About Securing Your LAMP Stack
This is not a full description of how to secure a LAMP stack, but a list of good ideas for configuration and things you can do to harden your stack.
You can use this ebook as a starting point from which to search further, and more broadly, for specific ways to build a secure server.
Many of the ideas sketched out here apply to servers in general, but most concern web servers, and specifically Linux as the server OS running the Apache web server.
In what follows I will touch on security for the LAMP stack and Apache.
Do not run any daemons that are not needed, and close all ports that are not in use.
To secure your server, this chapter comes with some suggestions on how to harden your LAMP stack.
You can start by enabling UFW (the Uncomplicated Firewall).
Then allow only the ports that you actually use.
Here that is the port for web traffic (port 80). If you administer the server over SSH, also allow the SSH port (22 by default) before enabling the firewall, or you will lock yourself out of a remote machine.
When you log in for the first time, you are ready to create the new user account that you will use to administer your server.
For your new user to have administrative rights, add them to the sudo group.
As root, run this command to add the new user to the sudo group.
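The two first-login steps above (default-deny firewall with only the needed ports open, and an administrative user in the sudo group) as one script. This is an added example, not code from the ebook: it assumes a Debian or Ubuntu system with ufw and adduser installed, that you log in over SSH on port 22 (override with SSH_PORT), and that the web server listens on port 80. The DRY_RUN switch, which prints the commands instead of running them, is this example's own addition so the rules can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example (not from the ebook): first-login hardening of a fresh server.
# Assumptions: Debian/Ubuntu with ufw and adduser, SSH administration on
# port 22 (override with SSH_PORT), web server on port 80. Run as root.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Default-deny inbound, allow only the listed TCP ports, then enable ufw.
# The SSH port is allowed first: enabling ufw with "deny incoming" and no
# SSH rule locks you out of a remote machine.
harden_firewall() {
    ssh_port="${SSH_PORT:-22}"
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow "${ssh_port}/tcp"
    for port in "$@"; do
        run ufw allow "${port}/tcp"
    done
    run ufw --force enable
}

# Create an administrative user and put it in the sudo group.
# --disabled-password: no password login until you set one or install
# an SSH key for the account.
create_admin_user() {
    user="$1"
    run adduser --disabled-password --gecos "" "$user"
    run usermod -aG sudo "$user"
}

# Apply for real only when asked explicitly: ./harden.sh --apply alice
if [ "${1:-}" = "--apply" ]; then
    harden_firewall 80
    create_admin_user "${2:?usage: $0 --apply <username>}"
fi
```

Run it once with DRY_RUN=1 and read the printed ufw lines before applying; add 443 to the harden_firewall call if the site serves TLS. After applying, `ufw status verbose` shows the active rule set.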
Shared memory: /dev/shm is a world-writable tmpfs, and an attacker who gains code execution in a running service such as httpd can drop tools there and run them. Modify /etc/fstab to mount it with noexec, nosuid and nodev, which makes it much harder to abuse.
Open a terminal and enter the following:
Add this somewhere in the file. The setting takes effect at the next reboot, or immediately if you remount with mount -o remount /dev/shm (check with mount | grep /dev/shm):
To guard against spoofed host names in resolver lookups you can open the /etc/host.conf file in a terminal window, like this:
Then, when you have opened the file, add these two lines to it. Note that host.conf only affects the C library's resolver (see host.conf(5)); it does not stop IP-level spoofing on the network, which is the job of the kernel's reverse-path filter (the net.ipv4.conf.all.rp_filter sysctl) and your firewall:
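The /dev/shm and host.conf changes above as a script that can be pointed at a scratch directory first. This is an added example, not code from the ebook; the fstab line and the two host.conf lines are the standard values for these settings, while the ROOT variable and the "only append if not already present" check are this example's own additions so that re-running it never duplicates entries.

```shell
#!/bin/sh
# Added example (not from the ebook): apply the /dev/shm mount options and
# the /etc/host.conf resolver settings. ROOT (default: empty, i.e. the real
# filesystem, which needs root) lets you write the files elsewhere first
# and inspect the result.

ROOT="${ROOT:-}"

# Append a line to a file only if an identical line is not already there,
# so the script is safe to run more than once.
append_once() {
    file="$1"
    line="$2"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if ! grep -Fqx -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Mount /dev/shm with noexec,nosuid,nodev: a binary dropped into this
# world-writable tmpfs (for example by a compromised httpd) cannot be
# executed directly, and setuid bits and device nodes are not honoured.
harden_shm() {
    append_once "$ROOT/etc/fstab" \
        "tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0"
}

# Resolver settings: consult /etc/hosts before DNS, and ask the resolver
# to cross-check forward and reverse lookups (see host.conf(5)).
harden_hostconf() {
    append_once "$ROOT/etc/host.conf" "order hosts,bind"
    append_once "$ROOT/etc/host.conf" "nospoof on"
}

# How many times does an exact line occur in a file? Used to confirm that
# repeated runs do not duplicate entries.
count_line() {
    grep -Fcx -- "$2" "$1"
}
```

After running it against the real filesystem, `mount -o remount /dev/shm` picks up the new fstab options without a reboot; `mount | grep /dev/shm` should then show noexec,nosuid,nodev.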
Nmap (Network Mapper) is a free, open-source network scanner that you can use to find open ports.
To install it, enter this in a terminal window:
Once the tool is installed, you can scan your system for open ports with:
For a SYN scan, which needs root privileges, use the following:
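A scan is only useful if someone compares it against what should be open. The following added example (not from the ebook) reads nmap's grepable output and prints every open TCP port that is not on an allowlist, which turns the scan into a check you can run from cron. The scan text embedded below is a constructed sample in the format of nmap -oG -, not a capture from a real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ebook): flag open ports that are not expected.
# In use, feed a real scan in:  nmap -sS -oG - localhost | unexpected_ports 22 80
# (SYN scans need root; nmap -sT works unprivileged.)

# Reads grepable nmap output (-oG) on stdin and prints each open TCP port
# that is not among the allowed ports given as arguments, one per line.
unexpected_ports() {
    allow=" $* "
    # The "Ports:" field holds comma-separated entries such as
    # 22/open/tcp//ssh///  (port/state/protocol/owner/service/...).
    sed -n 's/.*Ports: //p' \
    | tr ',' '\n' \
    | awk -F/ -v allow="$allow" '
        $2 == "open" && $3 == "tcp" {
            gsub(/^[ \t]+/, "", $1)
            if (index(allow, " " $1 " ") == 0) print $1
        }'
}

# Constructed sample scan (not real data): SSH, HTTP and MySQL open, CUPS closed.
SAMPLE_SCAN='# Nmap 7.80 scan initiated (constructed sample)
Host: 127.0.0.1 ()  Status: Up
Host: 127.0.0.1 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///, 631/closed/tcp//ipp///  Ignored State: closed (996)
# Nmap done'

# Run the check over scan text given as $1 with the remaining arguments
# as the allowlist.
check_scan() {
    scan="$1"; shift
    printf '%s\n' "$scan" | unexpected_ports "$@"
}

# Example: on a LAMP host that only serves HTTP and is managed over SSH,
# an exposed MySQL port is the finding.
check_scan "$SAMPLE_SCAN" 22 80
```

MySQL listening on 3306 is exactly the kind of result this is meant to catch: a database used only by the local Apache/PHP stack should bind to 127.0.0.1 or be blocked by the firewall.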
Logwatch analyses the logs and creates a report that the system can send to you by email. On most systems Logwatch works right out of the box.
Open a terminal and enter the following:
To view the logwatch output:
You can have Logwatch email you a report, in HTML, covering the last week by entering the following:
Logwatch is a really useful tool that can generate regular reports, drawn from the logs, on what has happened on your server.
Install it like this:
Make it run weekly as a cron job:
Make it report on the last week by editing /etc/cron.weekly/00logwatch and adding
to the end of the /usr/sbin/logwatch command.
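The weekly-report setup above as a script. This is an added example, not code from the ebook: it assumes the Debian/Ubuntu package layout (the package installs /etc/cron.daily/00logwatch and the binary at /usr/sbin/logwatch), a recipient of admin@example.com (override with MAILTO), and uses a ROOT variable so the cron file can be written to a scratch directory and inspected first. The logwatch options used (--output, --mailto, --format, --detail, --range) are the tool's documented ones.

```shell
#!/bin/sh
# Added example (not from the ebook): install a weekly Logwatch cron job
# that mails an HTML report covering the previous seven days.
# Assumptions: Debian/Ubuntu paths, recipient in MAILTO, ROOT="" for the
# real filesystem (run as root) or a scratch directory for inspection.

ROOT="${ROOT:-}"
MAILTO="${MAILTO:-admin@example.com}"

# The logwatch invocation for a weekly report. Without --range, logwatch
# reports on "yesterday" only, so a weekly job would silently skip six days.
weekly_logwatch_cmd() {
    printf '%s\n' "/usr/sbin/logwatch --output mail --mailto $MAILTO --format html --detail high --range 'between -7 days and today'"
}

# Write the weekly cron job and remove the daily one the package ships,
# so that the report is not also sent every day.
install_weekly_logwatch() {
    dir="$ROOT/etc/cron.weekly"
    mkdir -p "$dir"
    {
        printf '#!/bin/sh\n'
        printf 'test -x /usr/sbin/logwatch || exit 0\n'
        weekly_logwatch_cmd
    } > "$dir/00logwatch"
    chmod 0755 "$dir/00logwatch"
    rm -f "$ROOT/etc/cron.daily/00logwatch"
}

# Produce the same week-long report once by hand, to the terminal rather
# than by mail, e.g. right after installing to confirm the log parsing works.
preview_weekly_report() {
    /usr/sbin/logwatch --output stdout --format text --detail high --range 'between -7 days and today'
}
```

Run preview_weekly_report once after installation; if it prints sections for sshd, Apache and the package manager, the mailed report will contain the same.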
Tiger is a security audit tool that checks the system for weaknesses and for signs of intrusion. You can install Tiger by entering this in a terminal:
Then run Tiger with:
You can find Tiger's output in this directory:
The security reports can be viewed as follows:
If security is a high priority, a useful tool is Linux process accounting (the acct package on Debian and Ubuntu). It logs which commands have been run on the server, when, and by whom; lastcomm lists the recorded commands and sa summarises them.
You can do several things to reduce the avenues open to an attacker making a brute-force attack on your server. Strong authentication techniques include hardware tokens, one-time passwords, biometric authentication, and SSL/TLS client certificates; these are much more resistant to attack than passwords alone. Keep in mind that attackers can attempt multiple logins at the same time from different clients.
So a timeout delay will at best slow the attacker down somewhat. Using a timeout together with a lockout has a better effect, as the bogus user is refused after a number of unsuccessful retries. On the other hand, lockouts make a denial of service easier: an attacker who deliberately triggers the lockout can keep legitimate users out.
Enforce a password policy where users are required to change passwords regularly, and where passwords must have a minimum length and use special characters, numbers, and upper- and lower-case letters. (Current NIST guidance, SP 800-63B, favours length and screening against known-breached passwords over forced periodic changes and composition rules, so weigh the rotation requirement against the weak passwords it tends to produce.)
Banning IP addresses and domain names is also a help in the battle against attackers.
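The lockout-and-ban idea above, reduced to a check you can run over the SSH daemon's log. This is an added example, not code from the ebook: it counts failed password logins per source address in auth.log lines, ignores addresses on an allowlist, and prints a ufw deny rule for every address at or above a threshold. The log lines embedded below are constructed samples (RFC 5737 documentation addresses), not records from a real server; the threshold, the allowlist and the choice of ufw as the banning mechanism are assumptions.

```shell
#!/bin/sh
# Added example (not from the ebook): find brute-force sources in sshd log
# lines and emit the firewall rules that would ban them.
# Usage:  ban_candidates THRESHOLD [allowlisted-ip ...] < /var/log/auth.log
# Review the output, then run it (as root) to apply the bans.

ban_candidates() {
    threshold="$1"; shift
    allow=" $* "
    awk -v threshold="$threshold" -v allow="$allow" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # e.g. "... Failed password for invalid user bob from 203.0.113.5 port 5022 ssh2"
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") fails[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold && index(allow, " " ip " ") == 0)
                    print "ufw deny from " ip
        }' | sort
}

# Constructed sample log (not real data): two addresses hammering the
# server, one legitimate user who mistyped a password once.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 5022 ssh2
Mar  3 10:01:15 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 5023 ssh2
Mar  3 10:01:19 web1 sshd[2215]: Failed password for root from 203.0.113.5 port 5024 ssh2
Mar  3 10:02:02 web1 sshd[2220]: Failed password for alice from 198.51.100.7 port 40111 ssh2
Mar  3 10:02:40 web1 sshd[2222]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Mar  3 10:03:05 web1 sshd[2230]: Failed password for invalid user test from 192.0.2.9 port 6001 ssh2
Mar  3 10:03:06 web1 sshd[2231]: Failed password for invalid user test from 192.0.2.9 port 6002 ssh2
Mar  3 10:03:07 web1 sshd[2232]: Failed password for invalid user test from 192.0.2.9 port 6003 ssh2'

# Run the check over the sample with threshold $1 and allowlist $2...
check_sample_log() {
    threshold="$1"; shift
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates "$threshold" "$@"
}

# Example: three failures from one address within the window is enough to ban.
check_sample_log 3
```

The threshold is the "number of unsuccessful retries" from the text, and the allowlist is what keeps an attacker from locking out your own office address by forging nothing more than a few wrong passwords from it. Tools such as fail2ban automate exactly this loop, including expiring the ban after a while.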