LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-18-2012, 04:04 AM   #1
siddartha
LQ Newbie
 
Registered: Aug 2012
Posts: 27

Rep: Reputation: Disabled
Secure LAMP?


It seems gone are the days of real, local apps. In the cloud. Or server applets.

I want to run a couple of apps in PHP which need apache and mysql to run.

Could you point out some recent documentation about securing them? At least they should be accessible from the localhost and invisible to the exterior, even without a firewall.
 
Old 12-18-2012, 08:47 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,462
Blog Entries: 54

Rep: Reputation: 2899
Quote:
Originally Posted by siddartha
(..) they should be accessible from the localhost and invisible to the exterior,
Then configure them to listen only on the loopback device.


Quote:
Originally Posted by siddartha
Could you point out some recent documentation about securing them?
Note security isn't a fire-and-forget one-off. It's a constant cycle of auditing and adjusting.

- A secured server starts with hardening the OS, so start with creating a baseline (so you can document which changes have what effect) and read what documentation your distribution provides. If you want to meditate on the finer points, or if your distribution doesn't provide enough documentation, check out the "Securing Debian" manual, one of the oldest around. Once done, check your changes locally with Tiger and from remote with OpenVAS (not netstat or nmap). Bonus points for using the Cisecurity benchmarks (for example what applies to RHEL / Centos / SL).

- Create an application level baseline, so you can document which changes have what effect, visit the web site for your database, web server and interpreter of choice for up to date information and implement what advice their security documentation offers. Then check the SANS InfoSec Reading Room for topics like Web Servers and docs like Step by Step Installation of a Secure Linux Web, DNS and Mail Server, the Top 10 2010 and the OWASP Application Security FAQ. Increase your mana by using the CIS Apache benchmark and remembering to run OpenVAS after you made changes. More bonus points for reading more like Low- to No-Cost Methods to Review Webserver Logs for Potential Security Issues and IT Audit: Security Beyond the Checklist.


* If you want to see a Real Life case then this thread would be a good example IMHO.

HTH
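The loopback-only configuration unSpawn describes, together with a local check that the running services actually honour it, as an added example that is not part of this thread or of any distribution's tooling. The Apache `Listen` and MySQL `bind-address` excerpts are constructed; the file paths named in the comments vary by distribution and are only illustrative; and the socket audit parses the output of `ss -lnt`, with a constructed sample table embedded so the script runs offline. This is a local verification only, so the advice above to check from the outside with OpenVAS still applies.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for a loopback-only LAMP host:
#   1. check_bind_line: does a bind directive restrict the service to loopback?
#   2. audit_listeners: does the live socket table agree? (reads `ss -lnt` output)
# Config excerpts, file paths and the sample socket table are constructed.

# Weak setting beside the loopback-only one (constructed excerpts).
# Apache: ports.conf / httpd.conf            MySQL: my.cnf, [mysqld] section
WEAK_APACHE='Listen 80'                     # all interfaces, reachable from outside
GOOD_APACHE='Listen 127.0.0.1:80'           # loopback only
WEAK_MYSQL='bind-address = 0.0.0.0'         # all interfaces
GOOD_MYSQL='bind-address = 127.0.0.1'       # loopback only; 'skip-networking' = UNIX socket only

# check_bind_line LINE -> returns 0 if LINE limits the service to loopback, else 1
check_bind_line() {
    case "$1" in
        *skip-networking*)          return 0 ;;   # MySQL: no TCP listener at all
        *127.0.0.1*|*'[::1]'*)      return 0 ;;   # IPv4 / IPv6 loopback
        *)                          return 1 ;;   # 'Listen 80', 0.0.0.0, '*', [::] ...
    esac
}

# audit_listeners  (stdin: output of `ss -lnt`)
# Prints each listening TCP socket whose local address is not loopback.
# Returns 0 when every listener is loopback-only, 1 otherwise.
audit_listeners() {
    awk '
        BEGIN    { bad = 0 }
        /^State/ { next }                          # skip the header line
        {
            addr = $4                              # "Local Address:Port" column
            sub(/:[0-9]+$/, "", addr)              # strip the port
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print "exposed listener: " $4
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample of `ss -lnt` output: Apache is loopback-only, MySQL is not.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:80       0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*'

# Stand-alone run: report against the constructed sample.
if printf '%s\n' "$SAMPLE_SS" | audit_listeners; then
    echo "all listeners are bound to loopback"
else
    echo "restrict the bind address in the service config and restart it"
fi
```

On a real host, replace the sample with the live table (`ss -lnt | audit_listeners`) after restarting the services, because a bind directive only takes effect on restart and the socket table is what the outside world actually sees. The `skip-networking` case is treated as safe because MySQL then opens no TCP listener at all, which is the strongest option when every client is local.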
 
Old 12-21-2012, 04:52 AM   #3
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 808
Blog Entries: 2

Rep: Reputation: 203
While I often agree with unSpawn I'm going to pick on a couple of phrases here:

Quote:
A secured server starts with hardening the OS
that is assuming you've already covered physical security

Quote:
Bonus points for using the Cisecurity benchmarks
These benchmarks have tips on setup of a brand new server with no work on it. They aren't good metrics of security and they ignore all kinds of things that aren't present by default (i.e. all the actual work which is most of what you want secured).

I'm also a believer in some sort of MAC (particularly Apparmor/Subdomain which I've been using since 2001) because merely separating users from each other doesn't protect you from the data you handle.
http://wiki.laptop.org/go/OLPC_Bitfrost#Foreword
 
Old 12-21-2012, 05:04 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,462
Blog Entries: 54

Rep: Reputation: 2899
Quote:
Originally Posted by linosaurusroot
that is assuming you've already covered physical security
Good one, though I have to see the first incident reported here that involves physical tampering.


Quote:
Originally Posted by linosaurusroot
These benchmarks have tips on setup of a brand new server with no work on it. They aren't good metrics of security and they ignore all kinds of things that aren't present by default (i.e. all the actual work which is most of what you want secured).
...and that's why I added the SANS and OWASP links.
 
Old 12-22-2012, 08:25 AM   #5
siddartha
LQ Newbie
 
Registered: Aug 2012
Posts: 27

Original Poster
Rep: Reputation: Disabled
Thanks. Physical security is partly done: checksums and full disk encryption.
 
  

