This post outlines the procedures that I use to secure a LAMP stack built on Ubuntu or Debian. All of the techniques outlined in this post are ones that I have gathered over the years through experience as well as through research and other Internet sites.
DISCLAIMER: I take no responsibility for any damage that may be caused to your system as a result of following any portion of this guide. As with anything that has a system-wide effect, it is highly recommended that you back up your system prior to making any changes. Additionally, as with any web application, hardening the stack only helps if the application itself is sound: make sure its file permissions are set correctly and that its code has been audited.
USE SUDO (DEBIAN ONLY – SUDO IS DEFAULT ON UBUNTU):
The root account should only be used when necessary. Everyday operation of the server (checking logs, for example) does not need root privileges, so we will use sudo to obtain them only for the commands that require them. We will also create a user to work as instead of root, and lock the root account's password so it can no longer be used to log in.
#> apt-get install sudo
#> adduser USERNAME
#> usermod -aG sudo USERNAME
#> sudo passwd -l root
The -a in usermod -aG matters: without it, -G replaces the user's supplementary groups instead of adding to them. Run the first three commands as root, then log out, log back in as the user you just created and confirm that sudo works (a harmless command such as sudo -v is enough) before running the last one, because once root's password is locked a broken sudo setup leaves you with no administrative access. From then on, log in as this user and precede any command that needs root with the word sudo; you will be prompted for your own password, not root's. If you need a persistent root shell, sudo -i (or sudo su) opens one that lasts until you type exit.
LOCKING DOWN SSH:
Since most Linux based servers have no GUI, typically management of the server occurs over the SSH protocol. Below are some guidelines to help lock down this service and make it more difficult for attackers to use this as an attack vector.
#> sudo nano /etc/ssh/sshd_config
Change at least the listening port to suit your environment (sshd keywords are case-insensitive, but the canonical spelling is Port):
Port 2022 (or some other unused port number above 1024)
A non-standard port does not stop a targeted attacker, but it removes most of the automated brute-force noise from your logs. If a firewall is already active on the server, allow the new port before you restart sshd. Restart the ssh daemon:
#> sudo service ssh restart
Keep your current session open and confirm from a second terminal that you can log in on port 2022 before closing it. From this point on, when logging into your server, you will need to connect using port 2022.
INSTALLING/ENABLING A FIREWALL:
Though your hosting provider may offer a firewall that you can configure, I still like to set up a firewall within the OS for defence in depth. If you are working on Ubuntu, the firewall configuration tool ufw is already installed. On Debian we install it first; Ubuntu users can skip straight to the configuration commands.
#> sudo apt-get install ufw
#> sudo ufw allow http
#> sudo ufw allow https
#> sudo ufw allow 2022/tcp (or whatever alternative port you chose for ssh)
#> sudo ufw enable
This configures the basic services. ufw's default policy denies incoming and allows outgoing connections, so every inbound port not listed above is now closed; that is also why the SSH rule has to be added before ufw enable, otherwise you lock yourself out of the server. As you can see, ufw is very easy to configure. Add any other ports your applications need and read the man page for further details.
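Tying the SSH and firewall steps together, here is an added example script (mine, not from the original post) that sets sshd_config options idempotently, uncommenting or replacing an existing line instead of appending a duplicate, validates the file with sshd -t before any restart, and prints the ufw commands in a lock-out-safe order so the SSH port is open before the firewall is switched on. It assumes a POSIX sh with awk and mktemp; port 2022 and the extra settings in harden_sshd (disabling root login and password authentication) are this example's choices, not the post's, and the password-authentication change only belongs on a server where your public key is already in the sudo user's authorized_keys.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes POSIX sh, awk, mktemp.
set -eu

# set_sshd_option FILE KEY VALUE
# Every line whose first word is KEY (optionally commented out with "#") is
# replaced by "KEY VALUE": the first occurrence keeps its position, later
# duplicates are dropped, and the key is appended if it is absent. sshd
# matches keywords case-insensitively, so the comparison does too.
# Limitation: Match blocks are not understood; settings inside them are
# treated like global ones.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and a leading "#"
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}

# sshd_listen_port FILE: the active Port directive, or sshd's default of 22.
sshd_listen_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    printf '%s\n' "${port:-22}"
}

# ufw_commands PORT: the firewall rules, with the SSH port opened (and rate
# limited against brute forcing) before the firewall is enabled.
# Apply with:  ufw_commands 2022 | sudo sh
ufw_commands() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow http
ufw allow https
ufw limit $1/tcp
ufw --force enable
EOF
}

# harden_sshd [FILE] [PORT]: the sshd part of this section plus two extra
# settings chosen for this example. PasswordAuthentication no assumes your
# key already works; test it from a second session before closing this one.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config} port=${2:-2022}
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" X11Forwarding no
    # A config sshd rejects would lock you out after the restart, so refuse
    # to continue unless it parses (sshd -t needs root to read host keys).
    sshd -t -f "$cfg"
}

# Typical run as root on the server:
#   harden_sshd /etc/ssh/sshd_config 2022
#   ufw_commands "$(sshd_listen_port /etc/ssh/sshd_config)" | sh
#   service ssh restart
```

The edit function deliberately rewrites a commented-out default such as #Port 22 in place rather than appending a second Port line at the end, which is how a stock sshd_config quietly ends up with conflicting directives after a few manual edits.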
SECURING SHARED MEMORY:
Some areas of shared memory can be used as a staging point for attacks against running daemons such as httpd or mysqld: /dev/shm is world-writable, so a compromised process can drop a payload there and execute it. Here we mount /dev/shm without execute and setuid permissions.
#> sudo nano /etc/fstab
Add the following line to the file. It takes effect at the next reboot, which you can perform now or later; sudo mount -o remount /dev/shm applies the new options immediately without one. Adding nodev to the option list as well is common practice.
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
APACHE DEFAULT PAGES:
Apache ships a number of default pages and aliases (the /icons/ alias used by directory listings, for example) that can be viewed or detected and may help an attacker fingerprint the Apache version or the OS. We disable access to them here.
#> sudo nano /etc/apache2/mods-available/alias.conf
Find the line that reads "Allow from all" and change it to:
Deny from all
That is Apache 2.2 syntax. On Apache 2.4 (Debian 8 and Ubuntu 14.04 onwards) the same block contains Require all granted instead; change it to Require all denied. Restart apache2 afterwards.
HARDEN THE NETWORKING WITH SYSCTL SETTINGS:
In this section, we define sysctl settings that govern how the kernel handles certain network protocol features. Some of the keys below may not exist on your kernel (I have seen this on Ubuntu); sysctl -p reports an error for such a line and carries on with the rest, which is why they are commented out here. I am not going to go into great detail on what each of these settings does:
#> sudo nano /etc/sysctl.conf
Add the following parameters.
# Ignore ICMP Broadcasts - Commented options below may not work!
# net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing - Commented options may not work!
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# net.ipv4.conf.default.accept_source_route = 0
# net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore directed pings
net.ipv4.icmp_echo_ignore_all = 1
Once you have added the above parameters to sysctl.conf, load them into the running kernel with the following command:
#> sudo sysctl -p
Note that net.ipv4.icmp_echo_ignore_all = 1 makes the server ignore every ping, including those from your own monitoring; drop that line if you rely on ICMP reachability checks.
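Since sysctl -p only tells you which lines failed, here is an added example (mine, not from the original post) that reads a sysctl.conf-style file back and compares each key with the value the running kernel actually reports, separating settings that applied, settings that were overridden elsewhere, and keys this kernel does not provide (the "may not work" cases above). The reader function is a parameter so the logic can be exercised offline against a fake kernel; that indirection is this example's design choice, not anything sysctl itself offers.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes POSIX sh with sed and tr.
set -u

# Default reader: net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward.
# Returns 1 (and prints nothing) when the key does not exist on this kernel.
read_running_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# sysctl_verify CONF [READER]
# Prints one line per entry: "ok KEY VALUE", "mismatch KEY want X have Y"
# or "missing KEY". Returns 0 only when every entry matches.
sysctl_verify() {
    conf=$1 reader=${2:-read_running_sysctl}
    report=$(
        # Drop "#" / ";" comments and blank lines; accept "key=value" or "key = value".
        sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$conf" |
        while IFS='=' read -r key want; do
            key=$(printf '%s' "$key" | tr -d '[:space:]')
            want=$(printf '%s' "$want" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            if have=$("$reader" "$key"); then
                # Multi-value keys come back tab separated; compare on single spaces.
                have=$(printf '%s' "$have" | tr '\t' ' ' | tr -s ' ')
                if [ "$have" = "$want" ]; then
                    echo "ok $key $want"
                else
                    echo "mismatch $key want $want have $have"
                fi
            else
                echo "missing $key"
            fi
        done
    )
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq '^(mismatch|missing) '
}

# On the server, after "sudo sysctl -p":
#   sysctl_verify /etc/sysctl.conf || echo "some settings did not apply"
```

A mismatch after a clean sysctl -p usually means a file in /etc/sysctl.d/ or a network service is setting the same key later in the boot sequence, which this check surfaces and the error output of sysctl -p does not.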
PREVENT IP SPOOFING:
In this section, we add a resolver setting that helps detect spoofing attempts. The file is /etc/host.conf (resolver configuration), not to be confused with /etc/hosts.
#> sudo nano /etc/host.conf
Add the following line to the configuration file.
APACHE CONFIGURATION DIRECTIVES:
In this section, we edit the main Apache configuration file to add a few directives that make fingerprinting the server, and cross-site scripting (XSS) attacks, less likely to succeed. Some of these directives may already be in the file, so search for each one before adding it to prevent duplicates and errors; running sudo apache2ctl configtest before the restart catches a misspelled or conflicting directive while the old server is still up.
#> sudo nano /etc/apache2/apache2.conf
Add the following lines to the file
Save the file and restart apache.
#> sudo service apache2 restart
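As an added example (mine, not the original post's list of directives), the following script writes the anti-fingerprinting and browser-side XSS mitigations as a separate snippet in /etc/apache2/conf-available/ rather than editing apache2.conf in place, so it can be enabled, disabled and diffed on its own. The directive set and the file name hardening.conf are this example's choices; the Content-Security-Policy line in particular blocks inline scripts and styles on an application that relies on them, so adjust it per site before enabling.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes Debian/Ubuntu apache2
# 2.4 layout (conf-available, a2enconf, a2enmod); the file name is my choice.
set -eu

# write_apache_hardening [DEST]: write the snippet to DEST (default: the
# Debian/Ubuntu conf-available directory) and print the path written.
write_apache_hardening() {
    dest=${1:-/etc/apache2/conf-available/hardening.conf}
    cat > "$dest" <<'EOF'
# Hide version and module details in the Server header and on error pages.
ServerTokens Prod
ServerSignature Off
# TRACE echoes request headers back and has been abused in cross-site tracing.
TraceEnable Off

<IfModule mod_headers.c>
    # Stop browsers from sniffing content types and from framing the site.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # The effective XSS defence: only run scripts served from this origin.
    # Tighten or relax per application; 'self' breaks inline script/style.
    Header always set Content-Security-Policy "default-src 'self'"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
EOF
    printf '%s\n' "$dest"
}

# Enable and verify on the server (mod_headers is not loaded by default):
#   write_apache_hardening
#   a2enmod headers && a2enconf hardening
#   apache2ctl configtest && service apache2 restart
```

The IfModule guard keeps configtest passing on a server where mod_headers is not enabled yet, but it also means the headers silently disappear if someone later runs a2dismod headers; check the live response with curl -I after every restart.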
APACHE DIRECTORY INDEXING:
By default, apache2 enables directory indexing, allowing anyone to view a listing of all the files contained in a directory that has no index page. We want to prevent this, as it hands an attacker reconnaissance information. Disabling the autoindex module turns listings off server-wide; if one site legitimately needs them, leave the module enabled and use Options -Indexes in the directories that must not be listed.
#> sudo a2dismod autoindex
#> sudo service apache2 restart
MYSQL SECURE INSTALLATION:
If you have already installed MySQL and have not yet run its secure installation script, we are going to do that here. Use caution if a live website or application is already using MySQL: the script sets the root password, removes anonymous users and the test database and disables remote root login, any of which may interfere with an application that depends on them.
#> sudo mysql_secure_installation
I am not going to tell you how to answer the prompts here as this may vary depending on your application, but the wizard is very straight forward and easy to understand so you should not have trouble running it.
HARDENING PHP:
PHP is a very common (and in this case essential to LAMP) scripting language used in many web applications, the ever-popular LAMP stack and its variants. In this section, we are going to add a few directives to the php.ini file to reduce the attack surface of PHP globally.
#> sudo nano /etc/php5/apache2/php.ini
That is the path on PHP 5; on current releases the file lives at /etc/php/VERSION/apache2/php.ini, and each SAPI (apache2, cli, fpm) has its own copy, so edit the one your web server loads. We want to add the following items to the file. It is a good idea to first search the file to ensure that these directives do not already exist, either configured or simply commented out. Directive names in php.ini are case-sensitive, so a miscased name such as Disable_functions is silently ignored; use the lowercase spellings below. register_globals and magic_quotes_gpc were removed in PHP 5.4 and track_errors in PHP 8.0, so on those versions the corresponding lines are harmless but have no effect.
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
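To check that these settings really are in effect after editing, here is an added example (mine, not from the original post) that audits a php.ini the way PHP reads it: ";" starts a comment, the last assignment of a directive wins, values may be quoted, booleans accept On/Off, 1/0, yes/no and true/false, and directive names are case-sensitive, so a miscased key is ignored exactly as PHP ignores it. Two checks go beyond the post's list and are this example's choice: log_errors = On, so errors still reach the log once display_errors is Off, and proc_open/popen in disable_functions, since they give the same shell access as exec.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes POSIX sh and awk.

# php_ini_get FILE KEY: the effective value of KEY, or empty if it is unset.
php_ini_get() {
    awk -v key="$2" '
        { sub(/;.*/, "") }                  # strip comments (";" never occurs in these values)
        /^[ \t]*\[/ { next }                # skip [PHP]-style section headers
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) val = v           # exact match: directive names are case-sensitive
        }
        END { print val }' "$1"
}

# php_bool VALUE: normalise PHP boolean spellings to 1 or 0.
php_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|on|yes|true) echo 1 ;;
        *) echo 0 ;;
    esac
}

# php_ini_audit FILE: one "ok"/"bad"/"unset" line per check; returns 0 only
# when everything passes, so it can gate a deployment.
php_ini_audit() {
    ini=$1 rc=0
    for pair in expose_php=Off display_errors=Off html_errors=Off log_errors=On; do
        key=${pair%%=*} want=${pair#*=}
        have=$(php_ini_get "$ini" "$key")
        if [ -z "$have" ]; then
            echo "unset $key (want $want)"; rc=1
        elif [ "$(php_bool "$have")" = "$(php_bool "$want")" ]; then
            echo "ok $key = $have"
        else
            echo "bad $key = $have (want $want)"; rc=1
        fi
    done
    # disable_functions is a comma-separated list: every entry below must be present.
    have=$(php_ini_get "$ini" disable_functions | tr -d ' \t')
    for fn in exec system shell_exec passthru proc_open popen; do
        case ",$have," in
            *",$fn,"*) echo "ok disable_functions contains $fn" ;;
            *) echo "bad disable_functions lacks $fn"; rc=1 ;;
        esac
    done
    return $rc
}

# On the server, against the copy the web server actually loads, e.g.:
#   php_ini_audit /etc/php/8.2/apache2/php.ini   # or /etc/php5/apache2/php.ini on PHP 5
```

Because the audit honours case-sensitivity and last-assignment-wins, it reproduces the two ways a hand edit typically fails silently: a directive typed as Display_Errors, and a correct line added above an existing one further down the file that overrides it.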
APACHE DOCUMENTATION ALIAS:
By default, when the apache2-doc package is installed, an alias points to the Apache documentation on the server. It is best to remove this to prevent version fingerprinting of the Apache server.
#> sudo rm /etc/apache2/conf.d/apache2-doc
#> sudo service apache2 restart
On Apache 2.4 the snippet is /etc/apache2/conf-available/apache2-doc.conf and is disabled with sudo a2disconf apache2-doc. Simpler still is to remove the apache2-doc package with apt-get, since nothing on a production server needs the manual.