Best Security Tips for LAMP Stack (Apache, MySQL and PHP) on Linux
Many of new system administrators forgot to apply security, when configuring web hosting environment for production use with Apache, MySQL and PHP. I am trying to include all those security tips which we must be considered while preparing a new system for production use or any existing LAMP setup.
All the configuration changes are used in this article will be updated in following configuration files as per your operating systems. In some cases configuration files path may change. So make change in appropriate files. After making changes restart related services to change take effect.
For Ubuntu, Debian & LinuxMint:
Apache2: /etc/apache2/apache2.conf
PHP5: /etc/php5/apache2/php.ini
MySQL: /etc/mysql/my.cnf
PHP5: /etc/php5/apache2/php.ini
MySQL: /etc/mysql/my.cnf
For CentOS, RedHat & Fedora:
Apache: /etc/httpd/conf/httpd.conf
PHP: /etc/php.ini
MySQL: /etc/my.cnf
PHP: /etc/php.ini
MySQL: /etc/my.cnf
1. Hiding Version and OS Identity (Apache)
The ServerTokens directive controls whether Server response header field which is sent back to clients. The ServerSignature configures the footer on server-generated documents. Edit Apache configuration file and update following directives as following.
ServerTokensProd
ServerSignatureOff
2. Disable Directory Listing (Apache)
If directory listing is enabled in Apache. Then all the files and directories list will be shown on web page if no default document exists. Add following configuration in Apache to disable directory listing server wide.
<Directory /> Options-Indexes </Directory>
After that you can enable listing per directory basis if required.
3. Restricting File and Directory Access (Apache)
Restricting access on basis of Directory, File and Location in Apache.
Restrict Directory
To restrict directory and files access from users, It will only allowed the ips are defined with Allow from.
<Directory "/home/user/public_html"> OrderDeny,Allow Deny fromall Allow from192.168.0.0/24 Allow from.hackthesec.co.in </Directory>
Restrict File
We can also restrict specific file using File directive like below.
<File data.xml> Orderdeny,allow Deny fromall </File>
Restrict Location
The Location directive limits the scope of the enclosed directives by URL.
<Location /admin> OrderDeny,Allow Deny fromall Allow from192.168.0.0/24 Allow from.hackthesec.co.in </Location>
4. Disable Server Side Includes and CGI Execution (Apache)
We can simply disable server-side includes and CGI execution by defining directory tag. Add below in Apache virtual host configuration file.
<Directory "/home/user/public_html"> Options-Includes -ExecCGI </Directory>
5. Restrict PHP Information Leakage (PHP)
By Default PHP installation exposes to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (Eg:, X-Powered-By: PHP/5.4.20). Read More
To hide this values from header edit php.ini and update below directive to Off
expose_php =Off
6. Disable Remote Code Execution (PHP)
If allow_url_fopen is enabled on your setup, It allows ile functions like file_get_contents() and the include and require statements which can retrieve data from http or ftp remote locations and execute their code.
allow_url_fopen=Off allow_url_include=Off
7. Disabling Dangerous PHP Functions (PHP)
We can disable any php function using disable_functions directive in php configuration file. Disable all the functions which can be harmful and not used in applications.
disable_functions =exec,shell_exec,passthru,system,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,proc_open,pcntl_exec
8. Limit PHP Access To File System (PHP)
The open_basedir directive set the directories from which PHP is allowed to access files
open_basedir="/home/user/public_html "
9. Disable Unused PHP Modules (PHP)
PHP supports “Dynamic Extensions” to load in php environment. We can disable any unused module to load in system by changing configuration file name.
# cd /etc/php.d/ # mv oci8.ini oci8.ini.disable
10. Enable Limits in PHP (PHP)
To allow users to upload files of maximum size, update following configuration value.
upload_max_filesize =2M # Maximum 2M of file user can upload
Maximum execution time of each script
max_execution_time =30 # seconds
Maximum amount of time each script may spend parsing request data
max_input_time =60 # seconds
11. Restrict Remote MySQL Access (MySQL)
If your application environment do not required to access database remotely, then disable all remote connections for database server. The easier way to do it force MySQL server to listen only on 127.0.0.1 (localhost).
Edit MySQL configuration file and update following value.
bind-address=127.0.0.1
12. Disable use of LOCAL INFILE (MySQL)
Enabling LOCAL INFILE can be dangerous for you system security. If LOCAL INFILE is enabled on server, a user can load any file ( like /etc/passwd, /etc/shadow ) to a table easily.
To disable this edit MySQL configuration file and add following value under [mysqld] section.
[mysqld] local-infile=0
13. Create Application Specific User in MySQL (MySQL)
Do not use mysql ‘root’ user for accessing database through application. It can be dangerous for your system. So make sure to create and use application specific user with limited access on application database only. To create mysql account use following command.
root@hackthesec:~#mysql -u root -p mysql> CREATE USER 'myusr '@'localhost ' IDENTIFIED BY 'password '; mysql> GRANT SELECT,INSERT,UPDATE,DELETE ONmydb .* TO 'myusr '@'localhost ' IDENTIFIED BY 'password '; mysql> FLUSH PRIVILEGES;
14. Improve Security with mysql_secure_installation (MySQL)
After installing MySQL mysql_secure_installation command is very useful for securing MySQL server. This command will also enable password protection on root user.
root@hackthesec:~#mysql_secure_installation "Only required output is showing below. In actual you will see more output on-screen" Change the root password? [Y/n]y New password: ********** Re-enter new password: ********** Remove anonymous users? [Y/n]y Disallow root login remotely? [Y/n]y Remove test database and access to it? [Y/n]y Reload privilege tables now? [Y/n]y
15. Write Protect Configuration Files (Apache/MySQL/PHP)
In this section we are protecting all our server configuration files used in LAMP Stack, So than no one can change these files.
# chattr+i /etc/php.ini # chattr+i /etc/php.d/* # chattr+i /etc/my.cnf # chattr+i /etc/httpd/conf/httpd.conf
Remember than after enabling write protection no user including root can update these file. In case you need to update any of file disable write protection first using following command.
# chattr -i filename
We will keep updating useful LAMP security tips to this article. s.
0 comments:
Post a Comment