Which software is most secure for web-based webhosting?

[steamrent]

I'm trying to set up a webhost account for my friend on my own connection, and I'm running the default install of OpenBSD 5.0 with -stable patches.

So far I'm probably going to install PHP/MySQL because my friend wants to run a forum.

I know how to run my own webserver, but I don't know how to make it usable for someone else, while keeping the system secure. He doesn't know what SSH is, so I need to make the hosting all web interface, logging into my own site and setting up all his website stuff there, etc.

Which software would be best to run on my webserver that is user-friendly but is also the most secure?

[jggimi]

Quote:

Originally Posted by steamrent

....while keeping the system secure...

You will have to define what you mean by "secure". A chrooted webserver will prevent access to the rest of your filesystems, but that alone will not prevent DOS attacks, nor will it prevent poor web application administrative decisions from permitting bad actors from having a free hand within the webserver, including reaching out from the server to whatever it is permitted to reach, such as making their own SQL calls to your back end database.

Define your requirements clearly, so that you can get reasoned advice.

Quote:

He doesn't know what SSH is...

You can instruct him, if there is any advantage to providing a shell as a service.

[steamrent]

Secure in a manner that if the event of my adding additional users ever arises, that the users will not be able to interact with each others' files, nor gain access or information to the rest of the system beyond the web interface that they use to manage their website/files.

SSH would not necessarily be necessary, since I only want this for the user to manage static content pages of their website in an easy to use web interface. Basically solely for adding/deleting .html or .php pages (generally speaking).

Actually, I'm not sure if SSH is required for something like an installation of a vBulletin or phpBB forum. The way I usually do it is via CLI, so I'm not sure how that'd be done otherwise, or if it's possible.

[jggimi]

Quote:

Originally Posted by steamrent

Secure in a manner that if the event of my adding additional users ever arises, that the users will not be able to interact with each others' files, nor gain access or information to the rest of the system beyond the web interface that they use to manage their website/files.

I can't guide you to any specific "web based" file management service. Whatever you end up choosing, if the solutions uses standard "files" then you will be using OpenBSD's FFS filesystem and its file access controls. If you are unfamiliar with how BSD's owner/group/world read/write/execute access controls operate, you will need to learn how this functions, because you will be responsible for setting up access controls.

Quote:

SSH would not necessarily be necessary, since I only want this for the user to manage static content pages of their website in an easy to use web interface. Basically solely for adding/deleting .html or .php pages (generally speaking).

You may find sftp(1), a component of OpenSSH, meets that need. It can be used for secure upload of files.

Quote:

Actually, I'm not sure if SSH is required for something like an installation of a vBulletin or phpBB forum. The way I usually do it is via CLI, so I'm not sure how that'd be done otherwise, or if it's possible.

These and similar web applications are data driven from back end databases, with little in the way of "files" other than for configuration.

[jggimi]

When you use an application's internal security system, you must rely on their code for whatever security it has, or does not have.

Here's an example, just posted here in the News section today. Bugs that impact integrity and security or that provide for additional access vectors are always possible. With OpenBSD's FFS, at least the access controls are audited.

http://www.daemonforums.org/showthread.php?t=6652