How to protect the LAMP server on CentOS or RHEL (1)

Source: Internet
Author: User
Tags: website, server


LAMP is a software stack made up of these components: Linux (the operating system, as the base layer), Apache (the web server running on the operating system), MySQL (or MariaDB, as the relational database management system), and finally PHP (the server-side scripting language used to process and display the information stored in the database).

In this article we assume that each part of this stack is already set up and running, so we focus on securing one or more LAMP servers. It must be emphasized, however, that server-side security is a huge and complicated topic, so you should not expect a single article to cover it fully and comprehensively.

In this article we will discuss the basic things to do to secure each part of the LAMP stack.

Ensure Linux security

If you use ssh to manage your CentOS servers, consider the following tips to secure remote access to the server; they are applied by editing the /etc/ssh/sshd_config configuration file.

1) Where possible, use key-based authentication to log in to the server remotely instead of the basic username-and-password mechanism. This assumes you have already created a key pair for your user name on the client and copied the public key to the server.

PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes

2) Change the port on which sshd listens. A port higher than 1024 is recommended:

Port XXXX

3) Allow only protocol version 2:

Protocol 2

4) Configure the login grace time (how long authentication may take), disallow root login, and restrict which users can log in via ssh:

LoginGraceTime 2m

PermitRootLogin no

AllowUsers gacanepa

5) Allow only specific hosts (and/or specific networks) to log in via ssh:

In the /etc/hosts.deny file:

sshd: ALL

In the /etc/hosts.allow file:

sshd: XXX.YYY.ZZZ. AAA.BBB.CCC.DDD

Here XXX.YYY.ZZZ. stands for the first three octets of an IPv4 network address (the trailing dot makes it a prefix), and AAA.BBB.CCC.DDD is a single IPv4 address. With this setting, only hosts from the network XXX.YYY.ZZZ.0/24 and the host AAA.BBB.CCC.DDD can connect through ssh. All other hosts are disconnected before they reach the login prompt, and an error message similar to this is returned:

(Do not forget to restart the sshd daemon for these changes to take effect: service sshd restart.)

It must be emphasized that, when it comes to blocking inbound connections to your server, this method is fast and simple but rather crude. For further customization, scalability and flexibility, you should consider using iptables and/or fail2ban.
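The five ssh steps above are easy to get subtly wrong (a keyword left at its default, a hosts.allow prefix written without the trailing dot), so a small audit script is worth keeping. The following is an added example, not code from the original article: it checks an sshd_config file for the settings recommended in steps 1 to 4 and simulates the tcp_wrappers matching from step 5. The sshd_config contents, the addresses 192.168.1.0/24 and 10.0.0.7 standing in for XXX.YYY.ZZZ. and AAA.BBB.CCC.DDD, and the function names are all constructed for the demonstration; the tcp_wrappers simulation covers only the pattern forms used in the article (ALL, a network prefix ending in a dot, an exact address).

```shell
#!/bin/sh
# Added example, not part of the original article: audit an sshd_config file
# against the settings recommended above, and simulate the host matching that
# tcp_wrappers applies to /etc/hosts.allow and /etc/hosts.deny. All input files
# and addresses below are constructed for the demonstration.

SAMPLE_SSHD_CONFIG=$(mktemp)
SAMPLE_SSHD_HARDENED=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SSHD_HARDENED"' EXIT

# Constructed config that still carries two weak settings (password logins, port 22).
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
LoginGraceTime 2m
AllowUsers gacanepa
EOF

# The same file with the article's recommendations applied.
sed -e 's/^Port 22$/Port 2222/' -e 's/^PasswordAuthentication yes$/PasswordAuthentication no/' \
    "$SAMPLE_SSHD_CONFIG" > "$SAMPLE_SSHD_HARDENED"

# sshd_effective FILE KEYWORD: print the value sshd would use. sshd takes the
# first non-comment occurrence of a keyword, so the first match wins here too.
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE: print one WEAK line per deviation; exit 0 only if clean.
check_sshd_config() {
    failures=0
    for pair in "PasswordAuthentication no" "PubkeyAuthentication yes" \
                "PermitRootLogin no" "Protocol 2"; do
        key=${pair% *}; want=${pair#* }
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "WEAK: $key is '${got:-unset}', expected '$want'"
            failures=$((failures + 1))
        fi
    done
    port=$(sshd_effective "$1" Port)          # unset means the default, 22
    if [ "${port:-22}" -le 1024 ]; then
        echo "WEAK: Port is ${port:-22}, the article recommends a port above 1024"
        failures=$((failures + 1))
    fi
    if [ -z "$(sshd_effective "$1" AllowUsers)" ]; then
        echo "WEAK: AllowUsers is not set, so every account may log in over ssh"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# tcpwrap_match PATTERN ADDRESS: exit 0 if a hosts.allow/hosts.deny pattern
# matches ADDRESS. Simplified to the forms used in the article: ALL, a network
# prefix ending in "." (XXX.YYY.ZZZ. covers XXX.YYY.ZZZ.0/24), or an exact address.
tcpwrap_match() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Constructed equivalent of "sshd: XXX.YYY.ZZZ. AAA.BBB.CCC.DDD" in hosts.allow,
# with "sshd: ALL" in hosts.deny catching everything that is not listed.
SSHD_ALLOW="192.168.1. 10.0.0.7"

# ssh_allowed ADDRESS: exit 0 if ADDRESS gets past the two files above.
ssh_allowed() {
    for pattern in $SSHD_ALLOW; do
        tcpwrap_match "$pattern" "$1" && return 0
    done
    return 1
}

echo "== weak sample =="
check_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "-> fix before exposing sshd"
echo "== hardened sample =="
check_sshd_config "$SAMPLE_SSHD_HARDENED" && echo "-> no deviations"
for ip in 192.168.1.25 192.168.10.25 10.0.0.7 10.0.0.8; do
    if ssh_allowed "$ip"; then echo "$ip: allowed"; else echo "$ip: refused by hosts.deny"; fi
done
```

Note the 192.168.10.25 case: it is refused because the prefix 192.168.1. only matches addresses whose fourth component follows the third dot, which is exactly why the trailing dot in XXX.YYY.ZZZ. matters. To audit a real server, point check_sshd_config at /etc/ssh/sshd_config instead of the constructed file.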

Ensure Apache Security

1) Ensure that the system user running the Apache web server cannot access a shell:

# grep -i apache /etc/passwd

If apache has a login shell (such as /bin/sh), change it to /bin/false or /sbin/nologin:

# usermod -s /sbin/nologin apache

For the /etc/httpd/conf/httpd.conf file, see the following suggestions (2 to 5):

2) Disable directory listing: this prevents the browser from displaying the contents of a directory that has no index.html.

Delete the word Indexes from the Options directive:

# The Options directive is complex and important. See
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# to learn more.
Options Indexes FollowSymLinks

should become:

Options None

In addition, make sure that per-directory and virtual host settings do not override the global configuration.

Note that in this example, if we check the settings for the /var/www/icons directory, we find that "Indexes MultiViews FollowSymLinks" should be changed to "None".

Before the change:

<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

After the change:

<Directory "/var/www/icons">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

3) Hide the Apache version and the module/operating system information on error pages (such as the Not Found and Forbidden pages). Apache does not accept a comment after a directive on the same line, so the explanations go on their own lines:

# Return only "Apache" in the HTTP Server response header, without a version number
ServerTokens Prod
# Hide the operating system information in the signature appended to generated pages
ServerSignature Off
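Suggestions 1 to 3 are all things that a later edit, a package update or a forgotten per-directory block can silently undo, so they are worth checking rather than assuming. The following is an added example, not code from the original article: it scans an httpd.conf excerpt for Options directives that enable Indexes (reporting the enclosing Directory block, and ignoring an explicit -Indexes), checks ServerTokens and ServerSignature, and checks the apache account's login shell in a passwd file. The httpd.conf excerpt, the passwd lines and the function names are constructed for the demonstration; only the paths and directive names from the article are real.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an httpd.conf excerpt
# for the three Apache items above (directory listing via Options Indexes,
# ServerTokens, ServerSignature) and check the apache account's login shell.
# The config and passwd contents below are constructed for the demonstration.

SAMPLE_HTTPD_CONF=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
SAMPLE_PASSWD_FIXED=$(mktemp)
trap 'rm -f "$SAMPLE_HTTPD_CONF" "$SAMPLE_PASSWD" "$SAMPLE_PASSWD_FIXED"' EXIT

cat > "$SAMPLE_HTTPD_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
Options Indexes FollowSymLinks
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
EOF
printf 'root:x:0:0:root:/root:/bin/bash\napache:x:48:48:Apache:/var/www:/bin/sh\n' > "$SAMPLE_PASSWD"
# What the passwd entry looks like after "usermod -s /sbin/nologin apache".
sed 's#^\(apache:.*:\)/bin/sh$#\1/sbin/nologin#' "$SAMPLE_PASSWD" > "$SAMPLE_PASSWD_FIXED"

# find_indexes_options FILE: print "<context>: <Options line>" for every Options
# directive that enables Indexes, tracking the enclosing <Directory> block so the
# finding can be tied to a path. "-Indexes" (explicitly disabled) is not reported.
find_indexes_options() {
    awk '
        /^[ \t]*<Directory[ \t>]/ {
            ctx = $0
            sub(/^[ \t]*<Directory[ \t]*/, "", ctx); sub(/>.*$/, "", ctx); gsub(/"/, "", ctx)
        }
        /^[ \t]*<\/Directory>/ { ctx = "" }
        /^[ \t]*Options([ \t]|$)/ {
            for (i = 2; i <= NF; i++)
                if ($i == "Indexes" || $i == "+Indexes") {
                    line = $0; sub(/^[ \t]+/, "", line)
                    printf "%s: %s\n", (ctx == "" ? "global" : ctx), line
                    break
                }
        }' "$1"
}

# httpd_directive FILE NAME: value of a server-wide directive (last occurrence wins).
httpd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# check_httpd_conf FILE: print one WEAK line per finding; exit 0 only if clean.
check_httpd_conf() {
    failures=0
    hits=$(find_indexes_options "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/WEAK: directory listing enabled at /'
        failures=$((failures + $(printf '%s\n' "$hits" | wc -l)))
    fi
    tokens=$(httpd_directive "$1" ServerTokens)
    if [ "$tokens" != "Prod" ]; then
        echo "WEAK: ServerTokens is '${tokens:-unset, which means Full}', expected 'Prod'"
        failures=$((failures + 1))
    fi
    sig=$(httpd_directive "$1" ServerSignature)
    case "$sig" in
        Off|"") ;;   # unset defaults to Off, so only an explicit On/EMail is a finding
        *) echo "WEAK: ServerSignature is '$sig', expected 'Off'"; failures=$((failures + 1)) ;;
    esac
    [ "$failures" -eq 0 ]
}

# check_apache_shell PASSWD_FILE: exit 0 if the apache account cannot get a shell.
check_apache_shell() {
    shell=$(awk -F: '$1 == "apache" { print $NF }' "$1")
    case "$shell" in
        /sbin/nologin|/bin/false) return 0 ;;
        "") echo "no apache account in $1"; return 1 ;;
        *)  echo "WEAK: apache has login shell $shell (run: usermod -s /sbin/nologin apache)"; return 1 ;;
    esac
}

check_httpd_conf "$SAMPLE_HTTPD_CONF" || echo "-> httpd.conf needs attention"
check_apache_shell "$SAMPLE_PASSWD" || true
check_apache_shell "$SAMPLE_PASSWD_FIXED" && echo "apache shell is fine after usermod"
```

On the constructed excerpt the script reports four findings: the global Options line and the /var/www/icons block both enable Indexes (the /var/www/html block with -Indexes is correctly left alone), ServerTokens is OS rather than Prod, and ServerSignature is On. On a real server, run check_httpd_conf against /etc/httpd/conf/httpd.conf and any files it includes, and check_apache_shell against /etc/passwd.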

