Open zamentur opened 7 years ago
How would the WordPress user be able to open a port? I think it needs root access to do that? I read your post on the forum; is it not simply WordPress using the open port 25?
About chrooting WordPress, it's really a good idea. But I already tried to do that without success. Considering this issue, I think it could really be a good thing to try again.
It's possible to specify "user wordpress can't use port 25" with an owner iptables rule.
When I say open a port, I am thinking about an "OUT" rule and not an IN rule.
By default, all packets for an OUT port are accepted.
Oh ok, I get it.
But you should consider that WordPress needs to send some emails to its users, and maybe to visitors in the case of comments. Of course we can configure WordPress to use the SMTP server instead of a simple mail function. But is it safer in this case?
I think the mail function already uses the local SMTP server.
So, considering we have to somehow keep the possibility to send some mails, would it be better if WordPress had to use an authenticated connection to postfix to send its mail? Is it more secure against that kind of threat?
As explained here, we should improve the security of wordpress_ynh specifically. https://forum.yunohost.org/t/virus-qui-envoie-des-mails-en-masse-spam/3330/5?u=ljf
I suggest adding an owner iptables rule to prevent the user $app from being able to open a port to the outside. If we don't, a WordPress could send mass mail (like with the Perl virus discovered on the tomdereub instance).
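
The owner-match rule discussed in this thread, written out as an added example (not code from the issue or from the wordpress_ynh package): it rejects direct outbound SMTP from the app's system user while leaving loopback open, so `mail()` can still hand messages to the local postfix. Assumptions: the function name `smtp_egress_rules` and the account name `wordpress` are hypothetical, the OUTPUT chain has no earlier ACCEPT rule that would match first, and the IPv6 rules, the LOG rule and the optional extra ports go beyond what the thread asks for.

```shell
#!/bin/sh
# Print (do not apply) the rules that stop one app account from speaking
# SMTP to remote hosts. Nothing is changed until the output is run as root.
# Usage: smtp_egress_rules <app_user> ["<port> <port> ..."]   (default: 25)
smtp_egress_rules() {
    app_user="$1"
    ports="${2:-25}"
    # Accept only a plain account name, so the value cannot add extra
    # options or commands to the generated lines.
    case "$app_user" in
        ''|*[!a-z0-9_-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    # Validate every port before printing anything.
    for port in $ports; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
    done
    # The owner match only exists for locally generated packets (OUTPUT).
    # Cover IPv6 too, otherwise the block is bypassed over an AAAA route.
    for cmd in iptables ip6tables; do
        for port in $ports; do
            # "! -o lo" keeps 127.0.0.1:25 (local postfix) reachable.
            match="-A OUTPUT ! -o lo -p tcp --dport $port -m owner --uid-owner $app_user"
            # Log first so a compromised app shows up in the kernel log.
            echo "$cmd $match -j LOG --log-prefix app-smtp-out: --log-uid"
            echo "$cmd $match -j REJECT --reject-with tcp-reset"
        done
    done
}

# Constructed sample call: "wordpress" is an assumed account name.
smtp_egress_rules wordpress
```

Review the printed rules, then run them as root; mail sent through the local postfix is unaffected because it travels over the loopback interface.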