Secure LAMP server for production use

These recommendations are off of the top of my head and not intended to be comprehensive.

Check out Bastille, it's a series of scripts that implements best practices in Linux.

Don't send authentication data over plaintext protocols. For example, disable FTP. If you send authentication data via Apache, use SSL.

Disable and remove any unnecessary software including the GUI interface.

Audit any files with the SUID bit set and remove. (This will severely limit non-root abilities. Understand the implications for each individual change.)

Audit public writable directories and remove the writable bit. (Leave /tmp alone.)

Avoid running any daemon as root.

Research all multi-user software that listens on sockets in detail for security best practices.

Avoiding adding users to the system is one of the best approaches. Multi-user systems require greater attention to detail.

Enforce password standards. For example: minimum 10 characters, non-alphanumeric characters, using letters and numbers. This is to make brute forcing more difficult in case of password file compromise. Enforce this via the system.

Lock out users after 5 failed authentication attempts with a minimum of 10 minute lockout. Maintain a password history so users can't use the past 5 passwords.

If you have a larger environment, using network segregation with multiple subnets to isolate risk is an absolute requirement. In a smaller environment, running a firewall on the local system to limit exposure is recommended. For example, only allow SSH from your IP. tcpwrappers can be used too for an extra layer. (/etc/hosts.allow, /etc/hosts.deny)

And, of course, keeping all software up to date. Especially public facing daemons.

With SSH:

  • Disable SSH protocol 1
  • Only allow root authentication without-password (only keypair)

With Apache:

  • Disable any modules that are not needed
  • Disable .htaccess and public directories
  • Disable FollowSymLinks and any unnecessary options
  • Do not install PHP if you don't need it.

With MySQL:

  • Disable default users.
  • Don't use wildcard hosts.
  • Be sure to set a unique host for every user.
  • Don't listen on tcp unless necessary. (Unusually unavoidable.)
  • Limit application user privileges as much as possible. (SELECT,INSERT,UPDATE,DELETE ideal for write and SELECT for read)

I'd recommend researching php.ini tuning for security specifically. It's riskier software by default.
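A report-only way to run the SUID and world-writable audits recommended in the answer above, as an added example that is not part of the original answer. The allowlist file of already-reviewed SUID binaries and its path are assumptions of this example, and directories carrying the sticky bit (such as /tmp) are skipped.

```shell
#!/bin/sh
# Added example: report-only permission audit. Nothing is modified.

# Regular files with the SUID bit set under ROOT, staying on one filesystem.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# SUID files not named in ALLOWLIST (one absolute path per line).
# ALLOWLIST is this example's own convention for binaries already reviewed;
# a missing or unreadable file means nothing has been reviewed yet.
unexpected_suid() {
    allow="${2:-/dev/null}"
    [ -r "$allow" ] || allow=/dev/null
    list_suid "$1" | grep -vxFf "$allow" || :
}

# World-writable directories without the sticky bit.
# Mode 1777 directories such as /tmp have the sticky bit and are not listed.
list_world_writable_dirs() {
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Print both reports with owner and mode so each entry can be reviewed.
audit_perms() {
    root="${1:-/}"
    echo "== SUID files not in allowlist =="
    unexpected_suid "$root" "$2" | while IFS= read -r f; do ls -ld -- "$f"; done
    echo "== World-writable directories without sticky bit =="
    list_world_writable_dirs "$root" | while IFS= read -r d; do ls -ld -- "$d"; done
}

# Typical run as root (hypothetical allowlist path):
#   audit_perms / /root/suid-reviewed.txt
```

Because of `-xdev`, the scan stays on the filesystem that holds the starting directory, so run it once per mounted filesystem (for example `/`, `/home`, `/var`).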


Here is a good article that you can use as a base for your setup and change according to your distribution: http://it.toolbox.com/blogs/rayheffer/how-to-build-a-secure-lamp-web-server-with-centos-5-36786