LinuxQuestions.org

Linux - Newbie: How do i make my apache2 server on Ubuntu 9.04 desktop secure (http://www.linuxquestions.org/questions/linux-newbie-8/how-do-i-make-my-apache2-server-on-ubuntu-9-04-desktop-secure-755769/)

sego banti 09-16-2009 10:17 PM

How do i make my apache2 server on Ubuntu 9.04 desktop secure
 
I am very new to Linux (a few days old). I need to host a payments website for my business, so I need a high level of security.

I have set up apache2, mysql and php, but I am positive the server is nowhere near secure!

I need pointers as to how I can harden the web server, including getting rid of unnecessary bits of 9.04, installing a firewall, setting permissions, etc.

Thanks in advance guys!

i92guboj 09-16-2009 10:31 PM

I would start by ditching Ubuntu in favor of a more server-oriented distro, whatever works better: Debian, Red Hat, ...

Second, on a machine that's supposed to be a web server, and that requires high availability and a high degree of security, the worst enemy is the user himself, even more so if it's a desktop machine. You don't need a desktop on your server; it's just an extra source of instability and problems.

In any case, whatever your choice is in that regard, you should start by disabling all the services you don't need, especially those which open ports to the external world. Make sure that ssh is configured not to allow root login, and keep your site updated if you are using premade php applications or scripts like forums, shopping stuff or whatever.

You can also consider using grsecurity or SELinux; I have no idea if Ubuntu supports either of these.

If you feel adventurous, you can also compile your own Apache and PHP packages; doing so, you can choose to disable all the features that you are not going to use. Fewer parts of PHP and Apache enabled means that you will have fewer things to worry about.

About the firewall, look into iptables; there's a lot to research about that, too much to be explained in a single post here. By default you should deny everything, at least from the outside, except the strictly needed ports.

chrism01 09-17-2009 01:32 AM

Good advice above. Obviously you should only use https (port 443) and get a real CA certificate.
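Putting i92guboj's deny-by-default firewall advice and chrism01's https-only advice together, here is an added example (not posted by anyone in this thread) of a minimal IPv4 ruleset in iptables-restore format: inbound traffic is dropped unless it is ssh from the admin network or https from anywhere, and port 80 is deliberately never opened. ADMIN_NET is an assumed placeholder for the address range you administer from.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny inbound firewall for a
# single https-only web server. Review the output before loading it.
set -eu

# Placeholder (RFC 5737 documentation range); set to your real admin range.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Emit the ruleset on stdout in iptables-restore format.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to our own connections, and obvious junk
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ssh only from the admin network, with a cap on new connections per minute
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -m limit --limit 4/min --limit-burst 8 -j ACCEPT
# https from anywhere; there is no rule for port 80, so plain http is dropped
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# log a sample of what gets dropped so probes show up in syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Sanity check: how many inbound ports does the ruleset open? (expect 2)
open_ports() {
    build_ruleset | grep -c -- '--dport '
}

# Only load the rules when run as root and explicitly asked; otherwise
# just print them so they can be reviewed first.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    build_ruleset | iptables-restore
    # persist; reload with "iptables-restore < /etc/iptables.rules" at boot
    iptables-save > /etc/iptables.rules
else
    build_ruleset
fi
```

Run it without arguments to see the ruleset; run `sh firewall.sh --apply` as root to load and save it.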
