Making Apache secure on Ubuntu 14.04
Solution 1
I run my own LAMP servers on Ubuntu connected to the Internet, so I always follow the same guidelines. Usually, I'll check the following:
- In Apache, remove the documentation or at least don't present it through the web server (by removing the link /etc/apache2/conf-enabled/apache2-doc.conf).
- In Apache, be sure that unnecessary modules are not loaded. With Ubuntu, this is done by removing the links in /etc/apache2/mods-enabled. Each link points to a file in the /etc/apache2/mods-available directory that loads and configures one module at a time.
- You may want to review and enable /etc/apache2/conf-available/security.conf. It proposes some security tips that are not activated by default:
  - denying access to the whole filesystem except for the directories that you would explicitly allow later;
  - modifying the server banner to give as little information as possible on the running software.
- In PHP, check that you don't print too much logging information on the screen in case of error (parameters in the section "Error handling and logging" of the /etc/php4/apache2/php.ini file. The comments in the file give a lot of information on what is preferable to do).
- No need to expose your MySQL server to the Internet. By default, in Ubuntu, the MySQL server listens only on localhost. Check /etc/mysql/my.cnf in the section mysqld for the parameter bind-address. It should be set to 127.0.0.1:
  bind-address = 127.0.0.1
- Don't install more services on this server than what you need.
- Don't forget to apply updates when they arrive.
- Don't rely only on the configuration of the LAMP server; don't forget you also have to run a PHP application that can introduce some security threats (input validation and all this stuff to avoid typing an SQL query in an input field to retrieve from the DB more information than you would have given yourself, ...).
These are the first things on the top of my mind. Of course you can find more detailed howtos and guides on the Internet.
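As an added example that is not part of either answer, these POSIX shell functions audit the settings the checklist above asks you to verify: the banner directives in security.conf (ServerTokens and ServerSignature), display_errors in php.ini, bind-address under [mysqld] in my.cnf, and what is linked in mods-enabled or conf-enabled. Each function takes a file or directory path so it can be pointed at copies; the live paths in the --live section (including /etc/php5/apache2/php.ini for Ubuntu 14.04) and the ALLOWED_MODS variable are assumptions.

```shell
#!/bin/sh
# Added example: audit helpers for the LAMP checklist above. Each function takes
# the path of a config file (or directory) so it can be run against the live
# files or against test copies, and returns 0 when hardened, 1 otherwise.

# security.conf: "ServerTokens Prod" and "ServerSignature Off" trim the banner.
check_banner() {
    grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$' "$1" &&
    grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' "$1"
}

# php.ini: display_errors = Off keeps stack traces and file paths off the page.
check_php_errors() {
    grep -Eiq '^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*Off[[:space:]]*$' "$1"
}

# my.cnf: bind-address under [mysqld] must be 127.0.0.1 (commented lines are ignored,
# and a bind-address in another section such as [mysqld_safe] does not count).
check_mysql_bind() {
    val=$(awk '
        /^[[:space:]]*\[/ { sect = $0; next }
        sect ~ /\[mysqld\]/ && $1 ~ /^bind-address/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1")
    [ "$val" = "127.0.0.1" ]
}

# mods-enabled / conf-enabled: flag every enabled entry not on the allow list.
# Usage: check_enabled <dir> "<space-separated allowed names>"
check_enabled() {
    allowed=" $2 "
    status=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        case "$allowed" in
            *" $name "*) ;;
            *) echo "enabled but not on allow list: $f"; status=1 ;;
        esac
    done
    return $status
}

# Run against the live system with: ALLOWED_MODS="mpm_prefork.load php5.load" sh audit.sh --live
# (an empty ALLOWED_MODS simply lists every enabled module, which is a useful inventory).
if [ "${1:-}" = "--live" ]; then
    check_banner /etc/apache2/conf-available/security.conf && echo "banner: ok" || echo "banner: set ServerTokens Prod / ServerSignature Off"
    check_php_errors /etc/php5/apache2/php.ini && echo "php: ok" || echo "php: display_errors is not Off"
    check_mysql_bind /etc/mysql/my.cnf && echo "mysql: ok" || echo "mysql: bind-address is not 127.0.0.1"
    check_enabled /etc/apache2/mods-enabled "${ALLOWED_MODS:-}"
fi
```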
Solution 2
Here is what I generally do after a LAMP setup (for development use, not production):
- Disable apache2 from starting automatically:
  sudo update-rc.d apache2 disable
  When you want to use it, you may start it by:
  sudo service apache2 start
- Disable mysql from starting automatically:
  echo "manual" | sudo tee /etc/init/mysql.override
  When you want to use it, you may start it by:
  sudo service mysql start
- Block incoming ports 80 & 3306 on the firewall to secure your LAMP from invasion:
  sudo iptables -A INPUT -p tcp --dport 80 -j DROP
  sudo iptables -A INPUT -p tcp --dport 3306 -j DROP
(As a matter of fact, I block all the incoming ports except a few critical ones, but Linux security is a different topic!)
Rog
Budding website designer and forum host. Very very new to Linux and Ubuntu but loving it. I do a lot of programming in various languages including PHP, C#, VB, HTML and all that web stuff too, which is probably where I am most experienced. I have a lot of projects on my back burners all the time it seems!
Updated on September 18, 2022
Comments
- Rog over 1 year:
  I am wanting to host a small site at home and have installed Apache etc. like this:
  sudo apt-get update
  sudo apt-get install tasksel
  sudo tasksel install lamp-server
  That all worked and everything is up and running.
  Now I am used to working with XAMPP to develop and I did not want to use that live as many references said it was not very secure.
  So my question is, now that I have Apache/PHP & MySql installed by the above method, how is the level of security by default?
  Are there ways to make it more secure and perhaps a check-list or run-down of any changes that might be recommended?
  Clarification: the LAMP server would be a live site, not one in development.
- Dan almost 10 years: What do you want to secure? It all depends on the requirements. All possible ways to generally secure apache are most likely done by default. If you find a security issue in your apache installation you should report it as a bug so it would be fixed. Some stuff you can do is to enable SSL, make sure your code is as secure as it can be, etc.
- Rinzwind almost 10 years: sudo apt-get install tasksel and sudo tasksel install lamp-server -> sudo apt-get install lamp-server^ does the same and saves you installing tasksel ;)
- Rog almost 10 years: @Dan I just mean generally secure. Coming from XAMPP and after seeing many negative comments about its use in a live situation made me concerned. If this LAMP install is generally the way to go then that satisfies me. I try my best to write secure code.
- Rog almost 10 years: @Rinzwind Thanks for that - I'm very new to Ubuntu and Linux, getting there though :)
- Benoit almost 10 years: You can also power off the server, the security will be total. Seriously, you think that by starting your service(s) manually they are more secure? If you run a web site using an old version of SSL subject to the Heartbleed bug, when your web server is running you will have a problem, whether you started it manually or automatically. Of course you can block access to port 443 too!
- Prahlad Yeri almost 10 years: @Benoit - As I said, I block all incoming ports to my machine, so how can the heartbleed bug affect me? As for the manual start, that's more for a performance gain than security. In any case, the OP has a development setup, so what's the need to always keep these services running, anyway?
- Prahlad Yeri almost 10 years: And btw, a basic premise of security is that you keep up with security updates. Even that would solve your heartbleed issue.
- Rog almost 10 years: Thank you Prahlad for your reply. I think I miscommunicated - it is true that I use XAMPP for development - but the Linux machine where I set up LAMP would actually be used live, albeit by only a few people. Well, I can say only a few people, but we all know what the internet can be like! Benoit - turning it off would be the ultimate in security, I agree lol
- Prahlad Yeri almost 10 years: @Rog - Even in that case, you can make creative use of iptables (or other firewall software you may have) to allow traffic to apache and mysql ports from only trusted sources.
- Dan almost 10 years: By the way, there is no need to run echo as root. Only tee needs to be run as root.
  echo "manual" | sudo tee /etc/init/mysql.override
  would suffice.
- Prahlad Yeri almost 10 years: Right you are @Dan. I've corrected it.
- Rog almost 10 years: Thank you very much, this is just the advice and check list that I needed to get started and give me more peace of mind. I have therefore marked this as the answer. Cheers :)
- Dan almost 10 years: You can use the a2disconf and a2dismod commands to disable a configuration file or an apache module. It's safer than removing the links manually. I tend to avoid running rm as sudo when possible.