LinuxQuestions.org


byran cheung 03-02-2014 08:03 PM

Web server
 
We have newly set up a web server: Redhat, Apache, PHP, MySQL.
It was just put live and runs very well. Could you advise what I need to do to make it more stable, for example in security (e.g. on the Apache or OS side)? At OS level, what do I need to do to monitor the performance?

In short, what functions and what do we need to do for a LAMP web server?

Many thanks

unSpawn 03-03-2014 01:01 AM

Quote:

Originally Posted by byran cheung (Post 5127693)
We have newly set up a web server: Redhat, Apache, PHP, MySQL.
It was just put live and runs very well. Could you advise what I need to do to make it more stable, for example in security (e.g. on the Apache or OS side)? At OS level, what do I need to do to monitor the performance?

You should have thought about security before going live with it.
What applications (+ versions) does the web server provide?
What security measures are in place already?

byran cheung 03-03-2014 03:47 AM

What applications (+ versions) does the web server provide ==> Redhat 6, PHP 5, MySQL 5, Apache 2.1. This is a web server to display product categories and reserve products only, a very simple web server.

What security measures are in place ==> We only use a basic permission file, .httpaccess, to control which subnet can log in; everything else uses the default settings. What else do I need to change? Thanks

TenTenths 03-03-2014 04:43 AM

Some of the things we do here:

O/S Level:
  • Require a BIOS password to change options
  • GRUB Password protection
  • Require root password for single user mode
  • Disable USB mass storage devices
  • Disable Ctrl+Alt+Del from rebooting the server
  • User password change / complexity policies
  • sha512 instead of md5 passwords
  • Idle user timeout
  • No remote root access
  • Configure groups for users and sudo
  • Get rid of wireless kernel modules
  • Enable rollback within YUM
  • Install clamav
  • Use logwatch
  • Use AIDE
  • Use RootKitHunter
  • Remove unnecessary package groups (eg, "X Windows System" "Windows File Server" "DNS Name Server" "FTP Server" "News Server" "Games and Entertainment" "Sound and Video" "Graphics" "Dialup Networking Support")

Within Apache:
  • Use SSL where applicable
  • Disable Proxy modules
  • Lock the apache user account
  • Disable Web Dav Modules
  • Disable Status and Info Modules
  • Disable Autoindex
  • Disable User Directories modules
  • Limit the information in the server token
  • Limit the information in the server signature
Hope this helps.

We have a build document that details all these steps and it's followed for all server builds immediately after O/S installation and before adding any other software to the server.
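As an added example (not TenTenths' build document or any script from this thread), the POSIX shell script below audits a subset of the items in that list against configuration files: ServerTokens/ServerSignature, the proxy, WebDAV, status/info, autoindex and userdir modules, directory listings via Options Indexes, sha512 password hashing in login.defs, remote root SSH login, the usb-storage module, and the RHEL 6 Ctrl+Alt+Del upstart job. File paths are parameters so it can be pointed at a real host's files; the weak and hardened sample files it builds are constructed for illustration and the exact findings strings are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audits part of the checklist above
# against config files and prints one line per item not in the hardened
# state. On a RHEL 6 host the real paths would be /etc/httpd/conf/httpd.conf,
# /etc/login.defs, /etc/ssh/sshd_config, /etc/modprobe.d/*.conf and
# /etc/init/control-alt-delete.conf; the samples below are constructed.

# True if FILE ($1) has an uncommented line "KEY VALUE" ($2 $3), case-insensitive.
conf_has() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1" >/dev/null 2>&1
}

# Apache items: server token/signature, unneeded modules, directory listings.
audit_httpd_conf() {
    f=$1
    conf_has "$f" ServerTokens Prod ||
        echo "httpd: ServerTokens should be Prod (no version in Server header)"
    conf_has "$f" ServerSignature Off ||
        echo "httpd: ServerSignature should be Off (no version on error pages)"
    # Proxy, WebDAV, status/info, autoindex and userdir modules from the list.
    grep -Eio '^[[:space:]]*LoadModule[[:space:]]+(proxy|dav|status|info|autoindex|userdir)[a-z_]*' \
        "$f" 2>/dev/null |
        awk '{ print "httpd: module " $2 " is loaded; disable it if unused" }'
    # "Options Indexes" or "+Indexes" enables listings; "-Indexes" does not match.
    grep -Ei '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?Indexes' \
        "$f" >/dev/null 2>&1 &&
        echo "httpd: Options Indexes enables directory listings"
    return 0
}

# OS items: sha512 hashing ($1 login.defs), no remote root ($2 sshd_config),
# usb-storage disabled ($3 modprobe.d file), Ctrl+Alt+Del not rebooting ($4).
audit_system() {
    conf_has "$1" ENCRYPT_METHOD SHA512 ||
        echo "os: ENCRYPT_METHOD is not SHA512 in login.defs"
    conf_has "$2" PermitRootLogin no ||
        echo "os: PermitRootLogin is not 'no' in sshd_config"
    grep -Ei '^[[:space:]]*(blacklist[[:space:]]+usb-storage|install[[:space:]]+usb-storage[[:space:]]+/bin/(true|false))' \
        "$3" >/dev/null 2>&1 ||
        echo "os: usb-storage is not disabled in modprobe.d"
    grep -Ei '^[[:space:]]*exec[[:space:]]+.*shutdown' "$4" >/dev/null 2>&1 &&
        echo "os: Ctrl+Alt+Del still runs shutdown in control-alt-delete.conf"
    return 0
}

# Constructed weak/hardened sample files in a temp directory; prints its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/httpd-weak.conf" <<'EOF'
ServerTokens OS
ServerSignature On
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule rewrite_module modules/mod_rewrite.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
    cat > "$d/httpd-hard.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
LoadModule rewrite_module modules/mod_rewrite.so
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
EOF
    printf 'ENCRYPT_METHOD MD5\n' > "$d/login.defs-weak"
    printf 'ENCRYPT_METHOD SHA512\n' > "$d/login.defs-hard"
    printf 'PermitRootLogin yes\n' > "$d/sshd_config-weak"
    printf 'PermitRootLogin no\n' > "$d/sshd_config-hard"
    : > "$d/modprobe-weak.conf"
    printf 'install usb-storage /bin/true\n' > "$d/modprobe-hard.conf"
    printf 'exec /sbin/shutdown -r now "Control-Alt-Delete pressed"\n' > "$d/cad-weak.conf"
    printf 'exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"\n' > "$d/cad-hard.conf"
    echo "$d"
}

# Number of findings for variant $2 ("weak" or "hard") in sample dir $1.
count_findings() {
    { audit_httpd_conf "$1/httpd-$2.conf"
      audit_system "$1/login.defs-$2" "$1/sshd_config-$2" "$1/modprobe-$2.conf" "$1/cad-$2.conf"
    } | wc -l
}

dir=$(make_samples)
echo "== weak configuration =="
audit_httpd_conf "$dir/httpd-weak.conf"
audit_system "$dir/login.defs-weak" "$dir/sshd_config-weak" "$dir/modprobe-weak.conf" "$dir/cad-weak.conf"
echo "== hardened configuration: $(count_findings "$dir" hard) finding(s) =="
rm -rf "$dir"
```

Run it as-is to see the weak sample produce fourteen findings and the hardened one none; against a live host, pass the real paths to audit_httpd_conf and audit_system instead. The checks are deliberately string-based so they can run from a build document step before the network is attached; they do not replace the CIS benchmarks unSpawn mentions later in the thread, which cover far more items.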

byran cheung 03-03-2014 08:47 PM

Quote:

Originally Posted by TenTenths (Post 5127867)
Some of the things we do here:

O/S Level:
  • Require a BIOS password to change options
  • GRUB Password protection
  • Require root password for single user mode
  • Disable USB mass storage devices
  • Disable Ctrl+Alt+Del from rebooting the server
  • User password change / complexity policies
  • sha512 instead of md5 passwords
  • Idle user timeout
  • No remote root access
  • Configure groups for users and sudo
  • Get rid of wireless kernel modules
  • Enable rollback within YUM
  • Install clamav
  • Use logwatch
  • Use AIDE
  • Use RootKitHunter
  • Remove unnecessary package groups (eg, "X Windows System" "Windows File Server" "DNS Name Server" "FTP Server" "News Server" "Games and Entertainment" "Sound and Video" "Graphics" "Dialup Networking Support")

Within Apache:
  • Use SSL where applicable
  • Disable Proxy modules
  • Lock the apache user account
  • Disable Web Dav Modules
  • Disable Status and Info Modules
  • Disable Autoindex
  • Disable User Directories modules
  • Limit the information in the server token
  • Limit the information in the server signature
Hope this helps.

We have a build document that details all these steps and it's followed for all server builds immediately after O/S installation and before adding any other software to the server.

Thanks for the reply.

These points seem to be related to security. Apart from security, what else should be done? Thanks

unSpawn 03-04-2014 01:25 AM

Quote:

Originally Posted by byran cheung (Post 5127848)
this is a web server to display product categories and reserve product only , very simple web server.

Is that an off-the-shelf application, or one that's built by you? The point is that you should be clear about who's responsible for updates, bug and security fixes, you should check for updates regularly, and you should test to find out its current security posture. Also note that major version numbers on their own mean absolutely nothing: it isn't (or shouldn't be) "Redhat 6" but "RHEL 6U5", etc. Be precise and know what you run.


Quote:

Originally Posted by byran cheung (Post 5127848)
We only use basic permission file .httpaccess to control the subnet to login , all others use the default setting

While the list provided by TenTenths certainly has items that relate to security what you first of all need to create is an overview of steps to take. For this you should read the Red Hat Enterprise Linux documentation and security sections, followed by the OWASP coding errors / web server documentation and subject the result to at least a combination of GNU/Tiger, the Cisecurity RHEL and Apache benchmarks and running, or having somebody experienced run, OpenVAS against the machine from a remote address.

The main reason for taking a cue from such documentation is authoritativeness (web log posts alone, generally speaking, are the worst thing to glean info from), completeness (it's easy for less experienced persons to lose themselves in details) and the order in which to perform tasks (for example, installing software like AIDE, though I rather prefer Samhain, configuring accounts and setting access restrictions should take place before exposing the machine to the network).

Best read the documentation first so you get the idea, run a baseline scan with the aforementioned tools so you can test the result, implement measures, rinse, repeat. Now that you know what to do and what the approach should be, feel free to ask detailed questions along the way.

HTH

