Best Security Tips for LAMP Stack. Many new system administrators forget to apply security hardening when configuring a web hosting environment for production use with Apache, MySQL, and PHP.
I am trying to include all the security tips that should be considered when preparing a new system for production use, or for hardening any existing LAMP setup.
All the configuration changes used in this article are applied in the following configuration files, depending on your operating system.
In some cases the configuration file paths may differ, so make the changes in the appropriate files.
After making changes, restart the related services for the changes to take effect.
For Ubuntu, Debian & LinuxMint:
Apache2: /etc/apache2/apache2.conf
PHP: /etc/php/[VERSION]/apache2/php.ini
MySQL: /etc/mysql/my.cnf or /etc/mysql/mysql.conf.d/mysqld.cnf
For CentOS, RedHat & Fedora:
Apache: /etc/httpd/conf/httpd.conf
PHP: /etc/php.ini
MySQL: /etc/my.cnf
1. Hiding Version and OS Identity (Apache)
The ServerTokens directive controls what the Server response header field sent back to clients includes.
The ServerSignature directive configures the footer on server-generated documents, such as error pages and directory listings.
Edit the Apache configuration file and set the following directives:
ServerTokens Prod
ServerSignature Off
2. Disable Directory Listing (Apache)
If directory listing is enabled in Apache, the full list of files and directories is shown on the web page whenever no default index file exists.
Add the following configuration to Apache to disable directory listing server-wide.
<Directory />
Options -Indexes
</Directory>
After that, you can re-enable listing on a per-directory basis if required.
3. Restricting File and Directory Access (Apache)
Access in Apache can be restricted on the basis of Directory, Files and Location.
Restrict Directory
To restrict directory and file access from clients, deny everyone by default; only the IP addresses or hostnames defined with Allow from are then allowed.
<Directory "/home/user/public_html">
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
Allow from .example.com
</Directory>
Restrict File
We can also restrict access to a specific file using the Files directive, as below.
<Files data.xml>
Order deny,allow
Deny from all
</Files>
Restrict Location
The Location directive limits the scope of the enclosed directives by URL.
<Location /admin>
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
Allow from .example.com
</Location>
4. Disable Server Side Includes and CGI (Apache)
We can disable server-side includes and CGI execution by defining a Directory block. Add the following to the Apache virtual host configuration file.
<Directory "/home/user/public_html">
Options -Includes -ExecCGI
</Directory>
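Sections 1 to 4 are easy to misapply on a live host, so here is a small audit script that checks an Apache configuration file for the directives they describe. It is an added example, not code from the original article: the two sample configuration files are constructed inline, and it only inspects the text of the file (it does not run Apache). It also flags the Order / Allow from / Deny from lines used in section 3, which are Apache 2.2 syntax; on Apache 2.4 they are only served by mod_access_compat, and the native form is the Require directive (Require ip 192.168.1.0/24, Require all denied), which the hardened sample uses.

```shell
#!/bin/sh
# Added example (not from the article): audit an Apache config file against
# the hardening directives of sections 1-4. The config files below are constructed.

# audit_apache_conf FILE
# Prints one line per finding and returns the number of findings (0 = all checks pass).
audit_apache_conf() {
    awk '
        { sub(/#.*$/, ""); sub(/^[[:space:]]+/, "") }        # drop comments and indentation
        NF == 0 { next }
        { key = tolower($1); low = tolower($0) }
        key == "servertokens"    { tokens = tolower($2) }
        key == "serversignature" { sig = tolower($2) }
        low ~ /^<directory[[:space:]]+"?\/"?[[:space:]]*>/ { in_root = 1 }   # <Directory />
        low ~ /^<\/directory>/                             { in_root = 0 }
        key == "options" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (in_root && t == "-indexes") root_noindex = 1
                if (t == "all" || t == "includes" || t == "+includes" || t == "execcgi" || t == "+execcgi") {
                    print "line " NR ": Options enables " $i " (section 4 expects -Includes -ExecCGI)"
                    n++
                    break
                }
            }
        }
        key == "order" || ((key == "allow" || key == "deny") && tolower($2) == "from") { legacy++ }
        END {
            if (tokens != "prod") { print "ServerTokens is \"" (tokens == "" ? "unset" : tokens) "\", section 1 expects Prod"; n++ }
            if (sig != "off")     { print "ServerSignature is \"" (sig == "" ? "unset" : sig) "\", section 1 expects Off"; n++ }
            if (!root_noindex)    { print "<Directory /> has no Options -Indexes (section 2)"; n++ }
            if (legacy)           { print legacy " Order/Allow from/Deny from line(s): Apache 2.2 syntax, needs mod_access_compat on 2.4; Require is the native form"; n++ }
            exit n + 0
        }' "$1"
}

# Constructed sample configs: one unhardened, one following sections 1-4.
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
ServerTokens Full
ServerSignature On
<Directory />
    Options Indexes FollowSymLinks
</Directory>
<Directory "/home/user/public_html">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
    Options +Includes +ExecCGI
</Directory>
EOF
cat > "$HARD_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory />
    Options -Indexes
    Require all denied
</Directory>
<Directory "/home/user/public_html">
    Options -Includes -ExecCGI
    Require ip 192.168.1.0/24
</Directory>
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f"
    if audit_apache_conf "$f"; then echo "all checks passed"; fi
done
```

Run it as a plain shell script; the weak sample produces five findings and the hardened one none. Point it at /etc/httpd/conf/httpd.conf or /etc/apache2/apache2.conf to check a real host, bearing in mind that it reads a single file and does not follow Include lines.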
5. Restrict PHP Information Leakage (PHP)
By default, a PHP installation announces to the world that PHP is installed on the server, including the PHP version in the HTTP header (e.g. X-Powered-By: PHP/5.4.20).
To hide this value from the header, edit php.ini and set the following directive to Off.
expose_php = Off
6. Disable Remote Code Execution (PHP)
If allow_url_fopen is enabled in your setup, it permits file functions such as file_get_contents() and the include and require statements to retrieve data from remote HTTP or FTP locations and execute their code. Set both of the following to Off.
allow_url_fopen=Off
allow_url_include=Off
7. Disable Dangerous PHP Functions (PHP)
We can disable any PHP function using the disable_functions directive in the PHP configuration file. Disable all functions that are dangerous and not used by your applications.
disable_functions =exec,shell_exec,passthru,system,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,proc_open,pcntl_exec
8. Limit PHP Access To File System (PHP)
The open_basedir directive sets the directories from which PHP is allowed to access files.
open_basedir="/home/user/public_html"
9. Disable Unused PHP Modules (PHP)
PHP supports "Dynamic Extensions" that are loaded into the PHP environment. We can stop any unused module from loading by renaming its configuration file.
cd /etc/php.d/
mv oci8.ini oci8.ini.disable
10. Enable Limits in PHP (PHP)
To limit the maximum size of files that users can upload, set the following configuration value.
upload_max_filesize = 2M ; maximum 2MB file a user can upload
Maximum execution time of each script:
max_execution_time = 30 ; seconds
Maximum amount of time each script may spend parsing request data:
max_input_time = 60 ; seconds
11. Restrict Remote MySQL Access (MySQL)
If your application environment does not require remote access to the database, disable all remote connections to the database server.
The simplest way to do this is to force the MySQL server to listen only on 127.0.0.1 (localhost).
Edit the MySQL configuration file and set the following value.
bind-address=127.0.0.1
12. Disable use of LOCAL INFILE (MySQL)
Enabling LOCAL INFILE can be dangerous for your system security. If LOCAL INFILE is enabled on the server, a user can easily load any file (such as /etc/passwd or /etc/shadow) into a table.
To disable it, edit the MySQL configuration file and add the following value under the [mysqld] section.
[mysqld]
local-infile=0
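The php.ini settings of sections 5 to 10 and the my.cnf settings of sections 11 and 12 are all plain INI key/value pairs, so one section-aware INI reader can verify both files. The script below is an added example, not code from the original article: the four sample files are constructed inline, the expected values are the literal On/Off spellings used in this article (it does not normalise PHP's other boolean spellings such as 0/1), and the disable_functions check only insists on the process-spawning functions from the section 7 list.

```shell
#!/bin/sh
# Added example (not from the article): audit php.ini (sections 5-10) and
# my.cnf (sections 11-12). All sample files below are constructed.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION] (empty if unset)
ini_get() {
    awk -v want="$2" -v key="$3" '
        { sub(/[;#].*$/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, "") }   # strip comments/whitespace
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }          # [section] header
        sec == want && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]+$/, "", k); gsub(/^[[:space:]]+/, "", v); gsub(/^"|"$/, "", v)
            if (tolower(k) == tolower(key)) val = v                      # last assignment wins
        }
        END { print val }' "$1"
}

# expect FILE SECTION KEY EXPECTED -> prints a finding and returns 1 when the value differs
expect() {
    got=$(ini_get "$1" "$2" "$3")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$(printf '%s' "$4" | tr 'A-Z' 'a-z')" ]; then
        echo "$3 = '${got:-<unset>}' in [$2], expected $4"
        return 1
    fi
}

# audit_php_ini FILE -> returns the number of findings
audit_php_ini() {
    n=0
    expect "$1" PHP expose_php Off        || n=$((n + 1))   # section 5
    expect "$1" PHP allow_url_fopen Off   || n=$((n + 1))   # section 6
    expect "$1" PHP allow_url_include Off || n=$((n + 1))
    for k in open_basedir upload_max_filesize max_execution_time max_input_time; do   # sections 8, 10
        [ -n "$(ini_get "$1" PHP "$k")" ] || { echo "$k is unset in [PHP]"; n=$((n + 1)); }
    done
    dis=",$(ini_get "$1" PHP disable_functions | tr -d ' '),"                         # section 7
    for f in exec shell_exec passthru system popen proc_open pcntl_exec; do
        case "$dis" in *,"$f",*) ;; *) echo "disable_functions does not list $f"; n=$((n + 1)) ;; esac
    done
    return $n
}

# audit_mysql_cnf FILE -> returns the number of findings (checks the article's spellings)
audit_mysql_cnf() {
    n=0
    expect "$1" mysqld bind-address 127.0.0.1 || n=$((n + 1))   # section 11
    expect "$1" mysqld local-infile 0         || n=$((n + 1))   # section 12
    return $n
}

WEAK_PHP=$(mktemp); HARD_PHP=$(mktemp); WEAK_MY=$(mktemp); HARD_MY=$(mktemp)
trap 'rm -f "$WEAK_PHP" "$HARD_PHP" "$WEAK_MY" "$HARD_MY"' EXIT
cat > "$WEAK_PHP" <<'EOF'
[PHP]
expose_php = On
allow_url_fopen = On
allow_url_include = Off
disable_functions = exec,system
upload_max_filesize = 2M
max_execution_time = 30
EOF
cat > "$HARD_PHP" <<'EOF'
[PHP]
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,shell_exec,passthru,system,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,proc_open,pcntl_exec
open_basedir = "/home/user/public_html"
upload_max_filesize = 2M ; maximum 2MB file a user can upload
max_execution_time = 30 ; seconds
max_input_time = 60 ; seconds
EOF
printf '[client]\nport = 3306\n[mysqld]\nbind-address = 0.0.0.0\nlocal-infile = 1\n' > "$WEAK_MY"
printf '[client]\nport = 3306\n[mysqld]\nbind-address = 127.0.0.1\nlocal-infile = 0\n' > "$HARD_MY"

for f in "$WEAK_PHP" "$HARD_PHP"; do
    echo "== php.ini: $f"; if audit_php_ini "$f"; then echo "all checks passed"; fi
done
for f in "$WEAK_MY" "$HARD_MY"; do
    echo "== my.cnf: $f"; if audit_mysql_cnf "$f"; then echo "all checks passed"; fi
done
```

The weak php.ini yields nine findings (two exposed settings, two unset limits, five missing functions) and the weak my.cnf two; the hardened samples yield none. On a real host, pass the php.ini and my.cnf paths listed at the top of this article; since the reader handles [section] headers, it ignores [client] settings and only reports on [mysqld].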
13. Create Application Specific User in MySQL (MySQL)
Do not use the MySQL 'root' user for accessing the database through the application.
It can be dangerous for your system, so make sure to create and use an application-specific user whose access is restricted to the application database only.
To create a MySQL account, use the following commands.
root@tecadmin:~# mysql -u root -p
mysql> CREATE USER 'myusr'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON mydb.* TO 'myusr'@'localhost';
mysql> FLUSH PRIVILEGES;
14. Improve Security with mysql_secure_installation (MySQL)
After installing MySQL, the mysql_secure_installation command is very useful for securing the MySQL server.
This command also lets you set a password for the root user.
root@tecadmin:~# mysql_secure_installation
(Only the relevant output is shown below; in practice you will see more output on-screen.)
Change the root password? [Y/n] y
New password: **********
Re-enter new password: **********
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
15. Write Protect Configuration Files (Apache/MySQL/PHP)
In this section we write-protect all the server configuration files used in the LAMP stack, so that nobody can change these files.
chattr +i /etc/php.ini
chattr +i /etc/php.d/*
chattr +i /etc/my.cnf
chattr +i /etc/httpd/conf/httpd.conf
Remember that after enabling write protection, no user, including root, can modify these files.
If you need to update any of the files, disable write protection first using the following command.
chattr -i filename
We will keep adding useful LAMP security tips to this article.
We also invite you to suggest tips by adding them in the comments.