About Securing Your LAMP Stack
This is not a full description of how to secure a LAMP stack, but it is a list of good ideas for configurations and things you can do to secure your stack.
You can use this ebook as a starting point from which to search further and broader for specific ways to make a secure server.
Many of the ideas sketched out here apply to servers in general, but most are about web servers, and most assume Linux as your server OS with the Apache web server.
In what follows I will touch on security for the LAMP stack and Apache.
You should not run any daemons that are not needed, and you should close all ports that are not in use.
To secure your server, this chapter comes with some suggestions on how you can harden your LAMP stack.
You can start by enabling UFW (Uncomplicated Firewall):
sudo ufw enable
Then allow only the ports that you actually use.
Here the port for web traffic (port 80):
sudo ufw allow 80
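Closing unused ports starts with knowing which ports are open. The following script, an added example and not part of the ebook, reads the output of ss -tlnH (one listening TCP socket per line) and prints every port that is not on an allowlist you pass in, ignoring loopback-only sockets that cannot be reached from the network. The ss output below is constructed so the script runs offline; on a real host you would pipe the live command into the function as shown in the comment.

```sh
#!/bin/sh
# Added example (not from the ebook): flag listening TCP ports that are not on
# an allowlist, so you can see which daemons still need closing or firewalling.
# Input format is that of `ss -tlnH` (no header, 4th field is Local Address:Port).
# The sample below is constructed, not captured from a real host.

SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*'

# unexpected_ports "ALLOWED PORTS" < ss_output
# Prints, one per line, every listening port that is not in the space-separated
# allowlist. Sockets bound only to 127.0.0.1 or ::1 are skipped because they are
# not reachable from the network and so need no firewall rule.
unexpected_ports() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)        # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)   # text before the last colon
        if (host == "127.0.0.1" || host == "[::1]") next
        if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
    }'
}

# On a live host (not run here):  ss -tlnH | unexpected_ports "22 80"
# With the constructed sample this prints 111: port 80 and 22 are allowed and
# 3306 is loopback-only, but the portmapper on 111 is exposed and unexpected.
printf '%s\n' "$SAMPLE_SS" | unexpected_ports "22 80"
```

Every port the script prints is either a daemon to stop or a port to leave out of your ufw allow rules; the allowlist should match exactly the ports you have opened in UFW.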
When you log in for the first time, you are ready to create the new user account that you will use to administer your server.
For your new user to have administrative rights, add it to the "sudo" group.
As root, run this command to add the new user (here called newadmin) to the sudo group.
gpasswd -a newadmin sudo
Shared memory: /dev/shm can be used to attack a running service, for example httpd. Modify /etc/fstab to make it more secure.
Open a terminal and enter the following:
sudo nano /etc/fstab
Add this line somewhere in the file. You have to reboot for this setting to take effect:
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
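Since the change only takes effect after a reboot, it is worth having a check that tells you whether /dev/shm really is mounted tmpfs with noexec and nosuid. The script below is an added example, not from the ebook: the shm_hardened function reads an fstab-format file and reports which of the recommended options are missing. The two fstab snippets are constructed; for a real audit you would pass /etc/fstab.

```sh
#!/bin/sh
# Added example (not from the ebook): verify that an fstab file mounts /dev/shm
# as tmpfs with both noexec and nosuid. Both fstab snippets are constructed;
# run shm_hardened /etc/fstab to audit the real file.

WEAK_FSTAB='UUID=0000-SAMPLE / ext4 errors=remount-ro 0 1
tmpfs /dev/shm tmpfs defaults 0 0'

HARDENED_FSTAB='UUID=0000-SAMPLE / ext4 errors=remount-ro 0 1
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0'

# shm_hardened FSTAB_FILE
# Exit 0 if /dev/shm is a tmpfs entry carrying both noexec and nosuid;
# otherwise print what is wrong (missing options, or no entry at all) and exit 1.
shm_hardened() {
    awk '
    /^[ \t]*#/ { next }                     # skip comment lines
    $2 == "/dev/shm" {
        found = 1
        split("", opt)                       # reset options if the entry repeats
        n = split($4, o, ","); for (i = 1; i <= n; i++) opt[o[i]] = 1
        missing = ""
        if ($3 != "tmpfs")       missing = missing " fstype-not-tmpfs"
        if (!("noexec" in opt))  missing = missing " noexec"
        if (!("nosuid" in opt))  missing = missing " nosuid"
    }
    END {
        if (!found)          { print "no /dev/shm entry"; exit 1 }
        if (missing != "")   { print "missing:" missing; exit 1 }
        exit 0
    }' "$1"
}

# Demo against the two constructed files in a scratch directory
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$WEAK_FSTAB" > "$tmp/fstab.weak"
printf '%s\n' "$HARDENED_FSTAB" > "$tmp/fstab.hard"
shm_hardened "$tmp/fstab.weak" || echo "weak fstab: /dev/shm is not hardened"
shm_hardened "$tmp/fstab.hard" && echo "hardened fstab: OK"
```

Note that this checks the configuration, not the live mount; after the reboot, compare it with the running state by looking at the /dev/shm line in the output of mount.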
To avoid IP spoofing you can open the host.conf file in a terminal window, like this:
sudo nano /etc/host.conf
Then, when you have opened the file, add these two lines to the configuration file:
Nmap (Network Mapper) is a free, open-source utility for scanning for open ports.
To install it, enter this in a terminal window:
sudo apt-get install nmap
Now that the tool is installed, you can scan your system for open ports with:
nmap -v -sT localhost
For a SYN scan, use the following:
sudo nmap -v -sS localhost
Logwatch will analyse logs and create a report that the system can send to you as an email.
Logwatch will, on most systems, work right out of the box.
Open a terminal and enter the following:
sudo apt-get install logwatch libdate-manip-perl
To view the logwatch output:
sudo logwatch | less
You can set Logwatch to send an email to you from the program with a report, in HTML, for the last week, by entering the following:
sudo logwatch --mailto firstname.lastname@example.org --output mail --format html --range 'between -7 days and today'
Logwatch is a really useful tool that can generate regular reports, taken from the logs, on what has happened on your server.
Install it like this:
apt-get install logwatch
Make it run weekly as a cronjob:
mv /etc/cron.daily/00logwatch /etc/cron.weekly/
Make it show output from the last week by editing /etc/cron.weekly/00logwatch and adding
--range 'between -7 days and -1 days'
to the end of the /usr/sbin/logwatch command.
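The two manual steps above (move the cron job to weekly, then append the range option) can be scripted so they are repeatable across servers. The script below is an added example and not from the ebook or the Logwatch project: the weekly_logwatch function performs both steps idempotently against a cron directory tree you pass in. The 00logwatch job content is constructed to resemble the Debian one but is not copied from it, and the demo runs in a scratch directory; passing /etc as the base would apply it to the real cron tree.

```sh
#!/bin/sh
# Added example (not from the ebook): move the Logwatch cron job from
# cron.daily to cron.weekly and append --range 'RANGE' to its logwatch command.
# Safe to run twice: it does nothing if the job is already weekly and already
# carries a --range option. The job file below is a constructed sample.

SAMPLE_JOB='#!/bin/sh
# constructed stand-in for /etc/cron.daily/00logwatch
test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0
/usr/sbin/logwatch --output mail'

# weekly_logwatch CRON_BASE RANGE
weekly_logwatch() {
    base=$1; range=$2
    daily="$base/cron.daily/00logwatch"
    weekly="$base/cron.weekly/00logwatch"
    if [ -f "$daily" ]; then
        mkdir -p "$base/cron.weekly" && mv "$daily" "$weekly"
    fi
    [ -f "$weekly" ] || { echo "no 00logwatch job under $base" >&2; return 1; }
    if grep -q -- '--range' "$weekly"; then
        return 0                        # already configured, nothing to do
    fi
    # Append the option to every line that invokes /usr/sbin/logwatch. The edit
    # is written back with cat, not mv, so the file keeps its executable bit,
    # which run-parts needs in order to run the job at all.
    sed "s#^\(/usr/sbin/logwatch .*\)\$#\1 --range '$range'#" "$weekly" > "$weekly.tmp" \
        && cat "$weekly.tmp" > "$weekly" && rm -f "$weekly.tmp"
}

# Demo in a scratch cron tree (use /etc as the base on a real server)
scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
mkdir -p "$scratch/cron.daily"
printf '%s\n' "$SAMPLE_JOB" > "$scratch/cron.daily/00logwatch"
chmod 755 "$scratch/cron.daily/00logwatch"
weekly_logwatch "$scratch" 'between -7 days and -1 days'
cat "$scratch/cron.weekly/00logwatch"
```

The range string is taken literally, so you can pass the 'between -7 days and -1 days' value from the text or any other range Logwatch accepts; the single quotes end up in the cron script exactly as the text shows.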
Tiger is a useful tool that can be used to detect intrusions into the system. You can install Tiger by entering this in a terminal:
sudo apt-get install tiger
Then you run Tiger with this command:
You can find the output from Tiger in this directory:
The security reports can be viewed as follows:
sudo less /var/log/tiger/security.report.*
If security is a high priority, a useful tool is Linux process accounting. This tool will log which commands have been run on the server, when, and by whom. Install it with:
apt-get install acct
You can do several things to reduce the number of methods available to attackers making a brute-force attack on your server. Strong authentication techniques include hardware tokens, one-time passwords, biometric authentication, and SSL/TLS client certificates; they are much more resistant to attacks. Attackers can attempt multiple logins at the same time from different clients,
so using a timeout delay will at best only partly slow the attacker. Using a timeout in conjunction with a lockout has a better effect, as the fake user trying to log in will be denied after a number of unsuccessful retries. This does, on the other hand, make a DDoS more likely to succeed for the attacker.
Also helpful is an enforced password policy where users are required to change passwords regularly, and where passwords must have a minimum length and use special characters, numbers, and upper- and lower-case characters.
Banning IP addresses and domain names can also help in the battle against attackers.
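Both the lockout decision (per account) and the ban decision (per source address) need the same raw data: who failed to log in, from where, and how often. The script below is an added example, not from the ebook: it extracts account and source IP from sshd "Failed password" lines in syslog format and counts them either way, so you can see an account being hammered from several clients at once as well as a single client hammering many accounts. The log lines are constructed and use documentation address ranges.

```sh
#!/bin/sh
# Added example (not from the ebook): count failed SSH logins per source IP and
# per account from auth.log-style lines, to support ban and lockout decisions.
# The log sample is constructed; on a real host read /var/log/auth.log instead.

SAMPLE_AUTH_LOG='Mar  1 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  1 10:00:03 web1 sshd[2002]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  1 10:00:05 web1 sshd[2003]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  1 10:00:09 web1 sshd[2004]: Accepted publickey for newadmin from 198.51.100.20 port 40000 ssh2
Mar  1 10:00:12 web1 sshd[2005]: Failed password for newadmin from 198.51.100.20 port 40002 ssh2
Mar  1 10:00:15 web1 sshd[2006]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Mar  1 10:00:20 web1 sshd[2007]: Failed password for invalid user oracle from 192.0.2.44 port 33000 ssh2
Mar  1 10:00:22 web1 sshd[2008]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Mar  1 10:00:25 web1 sshd[2009]: Failed password for invalid user oracle from 192.0.2.44 port 33002 ssh2'

# failed_logins < log
# Emits one "account source-ip" pair per sshd password failure. Accounts that do
# not exist are logged as "invalid user NAME", so the name sits two fields later.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") { u = $(i+1); if (u == "invalid" && $(i+2) == "user") u = $(i+3) }
            if ($i == "from") ip = $(i+1)
        }
        print u, ip
    }'
}

# count_over THRESHOLD COLUMN < failed_logins output
# COLUMN 1 counts per account (lockout view), COLUMN 2 per source IP (ban view).
# Prints "count key" for every key at or above THRESHOLD, busiest first.
count_over() {
    awk -v t="$1" -v c="$2" '{ n[$c]++ } END { for (k in n) if (n[k] >= t) print n[k], k }' | sort -rn
}

echo "sources with 3 or more failures (ban candidates):"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins | count_over 3 2
echo "accounts with 3 or more failures (lockout candidates):"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins | count_over 3 1
```

With the sample, 203.0.113.7 and 192.0.2.44 cross the source threshold while only the oracle account crosses the account threshold; the single failure from 198.51.100.20 for newadmin, a real user who also logged in successfully, stays below both and is the kind of event a blunt lockout would punish, which is the trade-off the text describes.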