{"id":912,"date":"2015-10-16T09:40:17","date_gmt":"2015-10-16T00:40:17","guid":{"rendered":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/?page_id=912"},"modified":"2016-07-28T12:40:06","modified_gmt":"2016-07-28T03:40:06","slug":"security","status":"publish","type":"page","link":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/document\/security\/","title":{"rendered":"Security Recommendations"},"content":{"rendered":"

This guide explains some recommended security measures to perform after installing KUSANAGI.<\/p>\n

1. Enhance security of wp-config.php<\/h2>\n

wp-config.php includes information about database connections and also some critical security information such as the unique authentication key. Therefore, it is important to enhance the security of the wp-config.php file.<\/p>\n

a. Move wp-config.php file to the document root<\/h3>\n

wp-config.php file is generated under the root directory when WordPress is installed.
\nMove wp-config.php to the document root so that the file cannot be accessed directly from outside via URL.<\/p>\n

1. Log in to the virtual machine<\/h4>\n

Use Poderosa or another SSH client software to log in to the virtual machine via SSH.<\/p>\n

Username for login: kusanagi
\nPassword is the one specified when performing \u201ckusanagi init\u201d.<\/p>\n

For Microsoft Azure, use the username and password that were specified during the “Basics” screen<\/a> while launching the VM.<\/p><\/blockquote>\n

