[sclug] Recommendations for hardening an Apache, MySQL and PHP server?

Martin Summers Martin.Summers at ansys.com
Fri Dec 16 07:51:25 UTC 2005


Hello There .....

No doubt this question has been asked before, in many guises, but here it is again, just in case things have changed significantly since the last time this question was asked/answered:-

I have the glorious task of building a public, internet-facing company web server, which is going to be using Apache, PHP and MySQL for the data side of things. It is not going to be used for financial transactions, but may hold simple customer data, and be capable of e-mailing them information. I will have some web users who will need to be able to update the web content, PHP code and MySQL database, but the rest is just system admin. All admin and system access will be done by ssh2.

What I would like to know is what people recommend in terms of system hardening to make this as secure as I can?

At present, the system I have started to build is a Redhat Enterprise 4 system, with most of the packages stripped out apart from the ones that I need, and what is left has been updated. I have enabled SELinux, but so far I have not found a good document that explains a practical way to harden a LAMP-type server using the SELinux facilities (any suggestions or pointers?).

Also, since I am not managing the PHP and web content, I am not sure what I need to do to protect against cross-site/service scripting - any suggestions or ideas would be most welcome!

Here's a quick rundown of what I was thinking of starting with:-

1) Redhat enterprise 4 release 1 to be installed.
2) Excess packages have been removed.
3) Existing packages be updated.
4) Services have been reduced to bare minimum.
5) User accounts and groups have been removed.
6) Permissions on startup scripts have been changed.
7) Adding users needed to manage MySQL and upload to the web server.
8) passwd, shadow, group and services files to be immutable.
9) SUID and SGID programs detected - bits removed.
10) Login time for root account and PAM changes.
11) Virtual console login tied down.
12) Password changing restrictions to be implemented (part of the PAM changes above).
13) System resource usage to be tied down.
14) TCP wrappers to be configured.
15) IPtables additional configuration.
16) Harden Apache config (any reference docs?).
17) Check sshd config.
18) SNORT installation and config.
19) Tripwire installation and config.
20) Configure Sendmail for sending e-mails (accepts from localhost only).
21) Run nessus against web server.
22) Tainted shell.
23) Remote syslog mirroring.
24) Rootkit detector (the jury is still out on whether this is a good thing to have pre-installed or not - opinions?).
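As an added example for items 16 and 17 on the list (this is editorial example code, not something from Martin's post or from the ANSYS build): a small POSIX sh audit that reads an sshd_config and an httpd.conf offline and prints one line per weak setting, so the check can be re-run after every config change. The four sample config files are constructed here for the demonstration; the directive names are real OpenSSH and Apache 2.0 directives, and the defaults the comments mention (Protocol 2,1 and PermitRootLogin yes in OpenSSH of that era, ServerTokens OS and ServerSignature On in the stock Red Hat httpd.conf) are the ones those packages shipped with.

```sh
#!/bin/sh
# Added example, not part of the original post: an offline audit of two of the
# configs on the checklist above, sshd_config (item 17) and httpd.conf (item 16).
# The four sample config files written below are constructed for this demo;
# the directive names are real OpenSSH and Apache 2.0 directives.

# Effective (lower-cased) value of a directive. sshd_config honours the FIRST
# uncommented occurrence, Apache the LAST, so each helper applies its own rule.
# Commented lines never match because "#Key" is not equal to "Key".
sshd_value()  { awk -v k="$2" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$1"; }
httpd_value() { awk -v k="$2" 'tolower($1)==tolower(k) {v=$2} END {print tolower(v)}' "$1"; }

# Count input lines (turns a findings list into a number).
count_lines() { awk 'END {print NR}'; }

# Print one line per weakness found in an sshd_config.
audit_sshd_config() {
    # A 2005-era OpenSSH defaulted to "Protocol 2,1"; insist on exactly 2.
    [ "$(sshd_value "$1" Protocol)" = "2" ] \
        || echo "sshd: Protocol is not exactly 2, so SSH1 is still accepted"
    # Unset means the OpenSSH default of "yes".
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] \
        || echo "sshd: PermitRootLogin is not no (unset defaults to yes)"
    [ "$(sshd_value "$1" X11Forwarding)" != "yes" ] \
        || echo "sshd: X11Forwarding is on; a headless web server does not need it"
}

# Print one line per weakness found in an httpd.conf.
audit_httpd_config() {
    # Anything but Prod advertises OS and/or module versions in the Server header.
    [ "$(httpd_value "$1" ServerTokens)" = "prod" ] \
        || echo "httpd: ServerTokens is not Prod; version details are disclosed"
    [ "$(httpd_value "$1" ServerSignature)" = "off" ] \
        || echo "httpd: ServerSignature is not Off; error pages disclose the version"
    # Any uncommented Options line that enables directory listings ("Indexes" or "+Indexes").
    idx=$(awk 'tolower($1)=="options" {
                 for (i=2; i<=NF; i++) { o=tolower($i); sub(/^\+/, "", o); if (o=="indexes") c++ }
               } END {print c+0}' "$1")
    [ "$idx" -eq 0 ] \
        || echo "httpd: $idx Options line(s) enable Indexes (directory listings)"
}

# Constructed samples: one weak and one hardened file for each daemon.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_weak" <<'EOF'
Protocol 2,1
#PermitRootLogin no
X11Forwarding yes
EOF
cat > "$SAMPLE_DIR/sshd_hard" <<'EOF'
Protocol 2
PermitRootLogin no
X11Forwarding no
EOF
cat > "$SAMPLE_DIR/httpd_weak" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
cat > "$SAMPLE_DIR/httpd_hard" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
</Directory>
EOF

# Run the audit over each sample; the weak files produce three findings each,
# the hardened files none.
for f in sshd_weak sshd_hard; do
    echo "== $f"; audit_sshd_config "$SAMPLE_DIR/$f"
done
for f in httpd_weak httpd_hard; do
    echo "== $f"; audit_httpd_config "$SAMPLE_DIR/$f"
done
```

Point the two audit functions at /etc/ssh/sshd_config and /etc/httpd/conf/httpd.conf on the real box (the hypothetical sample paths above are only for the demo). The helpers deliberately ignore commented lines rather than treating "#PermitRootLogin no" as a setting, which is the usual way a shipped config misleads a quick visual check.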

Thanks in advance for any comments or suggestions!

regards,

Martin

Martin Summers
UNIX System Administrator (Bloke in charge of "stuff")
ANSYS Europe Ltd
Martin.Summers at ansys.com
