DaemonForums  

18th July 2017
jggimi
Join Date: May 2008
Location: USA
Posts: 7,983

Quote:
Originally Posted by GarryR
Well I understand that it is for security...
Correct. It is a desirable risk mitigation, as it can limit the impact of a successful attack. Web servers and PHP applications are extremely popular attack vectors. Expect attacks 7x24x365.

In the event of a successful attack, the attacker will not be able to access any files other than those inside /var/www. What the attacker can reach inside that part of the filesystem, or any network connections they may be able to establish or use, should be considered, as these may still be a serious security concern. I've seen database connections from application servers that are tightly restricted to very specific queries, with firewalls between the application server and database server networks.
Quote:
I think at this point my best option is to delete everything I installed, all the php, and database packages, etc. and start over.
That's up to you, of course.
Reply With Quote
18th July 2017
PapaParrot
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 472

Well, it will be the 3rd time, "third time's a charm".
This currently is the 2nd time. Something I really like about OpenBSD: when I used
Code:
pkg_delete php
for example, it also showed me what conf files I had modified, and recommended deleting them as well, similar on all the packages, like mariadb, etc. And right now this is the problem: the other night I had made several changes, and something I did really messed it up. I cannot remember exactly everything I had done.
So anyway, the first time, I could not really even access any of the PHP stuff. The second time, for a while I could to some extent, but the "MyBB" installer could not access the database, and in the process of trying to solve that, I broke the entire "localhost". But anyway, now I do have "httpd" working OK again, and it does load the "index.html" just fine; however, the PHP config files and the database are messed up. It seems like the easiest approach is to re-install them.
This time, when I create the database I will do that in the /var/www/htdocs dir, hopefully that will work.
Actually the PHP and MyBB forum, etc. is not essential anyway, and it does open a "can of worms" so to speak as far as security goes on a web server.
Not counting the forum part is a constant struggle to keep "spam free", but on that I am pretty well "experienced", and it is no problem. In fact I do a lot with Stop Forum Spam, another topic, but anyway when they hit my site, they get added to the database, etc.
The thing of it is, as far as I know none of the other admins are using any BSD, or OpenBSD; they are all using Linux on the other servers, so I am kind of "on my own" on this. Other than you, nobody has even offered any advice. Well, actually I have not asked either, because I know, or am under the impression, nobody else involved on an admin level is using a BSD. Maybe I should ask, though.
Sorry for kind of rambling and drifting "off topic", but anyway, as I mentioned when I started this topic, http://daemonforums.org/showthread.p...0299#post61803
Quote:
PS, I have some additional thoughts, ideas,...but will get into that later.
====
I did read this thread, I found doing some searches, http://daemonforums.org/showthread.php?t=5677 But it is very old, and also does not really apply to what I have in mind. Also the OP never came back with any responses as to if they got it working, etc.
====
The company that provides the server, I have been using them for a year now, seems reliable, and very economical, basic. They do not offer any support beyond installing the OS one chooses, and if there is a "mechanical" failure of the HD, of course, then they would replace it, and reinstall the OS. I am responsible for my own backups, although they do offer a service for that, at an additional cost.
Anyway, for now that is about it, this was too long already. We'll see if the 3rd time is "the charm"; I may go ahead and get the real server started as well.
There has not been much showing in my searches. It seems like not very many people are using OpenBSD for a web server, or the ones that are, are using "apache" or "nginx", so the tutorials do not apply to "httpd". I do want to try to stick with "httpd", but that might be another option, to try using the Apache or Nginx server packages?
thanks
Reply With Quote
18th July 2017
jggimi

Why not back up, and explain what it is you actually want to do?
  • You linked to a thread on hosting an SSH server, which has nothing to do with PHP, web services, or databases.
  • You've mentioned "MyBB" which is one of many web forum applications, and happens to be written in PHP. There have been a lot of CVEs published for it (link).
MyBB isn't packaged for OpenBSD, so installation and provisioning would be entirely your responsibility. A very clear understanding of how the tinker toys all connect together would be valuable.

I'll restate what I stated earlier about database access, because I think it's important:

If an application's database resides within /var/www, a successful attacker may obtain full access to it. If that database resides elsewhere but is connected via the network (Unix-domain socket, loopback, or actual network), careful application design may be able to limit what damage can be done or what data may be exposed. But in this situation, you are limited to what you get from the third party project.
Reply With Quote
18th July 2017
PapaParrot

OK, sorry about that. The thread I linked to, that was my point: it shows up when I was trying some searches, but it does not apply to what I am doing. Guess I shouldn't have even mentioned it.
====
Quote:
A very clear understanding of how the tinker toys all connect together would be valuable.
OK, well it is a little more than just "tinker toys" to me, but anyway I understand what you mean.
Basically, I want to set up a website, non-commercial. I do not want to use any "hosting services"; I will do my own "hosting", similar to what I am doing here:
(note, I am not trying to promote my website, but this is the easiest way to explain)
http://www.elchanate.org/
I no longer want to use Debian wheezy, and there is no way I would use any of the newer versions of Debian for a server, but that is a really different topic.
I do enjoy writing, so most of what gets on the website is my own material. However I would like to have some sort of "forum" software, to make it possible that others can submit or post things if they wish.
If there is any forum software packaged for OpenBSD, I would be more interested in using that instead of "MyBB" or "phpBB"; so far I am not aware of any.
It is a "project" of sorts, and if there are any others that are using OpenBSD, and have interest, I would welcome the "company" so to speak, but the first thing to do (I think) is set up the server, it will be "dedicated", then the "home page", forum, etc.
Even if there is no interest, it does not matter. I will PM you with some detail on that, don't want to say here.
Quote:
I'll restate what I stated earlier about database access, because I think it's important:

If an application's database resides within /var/www, a successful attacker may obtain full access to it. If that database resides elsewhere but is connected via the network (Unix-domain socket, loopback, or actual network), careful application design may be able to limit what damage can be done or what data may be exposed. But in this situation, you are limited to what you get from the third party project.
OK, yes I am aware of that, and it is a concern. So anyway, "scratch that idea" (putting the database inside /var/www).
Quote:
Myself>>> This time, when I create the database I will do that in the /var/www/htdocs dir, hopefully that will work.
thanks again,...
Reply With Quote
20th July 2017
PapaParrot

I deleted everything and started over, and I stumbled on to this:
https://thecyberrecce.net/2017/01/15...riadb-and-php/
And then it also goes into a detailed tutorial on installing WordPress, have not tried that part yet.
The first part on starting the web server seems to work pretty well, except there are some minor typos.
One: where it says to use
Code:
/etc/rc.d/php56-fpm start
I needed to use:
Code:
/etc/rc.d/php56_fpm start
Also the httpd.conf example needed some minor adjustments.
But after all said and done it seemed to be a pretty good tutorial, so far anyway, everything went pretty smoothly.
====
Also I am still thinking about the other options we discussed by PM. The "Drupal" idea sounds really good, there even is some spam preventing software available for Drupal,
https://www.stopforumspam.com/mods#link_drupal
Like I mentioned, I have never used Drupal, but also have never tried WordPress either. I am not a big fan of WordPress, but that would be another topic...
__________________
My best friends are parrots
Reply With Quote
21st July 2017
PapaParrot

I managed to install Drupal7 to the PC and localhost. It was pretty easy, but there were a couple of "hoops". I am about to take a nap, but will get back later with some more details.
============== Edited ===========
The installer for Drupal was pretty good, and the few "hoops" were not too hard because the installer was clear about what was missing or needed to be changed.
The php.ini needs to have the gd extension, as well as the mysql and mysqli:
Code:
; If you only provide the name of the extension, PHP will look for it in its
; default extension directory.
extension=mysql.so
extension=mysqli.so
extension=gd.so
Then:
Under the [mbstring] section, I had to modify these:
Code:
; lines: 1771 thru 173
; The precedence is: default_charset < intput_encoding < mbsting.http_input
; http://php.net/mbstring.http-input
mbstring.http_input = pass
; ==== next:
; line 1784
mbstring.http_output = pass
; ====== and finally
; This was the part that was confusing
; line 1792
; http://php.net/mbstring.encoding-translation
; mbstring.encoding_translation = off
; The default was like this:   mbstring.encoding_translation = On
; simply changing it to off was not enough, I had to place the (  ;  ) to disable it completely.
But all in all it was pretty easy.
Also restarting the services:
Code:
/etc/rc.d/httpd -f -d restart

/etc/rc.d/php56_fpm restart
After modifying the php.ini, restarting httpd and fpm is supposed to work, but I still had to reboot.
So even if one runs the restart commands, and no change, I suggest trying to reboot as well.
I imagine that may vary on different machines.
==== edit again ===
Note: I just used the "sqlite" option for the db.

Last edited by PapaParrot; 22nd July 2017 at 02:45 AM.
Reply With Quote
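An added example, not part of the original posts: a small shell audit for jggimi's point about a database that resides within /var/www, which applies to the SQLite option mentioned above. It finds SQLite files by their file header and marks whether each one sits under the document root; the function names are hypothetical and the /var/www and /var/www/htdocs paths are assumed from the thread.

```shell
#!/bin/sh
# Added example: list SQLite database files inside a web server chroot and
# mark the ones that sit under the document root.
# On a real host (paths assumed from the thread):
#   audit_webroot /var/www /var/www/htdocs

# is_sqlite FILE: true if FILE begins with the SQLite 3 header string.
# dd is used because not every head(1) supports a byte count.
is_sqlite() {
    [ "$(dd if="$1" bs=15 count=1 2>/dev/null)" = "SQLite format 3" ]
}

# audit_webroot CHROOT DOCROOT: print one line per SQLite file found.
#   SERVED path  -> under the document root
#   CHROOT path  -> elsewhere inside the chroot
audit_webroot() {
    chroot_dir=$1
    docroot=$2
    find "$chroot_dir" -type f 2>/dev/null | while IFS= read -r f; do
        is_sqlite "$f" || continue
        case "$f" in
            "$docroot"/*) echo "SERVED $f" ;;
            *)            echo "CHROOT $f" ;;
        esac
    done
}

# Demo on a constructed tree (sample data, not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/site/files" "$demo/data"
printf 'SQLite format 3\000constructed' > "$demo/htdocs/site/files/app.sqlite"
printf 'SQLite format 3\000constructed' > "$demo/data/app.sqlite"
echo '<html></html>' > "$demo/htdocs/index.html"
audit_webroot "$demo" "$demo/htdocs"
rm -rf "$demo"
```

Both kinds of result are inside the area the thread describes as reachable after a successful attack; SERVED entries are additionally located where the web server looks for files to hand out.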
23rd July 2017
PapaParrot

I stumbled on to this while doing some searches:
https://fak3r.com/2016/12/05/howto-s...ure-webserver/
The part that caught my interest:
Quote:
Configuring the webserver

Now for my ‘secret-sauce’, we’re going to use my long running project nginx-globals to lock down our NGINX and SSL configs far more than they are by default. (bonus, recently updated to support Let’s Encrypt out of the box!) Checkout the repo:
The author offers a "script" at GitHub that supposedly does the configuring for the user. This sounds appealing for someone like me.
However, at the same time I do know one needs to be careful, and it is not wise to install any kind of scripts if I do not understand what the script actually does.
I have not yet tried downloading the script, and I don't know that I would understand it well enough to know if it is safe or not.
If anyone else has any feedback on this, it would be welcome.
thanks.
__________________
My best friends are parrots
Reply With Quote
23rd July 2017
jggimi

If you don't understand what any script does, in complete detail, and why, you should contact the author and ask.

I see an awful lot of "how to" guides for Linux users on the Internet with ... instructions like this:
$ curl http://<some random script>.sh | sudo bash
I'm security-minded. I would never do something like this. EVER. And blindly downloading and running someone's self-proclaimed "secret-sauce" would be pretty much the same thing. Just two steps instead of one.
Reply With Quote
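An added example, not part of the original posts: the opposite of piping a download straight into a root shell. The script is saved to disk and read first, its SHA-256 is recorded, and later runs (a re-install or a new machine) execute only a byte-identical copy. Function and file names are hypothetical; a matching digest shows the file is the one that was reviewed, nothing more.

```shell
#!/bin/sh
# Added example: run a saved script only if it is byte-identical to the copy
# that a person has read and approved. Function names are hypothetical.

# file_sha256 FILE: print the SHA-256 digest with whichever tool exists.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # OpenBSD
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1      # Linux coreutils
    else
        shasum -a 256 "$1" | cut -d' ' -f1  # Perl shasum
    fi
}

# approve FILE PINFILE: record the digest once FILE has been read in full.
approve() {
    file_sha256 "$1" > "$2"
}

# run_reviewed FILE PINFILE [args...]: execute FILE only if it matches the pin.
# Returns 2 if nothing was ever approved, 1 if the file has changed.
run_reviewed() {
    script=$1
    pin=$2
    shift 2
    [ -f "$pin" ] || { echo "no approved digest for $script" >&2; return 2; }
    if [ "$(file_sha256 "$script")" != "$(cat "$pin")" ]; then
        echo "REFUSED: $script differs from the reviewed copy" >&2
        return 1
    fi
    sh "$script" "$@"
}

# Demo with a constructed script standing in for a downloaded file.
work=$(mktemp -d)
printf 'echo configured\n' > "$work/setup.sh"
approve "$work/setup.sh" "$work/setup.sha256"        # after reading it
run_reviewed "$work/setup.sh" "$work/setup.sha256"   # runs
printf 'echo tampered\n' >> "$work/setup.sh"         # file changes later
run_reviewed "$work/setup.sh" "$work/setup.sha256" || echo "blocked"
rm -rf "$work"
```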
23rd July 2017
PapaParrot

Exactly, I did leave a note in the "comments" asking if the author is still active with this.
When I configured the httpd, the thought did occur to me, one could create a script that did the configuring, for future use in case of a re-install, or installing to a new machine, etc.
When I have a chance I am going to look at the script, and see, maybe it will even make sense to me.
__________________
My best friends are parrots
Reply With Quote