[sclug] Recommendations for hardening a Apache, MySQL and PHP server ?

Simon Huggins huggie at earth.li
Fri Dec 16 09:18:12 UTC 2005


On Fri, Dec 16, 2005 at 07:50:07AM -0000, Martin Summers wrote:
> I have the glorius task of building a public, internet facing company
> web server, which is going to be using Apache, PHP and MySQL for the
> data side of things. It is not going to be used for financial
> transactions, but will may hold simple customer data, and be capable
> of e-mailing them information. I will have some web users which will
> need to be able to update the web content, PHP code and MySQL
> database, but the rest is just system admin. All admin and system
> access will be done by ssh2

You need the web users:
	- to have sensible passwords (i.e. not trivial and not the same
	  as the username)
	- if they are editing PHP or installing PHP apps then they need
	  to understand web security.

> What I would like to know is what do people recommend in terms of
> system hardening to make this as secure as I can ?

> 7) Adding users needed to manage mySQL and upload to web server.

If you're thinking of using phpmyadmin or similar to manage MySQL then
ensure that it is only accessible over HTTPS and again as for the
account passwords ensure no test/test logins exist and that users have
non-trivial passwords.

Also ensure any MySQL username/password pairs are hidden away well
enough i.e. not web accessible.  The old favourite used to be to have
them in ".inc" files which apache would merrily serve up to random
users.  Now most PHP apps ship with them in a .php file so even if they
are served up, there's effectively nothing in them as php parses them
and finds no output instructions.

> 15) IPtables additionl configuraton

You probably want some outbound rules.  I don't get this luxury but if
you know you're never going to be talking to IRC servers for instance
then you can firewall TCP 6667 (and the others around there that they
use).

> 16) Harden Apache config (any reference docs ?)

I've heard /some/ good things about mod_security
See
http://www.modsecurity.org/documentation/modsecurity-apache/stable/08-miscellaneous.html#N10A8C
for some of its filtering.
I've never used it though.

Also most importantly run all the PHP as a user.  Run different sites as
different users.  You can do this with say the php-cgiwrap bits and
bobs.

> 24) rootkit detector (The jury is still out on this if this is a good
> thing to have pre-installed or not - opinions ?)

Stick it on a CD in the server's drive and run it from there perhaps?
Or just have a rescue CD you can boot off in the drive which contains
one though I guess you'd want up to date files to check against.

Simon.

-- 
        Black Cat Networks        -( <forc3> zsh je trouve ke tu passes  )-
UK domain, email and web hosting  -(  plus de temps a faire la conf k'a  )-
http://www.blackcatnetworks.co.uk -(             l'utiliser              )-


More information about the Sclug mailing list