Making Apache secure on Ubuntu 14.04


Solution 1

I run my own LAMP servers on Ubuntu connected to the Internet, so I always follow the same guidelines. Usually, I'll check the following :

  • In Apache, remove the documentation or at least don't serve it through the web server (by removing the link /etc/apache2/conf-enabled/apache2-doc.conf)
  • In Apache, be sure that unnecessary modules are not loaded. With Ubuntu, this is done by removing the links in /etc/apache2/mods-enabled. Each link points to a file in the /etc/apache2/mods-available directory that loads and configures one module at a time.
  • You may want to review and enable /etc/apache2/conf-available/security.conf. It proposes some security tips that are not activated by default:
      • Denying access to the whole filesystem except for the directories that you explicitly allow later
      • Modifying the server banner to give as little information as possible on the running software.
  • In PHP, check that you don't print too much logging information on the screen in case of error (parameters in the Error handling and logging section of the /etc/php4/apache2/php.ini file; the comments in the file give a lot of information on what is preferable to do).
  • No need to expose your MySQL server to the Internet. By default, in Ubuntu, the MySQL server listens only on localhost. Check /etc/mysql/my.cnf in the mysqld section for the parameter bind-address. It should be 127.0.0.1:

    bind-address = 127.0.0.1

  • Don't install more services on this server than what you need.

  • Don't forget to apply update when they arrive.
  • Don't rely only on the configuration of the LAMP server; don't forget you also have to run a PHP application that can introduce security threats (input validation and all that stuff, to avoid someone typing a SQL query into an input field to retrieve more information from the DB than you would have given yourself, ...)

These are the first things on the top of my mind. Of course you can find more detailed howtos and guides on the Internet:
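Added example, not part of the answer above: a small audit script for the settings this checklist names (banner directives and filesystem deny in the Apache conf, display_errors/expose_php in php.ini, bind-address in the [mysqld] section of my.cnf). The config file paths are passed as arguments, so on a real 14.04 box you would point it at security.conf, the php.ini read by Apache's PHP module, and /etc/mysql/my.cnf; the sample "weak" and "hardened" files at the bottom are constructed here so it runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). Each check reads one config
# file and returns 0 (ok) or 1 (finding); audit() runs them all and returns
# the number of findings.

# 0 if an uncommented "Directive value" line exists in Apache conf $1.
apache_has() {
    grep -qiE "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# 0 if the <Directory /> block of Apache conf $1 contains "Require all denied"
# (Apache 2.4 syntax, which is what Ubuntu 14.04 ships).
apache_root_denied() {
    awk '
        tolower($0) ~ /^[ \t]*<directory[ \t]+\/>/        { inroot = 1; next }
        inroot && tolower($0) ~ /^[ \t]*<\/directory>/    { inroot = 0 }
        inroot && tolower($0) ~ /^[ \t]*require[ \t]+all[ \t]+denied/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 0 if php.ini $1 has an uncommented "key = value" (php.ini comments start with ";").
ini_has() {
    grep -qiE "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3([[:space:]]|$)" "$1"
}

# 0 if the [mysqld] section of my.cnf $1 binds only to 127.0.0.1.
mysql_local_only() {
    awk '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[mysqld\]/); next }
        insec && $0 ~ /^[ \t]*bind-address[ \t]*=[ \t]*127\.0\.0\.1([ \t]|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit <apache_conf> <php_ini> <my_cnf>: one line per finding, returns the count.
audit() {
    local n=0
    apache_has "$1" ServerTokens Prod   || { echo "apache: ServerTokens is not Prod (banner leaks versions)"; n=$((n+1)); }
    apache_has "$1" ServerSignature Off || { echo "apache: ServerSignature is not Off"; n=$((n+1)); }
    apache_root_denied "$1"             || { echo "apache: <Directory /> does not 'Require all denied'"; n=$((n+1)); }
    ini_has "$2" display_errors Off     || { echo "php: display_errors is not Off (errors shown to clients)"; n=$((n+1)); }
    ini_has "$2" expose_php Off         || { echo "php: expose_php is not Off (X-Powered-By header sent)"; n=$((n+1)); }
    mysql_local_only "$3"               || { echo "mysql: [mysqld] bind-address is not 127.0.0.1"; n=$((n+1)); }
    return "$n"
}

# --- constructed sample files: stock-looking defaults versus a hardened copy ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/weak.conf" <<'EOF'
ServerTokens OS
ServerSignature On
#<Directory />
#    Require all denied
#</Directory>
EOF
cat >"$tmp/hard.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory />
    AllowOverride None
    Require all denied
</Directory>
EOF
cat >"$tmp/weak.ini" <<'EOF'
; development settings
display_errors = On
expose_php = On
EOF
cat >"$tmp/hard.ini" <<'EOF'
display_errors = Off
log_errors = On
expose_php = Off
EOF
cat >"$tmp/weak.cnf" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
EOF
cat >"$tmp/hard.cnf" <<'EOF'
[client]
port = 3306
[mysqld]
bind-address = 127.0.0.1
EOF

echo "== weak =="; audit "$tmp/weak.conf" "$tmp/weak.ini" "$tmp/weak.cnf" || echo "$? finding(s)"
echo "== hardened =="; audit "$tmp/hard.conf" "$tmp/hard.ini" "$tmp/hard.cnf" && echo "all checks passed"
```

The checks are deliberately line-based: they only confirm that the directive is present and uncommented in the file you hand them, not that Apache has actually loaded it, so after fixing security.conf still run `sudo a2enconf security` and `sudo service apache2 reload`, and confirm the banner with `curl -sI http://localhost/ | grep -i '^Server:'`.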

Solution 2

Here is what I generally do after a LAMP setup (for development use, not production):

  • Disable apache2 from starting automatically:

    sudo update-rc.d apache2 disable
    

    When you want to use it, you may start it by:

    sudo service apache2 start
    
  • Disable mysql from starting automatically:

    echo "manual" | sudo tee /etc/init/mysql.override
    

    When you want to use it, you may start it by:

    sudo service mysql start
    
  • Block incoming ports 80 & 3306 on firewall to secure your LAMP from invasion:

    sudo iptables -A INPUT -p tcp --dport 80 -j DROP
    sudo iptables -A INPUT -p tcp --dport 3306 -j DROP
    

    (As a matter of fact, I block all the incoming ports except a few critical ones, but Linux security is a different topic!)
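Added example, not part of the answer above: the two `iptables -A ... -j DROP` rules only append to an INPUT chain whose default policy is still ACCEPT, and they are forgotten at reboot. Since the asker clarified that the site is live (so port 80 must stay open) and a later comment suggests allowing the ports only from trusted sources, here is a default-deny ruleset in iptables-restore format that does that. The admin network 192.168.1.0/24 is an assumed placeholder; load it with `sudo iptables-restore < /etc/iptables/rules.v4`, and on 14.04 install the iptables-persistent package so that file is reapplied at boot.

```text
# /etc/iptables/rules.v4  (added example; 192.168.1.0/24 is a placeholder admin range)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# keep loopback and already-established sessions working
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the admin network
-A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
# the web site is public
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# no rule for 3306: MySQL is bound to 127.0.0.1 and the loopback rule
# already admits local clients, so the default policy drops everything else
COMMIT
```

Before locking the policy to DROP from an SSH session, test it with a timed rollback such as `sudo iptables-restore < rules.v4; sleep 60; sudo iptables -P INPUT ACCEPT` so a typo in the SSH rule does not lock you out.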

Rog

Budding website designer and forum host. Very very new to Linux and Ubuntu but loving it. I do a lot of programming in various languages including PHP, C#, VB, HTML and all that web stuff too which is probably where I am most experienced. I have a lot of projects on my back burners all the time it seems !

Updated on September 18, 2022

Comments

  • Rog
    Rog over 1 year

    I am wanting to host a small site at home and have installed Apache etc like this :

    1. sudo apt-get update
    2. sudo apt-get install tasksel
    3. sudo tasksel install lamp-server

    That all worked and everything is up and running.

    Now I am used to working with XAMPP to develop and I did not want to use that live as many references said it was not very secure.

    So my question is, now that I have Apache/PHP & MySql installed by the above method; how is the level of security by default ?

    Is there ways to make it more secure and perhaps a check-list or run-down of any changes that might be recommended ?

    Clarification : the LAMP server would be a live site, not one in development.

    • Dan
      Dan almost 10 years
      What do you want to secure? It all depends on the requirements. All possible ways to generally secure apache are most likely done by default. If you find a security issue in your apache installation you should report it as a bug so it gets fixed. Some things you can do are to enable SSL, make sure your code is as secure as it can be, etc.
    • Rinzwind
      Rinzwind almost 10 years
      sudo apt-get install tasksel and sudo tasksel install lamp-server -> sudo apt-get install lamp-server^ does the same and saves you installing tasksel ;)
    • Rog
      Rog almost 10 years
      @Dan I just mean generally secure. Coming from XAMPP and after seeing many negative comments about its use in a live situation made me concerned. If this LAMP install is generally the way to go then that satisfies me. I try my best to write secure code.
    • Rog
      Rog almost 10 years
      @Rinzwind Thanks for that - I'm very new to Ubuntu and Linux, getting there though :)
  • Benoit
    Benoit almost 10 years
    You can also power off the server, the security will be total. Seriously, you think that by starting your service(s) manually they are more secure? If you run a web site using an old version of SSL subject to the Heartbleed bug, when your web server is running you will have problems, whether you started it manually or automatically. Of course you can block access to port 443 too!
  • Prahlad Yeri
    Prahlad Yeri almost 10 years
    @Benoit - As I said, I block all incoming ports to my machine, so how can the heartbleed bug affect me? As for the manual start, that's more for a performance gain than security. In any case, the OP has a development setup, so what's the need to always keep these services running, anyway?
  • Prahlad Yeri
    Prahlad Yeri almost 10 years
    And btw, a basic premise of security is that you keep up with security updates. Even that would solve your heartbleed issue.
  • Rog
    Rog almost 10 years
    Thank you Prahlad for your reply. I think I miscommunicated - it is true that I use XAMPP for development - but the Linux machine where I set up LAMP would actually be used live albeit by only a few people. Well I can say only a few people, but we all know what the internet can be like ! Benoit - turning it off would be the ultimate in security I agree lol
  • Prahlad Yeri
    Prahlad Yeri almost 10 years
    @Rog - Even in that case, you can make creative use of iptables (or other firewall software you may have) to allow traffic to apache and mysql ports from only trusted sources.
  • Dan
    Dan almost 10 years
    By the way, there is no need to run echo as root. Only tee needs to be run as root. echo "manual" | sudo tee /etc/init/mysql.override would suffice.
  • Prahlad Yeri
    Prahlad Yeri almost 10 years
    Right you are @Dan. I've corrected it.
  • Rog
    Rog almost 10 years
    thank you very much, this is just the advice and check list that I needed to get started and give me more peace of mind. I have therefore marked this as the answer. Cheers :)
  • Dan
    Dan almost 10 years
    You can use the a2disconf and a2dismod commands to disable a configuration file or an apache module. It's safer than removing the links manually. I tend to avoid running rm as sudo when possible.