[Klug-general] Apache, PHP and MySQL security (Fairly long post!)

Allen Brooker allen at allenjb.me.uk
Sat Jan 6 12:09:35 GMT 2007


Matthew Macdonald-Wallace wrote:
> Morning all,
> 
> I'm reading a series of articles on Security Focus by Artur Maj on how
> to secure Apache, MySQL and PHP whilst keeping them all together.  I'm
> setting up a secure LAMP box from scratch on my laptop and as usual with
> these kinds of things, I've come away asking more questions than I
> started with, so I'm hoping that someone will be able to answer them for
> me:
> 
> 1) Which version of Apache do people prefer for business critical
> systems?  In the article on setting up Apache
> ( http://www.securityfocus.com/infocus/1694 ), Maj appears to be using
> Apache 1.3.7, however on the apache website there are versions for
> 1.x.x, 2.0.x and 2.2.x.  Is there an "industry standard" at the moment,
> or is it just a case of what you're comfortable with/stick with what you
> know?

I'm currently using Apache 2.0. To my knowledge apache1 is considered
deprecated by the developers and is currently only getting security
patches. I'm currently using the prefork (apache1 style) MPM on my
server, but I've always used threaded MPMs on my development machines
and have never run into any problems with PHP or any of the extensions
that I've used (although this doesn't mean there aren't any - just none
I've run into). I haven't tried Apache 2.2 - as far as I know it's
considered stable by the developers but even Gentoo currently has it
hard masked, since it's only up to .3 currently (compared to Apache
2.0's .59). Today, unless you have a module which you use which is only
available for Apache 1, or have a specific feature only available in
Apache 2.2 which you need, I'd recommend using Apache 2.0.

If you want further information / advice, I can highly recommend the
#apache channel on Freenode - I've found it to be very helpful in the
past and there's some highly knowledgeable people hanging out there
(DrBacchus is one I particularly remember, but I'm sure there are many
others).

> 
> 2) When talking about PHP (http://www.securityfocus.com/infocus/1706),
> Maj recommends compiling PHP as a static module as this is, in his view,
> the best option for both security and performance.  Maj points out that
> this would mean a complete recompile of httpd should you need to upgrade
> - as I understand it, this means that you would need significant
> down-time every time you upgraded anything.  I have always used PHP as a
> dynamic module, only recompiling the module if there is a "feature" in
> PHP that could lead to vulns/exploits.  Again, what do people suggest?
> Save time on the down-time and compile as a dynamic module, or compile
> as a dynamic module and risk the security issues that appear to come
> from this (according to Maj)?
> 
> 3) The article on MySQL (http://www.securityfocus.com/infocus/1726)
> talks about using chrootuid to run the server as mysql in a chroot jail,
> however I'm having real issues with this.  I've followed the
> instructions to the letter, creating the dirs and copying the files
> however every time I try and run the command to launch mysql:
> 
>  chrootuid /chroot/mysql \
> mysql /chroot/mysql/usr/local/mysql/libexec/mysqld &
> 
> I get the following in /var/log/syslog:
> 
> /chroot/mysql/usr/local/mysql/libexec/mysqld: No such file or directory
> 
> The file exists, the permissions are as follows:
> 
> -rwxr-xr-x 1 root mysql 4989964 2007-01-05 22:42 mysqld
> 
> but I can't get it to work.  Can anyone help me with this?
> 
> 
> My final question is that I've noticed that these articles were written
> in 2003/2004, does anyone know of any other tutorials that I could
> follow in order to learn more about securing LAMP boxes? I'm currently
> running Ubuntu, however I've only just switched from Gentoo and I'm
> perfectly comfortable with the command line and installing stuff from
> tarballs so I'm happy to look at just about anything tutorial wise! :)

While these articles were written a few years ago, I believe that things
most likely haven't changed much and they are still very relevant.
> 
> Thanks in advance for all the help, I'm hoping to make a LUG Meet fairly
> soon so I can actually meet people, however it's probably going to be
> the February meet now as my wife is due to give birth at the end of this
> month and I can't help but think that things are going to be a little
> bit hectic.

Congratulations!
> 
> Best Regards,
> 
> Matt

Thanks for the links by the way, I'm currently just starting a project
to "rebuild" my server and am looking at security issues - I'd kind of
forgotten about Security Focus' articles.

At the end of the day I think you have to balance security with
practicality. While I'm no expert, if your box is running only as a
webserver, hosting trusted (i.e. your own) content and not running
anything else, do you really need to chroot things? Personally I think
that one of the most important things to get right is a backup recovery
plan so that when the worst does happen for whatever reason, you can
rebuild and get the machine running again as quickly as possible.

Regards,

Allen
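An added example for the chroot problem in question 3, not code from either poster or from the Security Focus articles: when the kernel executes a dynamically linked binary it also has to open the ELF interpreter named in the binary's PT_INTERP entry, and that path is resolved inside the chroot, so an interpreter that is absent from the jail comes back as "No such file or directory" for mysqld itself even though mysqld is present. The loader then needs every DT_NEEDED library inside the jail as well. The Python below reads those two entries straight from the ELF headers (no ldd or readelf needed), checks them against a chroot tree, and exercises the check on a constructed ELF64 image that stands in for mysqld. The library search directories, the sample's interpreter and library names, and the placeholder files that demo() creates are assumptions, not taken from the articles; for a real jail you copy the actual files in.

```python
# Added example (not from the thread or the articles): a dynamically linked binary
# only runs inside a chroot if its ELF interpreter (PT_INTERP) and every DT_NEEDED
# library exist under the chroot; with the interpreter missing, execve fails with
# ENOENT for the binary itself. The entries are read straight from the ELF headers.
import os
import struct
import tempfile

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
# Assumed search list (glibc defaults plus Debian/Ubuntu multiarch), relative to the
# chroot root. A real loader also honours DT_RPATH/DT_RUNPATH and ld.so.cache.
DEFAULT_LIB_DIRS = ("lib", "lib64", "usr/lib", "usr/lib64",
                    "lib/x86_64-linux-gnu", "usr/lib/x86_64-linux-gnu")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()

def _program_headers(data):
    """Parse e_ident and the program header table; handles ELF32/ELF64, either byte order."""
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(   # e_entry .. e_phnum start at 24
        end + ("QQQIHHH" if is64 else "IIIIHHH"), data, 24)
    if is64:   # Elf64_Phdr has p_flags second, Elf32_Phdr has it seventh
        fmt, names = end + "IIQQQQQQ", ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    else:
        fmt, names = end + "IIIIIIII", ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    return is64, end, [dict(zip(names, struct.unpack_from(fmt, data, phoff + i * phentsize)))
                       for i in range(phnum)]

def elf_dynamic_deps(data):
    """Return (interpreter path or None, [DT_NEEDED library names]) for an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end, phdrs = _program_headers(data)
    dyn_fmt, dyn_size = end + ("qQ" if is64 else "iI"), (16 if is64 else 8)
    interp, needed = None, []
    for ph in phdrs:
        if ph["type"] == PT_INTERP:
            interp = _cstr(data, ph["offset"])
        elif ph["type"] == PT_DYNAMIC:
            entries, off = [], ph["offset"]
            while off + dyn_size <= ph["offset"] + ph["filesz"]:
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                off += dyn_size
                if tag == DT_NULL:
                    break
                entries.append((tag, val))
            # DT_STRTAB is a virtual address: map it to a file offset via the PT_LOAD covering it
            strtab = next(v for t, v in entries if t == DT_STRTAB)
            load = next(p for p in phdrs if p["type"] == PT_LOAD
                        and p["vaddr"] <= strtab < p["vaddr"] + p["filesz"])
            stroff = strtab - load["vaddr"] + load["offset"]
            needed += [_cstr(data, stroff + val) for tag, val in entries if tag == DT_NEEDED]
    return interp, needed

def missing_in_chroot(chroot, binary, lib_dirs=DEFAULT_LIB_DIRS):
    """binary is its path as seen from inside the chroot, e.g. /usr/local/mysql/libexec/mysqld."""
    with open(os.path.join(chroot, binary.lstrip("/")), "rb") as f:
        interp, needed = elf_dynamic_deps(f.read())
    missing = []
    if interp and not os.path.exists(os.path.join(chroot, interp.lstrip("/"))):
        missing.append(interp)
    missing += [lib for lib in needed
                if not any(os.path.exists(os.path.join(chroot, d, lib)) for d in lib_dirs)]
    return {"interp": interp, "needed": needed, "missing": missing}

def build_sample_elf(interp="/lib64/ld-linux-x86-64.so.2", needed=("libc.so.6", "libpthread.so.0")):
    """Constructed ELF64 image holding only the headers a loader inspects (no code); stands in for mysqld."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    name_offs = [strtab.index(b"\0" + n.encode() + b"\0") + 1 for n in needed]
    interp_b, base = interp.encode() + b"\0", 0x400000
    interp_off = 64 + 3 * 56                          # ELF header + three program headers
    strtab_off = interp_off + len(interp_b)
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in name_offs)
    dyn += struct.pack("<qQ", DT_STRTAB, base + strtab_off) + struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, version 1, SysV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3e, 1, base, 64, 0, 0, 64, 56, 3, 64, 0, 0)
    def ph(ptype, off, size):   # p_flags=PF_R, p_align=8
        return struct.pack("<IIQQQQQQ", ptype, 4, off, base + off, base + off, size, size, 8)
    phdrs = (ph(PT_LOAD, 0, dyn_off + len(dyn)) + ph(PT_INTERP, interp_off, len(interp_b))
             + ph(PT_DYNAMIC, dyn_off, len(dyn)))
    body = ehdr + phdrs + interp_b + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn

def demo():
    """Drop the sample binary into an empty chroot, check, add placeholder deps, check again."""
    root, binary = tempfile.mkdtemp(prefix="chroot-"), "/usr/local/mysql/libexec/mysqld"
    os.makedirs(os.path.join(root, "usr/local/mysql/libexec"))
    with open(os.path.join(root, binary.lstrip("/")), "wb") as f:
        f.write(build_sample_elf())
    before = missing_in_chroot(root, binary)["missing"]
    for rel in ("lib64/ld-linux-x86-64.so.2", "lib/x86_64-linux-gnu/libc.so.6",
                "lib/x86_64-linux-gnu/libpthread.so.0"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "wb").close()   # placeholder; copy the real files for a real jail
    after = missing_in_chroot(root, binary)["missing"]
    return before, after   # (['/lib64/ld-linux-x86-64.so.2', 'libc.so.6', 'libpthread.so.0'], [])
```

Run missing_in_chroot("/chroot/mysql", "/usr/local/mysql/libexec/mysqld") against a real jail and copy in whatever it lists as missing (the interpreter under the same path as on the host, libraries into one of the searched directories). Note that placeholder empty files only satisfy this existence check; the real loader also needs the libraries' contents, and the nss libraries libc loads at runtime (for user lookups) do not appear as DT_NEEDED entries, so a jail can pass this check and still fail later for that reason.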
