Secure your LAMP based Cloud VPS
Posted by Rupi Singh on 26 August 2015 05:53 PM
We’ve put together a little guide to help you reduce the risk of your LAMP based servers getting hacked. LAMP is one of the most popular application stacks; it stands for Linux, Apache, PHP and MySQL.

Mitigate the risks of your servers being attacked

General Security Guidelines to be followed for securing your Web Server
For Servers with Apache:

1. Hide the Apache version number and other sensitive information

It is essential to hide the Apache version number your server is running, as well as other sensitive information. You can do this by following the simple steps listed below. Add or edit the following two directives in your httpd.conf file:

    ServerSignature Off
    ServerTokens Prod

The ServerSignature appears at the bottom of pages generated by Apache such as 404 pages, directory listings, etc. The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to Prod reduces the header to:

    Server: Apache

2. Make sure Apache is running under its own user account and group

When Apache is installed, the default user is set as “nobody”. However, if other applications on your system also run as the user nobody, then a compromise of Apache can also compromise those installations. It is best to add a separate user “apache” and then modify the following directives in httpd.conf to run Apache as its own user:

    User apache
    Group apache

3. Ensure that files outside the web root directory are not accessed

It is always good practice to restrict access to files outside the web root directory, so that these files are only reached by people who need to access them:

    <Directory />
        Options None
        AllowOverride None
    </Directory>

Note that because we set “Options None” and “AllowOverride None”, this turns off all options and overrides for the whole server. You now have to add them explicitly for each directory that requires an Option or Override.

4. Turn off directory browsing, following of symbolic links and CGI execution

You can do this with an Options directive inside the Directory tag for your web root:

    Options -ExecCGI -FollowSymLinks -Indexes

5. Install ModSecurity

ModSecurity is an Apache add-on module which can detect and prevent HTTP attacks. It comes in really handy for preventing SQL injection in case your developers forget to add input validation, and for identifying and blocking information disclosure issues such as leaking detailed error messages, Social Security Numbers or credit card numbers. Follow these steps to install mod_security.

On CentOS:

    yum install mod_security

On Ubuntu:

    apt-get install mod_security

Then restart Apache:

    service httpd restart

6. Disable any unnecessary modules

There are several modules enabled on your Apache web server that you may not need. To list the modules that are loaded, run:

    grep LoadModule httpd.conf

Here are some modules that are typically enabled but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex. To disable them, add a # sign in front of their LoadModule lines. You can also go through the Apache module documentation and disable or enable any that you need.

7. Lower the Timeout value

The default Timeout directive is set to 300 seconds. Decreasing this value helps mitigate the potential effects of a denial of service attack:

    Timeout 45

8. Limit large requests

In order to mitigate the effects of a denial of service attack, limit the amount of body that can be sent in an HTTP request. If you do not have large uploads then you can limit this to 1 MB via the directive below:

    LimitRequestBody 1048576

Application and Database Security

SQL injection is another common way of extracting data from poorly coded websites. Here is how you can prevent it and other such attacks.
For servers with PHP:

1. Run PHP as a separate user

It is recommended to install PHP as a separate user rather than as an Apache module. If you install PHP as an Apache module then PHP runs with the Apache user’s permissions, and any compromise of a vulnerable PHP script can lead to a server-wide compromise. A better way to install PHP is with php-fpm, a FastCGI process manager which lets you run and manage PHP scripts as a separate user.

2. Use the POST method to pass important parameters like credit card information

Many developers already know this. PHP has two methods to pass variable information via a form: the GET method and the POST method. The most important difference between them is that the GET method makes the information you pass visible to everyone via the URL, while the POST method does not. Hence sensitive information like usernames and passwords should always be passed via the POST method.

3. Always validate form and text input

Cross-site scripting and SQL injection can both be prevented if form or file input is validated. Cross-site scripting allows a hacker to run malicious code on your server by simply uploading a file with malicious code in it to be run on the server, and SQL injection allows a hacker to get access to your database by injecting malicious queries through your form to obtain database information such as table names. A simple way to validate PHP form input can be found at http://www.w3schools.com/php/php_form_validation.asp

4. Hide the PHP version

Open php.ini (for example with vim /etc/php.ini) and add the following:

    expose_php = Off

5. Log all PHP errors to a file and not on the website

    display_errors = Off
    log_errors = On
    error_log = /var/log/httpd/php_error.log

For servers with MySQL or MariaDB:

1. Run mysql_secure_installation

After installing MySQL, run the mysql_secure_installation script:

    sudo /usr/bin/mysql_secure_installation

This script will prompt you to set a MySQL root password, restrict root access to localhost and remove any unwanted databases such as the test database.

2. Secure MySQL users and databases

Log into your MySQL server and ensure that all MySQL users have a password, and delete any unwanted users. Grant access only to those databases that the respective users would use.

Following the steps detailed above, you can go a long way in ensuring that your customers’ data remains secure. In the next article I will add detailed steps on Linux OS and firewall security.
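As an added example that is not part of the original article, the POSIX shell script below audits an httpd.conf and a php.ini against the values recommended in the Apache and PHP sections above (ServerTokens, ServerSignature, User and Group, Timeout, LimitRequestBody, the often-unneeded modules, expose_php, display_errors, log_errors and error_log). The function names and the two sample config files it writes are constructed for this example; on a real server pass the paths of your own files to audit_lamp_configs.

```shell
# Added example, not from the original article: audit an httpd.conf and a
# php.ini against the values this guide recommends. Sample files are constructed.
# Finding when the last occurrence of an Apache directive differs from the
# expected value; directive names match case-insensitively, as in Apache.
check_apache_directive() {   # <httpd.conf> <Directive> <expected>
    actual=$(grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | tail -n1 | awk '{print $2}')
    [ "$actual" = "$3" ] && return 0
    echo "httpd.conf: $2 is '${actual:-unset}', expected '$3'"
}
# Finding for each "often not needed" module still loaded (# lines are ignored).
check_apache_modules() {   # <httpd.conf>
    for m in imap include info userdir status cgi autoindex; do
        if grep -qE "^[[:space:]]*LoadModule[[:space:]]+${m}_module" "$1"; then
            echo "httpd.conf: mod_$m is loaded but usually not needed"
        fi
    done
}
# Finding when a php.ini setting's last occurrence differs (; lines are ignored).
check_php_setting() {   # <php.ini> <setting> <expected>
    actual=$(grep -iE "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n1 |
             sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ "$actual" = "$3" ] && return 0
    echo "php.ini: $2 is '${actual:-unset}', expected '$3'"
}
# Run every check from the guide: one finding per line, then "findings: N".
audit_lamp_configs() {   # <httpd.conf> <php.ini>; always exits 0
    findings=$(
        for d in "ServerTokens Prod" "ServerSignature Off" "User apache" \
                 "Group apache" "Timeout 45" "LimitRequestBody 1048576"; do
            check_apache_directive "$1" $d
        done
        check_apache_modules "$1"
        for s in "expose_php Off" "display_errors Off" "log_errors On" \
                 "error_log /var/log/httpd/php_error.log"; do
            check_php_setting "$2" $s
        done
    )
    [ -n "$findings" ] && echo "$findings"
    echo "findings: $(printf '%s' "$findings" | grep -c .)"
}
# Constructed sample configs for a partly hardened server (not real files).
write_samples() {   # <dir>
    printf '%s\n' 'ServerTokens OS' 'ServerSignature Off' 'User nobody' 'Group nobody' \
        'Timeout 300' 'LimitRequestBody 1048576' \
        'LoadModule status_module modules/mod_status.so' \
        '#LoadModule info_module modules/mod_info.so' > "$1/httpd.conf"
    printf '%s\n' '; constructed php.ini' 'expose_php = On' 'display_errors = Off' \
        'log_errors = On' 'error_log = /var/log/httpd/php_error.log' > "$1/php.ini"
}
dir=$(mktemp -d) && write_samples "$dir"
audit_lamp_configs "$dir/httpd.conf" "$dir/php.ini"   # real use: pass your own paths
rm -rf "$dir"
```

Lines that are commented out are treated as disabled, which is exactly what step 6 above relies on, so a `#LoadModule` line never produces a finding.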