Ubuntu/Debian | LAMP Security
This post outlines the procedures that I use to secure a LAMP stack built on Ubuntu or Debian. All of the techniques outlined in this post are ones that I have gathered over the years through experience as well as through research and other Internet sites.
DISCLAIMER: I take no responsibility for any damage that may be caused to your system as a result of following any portion of this guide. As with anything that has a system-wide effect, it is highly recommended that you back up your system prior to making any changes. Additionally, as with any web application, it is important to ensure that the file permissions are set correctly and that the code has been audited to ensure it is secure.
Use sudo (Debian only; sudo is the default in Ubuntu):
The root account should only be used when necessary. Everyday operation of the server (such as checking logs) in most cases does not require root access at all times. For this reason, we are going to use sudo to gain root privileges only when necessary. We will also create a user that will be used regularly instead of root, and disable the root user's ability to log in.
# Install sudo and add a privileged user
root@localhost:/# apt-get install sudo
root@localhost:/# adduser jason
root@localhost:/# usermod -aG sudo jason
You will now use the user that you created above to log into the server and manage it. Any time that you need to make a change to the server that requires root access, precede the command(s) with the word sudo. Alternatively, you can keep a root shell open until you type exit by running sudo su. You will be prompted for your current user's password.
Basic SSH lockdown:
Since most Linux based servers typically have no GUI, management of the server occurs over the SSH protocol. Below are some guidelines to help lock down this service and make it more difficult for attackers to use it as an attack vector. There are a ton of options available; these are just the basics.
# Change port, disable root login, remove banner, disable password authentication.
# Make sure your SSH public key is already in ~/.ssh/authorized_keys for your user
# before setting PasswordAuthentication no, or you will lock yourself out.
jason@localhost:~/ sudo nano /etc/ssh/sshd_config
Port 2022
PermitRootLogin no
PasswordAuthentication no
DebianBanner no
# Restart the SSH daemon
jason@localhost:~/ sudo service ssh restart
From this point on, when logging into your server, you will need to connect using port 2022.
Basic firewall configuration:
Though your hosting provider may provide a firewall that you are able to configure, I still like to set up a firewall within the OS for further security. If you are working on Ubuntu, there is already a firewall configuration tool called ufw. If you are working on Debian, we will install ufw and configure it accordingly. Ubuntu users can skip the install step and go straight to the configuration.
# Install and configure UFW for firewall management
jason@localhost:~/ sudo apt-get install ufw
jason@localhost:~/ sudo ufw allow http
jason@localhost:~/ sudo ufw allow https
jason@localhost:~/ sudo ufw allow 2022/tcp
jason@localhost:~/ sudo ufw enable
This will configure the basic services. As you can see, ufw is very easy to configure. You can add any necessary ports. Read the man/info page for further details.
Securing shared memory:
Some areas of shared memory can be used as launch points for attacks against running daemons such as httpd or mysqld. Here we will secure the /dev/shm shared memory location. This will require a reboot, which you can perform now or later; just make sure that it is done.
# Secure /dev/shm against attack
jason@localhost:~/ sudo nano /etc/fstab
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
Disable apache default pages:
Apache has a number of default pages that can be viewed/detected that may assist an attacker in fingerprinting the version of Apache or the OS. We will disable this function here.
# Disable default pages
jason@localhost:~/ sudo nano /etc/apache2/mods-available/alias.conf
Deny from all
Basic network stack hardening:
In this section, we are going to define some rules to be applied to the sysctl settings with regard to the network protocols and what is allowed and denied. Some of the options below may not work in your environment and may require testing.
jason@localhost:~/ sudo vi /etc/sysctl.conf
# Ignore ICMP Broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# net.ipv4.conf.default.accept_source_route = 0
# net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore directed pings
net.ipv4.icmp_echo_ignore_all = 1
# Reload sysctl configuration
jason@localhost:~/ sudo sysctl -p
Help prevent spoofing:
In this section, we are going to add a configuration to help prevent spoofing attempts.
# Add 'no spoof' to hosts file
jason@localhost:~/ sudo nano /etc/host.conf
nospoof on
Disable banners and signatures:
In this section, we will edit the main Apache configuration file to add a few directives that make fingerprinting the server, as well as cross-site scripting (XSS) attacks, less likely to succeed. Some of these directives may already be in the file, so please search the file before adding each line to prevent duplicates and errors.
# Disable banners and server signatures
jason@localhost:~/ sudo nano /etc/apache2/apache2.conf
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None
# Restart apache daemon
jason@localhost:~/ sudo service apache2 restart
Disable apache directory indexing:
By default, apache2 enables directory indexing, allowing anyone to view an index of all of the files contained within a particular directory. We want to prevent this, as it may assist an attacker with reconnaissance.
# Disable apache indexing module
jason@localhost:~/ sudo a2dismod autoindex
# Restart apache daemon
jason@localhost:~/ sudo service apache2 restart
Basic MySQL Security:
If you have already installed MySQL and have not yet run the secure installation script, we are going to do that here. Please use caution running this script if you have a live website/application already using MySQL, as it may interfere with it.
# Run MySQL built-in security script (follow prompts as desired)
jason@localhost:~/ sudo mysql_secure_installation
I am not going to tell you how to answer the prompts here as this may vary depending on your application, but the wizard is very straightforward and easy to understand, so you should not have trouble running it.
Basic PHP hardening:
PHP is a very common (and in this case essential to LAMP) scripting language used in many web applications and the ever popular LAMP stack and its variants. In this section, we are going to add a few directives to the php.ini file to reduce the attack surface of PHP globally.
# Edit PHP main configuration file
jason@localhost:~/ sudo nano /etc/php5/apache2/php.ini
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
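The following is an added example, not code from the original post, that audits the SSH, sysctl, Apache and PHP directives set above by reading each config file and reporting whether the directive is actually in effect; the function names get_directive, check_directive and audit are my own, and the file paths are passed in as arguments. It also encodes a rule worth knowing when you check by hand: sshd honours the first occurrence of a keyword, while sysctl, php.ini and Apache take the last.

```shell
# Added audit helper (not from the original post): reports whether the
# directives this guide sets are actually in effect in a config file.
# Handles "Key value" files (sshd_config, apache2.conf) and "key = value"
# files (sysctl.conf, php.ini); keys match case-insensitively, and
# comment lines and trailing "#"/";" comments are ignored.

# get_directive FILE KEY [first|last]
# sshd honours the FIRST occurrence of a keyword; sysctl, php.ini and
# Apache take the LAST one, so the caller says which rule applies.
get_directive() {
    awk -v key="$2" -v mode="${3:-last}" '
        /^[ \t]*[#;]/ { next }
        {
            line = $0; sub(/[ \t]*[#;].*$/, "", line)
            if (!match(line, /^[ \t]*[A-Za-z0-9_.]+/)) next
            k = substr(line, RSTART, RLENGTH); sub(/^[ \t]+/, "", k)
            if (tolower(k) != tolower(key)) next
            if (mode == "first" && found) next
            v = substr(line, RSTART + RLENGTH)
            sub(/^[ \t]*=?[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            val = v; found = 1
        }
        END { print val }' "$1"
}

# check_directive FILE KEY WANTED [first|last]: prints PASS/FAIL, returns 1 on FAIL.
check_directive() {
    _got=$(get_directive "$1" "$2" "${4:-last}")
    if [ "$_got" = "$3" ]; then echo "PASS $1: $2 = $_got"; return 0; fi
    echo "FAIL $1: $2 = '${_got:-<unset>}' (wanted '$3')"; return 1
}

# audit SSHD_CONFIG SYSCTL_CONF APACHE2_CONF PHP_INI
# Runs a subset of the guide's checks; return status = number of failures.
audit() {
    _fail=0
    check_directive "$1" PermitRootLogin no first        || _fail=$((_fail+1))
    check_directive "$1" PasswordAuthentication no first || _fail=$((_fail+1))
    check_directive "$1" DebianBanner no first           || _fail=$((_fail+1))
    check_directive "$2" net.ipv4.tcp_syncookies 1       || _fail=$((_fail+1))
    check_directive "$2" net.ipv4.conf.all.accept_redirects 0 || _fail=$((_fail+1))
    check_directive "$3" ServerTokens Prod               || _fail=$((_fail+1))
    check_directive "$3" ServerSignature Off             || _fail=$((_fail+1))
    check_directive "$3" TraceEnable Off                 || _fail=$((_fail+1))
    check_directive "$4" expose_php Off                  || _fail=$((_fail+1))
    check_directive "$4" display_errors Off              || _fail=$((_fail+1))
    return "$_fail"
}
```

Run it as audit /etc/ssh/sshd_config /etc/sysctl.conf /etc/apache2/apache2.conf /etc/php5/apache2/php.ini; the exit status is the number of failed checks, so it drops straight into a cron job or deployment script.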
Remove Apache Docs:
By default, there is an alias that points to the Apache documentation on the server. It is best to remove this to prevent version fingerprinting of the Apache server.
# Remove apache docs
jason@localhost:~/ sudo rm /etc/apache2/conf.d/apache2-doc
# Restart apache daemon
jason@localhost:~/ sudo service apache2 restart
That's about it. I now have a very basic hardened LAMP server, ready to host sites. Keep in mind that whatever CMS or other application you are installing will also likely have additional package requirements that may introduce other potential vulnerabilities. It is important to also take the time to harden those packages as well as any web applications (such as WordPress) to ensure the work above is not in vain. Always implement a 'defense in depth' strategy when deploying and maintaining any server or application; the keyword here is 'maintaining'. Security is not 'set it and forget it'. Always come back and review your configurations periodically and be mindful of new vulnerabilities to defend against.