Admin Manual - Running a Secure Web Server
From PikaDocs
It is important to operate the Pika CMS web server in a secure manner and to not take any unnecessary security risks. This section examines some steps that can be taken to make the system more secure.
Using SSL Encryption
SSL (Secure Sockets Layer) is an encryption technology that encrypts all communication between a web server and a web browser. Use of SSL prevents any third party from eavesdropping on a Pika CMS session. Since passwords and confidential client information are often transmitted while using Pika CMS, SSL should always be used whenever the software is used over a public network like the Internet. On private networks, like a LAN or a WAN, the use of SSL is not essential but encouraged.
Strong Passwords
It is very important to use strong passwords to protect Pika CMS user accounts, operating system accounts, and MySQL accounts. Strong passwords are not easily guessable, and are not single words that might be discovered by automated "dictionary attack" software. Strong passwords include a few numeric characters, and may even mix upper case and lower case letters.
File Permissions
The PHP files that comprise Pika CMS should be secured to help prevent accidental or intentional tampering. Most of them should be editable only by the pika user account. The following commands set the file permissions:
chown -R pika /home/pika/sitename/*
# Files only need to be readable by the web server, but directories must keep the execute (traverse) bit,
# so set the two separately instead of running "chmod -R 644" over the whole tree.
find /home/pika/sitename -type f -exec chmod 644 {} +
find /home/pika/sitename -type d -exec chmod 755 {} +
There are two exceptions to this rule: the Apache process needs write access to the file config/settings.php so configuration settings can be saved, and to the dropbox/ directory to store PDF and RTF files generated by users. One option is to change these two to belong to the same group that Apache runs under (typically apache), then give write permission to both the owner and the group. The following commands add the pika user to the apache group (suggested but not mandatory) and make settings.php and dropbox/ writable by the apache group as well as by the pika owner, while every other Pika CMS file stays writable by the pika account only:
usermod -a -G apache pika    # -a appends the group; without it the user's other supplementary groups are replaced
chgrp apache /home/pika/sitename/config/settings.php
chmod 664 /home/pika/sitename/config/settings.php    # owner and group may write, everyone else read-only
chgrp apache /home/pika/sitename/dropbox/
chmod 775 /home/pika/sitename/dropbox/    # a directory also needs the execute bit so the web server can enter it
Another alternative is to make these two files world-writable. This should never be done if other users will be logging into the server, because they will be able to edit the settings file!
chown -R pika /home/pika/sitename/*
find /home/pika/sitename -type f -exec chmod 644 {} +
find /home/pika/sitename -type d -exec chmod 755 {} +
chmod 666 /home/pika/sitename/config/settings.php    # world-writable file
chmod 777 /home/pika/sitename/dropbox/    # world-writable directory (the execute bit is required to enter it)
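The scheme above can be applied and then checked with a small script. What follows is an added example, not a script shipped with Pika CMS or part of this manual: it assumes the site root is passed as the first argument (for instance /home/pika/sitename), leaves the chown and chgrp steps to the root-run commands above, and only sets or audits mode bits, so it can run as the pika user. The file name pika-perms.sh in the usage comment is assumed.

```shell
#!/bin/sh
# Added example, not part of PikaDocs or Pika CMS. Applies the permission
# scheme from the manual (owner-writable files, owner-and-group-writable
# config/settings.php and dropbox/) to a site tree and audits a tree for
# anything writable beyond that scheme. Ownership (chown/chgrp) is not
# touched here; only mode bits are managed. $1 is assumed to be the site root.

# Apply the intended modes: 755 on directories (the execute bit is what lets
# Apache enter them), 644 on files, then the two group-writable exceptions.
apply_perms() {
    site="$1"
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    chmod 664 "$site/config/settings.php"
    chmod 775 "$site/dropbox"
}

# List every path under the site that is group- or world-writable and is not
# settings.php, dropbox/ or something inside dropbox/ (generated files land there).
audit_writable() {
    site="$1"
    find "$site" \( -perm -020 -o -perm -002 \) \
        ! -path "$site/config/settings.php" \
        ! -path "$site/dropbox" \
        ! -path "$site/dropbox/*" \
        -print | sort
}

# Number of offending paths; anything other than 0 means the tree has drifted.
count_writable() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# Directories whose owner cannot enter them: the symptom left behind when a
# blanket "chmod -R 644" is applied to directories as well as files.
untraversable_dirs() {
    find "$1" -type d ! -perm -100 -print | sort
}

# Typical use, as the pika user (file name assumed):
#   . ./pika-perms.sh
#   apply_perms /home/pika/sitename
#   audit_writable /home/pika/sitename     # prints nothing when the tree is clean
#   untraversable_dirs /home/pika/sitename # prints nothing when every directory is enterable
```

Running audit_writable from cron and alerting on non-empty output catches a later "chmod 777 to make it work" before it reaches a public server; untraversable_dirs explains the "403 Forbidden" that a recursive 644 produces.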
MySQL Permissions
MySQL's privilege system can be used to limit access to the database. It may be useful to set up a dedicated MySQL user account for Pika CMS that is only given permission to perform SELECT, INSERT, UPDATE and DELETE operations. These are the only SQL commands needed by Pika CMS, so it makes sense to limit the system to these operations at the database level. A MySQL user account with these permissions can be created with the following commands:
mysql -u root -p pika
mysql> CREATE USER 'pika_www'@'localhost' IDENTIFIED BY 'password';   -- replace 'password' with a strong one; 'localhost' admits connections only from this machine, use the web server's host name if MySQL runs elsewhere
mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON pika.* TO 'pika_www'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> exit
Once the MySQL user account is created, change the database username and password on the system settings screen to match the new account. A dedicated MySQL user account should also be used to limit ODBC users to only the operations they require. Multiple accounts can be used if different users need different levels of access. A detailed discussion of the MySQL security system is beyond the scope of this document, but the following commands will set up an account for running ODBC reports that only has read access to the database:
mysql -u root -p pika
mysql> CREATE USER 'reports'@'%' IDENTIFIED BY 'password';   -- replace 'password' with a strong one; '%' accepts ODBC connections from any host, narrow it to the reporting workstations' network where possible
mysql> GRANT SELECT ON pika.* TO 'reports'@'%';
mysql> FLUSH PRIVILEGES;
mysql> exit
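Once the accounts exist, it is worth confirming from the server side that they hold nothing beyond the privileges listed above. The following shell functions are an added example, not part of PikaDocs or Pika CMS: they read the output of SHOW GRANTS (for example from mysql -u root -p -N -e "SHOW GRANTS FOR 'pika_www'@'localhost'"), compare each grant against the SELECT, INSERT, UPDATE, DELETE set, and report anything extra. The grant lines in the comments are constructed samples, and the file name pika-grants.sh is assumed.

```shell
#!/bin/sh
# Added example, not part of PikaDocs or Pika CMS. Audits SHOW GRANTS output
# for an application account against the privileges Pika CMS needs, so an
# over-privileged pika_www (or reports) account is caught during review.
# Live use (file name assumed):
#   . ./pika-grants.sh
#   mysql -u root -p -N -e "SHOW GRANTS FOR 'pika_www'@'localhost'" | audit_grants

ALLOWED_PRIVS="SELECT,INSERT,UPDATE,DELETE"

# Print the privilege names of one GRANT line, one per line, upper-cased and
# trimmed. "GRANT SELECT, INSERT ON `pika`.* TO ..." yields SELECT and INSERT.
grant_privs() {
    printf '%s\n' "$1" \
        | sed -n 's/^GRANT \(.*\) ON .*/\1/p' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' \
        | tr 'a-z' 'A-Z'
}

# Print each privilege of a GRANT line that is outside ALLOWED_PRIVS.
# USAGE is MySQL's "no privileges at all" marker, so it never counts.
excess_privs() {
    grant_privs "$1" | while IFS= read -r p; do
        [ "$p" = "USAGE" ] && continue
        case ",$ALLOWED_PRIVS," in
            *",$p,"*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Read SHOW GRANTS output on stdin. For every excess privilege print
# "'user'@'host': PRIVILEGE"; return 1 if any was found, 0 if the account is clean.
# Lines that do not start with GRANT (column headers, blank lines) are ignored.
audit_grants() {
    found=0
    while IFS= read -r line; do
        case "$line" in GRANT*) ;; *) continue ;; esac
        who=${line##* TO }      # text after " TO "
        who=${who%% *}          # up to the next space: 'user'@'host'
        excess=$(excess_privs "$line")
        [ -n "$excess" ] || continue
        found=1
        printf '%s\n' "$excess" | while IFS= read -r p; do
            printf '%s: %s\n' "$who" "$p"
        done
    done
    return $found
}

# Constructed sample (not output from a real server):
#   printf '%s\n' "GRANT ALL PRIVILEGES ON \`pika\`.* TO 'pika_www'@'%'" | audit_grants
#   prints   'pika_www'@'%': ALL PRIVILEGES   and exits with status 1
```

The exit status makes the check usable from a deployment script or a scheduled job: a non-zero result means someone widened the account, typically with GRANT ALL to "fix" an error, and the printed line names the privilege to revoke. The same check works for the reports account by changing ALLOWED_PRIVS to SELECT.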
