Ubuntu/Debian | LAMP Security
This post outlines the procedures that I use to secure a LAMP stack built on Ubuntu or Debian. All of the techniques outlined in this post are ones that I have gathered over the years through experience as well as through research and other Internet sites.
DISCLAIMER: I take no responsibility for any damage that may be caused to your system as a result of following any portion of this guide. As with anything that has a system wide effect, it is highly recommended that you backup your system prior to making any changes. Additionally, as with any web application, it is important to ensure that the file permissions are set correctly as well as that the code has been audited to ensure it is secure.
Use sudo (Debian only; sudo is installed and configured by default on Ubuntu):
The root account should only be used when it is actually needed. Day-to-day operation of the server, such as checking logs, mostly does not require root at all. For this reason we will use sudo to obtain root privileges only for the commands that need them, create a regular user to log in as instead of root, and (in the SSH section below) disable root's ability to log in remotely.
# Install sudo and add a privileged user (run as root; sudo is not installed yet)
$ apt-get install sudo
$ adduser jason
$ usermod -aG sudo jason
From now on, log in to the server as the user you just created and manage it from that account. Whenever a command needs root access, prefix it with sudo; you will be prompted for your own password, not root's. If you need to stay root for a series of commands, sudo su opens a root shell that lasts until you type exit.
Basic SSH lockdown:
Since most Linux servers have no GUI, they are managed over SSH, which makes sshd the service attackers probe first. The settings below are the basics that make it a less attractive target; sshd has many more options than these.
# Change the port, disable root login, remove the Debian version banner and
# disable password authentication.
$ sudo nano /etc/ssh/sshd_config
Port 2022
PermitRootLogin no
PasswordAuthentication no
DebianBanner no
# Restart the SSH daemon
$ sudo service ssh restart
From this point on you will need to connect on port 2022. Two cautions before you restart sshd. First, PasswordAuthentication no means only key-based logins are accepted, so the public key for your sudo user must already be in that user's ~/.ssh/authorized_keys, and you should keep the current session open while you confirm that a fresh login on port 2022 works. Second, if a firewall is already active (the next section sets one up), open 2022/tcp in it before restarting. Note also that moving the port only reduces noise from scanners and is not access control, and that DebianBanner no only removes the Debian package suffix: the OpenSSH version itself is still announced, as the protocol requires.
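As an added example, not part of the original post, here is a small script that applies the four sshd settings above in a way that can be re-run safely, installs the login key first, and refuses to restart sshd if the result does not parse. It assumes the sudo user is jason and that his public key is in a hypothetical file ./jason.pub; everything else is the standard Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd lockdown without
# locking yourself out.  Assumptions: sudo user "jason", public key in ./jason.pub
# (both hypothetical).  Run as root:  sh ssh-lockdown.sh --apply
set -e

# set_sshd_directive FILE KEY VALUE
# Remove every existing line for KEY (live or commented out) and put "KEY VALUE"
# at the top of FILE.  sshd honours the first occurrence of a keyword, and a
# directive placed after a "Match" block applies only inside that block, so
# "delete all, insert at top" is the edit that is both idempotent and safe.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    sed -Ei "/^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)/Id" "$file"
    if [ -s "$file" ]; then
        sed -i "1i ${key} ${value}" "$file"
    else
        printf '%s %s\n' "$key" "$value" > "$file"
    fi
}

# harden_sshd [FILE]: the four settings from the post
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_sshd_directive "$cfg" Port 2022
    set_sshd_directive "$cfg" PermitRootLogin no
    set_sshd_directive "$cfg" PasswordAuthentication no
    set_sshd_directive "$cfg" DebianBanner no
}

# install_key USER PUBKEYFILE: key login must work BEFORE passwords are disabled
install_key() {
    user=$1; pub=$2
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    install -d -m 700 -o "$user" -g "$user" "$home/.ssh"
    cat "$pub" >> "$home/.ssh/authorized_keys"
    chown "$user:$user" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

apply() {
    install_key jason ./jason.pub                      # hypothetical user and key file
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak   # so a mistake is reversible
    harden_sshd /etc/ssh/sshd_config
    sshd -t                                            # non-zero aborts (set -e): never restart a broken config
    # if ufw is already active, open the new port before the old one stops answering
    if command -v ufw >/dev/null 2>&1 && ufw status | grep -q '^Status: active'; then
        ufw allow 2022/tcp
    fi
    service ssh restart
    echo "keep this session open; test 'ssh -p 2022 jason@<host>' from another terminal first"
}

case ${1:-} in --apply) apply ;; esac
```

Run it as root with --apply; without arguments it only defines the functions. Keep your existing session open and confirm a fresh login on port 2022 from another terminal before you log out.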
Basic firewall configuration:
Though your hosting provider may offer a firewall you can configure, I still like to set up a firewall within the OS for further security. On Ubuntu the ufw firewall front end is already installed (but not enabled); on Debian we install ufw first and then configure it. Ubuntu users can skip the install step.
# Install and configure ufw for firewall management (install step is Debian only)
$ sudo apt-get install ufw
$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw allow 2022/tcp
$ sudo ufw enable
This opens the basic services. ufw's default policy denies incoming and allows outgoing connections, so only the ports listed above are reachable from outside. Note the order: the SSH port is allowed before ufw enable, because enabling the firewall first would drop your session. Add any other ports your application needs the same way, and read the man page for further details.
Securing shared memory:
The /dev/shm shared-memory area is a world-writable tmpfs that is mounted executable by default, so an attacker who gains code execution inside a daemon such as httpd or mysqld can stage and run tools from it. Mounting it with noexec and nosuid takes that away. The fstab entry only takes effect when the filesystem is next mounted, so this requires a reboot (or an explicit remount), which you can perform now or later; just make sure it is done and verified.
# Secure /dev/shm against attack: add this line to /etc/fstab
$ sudo nano /etc/fstab
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
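Because the fstab line only applies at the next mount, it is worth checking the live mount options rather than assuming. The following is an added example, not from the original post; it reads the options with findmnt (assumed present, it is part of util-linux on Debian and Ubuntu) and can also remount /dev/shm in place so the protection is active before the reboot.

```shell
#!/bin/sh
# Added example, not part of the original post.  The fstab line only applies at
# the next mount, so this checks the live options of /dev/shm and can remount it
# in place.  Assumes findmnt from util-linux (standard on Debian/Ubuntu).
set -e

# shm_opts_ok OPTIONS -> succeeds only if the comma-separated mount option list
# (the form "findmnt -no OPTIONS /dev/shm" prints) contains noexec AND nosuid.
# nodev is also worth adding to the fstab line; it is not required here.
shm_opts_ok() {
    case ",$1," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$1," in *,nosuid,*) ;; *) return 1 ;; esac
    return 0
}

# check_shm: report the live state; fails if /dev/shm is not hardened
check_shm() {
    opts=$(findmnt -no OPTIONS /dev/shm) || { echo "/dev/shm is not a mount point"; return 1; }
    if shm_opts_ok "$opts"; then
        echo "/dev/shm ok: $opts"
    else
        echo "/dev/shm NOT hardened: $opts"; return 1
    fi
}

# remount_shm: apply noexec,nosuid now (run as root); fstab keeps it across reboots
remount_shm() {
    mount -o remount,noexec,nosuid /dev/shm
}

case ${1:-} in
    --check) check_shm ;;
    --fix)   remount_shm && check_shm ;;
esac
```

Run it with --check after the reboot (or with --fix as root to apply the options immediately); a non-zero exit means the fstab line has not taken effect.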
Disable apache default pages:
Apache ships with default aliases and pages (the /icons/ directory used by directory listings, for example) whose presence and contents help an attacker fingerprint the Apache version or the OS. Here we block access to that content.
# Block the /icons/ alias (note the path is /etc/apache2, not /etc/apache)
$ sudo nano /etc/apache2/mods-available/alias.conf
# Inside the <Directory "/usr/share/apache2/icons"> block, replace "Allow from all" with
Deny from all
# On Apache 2.4 (Debian 8 / Ubuntu 14.04 and later) the equivalent of that line is
Require all denied
# Restart the Apache daemon
$ sudo service apache2 restart
Basic network stack hardening:
In this section, we define some sysctl settings for the network stack that control which kinds of traffic the kernel accepts or sends. Some of the options below may not suit your environment and need testing: in particular, icmp_echo_ignore_all makes the host stop answering ping, which breaks any monitoring or provider health check that relies on it, so leave that one out if you need ping to work.
$ sudo vi /etc/sysctl.conf
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# net.ipv4.conf.default.accept_source_route = 0
# net.ipv6.conf.default.accept_source_route = 0
# Do not send ICMP redirects (this host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Mitigate SYN floods
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore directed pings (the host will no longer answer ping at all)
net.ipv4.icmp_echo_ignore_all = 1
# Reload the sysctl configuration
$ sudo sysctl -p
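sysctl -p loads the file but says nothing about whether a later boot, a drop-in under /etc/sysctl.d, or a typo left a different value in the kernel. The following is an added example, not part of the original post: it parses a sysctl.conf-style file and compares each entry with the running value under /proc/sys. The optional second argument is the root of the sysctl tree; it exists only so the function can be exercised against a constructed tree, and on a real host it is left at the default.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that every setting in a
# sysctl file is what the running kernel actually uses.
# Usage on a host:  sh sysctl-check.sh /etc/sysctl.conf
set -e

# check_sysctl CONF [ROOT]
# Prints one line per entry whose running value differs (or that does not exist
# on this kernel) and succeeds only if there are none.  ROOT defaults to
# /proc/sys; the parameter is there so the function can be tested on a fake tree.
check_sysctl() {
    conf=$1; root=${2:-/proc/sys}; bad=0
    cleaned=$(mktemp)
    # drop '#' and ';' comments (both are legal in sysctl.conf) and blank lines
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$conf" > "$cleaned"
    while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        key=${key#-}          # a leading '-' means "ignore errors" in sysctl.conf
        value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$key" ] || continue
        # sysctl names map onto /proc/sys with dots as directory separators
        # (keys that contain '/', such as interface names with dots, are not handled)
        node="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$node" ]; then
            printf 'MISSING  %s (no such sysctl under %s)\n' "$key" "$root"
            bad=$((bad + 1)); continue
        fi
        actual=$(cat "$node")
        # multi-value sysctls are tab-separated in /proc; they will show as a
        # mismatch if the file writes them with spaces
        if [ "$actual" != "$value" ]; then
            printf 'MISMATCH %s: configured=%s running=%s\n' "$key" "$value" "$actual"
            bad=$((bad + 1))
        fi
    done < "$cleaned"
    rm -f "$cleaned"
    [ "$bad" -eq 0 ]
}

case ${1:-} in
    '') ;;                                         # sourced or no arguments: define only
    *)  check_sysctl "$1" "${2:-/proc/sys}" ;;
esac
```

Run it after the reboot as well as right after sysctl -p: a MISSING line for an ipv6 key, for example, usually means IPv6 is disabled on the host, and a MISMATCH means something later in the boot (often a file in /etc/sysctl.d) overrode your value.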
Help prevent spoofing:
In this section, we enable the nospoof option in /etc/host.conf (note: host.conf, not hosts.conf). It makes the resolver library cross-check each address-to-hostname lookup with a forward lookup and fail the query when the two disagree, which hardens anything that trusts hostnames, such as host-based access lists. It does nothing against forged source addresses at the IP layer; that is the job of the kernel's reverse-path filter (net.ipv4.conf.all.rp_filter).
# Enable the resolver's spoof check in /etc/host.conf
$ sudo nano /etc/host.conf
nospoof on
Disable banners and signatures:
In this section, we edit the main Apache configuration file to add a few directives that make fingerprinting the server harder and disable the TRACE method, which is used in cross-site tracing (XST) attacks to read cookies and credentials through a script that can issue TRACE requests. FileETag None also stops the file's inode number leaking through the ETag header. On Debian and Ubuntu, ServerTokens and ServerSignature are already set in the security configuration (/etc/apache2/conf.d/security on Apache 2.2, /etc/apache2/conf-available/security.conf on 2.4), so search for each directive before adding it, to prevent duplicates and errors. Note that ServerTokens Prod still reveals that the server is Apache, just not the version.
# Disable banners and server signatures
$ sudo nano /etc/apache2/apache2.conf
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None
# Restart the Apache daemon
$ sudo service apache2 restart
Disable apache directory indexing:
By default, apache2 enables directory indexing, so anyone can view a listing of every file in a directory that has no index page. We want to prevent this, since it hands an attacker reconnaissance information (file names, backups and configuration left in the web root).
# Disable the Apache autoindex module
$ sudo a2dismod autoindex
# Restart the Apache daemon
$ sudo service apache2 restart
Basic MySQL Security:
If you have installed MySQL and have not yet run its secure-installation script, do that now. It sets a root password, removes the anonymous accounts, disallows remote root login and drops the test database. Use caution if a live website or application is already using MySQL: removing an account or database that it still relies on will break it.
# Run the MySQL built-in security script (follow the prompts as desired)
$ sudo mysql_secure_installation
I am not going to tell you how to answer the prompts here as this may vary depending on your application, but the wizard is very straight forward and easy to understand so you should not have trouble running it.
Basic PHP hardening:
PHP is a very common scripting language (and the P in LAMP, so essential here) used by many web applications. In this section we add a few directives to php.ini to reduce PHP's attack surface globally. Directive names are case-sensitive, so disable_functions must be written in lowercase. Two of the directives below, register_globals and magic_quotes_gpc, were removed in PHP 5.4; on a current interpreter those lines are harmless but inert. With display_errors off, errors go to the PHP error log instead of the page, so keep an eye on that log.
# Edit the main PHP configuration file (PHP 5 path; with PHP 7 and later it is
# /etc/php/<version>/apache2/php.ini)
$ sudo nano /etc/php5/apache2/php.ini
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
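As an added example, not from the original post, the following script audits a php.ini for the settings above: it reads each directive the way PHP does (comments stripped, last assignment wins, quotes removed), checks that every function listed is in disable_functions regardless of order, and flags the directives that no longer exist in current PHP. The php.ini path is an assumption (PHP 5 layout; PHP 7 and later use /etc/php/<version>/apache2/php.ini).

```shell
#!/bin/sh
# Added example, not part of the original post: audit a php.ini against the
# hardening directives.  Usage:  sh php-audit.sh /etc/php5/apache2/php.ini
# (path is an assumption; adjust for your PHP version)
set -e

# ini_get FILE KEY -> the effective value of KEY: ';' comments stripped, the last
# uncommented assignment wins (as in PHP), surrounding double quotes removed.
# Prints nothing when KEY is not set.  Directive names are case-sensitive.
ini_get() {
    sed -n -e 's/[[:space:]]*;.*//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# php_ini_audit FILE -> one FAIL line per problem, NOTE lines for inert
# directives; succeeds only when there are no FAIL lines
php_ini_audit() {
    ini=$1; bad=0
    for pair in expose_php=Off display_errors=Off html_errors=Off; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(ini_get "$ini" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s = %s (want %s)\n' "$key" "${got:-<unset>}" "$want"
            bad=$((bad + 1))
        fi
    done
    # every listed function must appear in disable_functions, in any order
    disabled=",$(ini_get "$ini" disable_functions | tr -d '[:space:]'),"
    for fn in exec system shell_exec passthru; do
        case $disabled in
            *,"$fn",*) ;;
            *) printf 'FAIL disable_functions is missing %s\n' "$fn"; bad=$((bad + 1)) ;;
        esac
    done
    # register_globals and magic_quotes_gpc were removed in PHP 5.4, track_errors
    # in PHP 8.0: a line setting them is inert on a current interpreter
    for key in register_globals magic_quotes_gpc track_errors; do
        got=$(ini_get "$ini" "$key")
        [ -z "$got" ] || printf 'NOTE %s = %s is set but the directive no longer exists in current PHP\n' "$key" "$got"
    done
    [ "$bad" -eq 0 ]
}

case ${1:-} in
    '') ;;                          # sourced or no arguments: define only
    *)  php_ini_audit "$1" ;;
esac
```

On a host with PHP installed you can also confirm that disable_functions is live with php -c /etc/php5/apache2/php.ini -r 'exec("id");', which prints a warning that exec() has been disabled instead of running the command; the -c is needed because the command-line interpreter otherwise reads its own php.ini, not Apache's.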
Remove Apache Docs:
By default, if the apache2-doc package is installed, an alias points to the Apache documentation on the server. It is best to remove it to prevent version fingerprinting of the Apache server.
# Remove the Apache docs alias (Apache 2.2 layout)
$ sudo rm /etc/apache2/conf.d/apache2-doc
# On Apache 2.4 disable it instead (or remove the apache2-doc package altogether)
$ sudo a2disconf apache2-doc
# Restart the Apache daemon
$ sudo service apache2 restart
That's about it. I now have a basic hardened LAMP server, ready to host sites. Keep in mind that whatever CMS or other application you install will likely have additional package requirements that may introduce other potential vulnerabilities. Take the time to harden those packages and the web applications themselves (WordPress, for example) so that the work above is not in vain. Always implement a 'defense in depth' strategy when deploying and maintaining any server or application; the keyword here is 'maintaining'. Security is not 'set it and forget it'. Come back and review your configurations periodically and watch for new vulnerabilities to defend against.