LinuxQuestions.org
Old 03-02-2014, 09:03 PM   #1
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Rep: Reputation: Disabled
Web server


We have newly set up a web server: Redhat, apache, php, mysql.
It was just put live and runs very well. Would you advise what I need to do to make it more stable, for example in security (e.g. on the apache or OS side)? At OS level, what do I need to do to monitor the performance?

In short, what functions do we need and what do we need to do for a LAMP web server?

Many thanks
 
Old 03-03-2014, 02:01 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by byran cheung
We have newly set up a web server: Redhat, apache, php, mysql.
It was just put live and runs very well. Would you advise what I need to do to make it more stable, for example in security (e.g. on the apache or OS side)? At OS level, what do I need to do to monitor the performance?
You should have thought about security before going live with it.
What applications (+ versions) does the web server provide?
What security measures are in place already?
 
Old 03-03-2014, 04:47 AM   #3
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
What applications (+ versions) does the web server provide ==> Redhat 6, PHP 5, mysql 5, apache 2.1. This is a web server to display product categories and reserve products only, a very simple web server.

What security measures are in place ==> We only use a basic permission file, .httpaccess, to control which subnet can log in; all others use the default settings. What else do I need to change? Thanks
 
Old 03-03-2014, 05:43 AM   #4
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,120

Rep: Reputation: 1327
Some of the things we do here:

O/S Level:
  • Require a BIOS password to change options
  • GRUB Password protection
  • Require root password for single user mode
  • Disable USB mass storage devices
  • Disable Ctrl+Alt+Del from rebooting the server
  • User password change / complexity policies
  • sha512 instead of md5 passwords
  • Idle user timeout
  • No remote root access
  • Configure groups for users and sudo
  • Get rid of wireless kernel modules
  • Enable rollback within YUM
  • Install clamav
  • Use logwatch
  • Use AIDE
  • Use RootKitHunter
  • Remove unnecessary package groups (eg, "X Windows System" "Windows File Server" "DNS Name Server" "FTP Server" "News Server" "Games and Entertainment" "Sound and Video" "Graphics" "Dialup Networking Support")

Within Apache:
  • Use SSL where applicable
  • Disable Proxy modules
  • Lock the apache user account
  • Disable Web Dav Modules
  • Disable Status and Info Modules
  • Disable Autoindex
  • Disable User Directories modules
  • Limit the information in the server token
  • Limit the information in the server signature

Hope this helps.

We have a build document that details all these steps and it's followed for all server builds immediately after O/S installation and before adding any other software to the server.

Last edited by TenTenths; 03-03-2014 at 05:48 AM.
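The checklist above is easiest to keep honest with a script that re-checks the build after every change. The following is an added example, not code from the thread or from any poster's build document: a POSIX shell audit that verifies a handful of the items (server token and signature, the proxy/DAV/status/info/autoindex/userdir modules, remote root SSH login, sha512 password hashing) against plain config files. File paths are parameters, so it can be pointed at /etc/httpd/conf/httpd.conf, /etc/ssh/sshd_config and /etc/login.defs on a RHEL 6 box, or, as here, at constructed sample files so the demo runs offline. The "value when the directive is absent" figures are this example's assumptions about the program defaults (Apache ServerTokens Full and ServerSignature Off, OpenSSH PermitRootLogin yes, shadow-utils DES when ENCRYPT_METHOD is unset); check them against the documentation for the versions you actually run.

```shell
#!/bin/sh
# Added example (not from the thread): audit a few hardening items against
# config files. Paths are parameters; the sample files below are constructed.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the value of directive NAME in FILE, skipping commented lines.
# WHICH is "first" (sshd_config: first match wins) or "last" (Apache: last wins).
directive_value() {
    file=$1; name=$2; which=$3
    matches=$(grep -i "^[[:space:]]*$name[[:space:]]" "$file" | awk '{print $2}')
    if [ "$which" = first ]; then
        printf '%s\n' "$matches" | head -n 1
    else
        printf '%s\n' "$matches" | tail -n 1
    fi
}

# Succeed if NAME equals WANT (case-insensitive). DEFAULT is the value the
# program assumes when the directive is absent (assumed defaults, see lead-in).
directive_is() {
    file=$1; name=$2; want=$3; default=$4; which=$5
    got=$(directive_value "$file" "$name" "$which")
    [ -z "$got" ] && got=$default
    [ "$(lower "$got")" = "$(lower "$want")" ]
}

# Succeed if MODULE is loaded by an uncommented LoadModule line.
apache_module_loaded() {
    grep -Ei "^[[:space:]]*LoadModule[[:space:]]+$2[[:space:]]" "$1" >/dev/null
}

# Run all checks, print one line per failure, return the number of failures.
audit_all() {
    httpd=$1; sshd=$2; logindefs=$3; fail=0
    directive_is "$httpd" ServerTokens Prod Full last ||
        { echo "FAIL: ServerTokens is not Prod"; fail=$((fail+1)); }
    directive_is "$httpd" ServerSignature Off Off last ||
        { echo "FAIL: ServerSignature is not Off"; fail=$((fail+1)); }
    for m in proxy_module dav_module status_module info_module \
             autoindex_module userdir_module; do
        if apache_module_loaded "$httpd" "$m"; then
            echo "FAIL: $m is loaded"; fail=$((fail+1))
        fi
    done
    directive_is "$sshd" PermitRootLogin no yes first ||
        { echo "FAIL: PermitRootLogin is not no"; fail=$((fail+1)); }
    directive_is "$logindefs" ENCRYPT_METHOD SHA512 DES last ||
        { echo "FAIL: ENCRYPT_METHOD is not SHA512"; fail=$((fail+1)); }
    return $fail
}

# Constructed sample files (not copied from any real system) for an offline demo.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/httpd.conf.weak" <<'EOF'
ServerTokens OS
ServerSignature On
LoadModule proxy_module modules/mod_proxy.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule rewrite_module modules/mod_rewrite.so
EOF
cat > "$DEMO/httpd.conf.hard" <<'EOF'
ServerTokens Prod
ServerSignature Off
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule status_module modules/mod_status.so
#LoadModule info_module modules/mod_info.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule rewrite_module modules/mod_rewrite.so
EOF
printf '#PermitRootLogin yes\n' > "$DEMO/sshd_config.weak"
printf 'PermitRootLogin no\n'   > "$DEMO/sshd_config.hard"
printf 'MD5_CRYPT_ENAB yes\n'   > "$DEMO/login.defs.weak"
printf 'ENCRYPT_METHOD SHA512\n' > "$DEMO/login.defs.hard"

echo "== weak build =="
audit_all "$DEMO/httpd.conf.weak" "$DEMO/sshd_config.weak" "$DEMO/login.defs.weak" ||
    echo "$? check(s) failed"
echo "== hardened build =="
audit_all "$DEMO/httpd.conf.hard" "$DEMO/sshd_config.hard" "$DEMO/login.defs.hard" &&
    echo "all checks passed"
```

Run it as root against the real files (audit_all /etc/httpd/conf/httpd.conf /etc/ssh/sshd_config /etc/login.defs) after each build step; a non-zero return is the list of items still open. It deliberately reads only the main httpd.conf, so directives set in conf.d/*.conf are not seen; extend the path list if your build puts them there.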
 
Old 03-03-2014, 09:47 PM   #5
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TenTenths
Some of the things we do here:

O/S Level:
  • Require a BIOS password to change options
  • GRUB Password protection
  • Require root password for single user mode
  • Disable USB mass storage devices
  • Disable Ctrl+Alt+Del from rebooting the server
  • User password change / complexity policies
  • sha512 instead of md5 passwords
  • Idle user timeout
  • No remote root access
  • Configure groups for users and sudo
  • Get rid of wireless kernel modules
  • Enable rollback within YUM
  • Install clamav
  • Use logwatch
  • Use AIDE
  • Use RootKitHunter
  • Remove unnecessary package groups (eg, "X Windows System" "Windows File Server" "DNS Name Server" "FTP Server" "News Server" "Games and Entertainment" "Sound and Video" "Graphics" "Dialup Networking Support")

Within Apache:
  • Use SSL where applicable
  • Disable Proxy modules
  • Lock the apache user account
  • Disable Web Dav Modules
  • Disable Status and Info Modules
  • Disable Autoindex
  • Disable User Directories modules
  • Limit the information in the server token
  • Limit the information in the server signature
Hope this helps.

We have a build document that details all these steps and it's followed for all server builds immediately after O/S installation and before adding any other software to the server.
Thanks for the reply.

These points seem to be related to security. Apart from security, what else should be done? Thanks
 
Old 03-04-2014, 02:25 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by byran cheung
This is a web server to display product categories and reserve products only, a very simple web server.
Is that an off-the-shelf application, or one that's built by you? The point is you should be clear who's responsible for updates, bug and security fixes, you should check for updates regularly and you should test to find out its current security posture. Also note that major version numbers on their own mean absolutely nothing: it isn't (or shouldn't be) "Redhat 6" but "RHEL 6U5" etc, etc. Be precise and know what you run.


Quote:
Originally Posted by byran cheung
We only use a basic permission file, .httpaccess, to control which subnet can log in; all others use the default settings.
While the list provided by TenTenths certainly has items that relate to security, what you first of all need to create is an overview of steps to take. For this you should read the Red Hat Enterprise Linux documentation and security sections, followed by the OWASP coding errors / web server documentation, and subject the result to at least a combination of GNU/Tiger, the Cisecurity RHEL and Apache benchmarks and running, or having somebody experienced run, OpenVAS against the machine from a remote address.

The main reason for taking a cue from such documentation is authoritativeness (web log posts alone, generally speaking, are the worst thing to glean info from), completeness (it's easy for lesser-experienced persons to lose themselves in details) and the order in which to perform tasks (for example, installing software like AIDE, though I rather prefer Samhain, configuring accounts and setting access restrictions should take place before exposing the machine to the network).

Best read the documentation first so you get the idea, run a baseline scan with the aforementioned tools so you can test the result, implement measures, rinse, repeat. Now that you know what to do and what the approach should be, feel free to ask detailed questions along the way.

HTH
 