2. Switch to root user<\/h4>\n

Enter the following to switch to root user.<\/p>\n

$ su -<\/code><\/pre>\n
You will be asked for a password. Enter the password for root user.
\n* The root user password is the one defined when the virtual machine was launched on the cloud service.<\/small><\/p>\n
For Microsoft Azure, enter the following to switch to root user.<\/p>\n
$ sudo su -<\/code><\/pre>\n
You will be asked for a password. Enter the password used for SSH login.<\/p><\/blockquote>\n
3. Go to the directory where wp-config.php is located<\/h4>\n
Go to the directory where wp-config.php is located.
\nEnter the following.<\/p>\n
# cd \/home\/kusanagi\/kusanagi_html(*1)\/DocumentRoot<\/code><\/pre>\n
(*1) Enter the name of the profile created in “WordPress Provisioning”<\/a>.<\/small><\/p>\n
4. Move wp-config.php up one level<\/h4>\n
Move the wp-config.php file up one level. Enter the following.<\/p>\n
# mv wp-config.php ..\/<\/code><\/pre>\n
5. Go up one level from current directory<\/h4>\n
Go up one level from the current directory and confirm that wp-config.php has been moved correctly. Enter the following.<\/p>\n
# cd ..<\/code><\/pre>\n
6. Confirm wp-config.php file is present<\/h4>\n
Check that \u201cwp-config.php\u201d file is in the document root.
\nEnter the following to show the list of files in the directory. Make sure wp-config.php is in the list.<\/p>\n
# ll<\/code><\/pre>\n
If the file is there, then the transfer is successful.<\/p>\n
7. Check display of the website<\/h4>\n
Access the URL of the website from your browser.
\nIf the front page of the website displays without any problems, then WordPress is operating normally after the transfer of wp-config.php<\/p>\n
b. Set limited permission<\/h3>\n
If you used KUSANAGI to install WordPress, the owner of wp-config.php is httpd (group is www) and the permission is 666 (rw-rw-rw-) by default.<\/p>\n
You can increase the security by changing the owner of wp-config.php and set the permission as low as possible.<\/p>\n
* The following procedures are based on the assumption that wp-config.php has been moved to the document root as shown in the previous step.<\/small><\/p>\n
1. Log in to the virtual machine<\/h4>\n
Use Poderosa or another SSH client software to log in to the virtual machine via SSH.<\/p>\n
2. Switch to root user<\/h4>\n
Enter the following to switch to root user.<\/p>\n
$ su -<\/code><\/pre>\n
You will be asked for a password. Enter the password for root user.
\n* The root user password is the one defined when the virtual machine was launched on the cloud service.<\/small><\/p>\n
For Microsoft Azure, enter the following to switch to root user.<\/p>\n
$ sudo su -<\/code><\/pre>\n
You will be asked for a password. Enter the password used for SSH login.<\/p><\/blockquote>\n
3. Go to the directory wp-config.php is located<\/h4>\n
Enter the following to go to the directory where wp-config.php is located.<\/p>\n
# cd \/home\/kusanagi\/kusanagi_html(*1)<\/code><\/pre>\n
(*1) Enter the name of the profile created in “WordPress Provisioning”<\/a>.<\/small><\/p>\n
4. Change the owner of wp-config.php<\/h4>\n
Enter the following to change the owner from web server to kusanagi user.<\/p>\n
# chown kusanagi.www wp-config.php<\/code><\/pre>\n
5. Change permission for wp-config.php<\/h4>\n
After changing the owner, change the permission of wp-config.php to \u201c440 (r-- r-- ---)\u201d to make it unwritable.
\nEnter the following.<\/p>\n
# chmod 0440 wp-config.php<\/code><\/pre>\n
6. Check the permission<\/h4>\n
Make sure the permission of wp-config.php has been changed. Enter the following to show the list of files in the directory and their permissions. Check the permission of wp-config.php.<\/p>\n
# ll<\/code><\/pre>\n
If the permission of wp-config.php is stated as \u201cr-- r-- ---\u201d, then the change is successful.<\/p>\n
7. Check the display of the site<\/h4>\n
Access the URL of the website from your browser.
\nIf the front page of the website displays without any problems, then WordPress is operating normally after the permission change.<\/p>\n
2. Restrict access to WordPress dashboard<\/h3>\n
Prevent unauthorized login from a third party to WordPress dashboard through Basic authentication and restricted IP access.<\/p>\n
In KUSANAGI, there are 2 web servers (Nginx and Apache) installed and you can switch to either of them. Follow the next procedures and the settings will function correctly on both servers.<\/p>\n
a. Specify IP address allowed for access on Nginx<\/h4>\n
Enter the following to open Nginx configuration file.<\/p>\n
# vi \/etc\/nginx\/conf.d\/[profile name(*1)]_http.conf<\/code><\/pre>\n
(*1) Name of profile created by “kusanagi provision” command.
\nExample: vi \/etc\/nginx\/conf.d\/kusanagi_html_http.conf<\/p>\n
In line 43,
\nchange \u201callow 0.0.0.0\/0;\u201d to the allowed IP address.
\nExample:allow xxx.xxx.xxx.xxx;<\/p>\n
* If you don\u2019t use Basic authentication, please comment out lines 46 and 47. (Add \u201c#\u201d to the beginning of the lines)<\/small><\/p>\n
At the time of WordPress provisioning, a configuration file is also created for SSL. Thus, the following procedures are also needed.
\nEnter the following to open Nginx configuration file.<\/p>\n
# vi \/etc\/nginx\/conf.d\/[profile name (*1)]_ssl.conf<\/code><\/pre>\n
(*1) Name of profile created by “kusanagi provision” command.
\nExample: vi \/etc\/nginx\/conf.d\/kusanagi_html_ssl.conf<\/p>\n
In line 54
\nchange \u201callow 0.0.0.0\/0;\u201d to the allowed IP address.
\nExample: allow xxx.xxx.xxx.xxx;<\/p>\n
* If you don\u2019t use Basic authentication, please comment out lines 57 and 58. (Add \u201c#\u201d to the beginning of the lines)<\/small><\/p>\n
If you are using Nginx and want to reflect the change immediately, please run \u201ckusanagi nginx\u201d command.
\nThe next time Nginx is launched as the web server, only the specified IP address is allowed to directly access WordPress dashboard.<\/p>\n
* Refer to \u201cc. .htpasswd settings\u201d for how to set up username and password for Basic authentication.<\/p>\n
b. Specify IP address permitted for access to Apache<\/h4>\n
Enter the following to open \u201c.htaccess\u201d file under the document root.<\/p>\n
