Ways To Secure Your Ubuntu 14.04 Server Running LAMP

Securing your Ubuntu Linux server to become unpredictable, below are some tips to get you going:

I assume you already have LAMP running in your server and you are using Ubuntu 14.04.

If not, refer the following link to setup LAMP stack on Ubuntu.

Linux

Firewalls:

Most security on servers are the ports and this creates a pathway between the outside world and the server its self, why making all these ports available for access when they ain’t necessary? I will be using a package called UFW which is an easy package for configuring IPTABLES.

Install UFW:

sudo apt-get update && apt-get install ufw

On installation this package is disabled, enable using:

sudo ufw enable

And firstly please, add your SSH port ASAP else you get blocked out from your server, adding a port use this:

sudo ufw allow 22
sudo ufw allow 80

That should add a port successfully and make it publicly accessible, you can view list of ports you’ve added with:

sudo ufw status numbered

Remove or block a port, use the remove argument and number of each port you saw in the status with this command:

sudo ufw remove 1

And entirely disable UFW making all port publicly available using:

sudo ufw disable

Disable User Creation:

As a root, disable unauthorized user creation. This will help you as a sysadmin to know users in your system, disable creation of groups and users using:

sudo chattr +i /etc/passwd && sudo chattr +i /etc/group

When to re-enable use:

sudo chattr -i /etc/passwd && sudo chattr -i /etc/group

SSH:

One of the way we become vulnerable is when we are predictable, change SSH Port to your custom apart from 22 by editing /etc/ssh/sshd_config and find (create if not found).

Port 22

Replace with 22 with your custom port, save and restart SSH with:

sudo service ssh restart

Super User:

You have your default user who has the ROOT Privilege why not create another user to handle root and keep the default for security purposes. Create a user:

sudo groupadd users
sudo mkdir /home/newuser && useradd –home /home/newuser –group users –shell /bin/sh newuser
sudo passwd newuser

The above code creates new group called users, creates a directory in /home/ named newuser, creates a new user called newuser and gives him a home in the new created directory and assigns the users group to him and also give him a shell then assign a new password for it. Now add him to sudoers for him to have ROOT access, edit /etc/sudoers then add:

newuser ALL=(ALL:ALL) ALL

Then save. Always login with newuser account.

Apache

In this Apache for things to be easier we are going to be using configs, you just create a config file in /etc/apache2/conf-available like myconf.conf.

Simple Security:

Paste these in myconf.conf:

ServerSignature Off
ServerTokens Prod
Options all -Indexes

Enable headers module using:

sudo a2enmod headers

Then back to myconf.conf and add:

Headers always unset X-Powered-By

The above turns of unnecessary server signature in directory and error pages and shows only Server Product in Server Name header then headers remove X-Powered-By in headers

PHPMyAdmin:

In this, after installing PHPMyAdmin to your server the default URL is yourdomain.com/phpmyadmin which is predictable, why not change this?

Edit /etc/phpmyadmin/apache.conf and find:

Alias /phpmyadmin /usr/share/phpmyadmin

Then replace with:

Alias /newURL /usr/share/phpmyadmin

And save.

Mod Security:

This is a Web Application Firewall (WAF) protecting your Apache server.

Install it:

sudo apt-get install libapache2-modsecurity

Enable the config for Apache to be able to parse it.

sudo cp /etc/modsecurity/modsecurity{-recommended,}

Turn on the SecRuleEngine from DetectionOnly to On, this will put ModSecurity to work not logging only anymore.

SecRuleEngine On

Find SecRequestBodyAccess and turn it Off, leaving it On will fill large logs for you, just don’t access bodies.

SecRequestBodyAccess Off

Other configurations are okay and doing well in my server except you want to go advanced. I have set of rules that works in my server with no issues and is protecting me as I want, activating all will give you issues for sure because simple URLs might be seen malicious in ModSec, so I recommend you activate these rules.

Rules are located in /usr/share/modsecurity-crs/base_rules.

modsecurity_crs_23_request_limits.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_42_tight_security.conf
modsecurity_crs_45_trojans.conf

The above gives you the amount of security you should need, how can you activate a rule? Just create a symbolic link to /usr/share/modsecurity-crs/activated_rules using:

cd /usr/share/modsecurity-crs/
sudo ln -s /usr/share/modsecurity-crs/base_rules/modsecurity_crs_35_bad_robots.conf ./

Once you are done activating the rules, add them to Apache’s config by going back to our myconf.conf and add this line:

<IfModule security2_module>
Include /usr/share/modsecurity-crs/*.conf
Include /usr/share/modsecurity-crs/activated_rules/*.conf

Save and restart Apache, view logs at /var/log/apache2/modsec_audit.log.

DDOS:

Denial of Service Attack works well with Apache, ModSecurity does not have a rule to protect it yet, but a mod is available to handle that which is mod_evasive. It’s an old mod though but still works, install:

sudo apt-get install libapache2-mod-evasive
sudo mkdir /var/log/apache2/mod_evasive && chmod 777 /var/log/apache2/mod_evasive

Then move to edit the config, edit /etc/apache2/mods-available/evasive.conf and change to this:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097 
DOSPageCount 20
DOSSiteCount 100
DOSPageInterval 3
DOSSiteInterval 5
DOSBlockingPeriod 300

DOSEmailNotify "youremail@site.com"
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/apache2/mod_evasive"
</IfModule>

Save and restart Apache.

Server Token:

Apache Server Token cannot be removed or modified but with help of ModSecurity, it can be done. Just in same myconf.conf add this line to:

SecServerSignature “My Server Signature”

Save and restart.

MySQL

Port: Talking of security in MySQL, I have no much to say or I don’t know much but just changing your port to something unpredictable. Find any occurance of Port = 3306 and replace to your custom, but if you have UFW already working this port can be made publicly inaccessible.

PHP

PHP itself is already secure, security all lies in the server which is Apache we just handled, but still let’s deal with some, all has to do with the php.ini file located in /etc/php5/apache2/php.ini for people using Apache to interpret PHP. FPM guys is located /etc/php5/fpm/php.ini.

Expose PHP: If you check well in the Apache configuration we did above, I already unset the X-Powered-By header which PHP or any other language might set but if you wish to do so with PHP, find this line and set to Off.

expose_php = Off

Errors: Turn off errors so I can’t know your coding structures or your directory structures, it leaks info to other developers turn:

display_errors = Off

Mail X-PHP-Originating-Script Header: This header is included in mails sent with PHP, telling the client the location of the exact script that triggered the mail sending, this isn’t useful to the client but useful for attackers, turn off:

mail.add_x_header = Off

Session Names: Change Session names, as we all know it’s PHPSESSID, be unpredictable…that’s all.

session.name = MYSESSID

In summary, I showed some ways of securing your Ubuntu Server running LAMP.

About the Author:

This article is written by James John, aka Don Jajo, from Nigeria. He is currently a student of Abia State Polytechnic where he study Computer Science. If you have any queries, mail to the author: donjajo4all@gmail.com.

  • Ralf Lang

    If you consider making mysql unaccessible for the outside, just disable networking at all by adding skip-networking to the [mysqld] section of my.cnf and access mysql through unix sockets instead of 127.0.0.1 (localhost) TCP/IP

  • Don Jajo

    Ye, you’re right. Thanks for the add 🙂