Build a super secure LAMP server in Linux

Source: Internet
Author: User
This article gives a comprehensive and detailed description of how to harden apache + php + mysql on Linux. By reading it carefully, you can quickly master all aspects of the security configuration of apache, php, and mysql, as well as the cutting-edge and powerful chroot technique. With this knowledge, your WWW server can stay standing in the face of endless SQL injection and cross-site scripting (CSS) attacks.

From several vulnerabilities on the Internet to the hacking of the Lone Swordsman's website, script attacks have caused quite a stir and have finally shown their importance in network attacks. Due to carelessness on the part of program developers, errors of one kind or another may occur in scripts written in Perl, PHP, and ASP. At the least these lead to path leakage; at worst they lead to the entire server being compromised, or even spread to the entire network. Do we have to read each script N times and analyze it carefully? I believe that not everyone has that level of skill, and even those who do would not want to spend so much time and energy.

You may ask: "I want to use free online programs, and I don't want to be hacked. Isn't there a way to have both?"

For Windows hosts, we can use IISLockdown, SecureIIS, and so on.

Two solutions are proposed for *nix hosts. One is to install the mod_security module for apache, and the other is to place LAMP in a chroot jail environment. Of course, the strongest option is to combine the two :)

Next, let's go through the two solutions.

Prerequisites: we only need ordinary linux operating experience, including the use of vi.

First, let's clarify several concepts.

What is Debian? A completely free Linux operating system. What I like most is its apt package management tool, which makes it easy to install or upgrade software! If you are a CERNET user, we recommend upgrading from the E-tech mirror http://debian.ustc.edu.cn or my website http://secu.zzu.edu.cn; CHINANET users can upgrade from http://mirror.gennkbone.org

What is LAMP: it is the abbreviation of Linux Apache MySQL PHP, which is almost the strongest combination for building a site.

What is chroot: short for change root. It restricts a daemon process to a specific root directory, so that the chrooted program can access almost no files or space outside that root. This root directory (the jail) contains all the files required to run the daemon. Once the files are configured correctly, most intruders cannot break out of the jail and access files outside it. In this way, we can restrict intruders to the maximum extent and protect ourselves.

Software involved in this article

Makejail http://www.floc.net/makejail/

A tool that automatically puts the programs required to build a jail into the jail. It is written in python and has versions for debian and openbsd.

Zend Performance Suite http://www.zend.com

Zend developed this suite to accelerate PHP. It includes a code optimizer, an accelerator, and a cache function, and makes php programs fly! You can apply for a 30-day trial version. If you find it easy to use, you can buy it :)

mod_security http://www.modsecurity.org/

A module for apache that provides request filtering and auditing to prevent SQL injection and cross-site scripting attacks.

Assume that we have a debian woody installation on hand and that the apt source has been set correctly.

Upgrade to debian sarge, that is, testing. I think this version is good because its software is newer and has security support, and its main package list includes the makejail software.

First, su to root to upgrade the system and install apache, php, mysql, and gd.

I updated the apt source on CERNET, so I used the apt source debian.ustc.edu.cn of HKUST, which is very fast.

[root@debian /]# apt-get update

Update all software packages

[root@debian /]# apt-get dist-upgrade

[root@debian /]# apt-get install apache php4 php4-gd2 php4-mysql mysql-server mysql-client

Add extension=gd.so and extension=mysql.so to php.ini.

Your system now has apache-1.3.27, php-4.1.2, and mysql-4.0.13 installed.

This is a basic LAMP.

Add another system user. This user will be used by chroot.

[root@debian /]# adduser --home /chroot/apache --shell /dev/null --no-create-home --system --group chrapax

Next, edit the httpd.conf file to remove the redundant apache modules and activate the php module.

[root@debian /]# vi /etc/apache/httpd.conf

Comment out all modules except mod_access, mod_auth, mod_dir, mod_log_config, mod_mime, and mod_alias.

Uncomment the line LoadModule php4_module /usr/lib/apache/1.3/libphp4.so to enable PHP support.

Set ServerAdmin fatb@zzu.edu.cn

Set ServerName secu.zzu.edu.cn
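
An added example, not part of the original article: a shell check for the module-trimming step above. It lists every uncommented LoadModule line in an Apache 1.3 httpd.conf whose shared object is not one of the modules the article keeps. The function names, the matching by .so file name, and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag active LoadModule lines in an Apache 1.3 httpd.conf
# whose shared object is outside the allowlist the article gives.

# Modules the article keeps, by .so basename, plus the PHP module.
ALLOWED="mod_access mod_auth mod_dir mod_log_config mod_mime mod_alias libphp4"

# Print one basename per line for every uncommented LoadModule whose
# shared object is not in ALLOWED. Prints nothing when the config is clean.
unexpected_modules() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ { next }                      # commented-out directive
        tolower($1) == "loadmodule" && NF >= 3 { # directive names ignore case
            path = $3
            gsub(/"/, "", path)                  # tolerate quoted paths
            sub(/.*\//, "", path)                # strip the directory
            sub(/\.so$/, "", path)               # strip the extension
            if (!(path in ok)) print path
        }
    ' "$1"
}

# Constructed sample config (not from the article) for a self-contained run.
write_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config.so
# LoadModule status_module /usr/lib/apache/1.3/mod_status.so
LoadModule mime_module /usr/lib/apache/1.3/mod_mime.so
LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so
  loadmodule cgi_module /usr/lib/apache/1.3/mod_cgi.so
LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
EOF
}

# With a path argument, audit that file; otherwise audit the sample.
if [ "$#" -ge 1 ]; then
    unexpected_modules "$1"
else
    tmp=$(mktemp) && write_sample_conf "$tmp" && unexpected_modules "$tmp"
    rm -f "$tmp"
fi
```

Run it against /etc/apache/httpd.conf after editing; any name it prints is a module that is still loaded but not on the article's list.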

 
