Secure your LAMP based Cloud VPS
Posted by Rupi Singh on 26 August 2015 05:53 PM
We’ve put together a little guide to help you reduce the risk of your LAMP-based servers getting hacked. LAMP is one of the most popular application stacks. It stands for Linux, Apache, PHP and MySQL.
Mitigate the risks of your servers being attacked
General Security Guidelines to be followed for securing your Web Server
For Servers with Apache:
1. Hide the Apache Version number, and other sensitive information
It is essential to hide the Apache Version Number your server is running, as well as other sensitive information. You can do this by following the simple steps listed below.
Add or Edit the following two directives in your httpd.conf file
The ServerSignature directive controls the footer line that appears at the bottom of pages generated by Apache, such as 404 pages, directory listings, etc.
The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to Prod makes Apache send only the product name, with no version or operating system details, so the header reads: Server: Apache
2. Make sure Apache is running under its own user account and group
When Apache is installed, the default user is set as “nobody”. However, if there are other applications that also run as the user nobody on your system, then a compromise of Apache can also compromise those other installations. It is best to add a separate user “apache” and then modify the User and Group directives in httpd.conf to run Apache as its own user.
3. Ensure that files outside the web root directory are not accessed.
It is always good practice to restrict access for files outside the web root directory to maintain security and ensure that these files are only accessed by people who need to access them.
Note that because we set “Options None” and “AllowOverride None”, all options and overrides are turned off for the server. You now have to add them explicitly for each directory that requires an Option or Override.
4. Turn off directory browsing, Follow symbolic links and CGI execution
You can do this with an Options directive inside a Directory tag.
Options -ExecCGI -FollowSymLinks -Indexes
5. Install ModSecurity
ModSecurity is an Apache add-on module that can detect and prevent HTTP attacks. It can come in really handy in preventing SQL injection in case your developers forget to add input validation, and in identifying and blocking information disclosure issues such as leaking detailed error messages, Social Security Numbers or Credit Card Numbers. Follow these steps to install ModSecurity:
yum install mod_security    # RHEL/CentOS
apt-get install libapache2-mod-security2    # Debian/Ubuntu
service httpd restart    # on Debian/Ubuntu: service apache2 restart
6. Disable any unnecessary modules
There are several modules enabled on your Apache Web Server that you may not need. To list the modules that are loaded, run:
grep LoadModule httpd.conf
Here are some modules that are typically enabled but often not needed:
To disable them, add a # sign in front of the corresponding LoadModule lines.
You can also go through the Apache module documentation and disable or enable any that you need.
7. Lower the Timeout value
The default Timeout directive is set to 300 seconds. Decreasing this value helps mitigate the potential effects of a denial of service attack.
8. Limit large requests
In order to mitigate the effects of a denial of service attack, limit the size of the body that can be sent in an HTTP request. If you do not have large uploads then you can limit this to 1Mb via the LimitRequestBody directive.
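The settings from steps 1 to 8 can be checked mechanically. The script below is an added example, not part of the original article: it audits a config file for the directives named above. The sample config, the Timeout value of 45 and the /var/www/html path are constructed for illustration, and the function names are hypothetical.

```sh
# Added example, not from the article: audit an httpd.conf for steps 1-8.
# Assumptions: the last occurrence of a directive wins; included files are not read.
# Print the last value set for directive $2 in file $1 (names are case-insensitive).
directive() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}
# Print one FAIL line per weak or missing setting; return 1 if there were any.
audit_httpd() {
    conf=$1; rc=0
    fail() { echo "FAIL: $1"; rc=1; }
    lc() { directive "$conf" "$1" | tr '[:upper:]' '[:lower:]'; }
    [ "$(lc ServerSignature)" = off ] || fail "ServerSignature is not Off"
    case "$(lc ServerTokens)" in prod|productonly) ;; *) fail "ServerTokens is not Prod" ;; esac
    for d in User Group; do
        case "$(lc "$d")" in ""|nobody|root) fail "$d is unset, nobody or root" ;; esac
    done
    t=$(directive "$conf" Timeout)
    case "$t" in ""|*[!0-9]*) t=300 ;; esac   # unset: assume the 300 s default the article cites
    [ "$t" -lt 300 ] || fail "Timeout is not below 300 seconds"
    case "$(directive "$conf" LimitRequestBody)" in
        ""|0|*[!0-9]*) fail "LimitRequestBody is unset or 0 (unlimited)" ;;
    esac
    # Step 4: no Options line may switch on Indexes, ExecCGI, FollowSymLinks or All.
    awk 'tolower($1) == "options" { for (i = 2; i <= NF; i++) { o = tolower($i); sub(/^\+/, "", o)
             if (o ~ /^(indexes|execcgi|followsymlinks|all)$/) bad = 1 } }
         END { exit bad + 0 }' "$conf" || fail "Options enables Indexes, ExecCGI, FollowSymLinks or All"
    return $rc
}
# Constructed sample config; Timeout 45 and /var/www/html are illustrative values.
sample_hardened() {
    cat <<'EOF'
ServerSignature Off
ServerTokens Prod
User apache
Group apache
Timeout 45
LimitRequestBody 1048576
<Directory />
    Options None
    AllowOverride None
</Directory>
<Directory /var/www/html>
    Options -ExecCGI -FollowSymLinks -Indexes
</Directory>
EOF
}
f=$(mktemp) && sample_hardened > "$f" && audit_httpd "$f" && echo "no findings"; rm -f "$f"
```

Point audit_httpd at a copy of your own httpd.conf to get one FAIL line per setting that still needs attention.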
Application and Database Security
SQL injection is another common way of extracting data from poorly coded websites. Here is how you can prevent it and other such attacks.
For servers with PHP:
1. Run PHP as a separate User
It is recommended to run PHP as a separate user rather than as an Apache module. If you install PHP as an Apache module then PHP will run with the Apache user's permissions, and any compromise of a vulnerable PHP script can lead to a server-wide compromise.
A better way to install PHP is with PHP-FPM, a FastCGI process manager which lets you run and manage PHP scripts as a separate user.
2. Use the POST method to pass important parameters like credit card information
Many developers already know this. PHP has two methods to pass variable information via a form: the GET method and the POST method. The most important difference between these methods is that the GET method makes the information you pass visible to everyone via the URL, while the POST method does not. Hence sensitive information like usernames and passwords should always be passed via the POST method.
3. Always Validate Form and Text Input
Cross site scripting and SQL injection can both be prevented if form or file input is validated.
Cross site scripting allows a hacker to run malicious code on your server by simply uploading a file with malicious code in it to be run on the server. SQL injection allows a hacker to get access to your database by injecting malicious queries into your form to get database information such as table names. A simple way to validate form input in PHP can be found at http://www.w3schools.com/php/php_form_validation.asp
4. Hide the PHP version
Open php.ini and add the following:
expose_php = Off
5. Log all PHP errors to a file and not on the website
display_errors = Off
log_errors = On
error_log = /var/log/httpd/php_error.log
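PHP steps 1, 4 and 5 can be verified together: the php.ini flags must be set, and the PHP-FPM pool must not run as the web server's account. The script below is an added example, not part of the original article; the phpapp account, the socket path and the function names are hypothetical, and the sample files are constructed.

```sh
# Added example, not from the article: audit php.ini and a PHP-FPM pool file.
# Print the last uncommented value of key $2 in INI-style file $1.
ini_get() {
    awk -v want="$2" '
        /^[ \t]*([;#]|\[)/ { next }                  # comments and [section] headers
        index($0, "=") == 0 { next }
        { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k) }
        k == want { v = substr($0, index($0, "=") + 1); sub(/[ \t]+;.*$/, "", v)
                    gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v }
        END { print val }' "$1"
}

# $1 = php.ini, $2 = PHP-FPM pool file, $3 = account the web server runs as.
audit_php() {
    ini=$1; pool=$2; web_user=$3; rc=0
    fail() { echo "FAIL: $1"; rc=1; }
    flag() { ini_get "$ini" "$1" | tr '[:upper:]' '[:lower:]'; }
    case "$(flag expose_php)"     in off|0|false|no) ;; *) fail "expose_php is not Off" ;; esac
    case "$(flag display_errors)" in off|0|false|no) ;; *) fail "display_errors is not Off" ;; esac
    case "$(flag log_errors)"     in on|1|true|yes)  ;; *) fail "log_errors is not On" ;; esac
    [ -n "$(ini_get "$ini" error_log)" ] || fail "error_log is not set"
    pool_user=$(ini_get "$pool" user)
    case "$pool_user" in
        ""|root|nobody|"$web_user") fail "pool user '$pool_user' is unset, shared or the web server account" ;;
    esac
    return $rc
}

# Constructed samples; the phpapp account and the socket path are hypothetical.
sample_php_ini() {
    cat <<'EOF'
[PHP]
;expose_php = On
expose_php = Off
display_errors = On
display_errors = Off   ; the later line wins
log_errors = On
error_log = /var/log/httpd/php_error.log
EOF
}
sample_pool() {
    cat <<'EOF'
[www]
user = phpapp
group = phpapp
listen = /run/php-fpm/www.sock
EOF
}
d=$(mktemp -d) && sample_php_ini > "$d/php.ini" && sample_pool > "$d/www.conf" &&
    audit_php "$d/php.ini" "$d/www.conf" apache && echo "no findings"; rm -rf "$d"
```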
For servers with MySQL or MariaDB:
1. Run MySQL Secure Install
After installing MySQL, run the mysql_secure_installation script.
This script will prompt you to add a MySQL root password, lock root access to localhost and remove any unwanted databases like the test database.
2. Secure MySQL users and Database
Log into your MySQL Server and ensure that all MySQL users have a password, and delete any unwanted users. Grant each user access to only those databases that the user actually needs.
Following the steps detailed above, you can go a long way in ensuring that your customers’ data remains secure. In the next article I will add detailed steps on Linux OS and Firewall Security.