Security Settings for linux servers

The local server architecture is LAMP. The following settings do not add much security.

1. Account Security

Disable unwanted users and system accounts, or set the shell to/sbin/nologin, and set the home directory to/dev/null.

The password cannot be set easily. It is best not to associate the password with your own information, such as date, name, phone number, or website address. It is better to say a word, remember it, and it is not easy for social engineering.

2. Service Security

Disable unnecessary services and modify frequently used service ports (if you use them yourself ).

3. mysql Security

Do not use root connection in php. To create a user, you only need to add, delete, modify, and query the user.

Different users should be created for multiple databases. All remote connection permissions are excluded. If necessary, disable the connection port 3306. If it is just a local connection, the listener is completely unnecessary.

If there is a mysql 0-day, remote overflow is not good.

4. php security

If the php security mode does not affect the existing php program, start the security mode.

Disable php functions. For example, system, passthru, dl, exec, shell_exec, popen, phpinfo, proc_open, chmod, chown, chroot, dir, opendir, readdir, and scandir. I think it is very important. Even if you get the webshell permission, it is hard to mention it. The file listing function should also be disabled. dl is quite interesting.

5. apache Security

The uid user of the apache program. login is prohibited.

Disable some directories from executing php programs.

Php web application, this security is hard to say. Upload, inject, and cross-site. The website path should be "singular", and the background should be well protected.

6. permission settings.

Chmod 700 gcc g ++ perl php make prohibits some development tools. Prevent write code compilation and Elevation of Privilege (get shell in advance ).

Chmod 700 wget chmod rpm yum .. Some download tools and permission control programs are prohibited to prevent uploading and elevation of permission programs and adding execution permissions. Elevation of Privilege.

Chmod 700 ping ifconfig netstat ps .. Disable system configuration commands and network commands.

As I have summarized above, the server will not be occupied without a large 0-day period. Preventing webshell access is a problem with php website programs.

If you have any errors, please correct them. I am also a beginner.