SERVER REQUIREMENTS

The server should have the following installed:

  • apache
  • no hard limit on the OS. Linux (Redhat, Debian, SuSe, Ubuntu), FreeBSD 4.11+, OpenBSD.
  • mysql 4.x or 5.x (mysql 3.x is not supported anymore)
  • php4 (or higher). 5.x recommended
    (with Zend Engine v1.3.0+ and Zend Optimizer v. 3.x).
  • php libraries required: GD2.x with JPEG support, CURL, PCRE
  • ZendOptimizer 3.x
  • Image::Magick 6.x with JPEG support
  • tar, gzip (from shell only)
  • zip (accessible from apache too) - required only if you want to use the automated create-zip-from-gallery function in MAS

Apache/PHP configuration:

  • MAS needs to have permissions to execute shell commands through php code (i.e. exec(), system(), passthru() and chmod must be allowed).
    Running php scripts through the php executable (CLI) is also required.
  • PHP should be installed as a module, not as CGI (Server API: Apache)
  • php must be installed as CLI too, and the CLI version must be compiled with Zend Optimizer as well.
  • safe mode = off (both as a local and master value).
  • allow_url_fopen = off (not required but highly recommended for security reasons).
  • sessions must be supported
  • error_reporting must be set to not display notices (E_ALL ^ E_NOTICE) or disabled entirely.
  • if there are open_basedir restrictions in effect, then the parent directory of the document root selected for the MAS installation must be allowed as a master value - for the MAS domain and for every other domain on the server which would be using MAS.

  IMPORTANT SECURITY PRECAUTIONS:


Restrict MAS administrator accounts by IP address:

It is highly recommended that you use the new option for limiting MAS access by IP address. Simply put your home and office static IPs in the designated text area when you edit your account. This way your MAS system will be best secured against unauthorized access. Whenever you travel and need to access your MAS from a different IP, open a support ticket and our team will grant you access.

Restrict SSH server access:
SSH access to your server running MAS should be restricted by IP as well. Upon installation we will provide you with the list of IP addresses that Mansion staff will use for support/setup. Also, to minimize the risk of leaking passwords, we recommend you set up the SSH access for Mansion using the 3072-bit RSA public key located here.

PHP configuration:
There are two php configuration settings which, if enabled, present a possible security risk.
If you have not done so yet, we recommend you contact your hosting company immediately and ask them to set in php.ini:

allow_url_fopen = false
register_globals = false

You should be aware that turning these settings off has no effect on MAS, but in rare cases it could affect other third-party scripts running on your server, if they were programmed to rely on these settings being on. Most often these are redirecting/authorization scripts for accessing leased feeds and/or forum scripts.
Nevertheless, the recommended practice is to turn them off, then modify any scripts that rely on them so that they connect to external servers using CURL, PEAR or other libraries in a more secure way. With allow_url_fopen enabled, attackers may be able to drop and execute malicious scripts and gain unauthorized access to resources on your server.
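
One way to confirm what a given php.ini actually sets for the two directives above, as an added example that is not part of MAS or its documentation. The function names and the sample file are constructed here, and the defaults used for an absent directive are assumed to be those of PHP 4.2.0 and later.

```shell
#!/bin/sh
# Added example (not MAS code): report whether a php.ini leaves either directive on.

# ini_value FILE NAME: print the last uncommented value set for NAME.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' |
        tail -n 1
}

# is_enabled VALUE: succeed if PHP reads VALUE as a true boolean.
is_enabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|true|yes|[1-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE: one line per directive; returns 1 if either is enabled.
# Assumed defaults when absent (PHP 4.2.0+): allow_url_fopen on, register_globals off.
audit_php_ini() {
    rc=0
    for pair in allow_url_fopen:on register_globals:off; do
        name=${pair%%:*}
        if grep -Eq "^[[:space:]]*$name[[:space:]]*=" "$1"; then
            value=$(ini_value "$1" "$name"); origin="set in file"
        else
            value=${pair##*:}; origin="absent, PHP default"
        fi
        if is_enabled "$value"; then
            echo "RISK $name is enabled ($origin)"; rc=1
        else
            echo "ok   $name is disabled ($origin)"
        fi
    done
    return $rc
}

# Constructed sample php.ini, for demonstration only.
sample_ini() {
    cat <<'EOF'
[PHP]
;allow_url_fopen = Off
allow_url_fopen = On   ; left over from the distribution default
register_globals = false
EOF
}

tmp=$(mktemp) && sample_ini > "$tmp"
audit_php_ini "$tmp" || echo "fix the RISK lines above in php.ini"; rm -f "$tmp"
```

A commented-out line such as ";allow_url_fopen = Off" does not count as a setting, which is why the sample file is reported as a risk.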


   Copyright © 2003-2008 Mansion Productions. All rights reserved.