[Sussex] LAMP Security (Fairly long post...)

John Crowhurst fyremoon at fyremoon.net
Sat Jan 6 12:21:33 UTC 2007


On Sat, January 6, 2007 11:30, Matthew Macdonald-Wallace wrote:
> 1) Which version of Apache do people prefer for business critical
> systems?  In the article on setting up Apache
> ( http://www.securityfocus.com/infocus/1694 ), Maj appears to be using
> Apache 1.3.7, however on the apache website there are versions for
> 1.x.x, 2.0.x and 2.2.x.  Is there an "industry standard" at the moment,
> or is it just a case of what you're comfortable with/stick with what you
> know?

I suspect this guide was written when 1.3.7 was the most common version of
Apache. Now that Apache 2 is available, people use 1.3.7 for legacy
applications.

> 2) When talking about PHP (http://www.securityfocus.com/infocus/1706),
> Maj recommends compiling PHP as a static module as this is, in his view,
> the best option for both security and performance.  Maj points out that

I do suspect this is also old information. Compiling static modules
wouldn't give that much protection IMO to an exploit or vulnerability. A
dynamic module would make upgrading so much easier.

> 3) The article on MySQL (http://www.securityfocus.com/infocus/1726)
> talks about using chrootuid to run the server as mysql in a chroot jail,
> however I'm having real issues with this.  I've followed the
> instructions to the letter, creating the dirs and copying the files
> however every time I try and run the command to launch mysql:
>
>  chrootuid /chroot/mysql \
> mysql /chroot/mysql/usr/local/mysql/libexec/mysqld &

You probably need:

chrootuid /chroot/mysql \
mysql /usr/local/mysql/libexec/mysqld &

The file exists in your root filesystem, but you are using chroot to
change the root filesystem from / to /chroot/mysql. In other words, it's
looking for:
/chroot/mysql/chroot/mysql/usr/local/mysql/libexec/mysqld

> My final question is that I've noticed that these articles were written
> in 2003/2004, does anyone know of any other tutorials that I could
> follow in order to learn more about securing LAMP boxes? I'm currently
> running Ubuntu, however I've only just switched from Gentoo and I'm
> perfectly comfortable with the command line and installing stuff from
> tarballs so I'm happy to look at just about anything tutorial wise! :)

I found quite a few new tutorials simply by searching google. Here are a
couple:
http://www.tuxmachines.org/node/8677
http://www.oreillynet.com/pub/a/databases/2006/07/13/lamp-data-protection.html

--
John
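As an added example, not part of John's reply or the original thread: a small POSIX shell pre-flight check that resolves a path the way the kernel will after chroot(2), confirms the binary is actually inside the jail, and flags the double-prefix mistake from the question. The sample jail it builds is a constructed stand-in, and the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a chrootuid launch.
# Usage: check_jail_path JAIL PATH_AS_SEEN_INSIDE_JAIL
# Returns 0 if JAIL/PATH is an executable file, 1 otherwise.
check_jail_path() {
    jail=$1
    inner=$2
    # After chroot(2), "/" is JAIL, so the kernel opens JAIL + inner.
    real="${jail%/}${inner}"
    case "$inner" in
        "$jail"/*)
            echo "warning: '$inner' already carries the jail prefix;" >&2
            echo "         the kernel would open '$real'" >&2
            echo "         try: chrootuid $jail mysql ${inner#$jail}" >&2
            return 1 ;;
    esac
    if [ -f "$real" ] && [ -x "$real" ]; then
        echo "ok: $inner -> $real"
        return 0
    fi
    echo "missing: $inner -> $real (copy the binary into the jail)" >&2
    return 1
}

# Build a throwaway jail with a constructed stand-in for mysqld
# (a shell script, not the real server binary).
make_sample_jail() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/mysql/libexec"
    printf '#!/bin/sh\necho fake mysqld\n' > "$d/usr/local/mysql/libexec/mysqld"
    chmod 755 "$d/usr/local/mysql/libexec/mysqld"
    printf '%s\n' "$d"
}

# Demonstration: the correct invocation passes, the double-prefix one fails.
JAIL=$(make_sample_jail)
check_jail_path "$JAIL" /usr/local/mysql/libexec/mysqld
check_jail_path "$JAIL" "$JAIL/usr/local/mysql/libexec/mysqld" || true
rm -rf "$JAIL"
```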
