Three steps to securing LAMP Servers
Maintaining a secure Web server on a Linux platform truly tests your knowledge of server-side in Linux, Apache and PHP. You will have to ensure three features on every installation-it should be easy but powerful to use, it should increase your productivity and on top of these two the server should be secure. Across most installations, LAMP server security is easy if you consistently follow certain fundamental rules.
Hardening Linux OS
The most important step is to harden the Linux OS. There are three areas that need attention to ensure robust Linux OS-the kernel, the MAC and the Firewall.
1- Kernel Hardening
Most intruders aim to break beyond the limited user area and gain access to root areas. The limited user nobody is specific to the Operating System. On Red Hat distros, CentOS, Apache is the default. Usually, www-data is associated with Debian family and Ubuntu.
Mandatory Access Control or MAC for accessing compilers such as gcc, utilities or system configuration files is a feature, which is not required for regular user of a common web server set-up. Mac Tools such as SELinux for RedHat, AppArmor for Ubuntu minimize attacks largely. However, wrong configuration of these would actually do more harm than good, since attackers can easily be compromise your server by using false-positives. This is one of the main reasons for MAC tools to have non-enforcing modes and allow reconfiguration. Alternatively, setting the permissions to 700 for some of the executions and allowing only the root to use them.
3- Protect server with firewall
It is very important that both incoming as well as outgoing traffic from servers to protect it from malicious attacks. Though, incoming traffic is well studied for malicious content, there are times when local executions too could have malicious scripts. Tested and secure method are iptables chains are set to DROP by default. Here, care has to be taken on running the incoming and outgoing connections. Most web scripts need RSS, external APIs and it has to be ensured that these are allowed. There are options, which work similar to iptables firewalls. Scripts can itself be used to generate the rules to maintain and run the firewall. There are software available to help you do this, like Shorewall or one could even explore Firestarter.
Apache Servers are easy to secure with simple installs
Apache servers like nginx or LiteSpeed are very well protected when mod_security, mod_evasive are installed. Additionally, filtering IP addresses of visitors will further secure the web server. For this, most effective would be the mod_httpbl (belonging to Project Honeypot), which is very effective in blocking known malicious-ware.
Another popular usage is the mod_geoip, as it allows access to visitors from certain countries only.
More commonly, PHP is the ideal server-side open-source software. With some resourceful directives, server-side security maintenance is made easy, though precautions have to be taken with some of the shell code executions.
Like us on Facebook
This week Top Posts
- Top Things To Do After Installing Ubuntu 13.10 'Saucy Salamander' : Ubuntu 13.10 Saucy Salamander will be released on coming October 17th with many new salient featur...0 comments |
- Manage Databases And Hosted Servers Remotely With DbNinja : Database administration via command line is bit difficult for newbie system and database administrat...0 comments |
- Setup IT And Asset Management System With GLPI On Debian/Ubuntu : GLPI is the Information Resource-Manager with an additional Administration Interface. You can use it...0 comments |
- How To Configure Linux Clients To Authenticate Using OpenLDAP : This is the continuation of our previous tutorial. In our previous tutorial we learned how to instal...0 comments |
- How To Upgrade From Ubuntu 13.04 Raring To Ubuntu 13.10 Saucy Salamander : Ubuntu 13.10 Saucy will be released on October 17th. Hope it will come with lot of improvements and ...0 comments |
- Install FrostWire 5.6.9 In Elementary OS 'Luna'/ Ubuntu / Linux Mint : FrostWire is a peer-to-peer file sharing program for the gnutella and BitTorrent protocols. FrostWir...0 comments |
- How To Install Linux Kernel 3.12.4 In Ubuntu
- Firefox 26 Has Been Released, How To Install It In Ubuntu And Its Derivates
- How To Install Brasero In Elementary OS ‘Luna’
- Install Sayonara Player In Elementary OS / Ubuntu / Linux Mint
- Manage Databases And Hosted Servers Remotely With DbNinja
- Install FrostWire 5.6.9 In Elementary OS ‘Luna’/ Ubuntu / Linux Mint
- Setup IT And Asset Management System With GLPI On Debian/Ubuntu
- How To Configure Linux Clients To Authenticate Using OpenLDAP
- How To Install Netflix In Ubuntu
- cowsay And fortune Combined Together
This work by unixmen.com is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Copyright © 2008-2013 Unixmen.com .