make a correction to one of the rules
Open this rule set in vi
and find the line
SecRule REQBODY_ERROR "!@eq 0"
and replace it with
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0"
Save the file and close it ("<ESC>:wq").
STEP 6. Restart now the Apche web server with the command below
service apache2 restart
STEP 7. Check if the mod_security module is loaded using the command
cat /var/log/apache2/error.log | grep modsecurity
The output of this command should include the following:
[notice] ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/) configured.
While mod_security is a good addition to your security arsenal, you should not rely on it for everything. Taking other sensible precautions that are commonly taken with web applications is also necessary to protect your site, and ultimately your users from potential threats.