How to secure web server installed on rhel 5 so that no one can do beck door entry ?

You can't generically guard against that, otherwise it would never be possible in the first place. There's always the option of a new exploit being discovered that is not protected against.

if you google for "apache hardening guide" there are many many useful guides to follow

1 members found this post helpful.

Moved: This thread is more suitable in <Linux-Security> and has been moved accordingly to help your thread/question get the exposure it deserves.

In short: choose the right OS (RHEL requires licensing to be kept up to date: also see Centos, Scientific Linux), ensure you update when updates are released (and this includes anything running in your web stack), install only what you need now, harden the OS including accounts (shell, aging, password strength, SSH pubkey auth), do not disable Selinux, apply access restrictions (limit access to only expose what needs to be exposed) and enable auditing to alert you on any anomalies and act on alerts.

[EDIT]What I'm trying to convey is that prevention is important.[/EDIT]


As for hardening your OS:
- http://www.nsa.gov/ia/_files/os/redh...guide-i731.pdf
- http://www.nsa.gov/ia/_files/os/redh...phlet-i731.pdf
- http://people.redhat.com/sgrubb/file...ning-rhel5.pdf
- http://nvd.nist.gov/scap/content/sty...5-document.htm

Test it:
- http://benchmarks.cisecurity.org/too...ark_v1.1.2.pdf
- GNU/Tiger (locally),
- OpenVAS (or nessusd) remotely,

Learn from common errors:
- https://www.owasp.org/index.php/CWE/...tware_Security
- http://www.sans.org/top25-software-errors/
- https://www.owasp.org/index.php/Cate...op_Ten_Project (http://resources.infosecinstitute.co...s-and-tactics/)

...and if you admin the machine act like an administrator. Know what you do and why you do it. See the http://rkhunter.wiki.sourceforge.net/SECREF?f=print for more.

There is some good advice in this thread. Understand too that there are books on that topic that are over 1,000 pages long. Until you've read 1,000 pages and implemented the techniques, remember that the two page guide you use may make your system slightly more secure, but it's no no way actually secure. If it really matters, get hands on help from someone who HAS read the 1,000 books, or even better someone who wrote the book.

unSpawn said "do not disable selinux" and I want to echo that. Also, one of the popular well known control panels by default enables something called suexec. The people who wrote suexec in the first place strongly want that you shouldn't even consider using it if you don't fully understand it. The documentation warns repeatedly of how dangerous it can be. That's the authors talking about the dangers of their own software. They are not wrong - php + suexec = I can crack it every time. So disable suexec unless you're sure that you REALLY understand it's implications.