SECURING AN UBUNTU/DEBIAN LAMP SERVER:

This post outlines the procedures that I use to secure a LAMP stack built on Ubuntu or Debian. All of the techniques outlined in this post are ones that I have gathered over the years through experience as well as through research and other Internet sites.

DISCLAIMER: I take no responsibility for any damage that may be caused to your system as a result of following any portion of this guide. As with anything that has a system wide effect, it is highly recommended that you backup your system prior to making any changes. Additionally, as with any web application, it is important to ensure that the file permissions are set correctly as well as that the code has been audited to ensure it is secure.

USE SUDO (DEBIAN ONLY; SUDO IS INSTALLED BY DEFAULT ON UBUNTU):
The root account should only be used when necessary. Day-to-day operation of the server (checking logs, for example) does not require root access most of the time. For this reason, we are going to use sudo to gain root privileges only when needed, create a user that will be used regularly instead of root, and disable root's ability to log in. Run the following as root on a fresh Debian install. Note the -a on usermod: without it, -G replaces the user's supplementary groups instead of adding to them.

#> apt-get install sudo
#> adduser USERNAME
#> usermod -aG sudo USERNAME

Before locking root, open a second session, log in as the new user (group membership is picked up at login, so it must be a fresh session) and confirm that sudo works; sudo -l lists what the user is allowed to run. Locking root with a broken sudo setup leaves you with no way to administer the server. Once that works, lock root's password:

#> sudo passwd -l root

On Ubuntu root's password is already locked. Locking the password only stops password logins as root; key-based root logins over SSH are stopped by PermitRootLogin in the next section. From now on, log in as the user you created and precede any command that needs root with the word sudo; you will be prompted for your own password, not root's. If you need a root shell for several commands in a row, sudo -i (or sudo su) gives you one until you type exit.

LOCKING DOWN SSH:
Since most Linux based servers have no GUI, typically management of the server occurs over the SSH protocol. Below are some guidelines to help lock down this service and make it more difficult for attackers to use this as an attack vector.

#> sudo nano /etc/ssh/sshd_config

Change the following values to meet the needs of your environment (sshd keywords are case-insensitive, but these are the spellings used in the stock file):

Port 2022 (or some other port number above 1024)
PermitRootLogin no
DebianBanner no

Moving the port is not a security boundary (a port scan finds it in seconds), but it removes most of the automated brute-force noise from the logs. PermitRootLogin no is the change that matters: locking root's password does not stop key-based root logins, this does. DebianBanner no drops the distribution suffix from the version string that sshd announces; it is a Debian/Ubuntu-specific option.

Before restarting, make sure the new port is allowed through any firewall (see the next section; a firewall that only allows port 22 will lock you out), and check the file for typos with sshd -t, which prints nothing when the configuration is valid. Then restart the ssh daemon while keeping your current session open, and test a second login on the new port before closing it:

#> sudo service ssh restart

From this point on, when logging into your server, you will need to connect using port 2022 (ssh -p 2022 USERNAME@server).

INSTALLING/ENABLING A FIREWALL:
Though your hosting provider may provide a firewall that you are able to configure, I still like to set up a firewall within the OS for further security. On Ubuntu, ufw is already installed but inactive; on Debian we install it first. Ubuntu users skip the install line.

#> sudo apt-get install ufw
#> sudo ufw allow http
#> sudo ufw allow https
#> sudo ufw allow 2022/tcp (or whatever alternative port you chose for ssh)
#> sudo ufw enable

Order matters: add the ssh rule before ufw enable, because enabling ufw sets the default policy to deny all incoming connections, and an established SSH session does not protect you from locking out the next one. This covers the basic services; ufw status verbose shows the active rule set, and any other ports you need are added the same way. Read the man/info page for further details.
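As an added example (my own script, not part of the original post), here are the SSH changes above and the firewall rule from this section applied in the order that avoids a lockout: the sshd_config directives are rewritten in place (the commented-out stock lines included, so the file does not end up with both), the new port is opened in ufw, the configuration is validated with sshd -t, and only then is the daemon restarted. It assumes the Debian/Ubuntu paths and ufw used on this page; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: apply the sshd_config hardening
# above in a lockout-safe order. Assumes Debian/Ubuntu paths and ufw.

# set_sshd_option FILE KEY VALUE
# Rewrites the first line that sets KEY (a commented-out "#Key value" stock line
# counts), drops any later duplicates and appends the directive if it was not
# present at all. KEY must use the spelling found in the stock file
# (Port, PermitRootLogin, ...).
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)               # strip indent and a leading #
            if (line == key || index(line, key " ") == 1 || index(line, key "\t") == 1) {
                if (!done) { print key, val; done = 1 }     # first match: rewrite it
                next                                        # later matches: drop
            }
            print
        }
        END { if (!done) print key, val }                   # not present: append
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"                                    # cat keeps owner/mode of FILE
    rm -f "$tmp"
}

# apply_ssh_hardening PORT   (run as root)
apply_ssh_hardening() {
    port=$1
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" DebianBanner no
    ufw allow "$port/tcp"                  # open the new port BEFORE restarting sshd
    if ! sshd -t -f "$cfg"; then           # -t: test mode, silent when the file is valid
        echo "sshd_config failed validation; sshd not restarted, fix $cfg first" >&2
        return 1
    fi
    service ssh restart
    echo "sshd restarted on port $port; test a NEW login with 'ssh -p $port user@host' before closing this session"
}

# Usage: sh harden_ssh.sh apply 2022
if [ "${1:-}" = apply ]; then
    apply_ssh_hardening "${2:-2022}"
fi
```

The awk rewrite is deliberately conservative: it touches only lines whose first word (after any leading "#") is the key, leaves every other line byte-for-byte intact, and writes through cat rather than mv so that the ownership and mode of sshd_config are preserved.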

SECURING SHARED MEMORY:
/dev/shm is a world-writable tmpfs, which makes it a convenient place for an attacker who has compromised a running daemon such as httpd or mysql to drop and run a payload. Here we mount it so that nothing on it can be executed, no setuid bit is honoured and no device nodes are usable.

#> sudo nano /etc/fstab

Add the following line to the file. It takes effect at the next reboot, which you can perform now or later; alternatively apply the same options immediately with mount -o remount on /dev/shm. On systemd-based releases /dev/shm is already mounted before fstab is read and the options from this line are applied to it by a remount during boot, so check afterwards (findmnt /dev/shm) that noexec, nosuid and nodev are actually in effect.

tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0
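As an added example (not from the original post), here is the check I run after the fstab change, since the reboot or remount is easy to forget: it reads the live mount table and reports which of the three restrictions are not in effect on /dev/shm. It reads /proc/mounts by default; the function names and the mount-table path parameter are mine.

```sh
#!/bin/sh
# Added example, not from the original post: verify the /dev/shm mount options.

# shm_missing_options [MOUNTS_FILE]
# Prints each of noexec/nosuid/nodev that is NOT in effect on /dev/shm, one per
# line; prints nothing when all three are set and "not-mounted" if /dev/shm is
# absent from the table. MOUNTS_FILE defaults to /proc/mounts.
shm_missing_options() {
    mounts=${1:-/proc/mounts}
    # Column 4 of /proc/mounts is the comma-separated option list; if /dev/shm
    # appears more than once (stacked mounts) the last entry is the live one.
    opts=$(awk '$2 == "/dev/shm" { print $4 }' "$mounts" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 0
    fi
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;                # present
            *) echo "$want" ;;             # missing
        esac
    done
}

# fix_shm_mount: apply the options now instead of waiting for the reboot (run as root).
fix_shm_mount() {
    mount -o remount,noexec,nosuid,nodev /dev/shm
}

# Usage: sh check_shm.sh            -> lists missing options (empty output = all good)
#        sh check_shm.sh fix        -> remounts with the options, then re-checks
if [ "${1:-}" = fix ]; then
    fix_shm_mount
fi
[ -n "${1:-}" ] && shm_missing_options
true
```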

APACHE DEFAULT PAGES:
Apache ships a few default resources that help an attacker fingerprint the Apache version or the OS. The alias module maps /icons/ to /usr/share/apache2/icons (the icon set used by directory listings), and that directory is open to everyone by default. We will close it here.

#> sudo nano /etc/apache2/mods-available/alias.conf

Inside the <Directory "/usr/share/apache2/icons"> block, find the line that grants access and deny it instead. On Apache 2.4 (any current Debian or Ubuntu release) the line reads "Require all granted"; change it to:

Require all denied

On Apache 2.2 the equivalent line reads "Allow from all", which becomes:

Deny from all

Reload Apache afterwards. The stock /var/www/html/index.html is the other giveaway: its title names the distribution outright, so replace it with your own content.

HARDEN THE NETWORKING WITH SYSCTL SETTINGS:
In this section, we are going to add some kernel network settings to sysctl. Every key below exists on a stock Debian or Ubuntu kernel. If sysctl -p reports "No such file or directory" for one of them, it is almost always a net.ipv6.* key on a system with IPv6 disabled; sysctl still applies the remaining lines, so simply remove the key it complained about. I am not going to go into great detail on what each of these settings does:

#> sudo nano /etc/sysctl.conf

Add the following parameters.

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Do not send ICMP redirects (this host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Mitigate SYN floods
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore all ICMP echo requests (this also breaks ping-based monitoring of the server)
net.ipv4.icmp_echo_ignore_all = 1

Once you have added the above parameters to the sysctl.conf file, load them into the running kernel with the following command (the file is also read at every boot):

#> sudo sysctl -p
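As an added example (not from the original post), here is how to find out which of the keys above exist on a given kernel before applying them, rather than commenting out lines that might not work. A sysctl key exists exactly when the file /proc/sys/<key with dots as slashes> exists, so the script parses a sysctl.conf-style file, reports each setting as present or missing, and writes only the present ones into a sysctl.d drop-in. The drop-in name, the function names and the optional root-directory parameter (used for testing against a fake /proc/sys tree) are mine.

```sh
#!/bin/sh
# Added example, not from the original post: check which sysctl keys exist
# before applying a hardening file. Function names are my own.

# sysctl_key_exists KEY [ROOT]
# True iff ROOT/<key with "." replaced by "/"> is a file. ROOT defaults to /proc/sys.
sysctl_key_exists() {
    [ -f "${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)" ]
}

# classify_sysctl_conf CONF [ROOT]
# For every "key = value" line in CONF print "ok KEY=VALUE" or "missing KEY".
classify_sysctl_conf() {
    conf=$1 root=${2:-/proc/sys}
    # Strip comments and blank lines, normalise "key = value" to "key=value".
    sed -e 's/#.*//' \
        -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' "$conf" |
    while IFS='=' read -r key value; do
        if sysctl_key_exists "$key" "$root"; then
            printf 'ok %s=%s\n' "$key" "$value"
        else
            printf 'missing %s\n' "$key"
        fi
    done
}

# apply_sysctl_conf CONF   (run as root)
# Write the keys that exist on this kernel into a sysctl.d drop-in and load it;
# missing keys are reported on stderr instead of making sysctl -p complain.
apply_sysctl_conf() {
    out=/etc/sysctl.d/60-lamp-hardening.conf
    classify_sysctl_conf "$1" |
        awk '$1 == "ok"      { print $2 }
             $1 == "missing" { print "skipping " $2 " (not present on this kernel)" > "/dev/stderr" }' > "$out"
    sysctl -p "$out"
}

# Usage: sh check_sysctl.sh check /etc/sysctl.conf   -> report ok/missing per key
#        sh check_sysctl.sh apply /etc/sysctl.conf   -> write drop-in and load it
case "${1:-}" in
    check) classify_sysctl_conf "${2:-/etc/sysctl.conf}" ;;
    apply) apply_sysctl_conf "${2:-/etc/sysctl.conf}" ;;
esac
```

Using a drop-in under /etc/sysctl.d keeps the hardening separate from the distribution's own sysctl.conf, and sysctl -p on that one file shows immediately whether the kernel accepted every value.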

PREVENT SPOOFING:
In this section, we are going to add a resolver option to help prevent hostname spoofing. The file is /etc/host.conf (no "s"), and the option only affects the C library resolver: after resolving a name to an address it resolves the address back to a name and fails the lookup if the two do not agree. It does nothing against forged source IP addresses at the network layer; the kernel-level control for that is reverse-path filtering (net.ipv4.conf.all.rp_filter in sysctl).

#> sudo nano /etc/host.conf

Add the following line to the configuration file.

nospoof on

APACHE BANNERS:
In this section, we will add a few directives to the Apache configuration to make fingerprinting the server harder and to turn off the TRACE method, which is what cross-site tracing (XST) attacks use to read cookies and authentication headers from a script. On Apache 2.4 Debian/Ubuntu installs, ServerTokens, ServerSignature and TraceEnable already live in /etc/apache2/conf-available/security.conf, and that file is included near the end of apache2.conf, so set the values there: a copy placed higher up in apache2.conf is overridden by it. Search the file first to prevent duplicates and errors.

#> sudo nano /etc/apache2/conf-available/security.conf

Set (or add) the following lines:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None

ServerTokens Prod reduces the Server header to just "Apache" (the default, OS, also names the distribution), ServerSignature Off removes the version and hostname footer from error and index pages, and FileETag None stops ETags from being built from the file's inode number, size and modification time. Save the file, check the syntax with apache2ctl configtest, and restart Apache.

#> sudo service apache2 restart

APACHE DIRECTORY INDEXING:
By default, apache2 enables directory indexing, so any directory without an index file shows a listing of all of its files to anyone. We want to prevent this as it hands an attacker reconnaissance information (backup copies, configuration files, upload directories). Disabling the autoindex module turns listings off server-wide; the per-directory alternative is "Options -Indexes" in the relevant <Directory> block.

#> sudo a2dismod autoindex
#> sudo service apache2 restart

SECURING MYSQL:
If you have already installed MySQL and have not run the secure installation script already, we are going to do that here. Please use caution running this script if you have a live website/application already using MySQL as this may interfere.

#> sudo mysql_secure_installation

I am not going to tell you how to answer the prompts here as this may vary depending on your application, but the wizard is very straight forward and easy to understand so you should not have trouble running it.

HARDENING PHP:
PHP is a very common (and in this case essential to LAMP) scripting language used in many web applications. In this section, we are going to set a few directives in php.ini to reduce the attack surface of PHP globally. The path below is for PHP 5; on PHP 7 and later the file is /etc/php/<version>/apache2/php.ini, and the Apache module and the command-line php use different php.ini files (php --ini shows which one the CLI loads, phpinfo() shows the one Apache loads).

#> sudo nano /etc/php5/apache2/php.ini

Search the file first: most of these directives already exist, either set or commented out. Directive names in php.ini are case sensitive, so a misspelling such as "Disable_functions" is silently ignored.

disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off

disable_functions can only be set in php.ini, not from a script, which is what makes it effective against injected code; add proc_open, popen and escapeshellcmd if your application does not need them. expose_php = Off removes the X-Powered-By header. display_errors = Off keeps stack traces and file paths out of responses; keep log_errors = On so that errors still reach the Apache error log. register_globals and magic_quotes_gpc were removed in PHP 5.4 and track_errors in PHP 8.0; leaving them in the file on those versions is harmless, but they no longer do anything.
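As an added example (not from the original post), here is a small check that shows what the Apache default page, banner, TRACE and directory indexing changes and the expose_php setting above actually achieve, by auditing a raw HTTP response for each leak. audit_http_response reads one response (status line, headers, blank line, body) on stdin and prints one finding per line; audit_url fetches a URL with curl, once with GET and once with TRACE, and runs both through it. The two sample responses are constructed by me to look like an unhardened default install and the same server after the changes; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: audit an HTTP response for the
# fingerprinting leaks the Apache and PHP sections remove. Function names and
# the sample responses are my own.

# header_value HEADERS NAME: value of the first header called NAME (case-insensitive)
header_value() {
    printf '%s\n' "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# audit_http_response: read one raw response on stdin, print one finding per line.
# Prints nothing when none of the checks fire.
audit_http_response() {
    resp=$(tr -d '\r')                                   # CRLF -> LF
    headers=$(printf '%s\n' "$resp" | sed '/^$/q')       # up to the first blank line
    body=$(printf '%s\n' "$resp" | sed '1,/^$/d')        # everything after it

    server=$(header_value "$headers" Server)
    case "$server" in
        ''|Apache) ;;                                    # ServerTokens Prod leaves exactly "Apache"
        *) echo "Server header leaks version/OS (set ServerTokens Prod): $server" ;;
    esac

    powered=$(header_value "$headers" X-Powered-By)
    if [ -n "$powered" ]; then
        echo "X-Powered-By header present (set expose_php = Off): $powered"
    fi

    etag=$(header_value "$headers" ETag)
    case "$etag" in
        *-*) echo "ETag in Apache's hyphenated hex-field format (set FileETag None): $etag" ;;
    esac

    # A server with TRACE enabled echoes the request line back as the body.
    case "$body" in
        TRACE\ *) echo "TRACE method is enabled (set TraceEnable Off)" ;;
    esac

    case "$body" in
        *'<title>Index of '*) echo "Directory listing is enabled (a2dismod autoindex or Options -Indexes)" ;;
    esac

    # ServerSignature On appends an <address> footer naming version, OS and host.
    case "$body" in
        *'<address>'*) echo "ServerSignature footer present (set ServerSignature Off)" ;;
    esac

    case "$body" in
        *'Apache2 Ubuntu Default Page'*|*'Apache2 Debian Default Page'*)
            echo "Stock distribution index page is still served" ;;
    esac
    return 0
}

# audit_url URL: fetch with GET and with TRACE and audit both responses.
audit_url() {
    curl -s -i --max-time 10 "$1" | audit_http_response
    curl -s -i --max-time 10 -X TRACE "$1" | audit_http_response
}

# Constructed sample: what an unhardened default install tends to return for /icons/
SAMPLE_LEAKY='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
ETag: "2d-5f1c0a7b3c2e0"
Content-Type: text/html

<html><head><title>Index of /icons</title></head><body>
<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>
</body></html>'

# Constructed sample: the same request after the changes in this post.
SAMPLE_HARDENED='HTTP/1.1 403 Forbidden
Server: Apache
Content-Type: text/html

<html><body><h1>Forbidden</h1></body></html>'

# Usage: sh audit_http.sh http://www.example.com/   (live)
#        sh audit_http.sh                           (audit the constructed samples)
if [ -n "${1:-}" ]; then
    audit_url "$1"
else
    printf '%s\n' "$SAMPLE_LEAKY" | audit_http_response
    printf '%s\n' "$SAMPLE_HARDENED" | audit_http_response
fi
```

Run it against the server from outside after each change; the leaky sample produces five findings and the hardened one none, which is the target state for every URL on the site, including 404 and 403 error pages.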

REMOVE APACHE-DOC:
The apache2-doc package installs the Apache manual under the /manual/ alias, and the manual states the exact Apache version, so it is best to remove it to prevent version fingerprinting. On Apache 2.2 the alias lived in /etc/apache2/conf.d/apache2-doc; on 2.4 it is /etc/apache2/conf-available/apache2-doc.conf and can be disabled with a2disconf. Removing the package takes the alias away on either version and keeps it from coming back on upgrade.

#> sudo apt-get remove apache2-doc

Restart Apache

#> sudo service apache2 restart
