Secure LAMP server for production use

5,294

Solution 1

These recommendations are off the top of my head and not intended to be comprehensive.

Check out Bastille; it's a series of scripts that implement best practices in Linux.

Don't send authentication data over plaintext protocols. For example, disable FTP. If you send authentication data via Apache, use SSL.

Disable and remove any unnecessary software including the GUI interface.

Audit any files with the SUID bit set and remove. (This will severely limit non-root abilities. Understand the implications for each individual change.)

Audit public writable directories and remove the writable bit. (Leave /tmp alone.)

Avoid running any daemon as root.

Research all multi-user software that listens on sockets in detail for security best practices.

Avoiding adding users to the system is one of the best approaches. Multi-user systems require greater attention to detail.

Enforce password standards. For example: minimum 10 characters, non-alphanumeric characters, using letters and numbers. This is to make brute forcing more difficult in case of password file compromise. Enforce this via the system.

Lock out users after 5 failed authentication attempts with a minimum of 10 minute lockout. Maintain a password history so users can't use the past 5 passwords.

If you have a larger environment, using network segregation with multiple subnets to isolate risk is an absolute requirement. If a smaller environment, running a firewall on the local system to limit exposure is recommended. For example, only allowing SSH to your IP. tcpwrappers can be used too for an extra layer. (/etc/hosts.allow, /etc/hosts.deny)

And, of course, keeping all software up to date. Especially public facing daemons.

With SSH:

  • Disable SSH protocol 1
  • Only allow root authentication without-password (only keypair)

With Apache:

  • Disable any modules that are not needed
  • Disable .htaccess and public directories
  • Disable FollowSymlink and any unnecessary options
  • Do not install PHP if you don't need it.

With MySQL:

  • Disable default users.
  • Don't use wildcard hosts.
  • Be sure to set unique host for every user.
  • Don't listen on tcp unless necessary. (Usually unavoidable.)
  • Limit application user privileges as much as possible. (SELECT,INSERT,UPDATE,DELETE ideal for write and SELECT for read)

I'd recommend researching php.ini tuning for security specifically. It's riskier software by default.

Bastille
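
Added example (not part of the original answer): a POSIX sh audit script that checks several of the items above, namely unexpected SUID/SGID binaries, world-writable directories without the sticky bit, the two sshd settings, and MySQL accounts with anonymous users or wildcard hosts. It runs against a constructed sandbox directory and constructed config fragments so it can be run offline; the allow-list file `suid.allow`, the sample `sshd_config` fragments and the `User<TAB>Host` dump (the shape `mysql -N -e 'SELECT User,Host FROM mysql.user'` prints) are all assumptions built inside the script. Point the functions at `/` and the real files to use it on a host.

```shell
#!/bin/sh
# Added example, not from the original answer. Everything under $SANDBOX is
# constructed sample data (hypothetical paths) standing in for the live host.
umask 022

# --- constructed sandbox --------------------------------------------------------
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/usr/bin" "$SANDBOX/var/www/uploads" "$SANDBOX/tmp"
: > "$SANDBOX/usr/bin/passwd"; chmod 4755 "$SANDBOX/usr/bin/passwd"  # expected SUID binary
: > "$SANDBOX/usr/bin/helper"; chmod 4755 "$SANDBOX/usr/bin/helper"  # unexpected SUID binary
chmod 777  "$SANDBOX/var/www/uploads"   # world-writable, no sticky bit: flag it
chmod 1777 "$SANDBOX/tmp"               # world-writable but sticky, like /tmp: leave alone

SUID_ALLOW="$SANDBOX/suid.allow"        # assumed allow-list: one ROOT-relative path per line
printf '/usr/bin/passwd\n' > "$SUID_ALLOW"

SSHD_BAD="$SANDBOX/sshd_config.bad"     # constructed: protocol 1 on, root password login on
printf 'Protocol 2,1\nPermitRootLogin yes\n#PermitRootLogin without-password\n' > "$SSHD_BAD"
SSHD_GOOD="$SANDBOX/sshd_config.good"   # constructed: sshd honours the FIRST uncommented
# occurrence of a keyword, so the trailing "PermitRootLogin yes" below is inert.
printf 'Protocol 2\nPermitRootLogin without-password\nPasswordAuthentication no\nPermitRootLogin yes\n' > "$SSHD_GOOD"

MYSQL_USERS="$SANDBOX/mysql_users.tsv"  # constructed User<TAB>Host dump (mysql -N output shape)
printf 'root\tlocalhost\n\tlocalhost\napp_rw\t%%\napp_ro\t10.0.0.5\n' > "$MYSQL_USERS"

# --- checks ---------------------------------------------------------------------
# SUID/SGID files under $1 (one filesystem only), sorted for stable output.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# SUID/SGID files under $1 whose ROOT-relative path is not listed in allow-list $2.
unexpected_suid() {
    root=$1; allow=$2
    find_suid "$root" | while IFS= read -r f; do
        rel=${f#"$root"}
        grep -qxF "$rel" "$allow" || printf '%s\n' "$f"
    done
}

# World-writable directories under $1 that lack the sticky bit (a sticky /tmp is fine).
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Effective value of sshd_config keyword $2 in file $1: the first uncommented match
# wins (sshd's rule), keywords are case-insensitive, and scanning stops at the
# first Match block, which this helper does not interpret.
sshd_setting() {
    awk -v k="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
        END { print v }' "$1"
}

# Return 0 if $1 disables protocol 1 and limits root to key-based login, else 1.
check_sshd() {
    rc=0
    proto=$(sshd_setting "$1" Protocol)
    case "$proto" in
        *1*) echo "sshd: SSH protocol 1 enabled (Protocol $proto)"; rc=1 ;;
    esac
    prl=$(sshd_setting "$1" PermitRootLogin)
    case "$prl" in
        without-password|prohibit-password|no) ;;
        *) echo "sshd: PermitRootLogin is '${prl:-unset}', expected without-password"; rc=1 ;;
    esac
    return $rc
}

# Accounts in a User<TAB>Host dump ($1) that are anonymous or use a wildcard host.
mysql_wildcard_hosts() {
    awk -F'\t' 'NF >= 2 && ($1 == "" || index($2, "%") > 0) {
        u = ($1 == "" ? "<anonymous>" : $1); print u "@" $2 }' "$1"
}

# --- run against the sandbox ----------------------------------------------------
echo "== SUID/SGID files not on the allow-list"
unexpected_suid "$SANDBOX" "$SUID_ALLOW"
echo "== world-writable directories without the sticky bit"
world_writable_dirs "$SANDBOX"
echo "== sshd_config findings"
check_sshd "$SSHD_BAD" || true
check_sshd "$SSHD_GOOD" && echo "sshd_config.good: OK"
echo "== MySQL accounts that are anonymous or use a wildcard host"
mysql_wildcard_hosts "$MYSQL_USERS"
```

The SUID check compares against an allow-list rather than removing bits blindly, which is the "understand the implications for each individual change" part of the answer; the sshd helper deliberately uses first-match semantics because a later, more permissive line in `sshd_config` does not override an earlier one.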

Solution 2

Here is a good article that you can use as a base for your setup and change accordingly to your distribution: http://it.toolbox.com/blogs/rayheffer/how-to-build-a-secure-lamp-web-server-with-centos-5-36786


Author by WalterJ89

Currently going to the University of the Fraser Valley for my Degree in Computer Information Systems.

Updated on September 17, 2022

Comments

  • WalterJ89
    WalterJ89 almost 2 years

    What is the procedure for securing a Linux, Apache, MySQL, PHP Server (or even Perl) for production use?

    Other than setting the MySQL password and the root password for Linux what other (maybe not so obvious) steps should be taken?

    Also what steps can I take, if I was going to be extra paranoid, that may not normally be necessary?

    This is for a basic single site use but must be secure.

  • aschufo
    aschufo over 14 years
    But basically, do not load modules you don't explicitly need, hide all version numbers and debug/information pages, create a mysql user for each application with hardened passwords, always have people work on your server using regular user accounts and make them sudo if they need root permissions, use a firewall like iptables and only open ports based on what you absolutely need to come inside your box... That plus latest patches will already give you quite a secure setup.
  • sumar
    sumar over 14 years
    This article is not good. Disabling selinux, nothing about hardening mysql, disabling unnecessary apache modules...
  • ALex_hha
    ALex_hha almost 11 years
    I suggest reading cyberciti.biz/tips/php-security-best-practices-tutorial.html for php tuning