[Sussex] Securing Apache / Linux

Paul Graydon paul at paulgraydon.co.uk
Thu Aug 4 16:08:06 UTC 2005


I'm getting frustrated with other advice I'm getting having asked the
rather innocent question about securing a LAMP server.  I know they
probably think they're being funny but advice like "disconnect the
network cable" and "turn off all scripting support", whilst definitely
good ways of securing an Apache Linux box, are rather useless in the real
world.

I've got a goal I'd like to achieve, and I guess the best way to
approach this is to tell you that rather than what I've done so far, see
if you can help me achieve the goal instead as I'm abysmally failing.

We have a LAMP server at work, which runs happily, based on RedHat EL
ES4, all patched and up to date. Both myself and my boss want to be able
to control the webserver, upload content, etc. etc.  This is where
things get a little more difficult as best as I can see.  We both need
to be able to CHMOD files stored in the htdocs folder, over FTP.  That's
where the biggest hangup seems to come.
So far I've created a separate user group called webteam on the server,
created two users, one for myself, one for the boss, and made their
primary group the webteam group. The htdocs folder (and subfolders) has
been chowned to httpd:webteam, and then been recursively chmoded to
2575, so that the webteam group owns any files created in it, and apache
can only read and execute contained files, as I was advised elsewhere.
However, the only way either my boss or myself can chmod the files is to
log in as root.  For security purposes I've disabled the root account
from being able to be used over FTP, and SSH/telnet is blocked at the
firewall.

Is there any way to achieve this, short of creating a common account on
the server that both my boss and I will use to log in over ftp?
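As an added illustration (not part of the post or the Sussex list), a small Python model of the POSIX permission checks that apply to the layout described above; the owner httpd, group webteam and mode 2575 are the post's own, while the user accounts are constructed stand-ins:

```python
# Added example: a minimal model of POSIX discretionary access control,
# used to check the htdocs layout from the post (httpd:webteam, mode 2575).
# User names and uids below are constructed for the illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    uid: int
    groups: set = field(default_factory=set)  # every group the user is a member of


@dataclass
class FileNode:
    owner: str
    group: str
    mode: int  # permission bits as set by chmod, e.g. 0o2575


def allowed(user: User, op: str, f: FileNode) -> bool:
    """op is one of 'read', 'write', 'exec', 'chmod'.

    read/write/exec use the owner, group or other triplet that matches the
    caller. chmod is not covered by those bits at all: the kernel only lets
    the file's owner (or root) change the mode, which is why group write
    access alone is not enough to chmod a file owned by httpd.
    """
    if user.uid == 0:  # root bypasses discretionary access checks
        return True
    if op == "chmod":
        return user.name == f.owner
    bit = {"read": 4, "write": 2, "exec": 1}[op]
    if user.name == f.owner:
        shift = 6
    elif f.group in user.groups:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)


# The layout from the post: htdocs chowned to httpd:webteam, chmod 2575.
HTDOCS_FILE = FileNode(owner="httpd", group="webteam", mode=0o2575)

# Constructed accounts: the web server, one webteam member, root.
APACHE = User("httpd", 48, {"httpd"})
PAUL = User("paul", 1001, {"webteam"})
ROOT = User("root", 0, {"root"})


def summary(user: User, f: FileNode = HTDOCS_FILE) -> dict:
    """Map each operation to whether this user may perform it on the file."""
    return {op: allowed(user, op, f) for op in ("read", "write", "exec", "chmod")}


if __name__ == "__main__":
    for u in (APACHE, PAUL, ROOT):
        print(u.name, summary(u))
```

Running it shows the webteam member can read, write and execute but not chmod, Apache can only read and execute, and root can do everything.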