# vi \/home\/kusanagi\/[profile name (*1)]\/DocumentRoot\/.htaccess<\/code><\/pre>\n
(*1) Name of profile created by “kusanagi provision” command.
\nExample: vi \/home\/kusanagi\/kusanagi_html\/DocumentRoot\/.htaccess<\/p>\n
In line 8
\nChange “Allow from all” to the allowed IP address
\nExample: Allow from xxx.xxx.xxx.xxx<\/p>\n
* If you don\u2019t use Basic authentication, please comment out lines 10, 11 and 12. (Add \u201c#\u201d at the beginning of the lines)<\/small><\/p>\n
The next time Apache is launched as the web server, only the specified IP address is allowed to directly access WordPress dashboard.<\/p>\n
* Refer to \u201cc.\u00a0 .htpasswd settings\u201d for how to set up username and password for Basic authentication.<\/p>\n
c. .htpasswd\u201d settings<\/h4>\n
Follow the procedures to create .htpasswd file and set up username and password for Basic authentication.<\/p>\n
1. Create .htpasswd file<\/h4>\n
Both in Nginx and Apache, the \u201c.htpasswd\u201d file is set to refer to a common path by default.
\nCreate \u201c.htpasswd\u201d file in the specified path.<\/p>\n
Enter the following.<\/p>\n
# htpasswd -c \/home\/kusanagi\/.htpasswd [username]<\/code><\/pre>\n
Then enter a password.
\nRe-enter the same password to confirm.<\/p>\n
Enter the username and password for the Basic authentication. If the dashboard is displayed with no problem, then the configuration is successful.<\/p>\n
3. Restrict IP access to the server<\/h3>\n
You can specify the IP and host that are allowed to connect to hosts.allow file and hosts.deny file. This will deny access to the server from other IP addresses and hosts except the allowed ones.<\/p>\n
    \n
  • hosts.allow
    \nSpecify conditions for access permission.<\/li>\n
  • hosts.deny
    \nSpecify conditions for access denial.<\/li>\n<\/ul>\n
    The settings will be applied in the following order.<\/p>\n
      \n
    1. If the access matches the conditions set in hosts.allow file, then the access is allowed.<\/li>\n
    2. If the access matches the conditions set in hosts.deny file, then the access is denied.<\/li>\n
    3. If the access does not match either condition set in hosts.allow or hosts.deny files, then the access is allowed.<\/li>\n<\/ol>\n
      Use the following format for both hosts.allow file and hosts.deny file.<\/p>\n
      Service Name: host name or IP address\r\nExample) ssh:192.168.1.0<\/code><\/pre>\n
      a. Allow access by hosts.allow<\/h4>\n
      Specify the IP addresses or host names that are allowed access.<\/p>\n
      1. Go to directory where hosts.allow is located<\/h5>\n
      Enter the following.<\/p>\n
      # cd \/etc\/<\/code><\/pre>\n
      2. Open hosts.allow file<\/h5>\n
      Go to \u201c\/etc\/\u201d directory and open hosts.allow file.
      \nEnter the following.<\/p>\n
      # vi hosts.allow<\/code><\/pre>\n
      3. Describe conditions for allowed access<\/h5>\n
      Describe the conditions for allowed access to the server.<\/p>\n
      Example\r\nall:192.168.1.10\r\nall:192.168.10.\r\nall:.ucom.ne.jp<\/code><\/pre>\n
      Add conditions and then save the file.
      \nPlease pay close attention when entering numbers, because if you enter a wrong number in the conditions, you won\u2019t be allowed access.<\/p>\n
      b. Deny access by hosts.deny<\/h4>\n
      Deny all access.
      \nThe hosts.deny file is in the same layer of hosts.allow file.<\/p>\n
      1. Open hosts.deny file<\/h5>\n
      Open hosts.deny file.
      \nEnter the following.<\/p>\n
      # vi hosts.deny<\/code><\/pre>\n
      2. Description to deny any access<\/h5>\n
      Add the following description to deny all access.<\/p>\n
      all:all<\/code><\/pre>\n
      Now, only access from the IP address and host name specified in “a. Allow access by hosts.allow” are allowed.
      \nSave the file after making changes.<\/p>\n
      4. Other directory permission settings<\/h3>\n
      In KUSANAGI, permission of the following directories is 777 (rwx rwx rwx). Change the permission to 755 (rwx rw- rw-).<\/p>\n
      \u30fbDocument root (\/home\/kusanagi\/[profile name]\/DocumentRoot)
      \n\u30fbwp-content directory (\/home\/kusanagi[profile name]\/DocumentRoot\/wp-content)<\/p>\n
      a. Change permission for DocumentRoot<\/h4>\n
      Enter the following and go to the directory where DocumentRoot is located.<\/p>\n
      # cd \/home\/kusanagi\/kusanagi_html(*1)<\/code><\/pre>\n
      (*1) Enter the name of the profile created by “kusanagi provision” command.<\/small>
      \nThen, enter the following.<\/p>\n
      # chmod 0755 DocumentRoot<\/code><\/pre>\n
      b. Change permission for wp-content directory<\/h4>\n
      Next, change the permission for wp-content directory.
      \nEnter the following and go to the directory where wp-content directory is located.<\/p>\n
      # cd DocumentRoot<\/code><\/pre>\n
      Then, enter the following.<\/p>\n
      # chmod 0755 wp-content<\/code><\/pre>\n
      The directory permission is now successfully changed.<\/p>\n","protected":false},"excerpt":{"rendered":"
      This guide explains some recommended security measures to perform after installing KUSANAGI. 1. Enhance security of wp-config.php wp-config.php includes information about database connections and also some critical security information such as the unique authentication key. Therefore, it is important to enhance the security of the wp-config.php file. a. Move wp-config.php file to the document root […]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":784,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-912","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/wp-json\/wp\/v2\/pages\/912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/wp-json\/wp\/v2\/comments?post=912"}],"version-history":[{"count":33,"href":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/wp-json\/wp\/v2\/pages\/912\/revisions"}],"predecessor-version":[{"id":1935,"href":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/wp-json\/wp\/v2\/pages\/912\/revisions\/1935"}],"up":[{"embeddable":true,"href":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/wp-json\/wp\/v2\/pages\/784"}],"wp:attachment":[{"href":"https:\/\/kusanagi.tokyo\/en-kusanagi8\/wp-json\/wp\/v2\/media?parent=912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}