###############################################################################
# $Id$
#
# LAMP stack security -- http://quicloud.com/blug/security.txt
#
#
# Course online at: http://quicloud.com/blug/
# Accepting applications for next course (Feb 27, 2011)! Contact rICh for details
#
# @author rICh
################################################################################

################################################################################
# general
################################################################################
Keep packages up to date!
Use http://random.org/strings/ to generate TRULY random strings for passwords
Use a cloud server to test security on before you push live
Use the CIS Benchmarks https://benchmarks.cisecurity.org/en-us/?route=downloads.multiform
Keep file perms locked as tight as possible (mysql, apache, cron scripts)
Security can introduce weird bugs -- only change one thing at a time
StackOverflow.com -- Use it. Love it.

################################################################################
# Linux
################################################################################
# install firewall -- ufw and firestarter make good front ends
sudo aptitude install iptables [ufw | firestarter]

# make sure all non-interactive accounts (like mysql and apache) have nologin
#   Safe:        www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
#   Not so much: www-data:x:33:33:www-data:/var/www:/bin/bash

# make 'sshers' group & only allow ssh from that group (also disable root login)
# IMPORTANT! Open TWO terminals to your server first!!!
sudo groupadd sshers
sudo usermod -a -G sshers rmorrow

# Configure OpenSSH server
sudo vim /etc/ssh/sshd_config
/======================
PermitRootLogin no
X11Forwarding no
UseDNS no
AllowGroups sshers
\======================

# Restart SSH daemon
sudo /etc/init.d/ssh restart

# Reference:

# VERIFY ssh from remote

# Every time anyone leaves the organization, change passwords!
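Added example for the sshd lockdown above (not part of the course notes): a POSIX sh script that sets the four sshd_config directives idempotently and then verifies the result, so the file can be checked before the restart while the second terminal is still open. The function names, the constructed sample config and the optional path argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the course notes): apply the four sshd_config
# directives from the notes idempotently and verify them before restarting.
# Takes the config path as $1; with no argument it works on a constructed
# sample so it can be run without root. Live path: /etc/ssh/sshd_config.

# set_directive FILE KEY VALUE -- rewrite any existing line for KEY (even a
# commented-out default) to "KEY VALUE"; append it if the file lacks one.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # cat, not mv: keeps the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

harden_sshd_config() {
    f=$1
    set_directive "$f" PermitRootLogin no
    set_directive "$f" X11Forwarding no
    set_directive "$f" UseDNS no
    set_directive "$f" AllowGroups sshers
}

# check_sshd_config FILE -- succeed only if each directive appears exactly
# once, uncommented, with the required value.
check_sshd_config() {
    f=$1
    for want in "PermitRootLogin no" "X11Forwarding no" "UseDNS no" "AllowGroups sshers"; do
        [ "$(grep -Ec "^$want[[:space:]]*\$" "$f")" -eq 1 ] || return 1
    done
    return 0
}

# Constructed sample resembling a distro default: root login commented out
# (so the default applies), X11 forwarding enabled, UseDNS/AllowGroups absent.
sample_config() {
    printf '%s\n' '# Package generated configuration file' 'Port 22' \
        '#PermitRootLogin yes' 'X11Forwarding yes' 'UsePAM yes'
}

if [ -n "$1" ]; then cfg=$1; else cfg=$(mktemp); sample_config > "$cfg"; fi
harden_sshd_config "$cfg"
check_sshd_config "$cfg" && echo "ok: all four directives set in $cfg"
# Live host only: sudo sshd -t -f "$cfg" && sudo /etc/init.d/ssh restart
# (sshd -t validates the syntax first, so a typo cannot lock you out.)
```

Running it a second time changes nothing, which is the property you want before pointing it at the real file.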
# install fail2ban (blocks IPs which seem to be brute-force attacking your server)
# note: requires that you're using an iptables firewall
sudo aptitude install fail2ban

# NEVER, EVER, UNDER ANY CIRCUMSTANCES WHATSOEVER INSTALL 'FTP'. USE SFTP INSTEAD

# check everything with an nmap from a remote server
# full scan of 'yourserver.com' (note: this takes a while)
nmap -Pn yourserver.com

# Nessus is great for vulnerability / penetration testing
http://www.tenable.com/products/nessus

# use a VPN -- OpenVPN (http://openvpn.com/) is *awesome*. Doing this, you can
# block off all public SSH access to a server (SSH only on private)

# if you're in AWS, use the Security Groups AND iptables !!!

################################################################################
# MySQL
################################################################################
# set password for root user (initial password is empty)
MYSQL-PROMPT> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('[something-secure]');

# lock 3306 from all but the servers that need access to it
# if multiple databases are used, lock access down as tight as possible to each
# use SSL to connect to remote MySQL
# http://stackoverflow.com/questions/1593183/how-to-strengthen-mysql-database-server-security
# (I don't like turning off file_priv, BTW)

################################################################################
# Apache
################################################################################
# run as www-data:www-data (or apache:apache in CentOS), NEVER as privileged
# install mod_evasive (brute force blocker)
# try to avoid .htaccess overrides (makes things really confusing)
# Disable SSL2 (Weak SSL)
# Turn off Directory Browsing
# mod_security is a sledgehammer -- use it wisely

################################################################################
# PHP
################################################################################
# grep for and remove any "phpinfo()" calls...
# use Suhosin
# Understand SQL Injection (run all SQL statements through a "cleaner" function)
# put all classes and "secret" stuff outside of docroot (with aliases to make docroot access easy)
# Use classes (and class variables) as much as possible
# Never. Trust. Your. Users.