LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Secure LAMP? (https://www.linuxquestions.org/questions/linux-security-4/secure-lamp-4175441932/)

siddartha 12-18-2012 04:04 AM

Secure LAMP?
 
It seems gone are the days of real, local apps. In the cloud. Or server applets.

I want to run a couple of apps in PHP which need apache and mysql to run.

Could you point out some recent documentation about securing them? At least they should be accessible from the localhost and invisible to the exterior, even without a firewall.

unSpawn 12-18-2012 08:47 AM

Quote:

Originally Posted by siddartha (Post 4851602)
(..) they should be accessible from the localhost and invisible to the exterior,

Then configure them to listen only on the loopback device.


Quote:

Originally Posted by siddartha (Post 4851602)
Could you point out some recent documentation about securing them?

Note security isn't a fire-and-forget one-off. It's a constant cycle of auditing and adjusting.

- A secured server starts with hardening the OS, so start with creating a baseline (so you can document which changes have what effect) and read what documentation your distribution provides. If you want to meditate on the finer points, or if your distribution doesn't provide enough documentation, check out the "Securing Debian" manual, one of the oldest around. Once done check your changes locally with Tiger and from remote with OpenVAS (not netstat or nmap). Bonus points for using the Cisecurity benchmarks (for example what applies to RHEL / Centos / SL).

- Create an application level baseline, so you can document which changes have what effect, visit the web site for your database, web server and interpreter of choice for up to date information and implement what advice their security documentation offers. Then check the SANS InfoSec Reading Room for topics like Web Servers and docs like Step by Step Installation of a Secure Linux Web, DNS and Mail Server, the Top 10 2010 and the OWASP Application Security FAQ. Increase your mana by using the CIS Apache benchmark and remembering to run OpenVAS after you made changes. More bonus points for reading more like Low- to No-Cost Methods to Review Webserver Logs for Potential Security Issues and IT Audit: Security Beyond the Checklist.


* If you want to see a Real Life case then this thread would be a good example IMHO.

HTH
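A defender-side check for the loopback-only advice above, as an added example that is not part of the thread: a small sh/awk filter over `ss -ltnp` output that lists every TCP listener bound to something other than a loopback address. The sample output is constructed; the process and port values in it are illustrative.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are reachable from outside the host.
# Assumes the Linux iproute2 `ss -ltnp` column layout; the sample below is constructed.

# Constructed `ss -ltnp` output: apache bound to all interfaces, mysqld to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("apache2",pid=1234,fd=4))
LISTEN 0      128    [::]:80             [::]:*            users:(("apache2",pid=1234,fd=6))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=2345,fd=21))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=999,fd=3))'

# Reads ss-style output on stdin; prints "PORT PROCESS" for each non-loopback listener.
exposed_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" {
        addr = $4
        sub(/:[0-9]+$/, "", addr)          # keep the address part only
        port = $4; sub(/.*:/, "", port)    # keep the port only
        # 127.0.0.0/8 and ::1 are loopback; everything else is reachable from the network
        if (addr == "[::1]" || addr ~ /^127\./) next
        proc = "unknown"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port, proc
    }'
}

# Runs the filter over the constructed sample so the result can be checked.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}

# On a live host (as root, so ss can show process names): ss -ltnp | exposed_listeners
check_sample
```

The settings that make the listeners disappear from this list are Apache's `Listen 127.0.0.1:80` and MySQL's `bind-address = 127.0.0.1`; rerun the filter after changing them, since a wrong config only shows up as an unexpected line here.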

linosaurusroot 12-21-2012 04:52 AM

While I often agree with unSpawn I'm going to pick on a couple of phrases here:

Quote:

A secured server starts with hardening the OS
that is assuming you've already covered physical security

Quote:

Bonus points for using the Cisecurity benchmarks
These benchmarks have tips on setup of a brand new server with no work on it. They aren't good metrics of security and they ignore all kinds of things that aren't present by default (i.e. all the actual work which is most of what you want secured).

I'm also a believer in some sort of MAC (particularly Apparmor/Subdomain which I've been using since 2001) because merely separating users from each other doesn't protect you from the data you handle.
http://wiki.laptop.org/go/OLPC_Bitfrost#Foreword

unSpawn 12-21-2012 05:04 AM

Quote:

Originally Posted by linosaurusroot (Post 4854239)
that is assuming you've already covered physical security

Good one, though I have to see the first incident reported here that involves physical tampering.


Quote:

Originally Posted by linosaurusroot (Post 4854239)
These benchmarks have tips on setup of a brand new server with no work on it. They aren't good metrics of security and they ignore all kinds of things that aren't present by default (i.e. all the actual work which is most of what you want secured).

...and that's why I added the SANS and OWASP links.

siddartha 12-22-2012 08:25 AM

Thanks. Physical security is partly done: checksums and full disk encryption.

