https://dev.webpages.dk/  
 
Securing the LAMP Stack

Here we look briefly at how to secure a LAMP stack.
This is not the complete picture; you should search for more ways of doing this on the net.
One simple but very effective method is an enforced password policy, covered together with the other authentication measures further down.

See also the page on this site where you can generate a password.


About Securing Your LAMP Stack
This is not a full description of how to secure a LAMP stack, but a list of good ideas for configurations and things you can do to secure your stack.
You can use this text as a starting point from which to search further and more broadly for specific ways to build a secure server. Many of the ideas outlined here cover servers in general, but most are about web servers, and specifically Linux as the server OS with the Apache web server.
The rest of this page touches on security for the LAMP stack and Apache.

Do not run any daemons that are not needed, and close all ports that are not in use: every listening service is attack surface that you also have to keep patched.

To secure your server, this chapter comes with some suggestions on how you can harden your LAMP stack.

You can start by enabling UFW (the Uncomplicated Firewall). UFW denies incoming connections by default, so on a remote server allow SSH first (port 22, or whatever port sshd listens on) or you will lock yourself out:
sudo ufw allow 22/tcp

Then allow only the ports you actually use. Here the port for web traffic (port 80); add 443 as well if you serve HTTPS:
sudo ufw allow 80

Finally switch the firewall on:
sudo ufw enable

When you log in for the first time, create the new user account that you will use to administer your server:
adduser newadmin

For the new user to have administrative rights, add it to the sudo group. As root, run this command:
gpasswd -a newadmin sudo

Once you have confirmed that sudo works for the new user, stop logging in as root directly (PermitRootLogin no in /etc/ssh/sshd_config).

Shared memory: /dev/shm is world-writable, so an attacker who gains code execution in a running service, for example httpd, can write a payload there and execute it. Modify /etc/fstab so that nothing in /dev/shm can be executed or run set-uid.

Open a terminal and enter the following:
sudo nano /etc/fstab

Add this line somewhere in the file (many guides add nodev as well). You have to reboot for the setting to be activated, or remount with sudo mount -o remount /dev/shm; then verify with findmnt /dev/shm that the options now include noexec and nosuid:
tmpfs  /dev/shm  tmpfs  defaults,noexec,nosuid  0  0
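As an added example (not code from the original page), here is a small POSIX shell check that verifies the /dev/shm mount options. It parses text in the format of /proc/mounts, so it can be run against the live system with --live or, by default, against a constructed sample that contains a weakly mounted /dev/shm; it checks nodev in addition to the two options the fstab line above sets. The function name, the sample and the --live switch are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the mount options of
# /dev/shm. Input is text in /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# Print the hardening options (noexec nosuid nodev) that are missing from the
# /dev/shm entry, space separated, or NOT_MOUNTED if there is no such entry.
shm_missing_flags() {
    printf '%s\n' "$1" | awk '
        $2 == "/dev/shm" {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            m = split("noexec nosuid nodev", want, " ")
            sep = ""
            for (i = 1; i <= m; i++)
                if (!(want[i] in have)) { printf "%s%s", sep, want[i]; sep = " " }
            print ""
        }
        END { if (!found) print "NOT_MOUNTED" }'
}

# Constructed sample (not a real capture): /dev/shm mounted without noexec.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# With --live read the real mount table, otherwise use the sample above.
if [ "${1:-}" = "--live" ]; then
    missing=$(shm_missing_flags "$(cat /proc/mounts)")
else
    missing=$(shm_missing_flags "$SAMPLE_MOUNTS")
fi

if [ -z "$missing" ]; then
    echo "/dev/shm: ok (noexec, nosuid and nodev all set)"
else
    echo "/dev/shm: missing $missing"
fi
```

Run it as sh shm_check.sh --live after editing fstab and remounting; if it still reports a missing option, the fstab line did not take effect (typically a typo in the mount point or a missing remount).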

Older hardening guides also edit host.conf. Open it in a terminal window like this:
sudo nano /etc/host.conf

Then, when you have opened the file, add these two lines to the configuration file:
order bind,hosts
nospoof on

Note what this does and does not do: nospoof makes the resolver check that the host name found by a reverse lookup resolves back to the original address, which guards against DNS-based host-name spoofing, not against spoofed source IP addresses. On modern glibc systems the lookup order comes from /etc/nsswitch.conf and these keywords are a legacy feature, so check man 5 host.conf on your system before relying on them.

Nmap (Network Mapper) is a free, open-source utility for scanning for open ports.

To install it, enter this in a terminal window:
sudo apt-get install nmap

Now that the tool is installed, you can scan your system for open ports with a TCP connect scan:
nmap -v -sT localhost

or with a SYN scan, which needs raw sockets and therefore root:
sudo nmap -v -sS localhost

Scanning localhost also lists services bound only to 127.0.0.1, which are not reachable from the network, and loopback traffic is not filtered by the UFW rules you set up above. To see what an attacker sees, scan the server's public address from another host and compare the result with the ports you intended to expose.
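The advice above about closing unused ports and the scan just shown both come down to knowing what is listening. As an added example (not code from the original page), the script below audits the listening TCP sockets on the server itself: it parses the output of ss -Hltn, skips sockets bound only to loopback, and reports everything whose port is not on an allowlist. The allowlist, the sample socket table and the --live switch are this example's assumptions; by default it runs against a constructed sample that contains the classic LAMP mistake, MySQL listening on every interface.

```shell
#!/bin/sh
# Added example, not part of the original page: list listening TCP sockets
# that are reachable from the network and not on an allowlist of expected
# ports. Input is the output of `ss -Hltn` (one socket per line, the local
# address:port in the fourth column).

# unexpected_listeners "22 80 443" "<ss output>"
# Prints the local address:port of every listener whose port is not in the
# allowlist and which is not bound to loopback only.
unexpected_listeners() {
    printf '%s\n' "$2" | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 4 {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # text before the last colon
            # Loopback-only sockets are not reachable from the network.
            if (host == "127.0.0.1" || host == "[::1]") next
            if (!(port in ok)) print addr
        }'
}

# Constructed sample (not a real capture), in the column layout of `ss -Hltn`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::]:8080 [::]:*'

# Ports this server is meant to expose (assumed for the example).
ALLOWED_PORTS="22 80 443"

# With --live query the running system, otherwise use the sample above.
if [ "${1:-}" = "--live" ]; then
    found=$(unexpected_listeners "$ALLOWED_PORTS" "$(ss -Hltn)")
else
    found=$(unexpected_listeners "$ALLOWED_PORTS" "$SAMPLE_SS")
fi

if [ -z "$found" ]; then
    echo "no unexpected listeners"
else
    echo "unexpected listeners (bind them to 127.0.0.1 or stop the daemon):"
    echo "$found"
fi
```

On the sample this reports 0.0.0.0:3306 and [::]:8080; the Redis socket on 127.0.0.1 is left alone because nothing outside the host can reach it. A firewall rule hides such a port from the network, but binding the daemon to loopback (bind-address = 127.0.0.1 for MySQL) or stopping it removes the attack surface itself.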

Logwatch analyses the logs and creates a report that the system can send to you as an email. On most systems Logwatch works right out of the box.

Open a terminal and enter the following:
sudo apt-get install logwatch libdate-manip-perl

To view the Logwatch output on the terminal:
sudo logwatch | less

To have Logwatch email you an HTML report covering the last week, enter the following:
sudo logwatch --mailto your.email@example.com --output mail --format html --range 'between -7 days and today'

Logwatch can also produce regular reports on what has happened on your server, taken from the logs. On Debian and Ubuntu the package installs a daily cron job, /etc/cron.daily/00logwatch. To get a weekly report instead, move the job:
mv /etc/cron.daily/00logwatch /etc/cron.weekly/

Then make it cover the last week by editing /etc/cron.weekly/00logwatch and adding ...
--range 'between -7 days and -1 days'

...to the end of the /usr/sbin/logwatch command in that script.
Tiger is a security audit and intrusion detection tool that checks the system's configuration and files against a set of rules. Install it by entering this in a terminal:
sudo apt-get install tiger

Then run Tiger with:
sudo tiger

You can find Tiger's output in this directory:
/var/log/tiger

View the security reports with:
sudo less /var/log/tiger/security.report.*

If security is a high priority, a useful tool is Linux process accounting (the acct package). It logs which commands have been run on the server, when, and by whom:
apt-get install acct

On Debian and Ubuntu accounting is switched on when the package is installed and commands are logged to /var/log/account/pacct; the package's ac command reports login time from /var/log/wtmp, which should already exist (create it if it is missing):
touch /var/log/wtmp

Query the command log with lastcomm, for example everything run by a particular user:
lastcomm --user newadmin

You can do several things to reduce the methods available to an attacker making a brute-force attack on your server.
Strong authentication techniques include:
  • hardware tokens
  • one-time passwords
  • biometric authentication
  • SSL/TLS client certificates
They are much more resistant to guessing attacks than passwords alone.
Attackers can attempt many logins at the same time from different clients.

So a timeout delay between attempts will at best only partly slow the attacker down.
Using a timeout in conjunction with a lockout has a better effect, as the fake user trying to log in is denied after a number of unsuccessful retries. On the other hand, locking an account after failed attempts lets an attacker deliberately lock legitimate users out (a denial of service), so prefer throttling and banning by source IP address over locking the account itself.

An enforced password policy, where users are required to change passwords regularly and passwords must have a minimum length and use special characters, numbers and upper- and lower-case letters, also cuts down what an attacker can guess. Note that current guidance (NIST SP 800-63B) favours long passphrases and screening new passwords against lists of known-breached passwords over forced periodic changes and composition rules, which tend to push users towards predictable patterns.

Banning IP addresses and domain names that keep failing to authenticate also helps in the battle against attackers; fail2ban automates this by watching the logs and adding firewall rules for offending addresses.
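As an added example (not code from the original page), the script below shows the detection logic behind such banning: it counts failed SSH logins per source address in auth.log lines and reports the addresses at or above a threshold, the same decision a tool like fail2ban makes before it blocks an address. The threshold, the constructed log lines (documentation addresses, not a real capture), the --live switch and the optional --apply step that inserts a UFW deny rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: count failed SSH logins per
# source address in auth.log and report the addresses over a threshold.

# failed_logins_by_ip THRESHOLD "<auth.log text>"
# Prints "ADDRESS COUNT" for each source with at least THRESHOLD failures,
# sorted by address so the output is stable.
failed_logins_by_ip() {
    printf '%s\n' "$2" | awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold) print ip, fails[ip]
        }' | sort
}

# Constructed sample log lines (documentation addresses, not a real capture).
SAMPLE_AUTH_LOG='Mar  3 10:12:01 web sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:12:03 web sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:12:05 web sshd[1205]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  3 10:12:06 web sshd[1207]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar  3 10:13:10 web sshd[1210]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:13:12 web sshd[1212]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:14:00 web sshd[1220]: Accepted publickey for newadmin from 192.0.2.10 port 50000 ssh2'

# Failures from one address before it is reported (assumed for the example).
THRESHOLD=3

# With --live read the real log; add --apply to ban offenders with UFW.
if [ "${1:-}" = "--live" ]; then
    offenders=$(failed_logins_by_ip "$THRESHOLD" "$(cat /var/log/auth.log)")
else
    offenders=$(failed_logins_by_ip "$THRESHOLD" "$SAMPLE_AUTH_LOG")
fi

echo "$offenders" | while read -r ip count; do
    [ -n "$ip" ] || continue
    echo "$ip: $count failed logins"
    if [ "${2:-}" = "--apply" ]; then
        # Insert the ban at position 1 so it takes precedence over the allow rules.
        sudo ufw insert 1 deny from "$ip"
    fi
done
```

On the sample only 203.0.113.5 (four failures) crosses the threshold; 198.51.100.7 stays below it and the successful key login from 192.0.2.10 is ignored. Because the rule is keyed on the source address rather than on the account, a flood of bad passwords for newadmin does not lock newadmin out, which is the denial-of-service risk of account lockout discussed above.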



Icons made by Freepik from www.flaticon.com
This page is all about securing the LAMP stack. You will find a couple of tips to harden your server setup.