Security Configuration under LAMP

Source: Internet
Author: User

Apache side:

1, Apache has two directives that control how much it says about itself: ServerSignature and ServerTokens.

With the settings shipped in most distribution configs (ServerTokens Full or OS, ServerSignature On), the Server header of every response and the footer of every Apache-generated page (error pages, directory listings) reveal the Apache version, the loaded modules including the PHP version, the server name or IP, and the port. This is obviously not safe: it hands an attacker exactly the version strings needed to pick a known exploit.

The fix is two settings, not a choice between them: set ServerSignature Off (removes the footer) and set ServerTokens Prod (reduces the Server header to just "Apache"). Note that this hides information but does not patch anything, so it complements rather than replaces keeping Apache and PHP updated. PHP's own X-Powered-By header is controlled separately by expose_php in php.ini.

2, The directory named by the DocumentRoot directive in httpd.conf is the public web root: anything inside it can be fetched by any visitor who guesses the path, so do not put important files there (configuration backups, credentials, database dumps, a .git directory). Keep such files outside the web root and have PHP read them from there.

3, The stock httpd.conf contains a large number of commented-out example directives. They have no effect on the running server, but a long file of examples makes it easy to overlook what is actually enabled, and uncommenting one by mistake can switch on a module or option you did not intend. It is recommended to strip them and keep the live configuration short enough to review.

4, By default the Not Found page (and every other Apache-generated error page) carries a footer with the Apache version, the server operating system, the host name and the port. Apache's compiled-in default for ServerSignature is actually Off, but the httpd.conf shipped by most distributions turns it On. The fix is the same pair of directives as in point 1:

Open the configuration file with the vim editor and look for "ServerSignature"; set it to Off so the footer disappears. ServerTokens Prod tells Apache to return only the product name ("Apache") in the Server header of every response.

# vim /etc/httpd/conf/httpd.conf        (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf         (Debian/Ubuntu; there these two directives normally live in /etc/apache2/conf-available/security.conf)

ServerSignature Off
ServerTokens Prod

# apachectl configtest
# service httpd restart                 (RHEL/CentOS/Fedora)
# service apache2 restart               (Debian/Ubuntu)

5, By default Apache answers a request for a directory with the file named by DirectoryIndex (index.html, or index.php if it has been added). If no such file exists and Options Indexes is enabled for that directory, mod_autoindex instead lists every file in it, which is very insecure: backups, uploads and include files become browsable. The solution is:

Edit the Apache configuration file httpd.conf and remove Indexes from the Options line of each <Directory> block: change "Options Indexes FollowSymLinks" to "Options FollowSymLinks" (or to "Options -Indexes", which only subtracts Indexes from whatever the parent directory allows). A directory without an index file then returns 403 Forbidden instead of a listing. Run apachectl configtest and restart Apache afterwards.
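The Apache points above as one runnable hardening script, added here as an example (it is not code from the original post): it rewrites ServerSignature, ServerTokens and the Options lines in a copy of httpd.conf and checks the result. The httpd.conf fragment inside it is constructed for the demo, and the function and variable names (harden_apache_conf, check_apache_conf, WORK, CONF, HARDENED) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: apply the Apache fixes described
# above (ServerSignature, ServerTokens, directory Indexes) to a config file
# and verify them. The httpd.conf below is a constructed fragment written to
# a temp dir; on a real server point the functions at httpd.conf itself.
set -eu

WORK="$(mktemp -d)"
CONF="$WORK/httpd.conf"
HARDENED="$WORK/httpd.conf.hardened"

cat > "$CONF" <<'EOF'
ServerSignature On
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF

# harden_apache_conf IN OUT
#   ServerSignature -> Off   no "Apache/2.4.x (Unix) Server at host Port 80" footer
#   ServerTokens    -> Prod  Server: header becomes just "Apache"
#   Options ...     -> drop Indexes (plain or +Indexes) so a directory with no
#                      index file returns 403 instead of a listing; an Options
#                      line left empty becomes "Options -Indexes", which keeps
#                      whatever the parent allowed and only removes the listing
# Writes OUT rather than editing IN in place, so the original stays for diffing.
# Matches the canonical spelling of the directives (Apache itself is
# case-insensitive), so confirm the result with check_apache_conf afterwards.
harden_apache_conf() {
    sed \
        -e 's/^[[:space:]]*ServerSignature[[:space:]].*/ServerSignature Off/' \
        -e 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens Prod/' \
        -e '/^[[:space:]]*Options[[:space:]]/ s/[[:space:]]+\{0,1\}Indexes[[:space:]]/ /' \
        -e '/^[[:space:]]*Options[[:space:]]/ s/[[:space:]]+\{0,1\}Indexes$//' \
        -e 's/^\([[:space:]]*Options\)$/\1 -Indexes/' \
        "$1" > "$2"
}

# check_apache_conf FILE: returns 0 only if the file explicitly sets
# ServerSignature Off and ServerTokens Prod and no Options line enables Indexes
# ("-Indexes" is allowed, since it removes the option).
check_apache_conf() {
    grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' "$1" || return 1
    grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$' "$1" || return 1
    if grep -Ei '^[[:space:]]*Options[[:space:]]' "$1" \
       | grep -Eiq '[[:space:]][+]?Indexes([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

harden_apache_conf "$CONF" "$HARDENED"
check_apache_conf "$HARDENED" && echo "hardened config written to $HARDENED"
# On a real host, validate before restarting:
#   apachectl configtest && service httpd restart
```

The sed patterns match the directives as they appear in stock distribution configs; run check_apache_conf on the result and apachectl configtest before restarting. Hiding version strings is a hardening step, not a patch: keep Apache and PHP updated regardless.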

PHP side:

Security-related php.ini directives

1, disable_functions = string, default: empty. Lists the built-in functions that may not be called, for example: disable_functions = fopen,popen,file. In practice disabling fopen and file breaks almost every application; the usual production list targets command execution instead (exec, passthru, shell_exec, system, popen, proc_open). The directive is PHP_INI_SYSTEM, so it can be set only in php.ini or the main Apache configuration and cannot be undone by ini_set() or .htaccess.

2, disable_classes = string, default: empty. The same mechanism for classes, and likewise PHP_INI_SYSTEM.

3, display_errors = On|Off, default: On. During development it is convenient for every error to be printed into the page, but once the site is live that prints file paths, SQL fragments and stack traces to visitors, so set it to Off (and keep log_errors = On so the errors still reach the error log).

4, max_execution_time = integer, default: 30. The number of seconds a script may run, which stops one request from consuming CPU indefinitely (0 means no limit, which is also the default on the CLI). On Unix the limit counts only the script's own execution time, not time spent in system calls, sleep() or waiting on a database.

5, memory_limit = integer with a size suffix, default: 128M. The maximum memory one script may allocate; -1 removes the limit. (Old builds only enforced it when PHP was configured with --enable-memory-limit; since PHP 5.2.1 it is always enforced.)

6, open_basedir = string, default: empty. Restricts the files PHP's file functions may open to the listed directory trees (separate several with : on Unix, ; on Windows). Unlike Apache's DocumentRoot, which merely says where the public files are, this is an enforced restriction, but it covers only PHP's own file access: a command started with exec() or system() is not limited by it, so combine it with disable_functions.

7, user_dir = string, default: empty. This directive names the sub-directory of a user's home directory in which PHP scripts must be placed to run under per-user URLs (Apache's mod_userdir). For example, if it is set to demo and user jon wants to run demo.php, there must be a demo directory under jon's home directory and demo.php must be placed in it.

MySQL side:

1. Disable any system services you do not need (for example, if the web server never has to send e-mail, stop the mail service).

2. Close unused ports: list what is listening (ss -ltnp or netstat -ltnp) and firewall everything that is not required.

3. Some security options for the MySQL daemon (mysqld). In my.cnf they are written under [mysqld] without the leading --:

--skip-networking. mysqld stops listening on TCP and accepts only local Unix-socket (or named-pipe) connections, so no remote host can reach the database. This is safe, but it also means you cannot debug or administer the database remotely; if the application runs on a different host, use bind-address to restrict the listener to the private interface instead.

--skip-name-resolve. mysqld no longer reverse-resolves client IP addresses to host names, so the host part of every account must be an IP address or localhost; accounts whose host is a DNS name stop matching. This also removes a DNS dependency (and a DNS-spoofing angle) from every connection.

--skip-show-database. SHOW DATABASES works only for accounts that hold the SHOW DATABASES privilege, so an ordinary user cannot enumerate the list of databases on the server.

--safe-user-create. A user cannot create new accounts with GRANT unless it also has the INSERT privilege on the mysql.user table.
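A single audit script for both the php.ini directives (points 1 to 6 of the PHP section) and the mysqld options (point 3 above), added here as an example rather than taken from the original post. ini_get, is_on, audit_php_ini and audit_mycnf are this example's own helper names, and the four config files it writes to a temp dir are constructed for the demo; log_errors in the hardened php.ini goes one step beyond the text by keeping errors in the log once display_errors is Off.

```shell
#!/bin/sh
# Added example, not from the original post: audit the php.ini directives from
# the PHP section and the mysqld options from the MySQL section. The config
# files below are constructed for the demo; on a live host point audit_php_ini
# at the file `php --ini` reports and audit_mycnf at /etc/my.cnf.
set -eu
WORK="$(mktemp -d)"

cat > "$WORK/php-dev.ini" <<'EOF'
; development settings that must not reach production
display_errors = On
max_execution_time = 0
memory_limit = -1
disable_functions =
open_basedir =
EOF
cat > "$WORK/php-prod.ini" <<'EOF'
display_errors = Off
log_errors = On
max_execution_time = 30
memory_limit = 128M
disable_functions = exec,passthru,shell_exec,system,popen,proc_open
open_basedir = /var/www/html:/tmp
EOF
cat > "$WORK/my-default.cnf" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
EOF
cat > "$WORK/my-hardened.cnf" <<'EOF'
[client]
socket = /var/run/mysqld/mysqld.sock
[mysqld]
# the four daemon options from the text, written without the leading --
skip-networking
skip-name-resolve
skip-show-database
safe-user-create
EOF

# ini_get FILE KEY [SECTION]: prints KEY's value (last assignment wins, as in
# PHP and mysqld); a bare option line such as "skip-networking" yields "on";
# '-' and '_' in keys are interchangeable, as mysqld treats them. With SECTION
# given, only keys under that [SECTION] header count. Inline comments are not
# stripped, so keep comments on their own lines.
ini_get() {
    awk -v key="$2" -v want="${3:-}" '
        function trim(s) { sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s); return s }
        BEGIN { gsub(/-/, "_", key) }
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); sec = trim(sec); next }
        want != "" && sec != want { next }
        {
            line = trim($0); if (line == "") next
            eq = index(line, "=")
            k = eq ? trim(substr(line, 1, eq - 1)) : line
            v = eq ? trim(substr(line, eq + 1)) : "on"
            gsub(/-/, "_", k)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# is_on VALUE: true for on/1/true in any case
is_on() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|1|true) return 0 ;; *) return 1 ;;
    esac
}

# audit_php_ini FILE: prints one line per weak setting, returns 1 if any found
audit_php_ini() {
    f="$1"; rc=0
    v="$(ini_get "$f" display_errors)"
    if is_on "${v:-on}"; then   # unset means PHP's built-in default, which is On
        echo "php: display_errors=On leaks paths and stack traces to visitors"; rc=1
    fi
    [ "$(ini_get "$f" max_execution_time)" != "0" ] || { echo "php: max_execution_time=0 removes the CPU time limit"; rc=1; }
    [ "$(ini_get "$f" memory_limit)" != "-1" ] || { echo "php: memory_limit=-1 removes the memory limit"; rc=1; }
    [ -n "$(ini_get "$f" disable_functions)" ] || { echo "php: disable_functions is empty; exec/system/proc_open stay callable"; rc=1; }
    [ -n "$(ini_get "$f" open_basedir)" ] || { echo "php: open_basedir is unset; scripts may read any file the web user can"; rc=1; }
    return $rc
}

# audit_mycnf FILE: checks the [mysqld] section for the four options above;
# bind-address 127.0.0.1 or ::1 is accepted in place of skip-networking
audit_mycnf() {
    f="$1"; rc=0
    bind="$(ini_get "$f" bind-address mysqld)"
    if ! is_on "$(ini_get "$f" skip-networking mysqld)" && [ "$bind" != "127.0.0.1" ] && [ "$bind" != "::1" ]; then
        echo "mysql: TCP listener reachable from other hosts; set skip-networking or bind-address=127.0.0.1"; rc=1
    fi
    for opt in skip-name-resolve skip-show-database safe-user-create; do
        is_on "$(ini_get "$f" "$opt" mysqld)" || { echo "mysql: $opt not set"; rc=1; }
    done
    return $rc
}

audit_php_ini "$WORK/php-dev.ini"     || echo "-> php-dev.ini needs work"
audit_php_ini "$WORK/php-prod.ini"    && echo "-> php-prod.ini: clean"
audit_mycnf   "$WORK/my-default.cnf"  || echo "-> my-default.cnf needs work"
audit_mycnf   "$WORK/my-hardened.cnf" && echo "-> my-hardened.cnf: clean"
```

The parser deliberately mirrors how the two programs read their files: a later assignment overrides an earlier one, and a mysqld option name matches whether it is spelled with - or _. Because the running configuration can also come from include files the audit did not read, confirm on the live server with php -i and SHOW VARIABLES (for example SHOW VARIABLES LIKE 'skip_networking').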


