How to secure a web server installed on RHEL 5 so that no one can gain back door entry?
You can't generically guard against that, otherwise it would never be possible in the first place. There's always the option of a new exploit being discovered that is not protected against.
If you google for "apache hardening guide" there are many, many useful guides to follow.
How to secure a web server installed on RHEL 5 so that no one can gain back door entry?
In short: choose the right OS (RHEL requires licensing to be kept up to date: also see CentOS, Scientific Linux), ensure you update when updates are released (and this includes anything running in your web stack), install only what you need now, harden the OS including accounts (shell, aging, password strength, SSH pubkey auth), do not disable SELinux, apply access restrictions (limit access to only expose what needs to be exposed) and enable auditing to alert you on any anomalies and act on alerts.
[EDIT]What I'm trying to convey is that prevention is important.[/EDIT]
There is some good advice in this thread. Understand too that there are books on that topic that are over 1,000 pages long. Until you've read 1,000 pages and implemented the techniques, remember that the two-page guide you use may make your system slightly more secure, but it's in no way actually secure. If it really matters, get hands-on help from someone who HAS read the 1,000 books, or even better someone who wrote the book.
unSpawn said "do not disable SELinux" and I want to echo that. Also, one of the popular, well-known control panels by default enables something called suexec. The people who wrote suexec in the first place strongly want that you shouldn't even consider using it if you don't fully understand it. The documentation warns repeatedly of how dangerous it can be. That's the authors talking about the dangers of their own software. They are not wrong - PHP + suexec = I can crack it every time. So disable suexec unless you're sure that you REALLY understand its implications.
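Three of the settings named in the replies above (SELinux left on, SSH pubkey-only logins, suexec off) can be checked straight from the config files. The script below is an added example, not code from any post in the thread; the function names and sample files are constructed for illustration, and on a RHEL 5 host the real inputs are assumed to be /etc/selinux/config, /etc/ssh/sshd_config and /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example: offline checks for settings named in the thread.
# Every function takes file paths, so it can be run against copies of configs.

# Print the SELINUX= mode from an SELinux config file ("unset" if absent).
selinux_mode() {
    m=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1)
    echo "${m:-unset}"
}

# Print the global PasswordAuthentication value. sshd uses the first
# occurrence of a keyword and defaults to "yes" when none is set.
# Match blocks are not evaluated here.
sshd_password_auth() {
    v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    echo "${v:-yes}"
}

# Succeed if any given Apache config loads mod_suexec or uses SuexecUserGroup.
# Commented-out lines do not count.
suexec_in_use() {
    grep -Eiq '^[[:space:]]*(LoadModule[[:space:]]+suexec_module|SuexecUserGroup)[[:space:]]' "$@"
}

# Print one finding per line; print nothing when all three checks pass.
# Arguments: selinux_config sshd_config httpd_conf [more httpd conf files...]
audit() {
    se=$1; ssh=$2; shift 2
    mode=$(selinux_mode "$se")
    [ "$mode" = "enforcing" ] || echo "SELINUX: mode is $mode, not enforcing"
    [ "$(sshd_password_auth "$ssh")" = "no" ] || echo "SSH: password logins are allowed"
    if suexec_in_use "$@"; then echo "APACHE: suexec is enabled"; fi
    return 0
}

# Constructed sample files (not taken from any real host).
demo=$(mktemp -d)
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$demo/selinux"
printf '#PasswordAuthentication no\nPasswordAuthentication yes\n' > "$demo/sshd"
printf 'LoadModule suexec_module modules/mod_suexec.so\n' > "$demo/httpd"
audit "$demo/selinux" "$demo/sshd" "$demo/httpd"
rm -rf "$demo"
```

On a live host, `getenforce` and `httpd -M` report the running state, which can differ from what the files say until the next reboot or restart.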