Linux Web Server Security Thread

  • dlite922
    Recognized Expert Top Contributor
    • Dec 2007
    • 1586

    Linux Web Server Security Thread

    There's a copious amount of information on the internet about how to secure your web server against script kiddies and junior hackers. As a beginner, it all looks scattered and sometimes conflicting (or two ways of doing the same thing, apparently), and I can't really decide whether the copy-paste scripts are really good for me.

    I'm building my CentOS server and would like everyone to contribute the common things you would do to secure the webserver. I'm not really looking for how-tos here but a list of tasks. I'd like to stick to security for the most part.

    Topic: Linux Webserver (LAMP) Security

    I'll start with the basics:

    #] Strong passwords!

    #] Get all security updates

    #] Do not allow root access in SSH and FTP, and perhaps change the default port 22 to something else, like 8877, and add ListenAddress

    #] Lock down all ports not used in iptables (Any other tips on IP tables? good links?)

    #] Create another user and do not use root, the other user should be in the sudoer file, perhaps can execute only certain commands

    #] (Sort of security): Do not boot to X Windows; use runlevel 3, see the inittab file. You can always start X Windows by typing "startx". Saves memory.



    I'm sure there are many more, but that's what I can think of right now. Please suggest anything and everything you can so we can have a good collection here.

    Thanks!



    Dan




  • Nepomuk
    Recognized Expert Specialist
    • Aug 2007
    • 3111

    #2
    Hi Dan!

    Security updates... CentOS is a RedHat distribution if I remember correctly, so it will probably use YUM as an updater. You can edit /etc/yum/yum-updatesd.conf (change the entry do_update no to do_update yes) to make it install updates automatically. That would be for all of your software, not just security stuff.

    About ssh: You should have a look at /etc/ssh/sshd_config and the sshd manpage. One thing that may be interesting to you is the DenyUsers and AllowUsers options - a black- or whitelist. Find out more here.

    I'm no expert when it comes to iptables, but this article looks like it should help you with quite a few issues.

    sudo: I'm going to write an entry to the Tips and Tricks thread about editing the sudoers file soon, so I won't write much about that right now. Of course, you can always check the sudoers manpage.

    Booting? If you're using Grub as a boot manager, add something like
    Code:
    kernel /boot/vmlinuz-2.6.xx ro root=/dev/hda6 3
    (changing it to your actual vmlinuz-2.6.xx, of course) to /boot/grub/menu.lst and set it as standard. That way, you can still boot with a GUI if you want to.

    Greetings,
    Nepomuk
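The sshd_config points raised in this thread (PermitRootLogin, a non-default Port, ListenAddress, and an AllowUsers/DenyUsers list) can be checked with a small audit script. This is an added example, not code from the thread; the sample configs are constructed and 192.0.2.10 is a TEST-NET placeholder for your own address.

```python
# Added example (not from the thread): audit the sshd_config points raised above
# (PermitRootLogin, Port, ListenAddress, AllowUsers/DenyUsers). sshd keeps the
# FIRST value it sees for a keyword and treats everything after a "Match" line as
# conditional, so the parser mirrors that. Sample configs below are constructed.

def parse_sshd_config(text: str) -> dict:
    """Return {lowercased keyword: first value} for the global section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":                        # conditional blocks start here
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text: str) -> list:
    """List the weak settings; an empty list means all four points are covered."""
    cfg = parse_sshd_config(text)
    findings = []
    # Older OpenSSH (CentOS 5 era) defaulted PermitRootLogin to yes; newer
    # releases default to prohibit-password, so insist on an explicit "no".
    if cfg.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not set to no")
    if cfg.get("port", "22") == "22":
        findings.append("Port is the default 22")
    if "listenaddress" not in cfg:
        findings.append("no ListenAddress: sshd binds every interface")
    if "allowusers" not in cfg and "denyusers" not in cfg:
        findings.append("no AllowUsers/DenyUsers list")
    return findings


# Constructed samples: a stock-looking config and one applying the thread's advice.
SAMPLE_DEFAULT = "#Port 22\n#PermitRootLogin yes\nProtocol 2\nX11Forwarding no\n"
SAMPLE_HARDENED = (
    "Port 8877\n"
    "ListenAddress 192.0.2.10\n"        # TEST-NET address, stands in for your own
    "PermitRootLogin no\n"
    "AllowUsers dan\n"
    "Match Address 192.0.2.0/24\n"      # everything below is conditional, ignored
    "    PasswordAuthentication no\n"
)

if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run it against your real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; remember that sshd only reads the new settings after a restart.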


    • micmast
      New Member
      • Mar 2008
      • 144

      #3
      You might also have to secure your apache installation:
      First, check whether the TRACK / TRACE methods are enabled; this is true by default on a Debian system. Not sure for a CentOS machine.
      To check:
      > nc localhost 80
      TRACE / HTTP/1.0
      via: hello
      (enter a few times)

      If the server returns that it doesn't know this function, you are good. If not, you have 2 options:
      1. add TraceEnable off to your configuration file
      2. add a rewrite condition, also in your configuration file:
      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
      RewriteRule .* - [F]

      When you install php, you might want to change a few settings, like magic quotes (first line of defense against cross site scripting & sql injections) and you might want to put it in safe mode (some functions however will not work, so you might want to verify what is best for you, more information can be found here: PHP: Safe Mode - Manual)

      Next, your MySQL server: I would advise taking a good look at the standard tables that are inserted when installing MySQL. You might not need all of them. Also create a very solid root account, with an insanely difficult password.
      Last item: make sure only connections from the localhost are allowed, unless you really, really, really need other hosts to communicate with your server.

      As for system hardening, you could consider running your entire LAMP server in a chroot environment ( http://www.howtoforge.com/chrooted_d...ubuntu_desktop ); this will ensure that your users only have access to a system that has no extra data except the necessary files to run the LAMP server. An extra note on the chroot environment: please check that there are no executables that don't have the correct permissions set. If you have an executable that allows users to execute and become root for a moment, you might allow them to break the chroot ( How to break out of a chroot() jail - PenguinSecurity Wiki ).

      Those are the things that pop into my head... If I think of something, I will add it.

      edit:
      One more thing: SSH, set PermitRootLogin to No; by default this is Yes, I think, and you don't want that. Also, when using sudo: I'm not against it, but I prefer not to use sudo at all. If your root user has a very strong password, it is reasonably safe, and when you use "su" you know you really want to have root permissions; sudo is typed quickly and is not always required.
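The nc check above can be scripted so you can re-run it against your own server after setting TraceEnable off or adding the RewriteRule. This is an added example, not code from the thread; the sample replies at the bottom are constructed, and the classification (200 with the request echoed back means TRACE is on; 405 from TraceEnable off or 403 from the [F] rule means it is blocked) is the assumption it works from.

```python
import socket

# Added example (not from the thread): the same TRACE probe micmast types into nc,
# done from Python so it can be scripted against your own server after changing
# TraceEnable / the RewriteRule. Sample replies at the bottom are constructed.

def build_trace_request(host: str) -> bytes:
    # HTTP/1.0 so the server closes the connection after one reply
    return f"TRACE / HTTP/1.0\r\nHost: {host}\r\nVia: hello\r\n\r\n".encode()


def parse_status(raw: bytes) -> int:
    """Status code from the first line, or 0 if this is not an HTTP reply."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return 0


def trace_enabled(raw: bytes) -> bool:
    """True when the server answered 200 and echoed the request back (TRACE works).

    TraceEnable off makes Apache answer 405; the RewriteRule .* - [F] variant
    answers 403. Either way this returns False and you are good.
    """
    if parse_status(raw) != 200:
        return False
    head, _, body = raw.partition(b"\r\n\r\n")
    return b"message/http" in head.lower() or b"TRACE / HTTP/1.0" in body


def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Live check: connect, send the probe, read until close, classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed replies, not captured from a real host.
SAMPLE_TRACE_ON = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                   b"TRACE / HTTP/1.0\r\nHost: localhost\r\nVia: hello\r\n\r\n")
SAMPLE_TRACE_OFF = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"
SAMPLE_REWRITE_F = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<h1>Forbidden</h1>"

if __name__ == "__main__":
    print("TRACE enabled on localhost:", probe_trace("localhost"))
```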
