<html lang="en">
<head>
<meta charset="utf-8" />
<title>Chamilo Security Guide</title>
<link rel="stylesheet" href="../web/assets/bootstrap/dist/css/bootstrap.css" type="text/css" media="screen,projection" />
<link rel="stylesheet" href="default.css" type="text/css" media="screen,projection" />
<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" />
</head>
<body>
<div class="container">
<h1>Chamilo LMS: Security Guide</h1>
<a href="index.html">Documentation</a> &gt; Security Guide
<p>We recommend you don't take security issues too lightly. Chamilo is security-audited at least once a year,
but you can never be too sure. This list is a work in progress. Feel free to recommend additional measures by
sending us an e-mail at info@chamilo.org.</p>
<h2><b>Contents</b></h2>
<ol>
<li><a href="#1.Disclosing-server-info">Disclosing server info</a></li>
<li><a href="#2.Keeping-up-to-date">Keeping up to date</a></li>
<li><a href="#3.Using-safe-browsers">Using safe browsers</a></li>
<li><a href="#4.Moving-config-file">Moving your configuration file out of the web directory</a></li>
<li><a href="#5.Files-permissions">Restricting files permissions</a></li>
<li><a href="#6.HSTS">HTTP Headers Security</a></li>
</ol>
<h2><a name="1.Disclosing-server-info"></a>1. Disclosing server info</h2>
<p>
It is safer not to disclose server information from your Chamilo pages: version numbers in the <i>Server</i> and
<i>X-Powered-By</i> response headers and in the footer of Apache-generated error pages tell an attacker exactly
which web server and PHP release to look up known flaws for. To avoid both web server and PHP information
disclosure, take the following actions:
</p>
<ul>
<li>Locate the <i>ServerTokens</i> setting inside your Apache configuration and set it to "Prod"</li>
<li>Locate the <i>ServerSignature</i> setting inside your Apache configuration and set it to "Off"</li>
<li>Locate the <i>expose_php</i> setting inside your PHP configuration (php.ini) and set it to "Off"</li>
<li>Reload Apache (if PHP runs through PHP-FPM rather than as an Apache module, restart PHP-FPM as well,
since <i>expose_php</i> is only read when PHP starts)</li>
</ul>
<h2><a name="2.Keeping-up-to-date"></a>2. Keeping up to date</h2>
<p>
Make sure you check <a href="http://support.chamilo.org/projects/chamilo-18/wiki/Security_issues">our security
issues page</a> from time to time.
Subscribe to our free security alerts mailing-list:
<a href="http://lists.chamilo.org/listinfo/security">http://lists.chamilo.org/listinfo/security</a>, or
follow our security Twitter feed: <a href="http://twitter.com/chamilosecurity">http://twitter.com/chamilosecurity</a>.
</p>
<h2><a name="3.Using-safe-browsers"></a>3. Using safe browsers</h2>
<p>Besides lacking features that really improve the quality of your browsing, older browsers tend to have many
unresolved security flaws. Using an old browser, you endanger the security of your computer and the data it
contains, and you can also put others in danger by letting crackers take control of it to attack them.</p>
<p>To avoid being a risk to yourself and others, you should download and install a recent browser. We recommend
<a href="http://www.getfirefox.com" target="_blank">the latest stable version of Firefox</a>.</p>
<h2><a name="4.Moving-config-file"></a>4. Moving your configuration file out of the web directory</h2>
<p>It is considered unsafe to leave the configuration file inside the app/config/ directory, which sits under the
web root: if the web server ever serves it without interpreting it (a PHP misconfiguration, or a backup copy left
next to it by an editor), anyone can download it and read through your configuration, which would give illicit
access to your database if that one isn't well protected, and expose other settings we'd rather keep private.
To secure it, move the configuration file out of your web directory. If your Chamilo installation is in /var/www/,
move your configuration to /etc/chamilo/configuration.php, for example. Then create a new
app/config/configuration.php file, open it, and write the following:</p>
<pre>
&lt;?php
require '/etc/chamilo/configuration.php';
</pre>
<p>
This prevents direct access to your settings, while Chamilo itself sees no difference. Make sure the moved file
stays readable by the web server user (but not by everyone on the machine) and, if you use PHP's
<i>open_basedir</i>, that its new directory is included there.
</p>
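<p>The procedure above as a script, added here as an example and not part of Chamilo's documentation or code: it
moves the real configuration out of the web root, writes the stub shown above in its place, and refuses to run twice
or to overwrite an existing target. The function name, the optional group argument and the scratch tree at the end
are assumptions for the demonstration; on a real installation run it as root with the group the web server runs as
(www-data on Debian/Ubuntu).</p>

```shell
#!/bin/sh
# Added example, not part of the Chamilo documentation or code base.
# Moves app/config/configuration.php out of the web root and leaves the
# stub from the guide in its place.

# relocate_config WEBROOT TARGET [GROUP]
#   WEBROOT  Chamilo installation directory (e.g. /var/www)
#   TARGET   new location of the real configuration (e.g. /etc/chamilo/configuration.php)
#   GROUP    optional group of the web server process (e.g. www-data), given read access
# Returns 0 on success; on any problem it returns 1 without touching the files.
relocate_config() {
    webroot=$1; target=$2; group=${3:-}
    stub="$webroot/app/config/configuration.php"

    if [ ! -f "$stub" ]; then
        echo "no configuration file at $stub" >&2; return 1
    fi
    # Refuse to run twice: a file that is already a stub must not be moved over TARGET
    # (heuristic: a real configuration.php has no line starting with "require ").
    if grep -q '^require ' "$stub"; then
        echo "$stub is already a stub, nothing to do" >&2; return 1
    fi
    if [ -e "$target" ]; then
        echo "$target already exists, refusing to overwrite it" >&2; return 1
    fi

    mkdir -p "$(dirname "$target")" || return 1
    mv "$stub" "$target" || return 1
    # The real configuration: writable by its owner only, readable by the web server group.
    chmod 0640 "$target" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$target" || return 1
    fi

    # The stub from the guide. PHP resolves the absolute path regardless of the
    # working directory, so Chamilo itself sees no difference.
    printf '<?php\nrequire %s;\n' "'$target'" > "$stub" || return 1
    chmod 0640 "$stub" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$stub" || return 1
    fi
    return 0
}

# Demonstration on a constructed scratch copy (no real installation is touched).
scratch=$(mktemp -d)
mkdir -p "$scratch/www/app/config"
printf '<?php\n$_configuration["db_host"] = "localhost";\n' > "$scratch/www/app/config/configuration.php"

relocate_config "$scratch/www" "$scratch/etc/chamilo/configuration.php"
first_run=$?                                   # 0: moved and stub written
stub_content=$(cat "$scratch/www/app/config/configuration.php")
real_content=$(cat "$scratch/etc/chamilo/configuration.php")
relocate_config "$scratch/www" "$scratch/etc/chamilo/again.php" 2>/dev/null
second_run=$?                                  # 1: the stub is not moved a second time
rm -rf "$scratch"
```

<p>The mode 0640 with the web server's group is what lets PHP read the file while keeping it away from other local
users; if PHP runs under <i>open_basedir</i>, the target directory must be added to that list or the <i>require</i>
in the stub will fail.</p>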
<h2><a name="5.Files-permissions"></a>5. Restricting files permissions</h2>
<p>Making all the Chamilo files world-writable will help you install quickly, and it solves many
issues for people without much admin experience. However, it's more
secure to make a distinct user the owner of all the Chamilo files and folders,
give the web server read access to all files, and give it write access
only to the directories listed below.</p>
<p>This way, the files are readable by the web server process and writable only where Chamilo
needs it, instead of being writable by everyone on the machine. It is also advisable to make
every writable directory refuse the interpretation of PHP files (except for the root of the courses
directories).</p>
<p>Don't hesitate to hire an experienced administrator to do that;
it might be a bit more expensive now, but you'll be happy not to lose
all of your data to a hacker who attacked your site.</p>
<p>Only the following directories need write permissions from the web server
(those marked optional only in the situation given):</p>
<ul>
<li>app/cache/</li>
<li>app/courses/</li>
<li>app/home/</li>
<li>app/logs/</li>
<li>app/upload/</li>
<li>main/default_course_document/images/</li>
<li>main/lang/ (optional, only for sublanguages)</li>
<li>web/css/ (optional, only for switching CSS through the web)</li>
</ul>
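<p>The ownership and permission model described above as a script, added here as an example and not part of
Chamilo: it gives the files to a separate owner, grants the web server read access through its group, allows group
write only in the directories listed above, and then verifies the result. The function names, the scratch tree at the
end and the owner and group used there are assumptions for the demonstration; on a real installation run it as root,
for example with owner chamilo and group www-data (apache or http on some distributions).</p>

```shell
#!/bin/sh
# Added example, not Chamilo's own tooling: apply the ownership and permission
# model described in the guide and verify it. Run as root on a real installation
# (e.g. harden_perms /var/www/chamilo chamilo www-data); the demonstration at
# the end works on a constructed scratch tree as the current user.

# Directories the guide lists as writable by the web server
# (main/lang and web/css are optional; remove them if you do not need them).
WRITABLE_DIRS="app/cache app/courses app/home app/logs app/upload
main/default_course_document/images main/lang web/css"

# harden_perms ROOT OWNER GROUP
#   ROOT   Chamilo installation directory
#   OWNER  user that owns the code; must not be the web server user
#   GROUP  group the web server process runs as (e.g. www-data)
harden_perms() {
    root=$1; owner=$2; group=$3
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    chown -R "$owner:$group" "$root" || return 1
    # Baseline: owner may write, the web server may only read, others get nothing.
    find "$root" -type d -exec chmod 0750 {} + || return 1
    find "$root" -type f -exec chmod 0640 {} + || return 1
    # Only the listed directories get group write access.
    for d in $WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 0770 {} + || return 1
        find "$root/$d" -type f -exec chmod 0660 {} + || return 1
    done
    return 0
}

# check_perms ROOT
# Prints every path that breaks the model (world-writable anywhere, or
# group-writable outside the listed directories); returns 1 if there is any.
check_perms() {
    root=$1
    violations=$( {
        find "$root" -perm -0002 | sed 's/^/world-writable: /'
        find "$root" -perm -0020 | while read -r p; do
            allowed=0
            for d in $WRITABLE_DIRS; do
                case "$p" in "$root/$d"|"$root/$d"/*) allowed=1 ;; esac
            done
            [ "$allowed" -eq 1 ] || echo "group-writable outside the listed directories: $p"
        done
    } )
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations"
    return 1
}

# Demonstration on a constructed scratch tree (not a real installation).
scratch=$(mktemp -d)
for d in main/inc app/config $WRITABLE_DIRS; do mkdir -p "$scratch/$d"; done
echo '<?php' > "$scratch/index.php"
echo '<?php' > "$scratch/app/config/configuration.php"
chmod 0777 "$scratch/index.php"                # the "quick install" state the guide warns about
harden_perms "$scratch" "$(id -un)" "$(id -gn)"
check_perms "$scratch"; clean_result=$?        # 0: nothing to report
chmod o+w "$scratch/main/inc"
check_perms "$scratch" >/dev/null; dirty_result=$?   # 1: main/inc is now world-writable
rm -rf "$scratch"
```

<p>Run <i>check_perms</i> again after every upgrade or manual copy of files into the installation: a tarball
extracted as root or a quick <i>chmod 777</i> to "fix" an upload problem is how these trees usually drift back to
world-writable.</p>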
<p>Because the web server can write to these directories, it is important to prevent the execution of PHP
scripts from them: an attack that manages to upload a PHP file into one of them would otherwise turn into
remote code execution. Since Chamilo relies on overrides through .htaccess, the setting must be one that a
.htaccess file cannot revert (<i>php_admin_value</i>, unlike <i>php_value</i>, cannot be changed from
.htaccess), and it must be set for each of those directories. This can be done as follows inside
your VirtualHost definition in Apache, where "/var/www/URL/" is the path of your VirtualHost web root.
Note that <i>php_admin_value</i> only has an effect when PHP runs as an Apache module (mod_php); with
PHP-FPM, deny access to PHP files in those directories instead, in the spirit of the Nginx rules further down:</p>
<pre>
&lt;Directory /var/www/URL/app/cache&gt;
php_admin_value engine Off
&lt;/Directory&gt;
&lt;Directory /var/www/URL/app/courses&gt;
php_admin_value engine Off
&lt;/Directory&gt;
&lt;Directory /var/www/URL/app/home&gt;
php_admin_value engine Off
&lt;/Directory&gt;
&lt;Directory /var/www/URL/app/logs&gt;
php_admin_value engine Off
&lt;/Directory&gt;
&lt;Directory /var/www/URL/app/upload&gt;
php_admin_value engine Off
&lt;/Directory&gt;
&lt;Directory /var/www/URL/app/Resources/public/css&gt;
php_admin_value engine Off
&lt;/Directory&gt;
&lt;Directory /var/www/URL/main/default_course_document/images&gt;
php_admin_value engine Off
&lt;/Directory&gt;
&lt;Directory /var/www/URL/main/lang&gt;
php_admin_value engine Off
&lt;/Directory&gt;
&lt;Directory /var/www/URL/web/css&gt;
php_admin_value engine Off
&lt;/Directory&gt;
</pre>
<p>For Nginx, this would look like the following rules. Remember that Nginx checks regular-expression
locations in order of appearance and uses the first one that matches, so these rules must come before your
other regular-expression locations (in particular before the one that passes .php files to PHP-FPM) to take
effect:</p>
<pre>
location ~ ^/app/(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$ {
deny all;
}
location ~ ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$ {
deny all;
}
location ~ ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$ {
deny all;
}
location ~ ^/web/css/.*\.ph(p[3457]?|t|tml|ar)$ {
deny all;
}
</pre>
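<p>A coverage check for the Apache configuration above, added as an example that is not part of Chamilo: it lists
every <i>&lt;Directory&gt;</i> block that switches the PHP engine off and reports which of the writable directories
from the list above have no such block, which is the mistake this section warns about. The virtual host embedded
below is constructed for the demonstration and deliberately leaves out main/lang; the /var/www/URL path follows the
guide, and the function names are assumptions.</p>

```shell
#!/bin/sh
# Added example, not part of Chamilo: verify that an Apache virtual host
# turns the PHP engine off for every directory the web server may write to.
# php_admin_value cannot be overridden from .htaccess, so a block per
# directory in the server configuration is what we look for.

WRITABLE_DIRS="app/cache app/courses app/home app/logs app/upload
main/default_course_document/images main/lang web/css"

# engine_off_dirs CONFIG
# Prints the path of every <Directory> block containing "php_admin_value engine Off"
# (quotes and a trailing slash around the path are tolerated).
engine_off_dirs() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ {
            dir = $2; gsub(/"/, "", dir); sub(/>.*$/, "", dir); sub(/\/$/, "", dir); off = 0
        }
        /^[[:space:]]*php_admin_value[[:space:]]+engine[[:space:]]+[Oo]ff/ { off = 1 }
        /^[[:space:]]*<\/Directory>/ { if (dir != "" && off) print dir; dir = "" }
    ' "$1"
}

# check_engine_off CONFIG DOCROOT
# Prints "missing: PATH" for every writable directory without such a block;
# returns 1 if anything is missing, 0 when all are covered.
check_engine_off() {
    conf=$1; docroot=${2%/}
    covered=$(engine_off_dirs "$conf")
    missing=0
    for d in $WRITABLE_DIRS; do
        if ! printf '%s\n' "$covered" | grep -qxF "$docroot/$d"; then
            echo "missing: $docroot/$d"; missing=1
        fi
    done
    return $missing
}

# Constructed virtual host for the demonstration: main/lang has no block,
# and the DocumentRoot block (no engine Off) must not count as coverage.
conf=$(mktemp)
cat > "$conf" <<'EOF'
<VirtualHost *:80>
    ServerName chamilo.example
    DocumentRoot /var/www/URL
    <Directory /var/www/URL>
        AllowOverride All
    </Directory>
    <Directory /var/www/URL/app/cache>
        php_admin_value engine Off
    </Directory>
    <Directory "/var/www/URL/app/courses/">
        php_admin_value engine Off
    </Directory>
    <Directory /var/www/URL/app/home>
        php_admin_value engine Off
    </Directory>
    <Directory /var/www/URL/app/logs>
        php_admin_value engine Off
    </Directory>
    <Directory /var/www/URL/app/upload>
        php_admin_value engine Off
    </Directory>
    <Directory /var/www/URL/main/default_course_document/images>
        php_admin_value engine Off
    </Directory>
    <Directory /var/www/URL/web/css>
        php_admin_value engine Off
    </Directory>
</VirtualHost>
EOF
missing_report=$(check_engine_off "$conf" /var/www/URL)
check_result=$?                                     # 1: the report names /var/www/URL/main/lang
covered_count=$(engine_off_dirs "$conf" | wc -l)    # 7
rm -f "$conf"
```

<p>Point it at the real file with <i>check_engine_off /etc/apache2/sites-enabled/chamilo.conf /var/www/URL</i>; a
clean run returns 0 and prints nothing. The check only reads the configuration, so it cannot tell whether PHP
runs as mod_php, where <i>php_admin_value</i> applies, or through PHP-FPM, where it does not.</p>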
<hr />
<h2><a name="6.HSTS"></a>6. HTTP Headers Security</h2>
<p>HTTP response headers can be set either by the web server or by the application (Chamilo, in this case) to
increase the security of your visitors; using them this way is a relatively recent development in web security.</p>
<p>This covers several techniques, from simple to complex: from declaring which sites media or script libraries
may be loaded from, to publishing extra information about your TLS certificate so that a certificate issued by a
compromised certification authority is not immediately trusted for your site.</p>
<p>In Chamilo 1.11.6, we have added several parameters, together with recommendations,
to main/install/configuration.dist.php, that you are free to use or ignore,
depending on the level of security you want to achieve.</p>
<p>To check your portal for possible improvements in terms of headers security,
we highly recommend the <a href="https://securityheaders.io/">securityheaders.io</a>
website. If you want to read more about CSP and all related headers
security techniques, check <a href="https://scotthelme.co.uk/">Scott Helme's blog</a>.</p>
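<p>A small audit of a captured response, added here as an example that is not part of Chamilo: it checks in one pass
for the server and PHP version disclosure of section 1 and for the missing security headers of this section, which
is what securityheaders.io does online. The list of wanted headers is an assumption (it follows the headers that
site scores on), the function names are ours, and both header sets embedded below are constructed, not captured from
a real portal; capture yours with <i>curl -sI https://your-portal.example/ &gt; headers.txt</i>.</p>

```shell
#!/bin/sh
# Added example, not Chamilo's code: audit an HTTP response header block for
# version disclosure (section 1) and missing security headers (section 6).
# Capture a real one with:  curl -sI https://your-portal.example/ > headers.txt

# Security headers we expect to see (assumption: the set securityheaders.io scores on).
WANTED_HEADERS="strict-transport-security content-security-policy x-frame-options
x-content-type-options referrer-policy"

# header_value FILE NAME
# Prints the value of header NAME (names are case-insensitive); empty if absent.
# CRLF line endings from a real capture are stripped first.
header_value() {
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    tr -d '\r' < "$1" | awk -v name="$name" -F': *' '
        tolower($1) == name { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# audit_headers FILE
# Prints one line per finding and returns the number of findings (0 = clean).
audit_headers() {
    f=$1; findings=0
    # Section 1: "Server: Apache" is what ServerTokens Prod produces; a version
    # number means it is not set, and X-Powered-By means expose_php is still On.
    srv=$(header_value "$f" Server)
    case "$srv" in
        *[0-9]*) echo "server version disclosed: $srv"; findings=$((findings + 1)) ;;
    esac
    xpb=$(header_value "$f" X-Powered-By)
    if [ -n "$xpb" ]; then
        echo "X-Powered-By disclosed: $xpb"; findings=$((findings + 1))
    fi
    # Section 6: every wanted security header must be present.
    for h in $WANTED_HEADERS; do
        if [ -z "$(header_value "$f" "$h")" ]; then
            echo "missing header: $h"; findings=$((findings + 1))
        fi
    done
    return $findings
}

# Constructed samples: a default Apache/mod_php install, and the same portal
# after applying sections 1 and 6 of this guide.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
EOF
cat > "$after" <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; img-src 'self' data:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=UTF-8
EOF
audit_headers "$before"; before_findings=$?    # 7
audit_headers "$after";  after_findings=$?     # 0
after_csp=$(header_value "$after" Content-Security-Policy)
rm -f "$before" "$after"
```

<p>For Nginx the counterpart of <i>ServerTokens Prod</i> is <i>server_tokens off;</i>, which still announces
"nginx" but no version. The values in the "after" sample are illustrative only: a Content-Security-Policy in
particular has to be tuned to what your portal actually loads, or pages will break, which is why the Chamilo
parameters mentioned above come with recommendations rather than a fixed policy.</p>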
<h2>Authors</h2>
<ul>
<li>Yannick Warnier, Zend Certified PHP Engineer, BeezNest Belgium SPRL,
<a href="mailto:yannick.warnier@beeznest.com">yannick.warnier@beeznest.com</a></li>
</ul>
</div>
</body>
</html>