[Sussex] LAMP Security (Fairly long post...)

Matthew Macdonald-Wallace matthew at truthisfreedom.org.uk
Sat Jan 6 11:30:57 UTC 2007


Morning all,

I'm reading a series of articles on Security Focus by Artur Maj on how
to secure Apache, MySQL and PHP whilst keeping them all together.  I'm
setting up a secure LAMP box from scratch on my laptop and as usual with
these kind of things, I've come away asking more questions that I
started with, so I'm hoping that someone will be able to answer them for
me:

1) Which version of Apache do people prefer for business critical
systems?  In the article on setting up Apache
( http://www.securityfocus.com/infocus/1694 ), Maj appears to be using
Apache 1.3.7, however on the apache website there are versions for
1.x.x, 2.0.x and 2.2.x.  Is there an "industry standard" at the moment,
or is it just a case of what you're comfortable with/stick with what you
know?

2) When talking about PHP (http://www.securityfocus.com/infocus/1706),
Maj recommends compiling PHP as a static module as this is, in his view,
the best option for both security and performance.  Maj points out that
this would mean a complete recompile of httpd should you need to upgrade
- as I understand it, this means that you would need significant
down-time everytime you upgraded anything.  I have always used PHP as a
dynamic module, only recompiling the module if there is a "feature" in
PHP that could lead to vulns/expliots.  Again, what do people suggest?
Save time on the down-time and compile as a dynamic module, or compile
as a dynamic module and risk the security issues that appear to come
from this (according to Maj)?

3) The article on MySQL (http://www.securityfocus.com/infocus/1726)
talks about using chrootuid to run the server as mysql in a chroot jail,
however I'm having real issues with this.  I've followed the
instructions to the letter, creating the dirs and copying the files
however everytime I try and run the command to launch mysql:

 chrootuid /chroot/mysql \
mysql /chroot/mysql/usr/local/mysql/libexec/mysqld &

I get the following in /var/log/syslog:

/chroot/mysql/usr/local/mysql/libexec/mysqld: No such file or directory

The file exists, the permissions are as follows:

-rwxr-xr-x 1 root mysql 4989964 2007-01-05 22:42 mysqld

but I can't get it to work.  Can anyone help me with this?


My final question is that I've noticed that these articles were written
in 2003/2004, does anyone know of any other tutorials that I could
follow in order to learn more about securing LAMP boxes? I'm currently
running Ubuntu, however I've only just switched from Gentoo and I'm
perfectly comfortable with the command line and installing stuff from
tarballs so I'm happy to look at just about anything tutorial wise! :)

Best Regards,

Matt




More information about the Sussex mailing list