03-02-2014, 09:03 PM
|
#1
|
Member
Registered: Sep 2013
Posts: 321
|
Web server
We have newly set up a web server: Redhat, Apache, PHP, MySQL.
It has just been put live and runs very well. Could you advise what I need to do to make it more stable, for example in security (e.g. on the Apache or OS side)? At OS level, what do I need to do to monitor the performance?
In short, what functions do we need, and what do we need to do, for a LAMP web server?
Many thanks
|
|
|
03-03-2014, 02:01 AM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by byran cheung
We have newly set up a web server: Redhat, Apache, PHP, MySQL.
It has just been put live and runs very well. Could you advise what I need to do to make it more stable, for example in security (e.g. on the Apache or OS side)? At OS level, what do I need to do to monitor the performance?
|
You should have thought about security before going live with it.
What applications (+ versions) does the web server provide?
What security measures are in place already?
|
|
|
03-03-2014, 04:47 AM
|
#3
|
Member
Registered: Sep 2013
Posts: 321
Original Poster
|
What applications (+ versions) does the web server provide ==> Redhat 6, PHP 5, MySQL 5, Apache 2.1. This is a web server to display product categories and reserve products only, a very simple web server.
What security measures are in place ==> We only use a basic permission file, .httpaccess, to control the subnet that can log in; everything else uses the default settings. What else do I need to change? Thanks
|
|
|
03-03-2014, 05:43 AM
|
#4
|
Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7 / 8
Posts: 3,529
|
Some of the things we do here:
O/S Level:
- Require a BIOS password to change options
- GRUB Password protection
- Require root password for single user mode
- Disable USB mass storage devices
- Disable Ctrl+Alt+Del from rebooting the server
- User password change / complexity policies
- sha512 instead of md5 passwords
- Idle user timeout
- No remote root access
- Configure groups for users and sudo
- Get rid of wireless kernel modules
- Enable rollback within YUM
- Install clamav
- Use logwatch
- Use AIDE
- Use RootKitHunter
- Remove unnecessary package groups (eg, "X Windows System" "Windows File Server" "DNS Name Server" "FTP Server" "News Server" "Games and Entertainment" "Sound and Video" "Graphics" "Dialup Networking Support")
Within Apache:
- Use SSL where applicable
- Disable Proxy modules
- Lock the apache user account
- Disable Web Dav Modules
- Disable Status and Info Modules
- Disable Autoindex
- Disable User Directories modules
- Limit the information in the server token
- Limit the information in the server signature
Hope this helps.
We have a build document that details all these steps and it's followed for all server builds immediately after O/S installation and before adding any other software to the server.
Last edited by TenTenths; 03-03-2014 at 05:48 AM.
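As an added example (not part of the post above or of the build document it mentions): a shell check that audits an httpd configuration file for the module and banner items in the "Within Apache" list. The module names are the stock Apache httpd ones, the function names are illustrative, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit an httpd config for the Apache items in the list above.

# Modules the list says to disable: proxy, WebDAV, status, info, autoindex, userdir.
UNWANTED='proxy[a-z_]*|dav[a-z_]*|status|info|autoindex|userdir'

# Print the last active (uncommented) value of directive $2 in file $1, lowercased.
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = tolower($2) } END { print v }' "$1"
}

# Print one finding per line for config file $1; print nothing when it is clean.
audit_httpd_conf() {
    # Commented-out LoadModule lines start with "#" and do not match.
    grep -Ei "^[[:space:]]*LoadModule[[:space:]]+(${UNWANTED})_module[[:space:]]" "$1" |
        awk '{ print "module loaded: " $2 }'
    tokens=$(directive_value "$1" ServerTokens)
    case $tokens in
        prod|productonly) ;;   # Prod limits the header to "Server: Apache"
        *) echo "ServerTokens is '${tokens:-unset}', want Prod" ;;
    esac
    sig=$(directive_value "$1" ServerSignature)
    case $sig in
        ''|off) ;;             # unset falls back to the httpd default, Off
        *) echo "ServerSignature is '$sig', want Off" ;;
    esac
}

# Constructed samples: "weak" leaves listed modules on, "hardened" follows the list.
sample_conf() {
    if [ "$1" = weak ]; then
        cat <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule rewrite_module modules/mod_rewrite.so
ServerTokens OS
ServerSignature On
EOF
    else
        printf '%s\n' 'LoadModule rewrite_module modules/mod_rewrite.so' \
            'ServerTokens Prod' 'ServerSignature Off'
    fi
}

# Demo run on the constructed weak config.
tmp=$(mktemp) && sample_conf weak > "$tmp" && audit_httpd_conf "$tmp"; rm -f "$tmp"
```

The check reads one file and takes the last value of each directive; ServerSignature can also be set per virtual host or directory, and included files need to be audited the same way.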
|
|
|
03-03-2014, 09:47 PM
|
#5
|
Member
Registered: Sep 2013
Posts: 321
Original Poster
|
Quote:
Originally Posted by TenTenths
Some of the things we do here:
O/S Level:
- Require a BIOS password to change options
- GRUB Password protection
- Require root password for single user mode
- Disable USB mass storage devices
- Disable Ctrl+Alt+Del from rebooting the server
- User password change / complexity policies
- sha512 instead of md5 passwords
- Idle user timeout
- No remote root access
- Configure groups for users and sudo
- Get rid of wireless kernel modules
- Enable rollback within YUM
- Install clamav
- Use logwatch
- Use AIDE
- Use RootKitHunter
- Remove unnecessary package groups (eg, "X Windows System" "Windows File Server" "DNS Name Server" "FTP Server" "News Server" "Games and Entertainment" "Sound and Video" "Graphics" "Dialup Networking Support")
Within Apache:
- Use SSL where applicable
- Disable Proxy modules
- Lock the apache user account
- Disable Web Dav Modules
- Disable Status and Info Modules
- Disable Autoindex
- Disable User Directories modules
- Limit the information in the server token
- Limit the information in the server signature
Hope this helps.
We have a build document that details all these steps and it's followed for all server builds immediately after O/S installation and before adding any other software to the server.
|
Thanks for the reply,
These points seem to be related to security. Apart from security, what else should be done? Thanks
|
|
|
03-04-2014, 02:25 AM
|
#6
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by byran cheung
this is a web server to display product categories and reserve products only, a very simple web server.
|
Is that an Off the Shelf application? Or one that's built by you? Point is you should be clear who's responsible for updates, bug and security fixes, you should check for updates regularly and you should test to find out its current security posture. Also note that major version numbers on their own mean absolutely nothing: it isn't (or shouldn't be) "Redhat 6" but "RHEL 6U5" etc, etc. Be precise and know what you run.
Quote:
Originally Posted by byran cheung
We only use a basic permission file, .httpaccess, to control the subnet that can log in; everything else uses the default settings
|
While the list provided by TenTenths certainly has items that relate to security what you first of all need to create is an overview of steps to take. For this you should read the Red Hat Enterprise Linux documentation and security sections, followed by the OWASP coding errors / web server documentation and subject the result to at least a combination of GNU/Tiger, the Cisecurity RHEL and Apache benchmarks and running, or having somebody experienced run, OpenVAS against the machine from a remote address.
The main reason for taking a cue from such documentation is authoritativeness (web log posts alone generally speaking are the worst thing to glean info from), completeness (it's easy for lesser-experienced persons to lose themselves in details) and the order in which to perform tasks (for example installing software like AIDE, though I rather prefer Samhain, configuring accounts and setting access restrictions should take place before exposing the machine to the network).
Best read the documentation first so you get the idea, run a baseline scan with aforementioned tools so you can test the result, implement measures, rinse, repeat. Now you know what to do and what the approach should be feel free to ask detailed questions along the way.
HTH
|
|
|