[Klug-general] Apache, PHP and MySQL security (Fairly long post!)

MacGyveR macgyver at thedumbterminal.co.uk
Sat Jan 6 22:30:54 GMT 2007


On Saturday 06 Jan 2007 08:38, Matthew Macdonald-Wallace wrote:
> Morning all,
>
> I'm reading a series of articles on Security Focus by Artur Maj on how
> to secure Apache, MySQL and PHP whilst keeping them all together.  I'm
> setting up a secure LAMP box from scratch on my laptop and as usual with
> these kinds of things, I've come away asking more questions than I
> started with, so I'm hoping that someone will be able to answer them for
> me:
>
> 1) Which version of Apache do people prefer for business critical
> systems?  In the article on setting up Apache
> ( http://www.securityfocus.com/infocus/1694 ), Maj appears to be using
> Apache 1.3.7, however on the apache website there are versions for
> 1.x.x, 2.0.x and 2.2.x.  Is there an "industry standard" at the moment,
> or is it just a case of what you're comfortable with/stick with what you
> know?
>
> 2) When talking about PHP (http://www.securityfocus.com/infocus/1706),
> Maj recommends compiling PHP as a static module as this is, in his view,
> the best option for both security and performance.  Maj points out that
> this would mean a complete recompile of httpd should you need to upgrade
> - as I understand it, this means that you would need significant
> down-time every time you upgraded anything.  I have always used PHP as a
> dynamic module, only recompiling the module if there is a "feature" in
> PHP that could lead to vulns/exploits.  Again, what do people suggest?
> Save time on the down-time and compile as a dynamic module, or compile
> as a dynamic module and risk the security issues that appear to come
> from this (according to Maj)?
>
> 3) The article on MySQL (http://www.securityfocus.com/infocus/1726)
> talks about using chrootuid to run the server as mysql in a chroot jail,
> however I'm having real issues with this.  I've followed the
> instructions to the letter, creating the dirs and copying the files
> however every time I try and run the command to launch mysql:
>
>  chrootuid /chroot/mysql \
> mysql /chroot/mysql/usr/local/mysql/libexec/mysqld &
>
> I get the following in /var/log/syslog:
>
> /chroot/mysql/usr/local/mysql/libexec/mysqld: No such file or directory
>
> The file exists, the permissions are as follows:
>
> -rwxr-xr-x 1 root mysql 4989964 2007-01-05 22:42 mysqld
>
> but I can't get it to work.  Can anyone help me with this?
>
>
> My final question is that I've noticed that these articles were written
> in 2003/2004, does anyone know of any other tutorials that I could
> follow in order to learn more about securing LAMP boxes? I'm currently
> running Ubuntu, however I've only just switched from Gentoo and I'm
> perfectly comfortable with the command line and installing stuff from
> tarballs so I'm happy to look at just about anything tutorial wise! :)
>
> Thanks in advance for all the help, I'm hoping to make a LUG Meet fairly
> soon so I can actually meet people, however it's probably going to be
> the February meet now as my wife is due to give birth at the end of this
> month and I can't help but think that things are going to be a little
> bit hectic.
>
> Best Regards,
>
> Matt
>
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/kent

have you read the apache security pages?


-- 
--------------------------------
http://www.thedumbterminal.co.uk
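Two things produce the "No such file or directory" symptom from question 3 even though the file is there on the host: chrootuid runs the command after chroot(), so the program path must be given relative to the jail root (/usr/local/mysql/libexec/mysqld, not /chroot/mysql/usr/...), and the kernel also reports ENOENT when the ELF loader (ld-linux) or a shared library the binary needs is missing inside the jail. The script below is an added example, not from the article or the thread; the jail path and the mysqld location are taken from the question, and the function names are my own.

```shell
#!/bin/sh
# chroot_check.sh: diagnose ENOENT for a binary that exists under a chroot
# jail. Hypothetical helper, not part of the Security Focus article.

# Print the absolute host paths (dynamic loader plus libraries) that a
# dynamically linked binary needs. ldd executes the loader, so only point
# it at binaries you built or installed yourself.
chroot_deps() {
    ldd "$1" 2>/dev/null | grep -o '/[^ ]*' | sort -u
}

# Usage: chroot_missing JAIL PATH_INSIDE_JAIL
# Reports the program itself if absent, otherwise every loader/library
# it needs that is absent under JAIL. Exit status 0 means nothing missing.
chroot_missing() {
    j=$1; p=$2; rc=0
    if [ ! -x "$j$p" ]; then
        echo "missing program: $j$p"
        return 1
    fi
    for dep in $(chroot_deps "$j$p"); do
        if [ ! -e "$j$dep" ]; then
            echo "missing library: $j$dep"
            rc=1
        fi
    done
    return $rc
}

# Usage: chroot_stage JAIL PATH_INSIDE_JAIL
# Copies the loader and libraries into the jail under their host paths
# (the "copy the files" step of the article, done from ldd's answer).
chroot_stage() {
    j=$1; p=$2
    for dep in $(chroot_deps "$j$p"); do
        mkdir -p "$j$(dirname "$dep")"
        cp -L "$dep" "$j$dep"
    done
}

# For the jail in the question, note the jail-relative program path:
#   chroot_missing /chroot/mysql /usr/local/mysql/libexec/mysqld
```

Run the check as root on the jail before launching chrootuid; an empty report means the loader, libraries and program are all reachable from the new root.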


