What is the procedure for securing a Linux, Apache, MySQL, PHP Server (or even Perl) for production use?
Other than setting the MySQL password and the root password for Linux what other (maybe not so obvious) steps should be taken?
Also what steps can I take, if I was going to be extra paranoid, that may not normally be necessary?
This is for a basic single site use but must be secure.
Answer
These recommendations are off of the top of my head and not intended to be comprehensive.
Check out Bastille, it's a series of scripts that implements best practices in Linux.
Don't send authentication data over plaintext protocols. For example, disable FTP. If you send authentication data via Apache, use SSL.
Disable and remove any unnecessary software including the GUI interface.
Audit any files with the SUID bit set and remove. (This will severely limit non-root abilities. Understand the implications for each individual change.)
Audit public writable directories and remove the writable bit. (Leave /tmp alone.)
Avoid running any daemon as root.
Research all multi-user software that listens on sockets in detail for security best practices.
Avoiding adding users to the system is one of the best approaches. Multi-user systems require greater attention to detail.
Enforce password standards. For example: minimum 10 characters, non-alphanumeric characters, using letters and numbers. This is to make brute forcing more difficult in case of password file compromise. Enforce this via the system.
Lock out users after 5 failed authentication attempts with a minimum of 10 minute lockout. Maintain a password history so users can't use the past 5 passwords.
If you have a larger environment, using network segregation with multiple subnets to isolate risk is an absolute requirement. If a smaller environment, running a firewall on the local system to limit exposure is recommended. For example, only allowing SSH to your IP. tcpwrappers can be used too for an extra layer. (/etc/hosts.allow, /etc/hosts.deny)
And, of course, keeping all software up to date. Especially public facing daemons.
With SSH:
- Disable SSH protocol 1
- Only allow root authentication
without-password
(only keypair)
With Apache:
- Disable any modules that are not needed
- Disable .htaccess and public directories
- Disable FollowSymlink and any unnecessary options
- Do not install PHP if you don't need it.
With MySQL:
- Disable default users.
- Don't use wildcard hosts.
- Be sure to set unique host for every user.
- Don't listen on tcp unless necessary. (Unusually unavoidable.)
- Limit application user privileges as much as possible. (SELECT,INSERT,UPDATE,DELETE ideal for write and SELECT for read)
I'd recommend researching php.ini tuning for security specifically. It's riskier software by default.
No comments:
Post a Comment