Thursday, May 1, 2014

Secure your LAMP based VPS and Dedicated Web Servers

The Internet has given United States the ability to shop for product, create payments etc instantly from the comfort of our own homes. but beside these advantages, there's Associate in Nursing underlying cyber security threat at hand. it had been recently unconcealed that quite 360 million stolen Credit Cards accounts were up purchasable on the cyber black market. With many similar incidents like this returning to the fore within the past, it's essential to make sure that you simply keep crucial info regarding your customers’ secure and save yourself many bucks in shopper lawsuits.

We’ve place along slightly guide to assist you scale back the chance of your your LAMP based mostly servers from obtaining hacked. LAMP is one in all the foremost popularly used Application Stacks. It stands for UNIX system, Apache, PHP and MySQL.

Mitigate the risks of your servers being attacked

The Apache net Server is one in all the foremost normally used net Servers. but like most different software package, it needs acceptable settings, observance and maintenance to protect against vulnerabilities. during this post, we are going to cowl each General pointers that you simply will follow to secure your server, additionally as bound specific steps that you simply ought to address to mitigate the injury caused by such attacks.

General Security pointers to be followed for securing your net Server

  • Sign up for updates and announcements from the net Server listing.
  • Upgrade to the newest version whenever there's Associate in Nursing update.
  • Install solely the modules you need and disable excess ones.
  • Make sure you log all admin level accesses with date, times and usernames
  • Do not show your server version or OS version in error messages.

For Servers with Apache:

1.   Hide the Apache Version variety, and different sensitive info
It is essential to cover the Apache Version variety your server is running, additionally as different sensitive info. you'll try this by following the straightforward steps listed below.

Add or Edit the subsequent 2 directives in your httpd.conf file

ServerSignature Off
ServerTokens Prod

The ServerSignature seems on the lowest of pages generated by apache like 404 pages, directory listings, etc.

The ServerTokens directive is employed to see what Apache can place within the Server hypertext transfer protocol response header. By setting it to Prod it sets the hypertext transfer protocol response header as follows:

Server: Apache

2. certify apache is running underneath its own user account and cluster
When Apache is put in, the default user is ready as “nobody”. but if there different applications that additionally run because the user no one on your system, then a compromise of apache can even compromise different installations. it's best to feature a separate user “apache” and so modify the subsequent directives in httpd.conf to run apache because it own user.

User apache
Group apache

3. make sure that files outside the net root directory aren't accessed.
It is continually smart apply to limit access for files outside the net root directory to take care of security and make sure that these files square measure solely accessed by folks that have to be compelled to access them.

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /html>
Order Allow,Deny
Allow from all
</Directory>

Note that as a result of we tend to set “Options None” and “AllowOverride None “this can shut down all choices and overrides for the server. You currently got to add them expressly for every directory that needs Associate in Nursing choice or Override.

4. shut down directory browsing, Follow symbolic links and CGI execution
You can try this with Associate in Nursing choices directive within a Directory tag.

If you would like to show off all choices merely use:
        Options None

If you simply need to show off some, separate every choice with an area in your choices directive:
     Options -ExecCGI -FollowSymLinks -Indexes

5.  Install modsecurity
ModSecurity is Associate in Nursing Apache add on module which might sight and stop hypertext transfer protocol attacks.  It will are available in extremely handy in preventing SQL injections just in case your developers forget to feature input validation or determine and block info revealing problems like unseaworthy elaborate error messages, social insurance Numbers or mastercard Numbers. Follow these steps to put in mod-security

On CentOS:

   yum install mod_security

On Ubuntu:

    apt-get install mod_security.

service httpd restart

6.  Disable any excess modules
There square measure many modules that square measure enabled on your Apache net Server that you simply might not want. to look for modules put in run:

grep LoadModule httpd.conf

Here square measure some modules that square measure generally enabled however usually not needed:

mod_imap

mod_include

mod_info

mod_userdir

mod_status

mod_cgi

mod_autoindex.

To disable them add a # check in front of them.

You can additionally bear the Apache module documentation and disable or alter any that you simply want.

7.  Lower the Timeout worth
The default Timeout directive is ready to three hundred seconds. Decreasing this worth help’s mitigating the potential effects of a denial of service attack.

Timeout 45

8.  Limit massive requests
In order to mitigate the consequences of a denial of service attack, limit the number of body that may be sent in Associate in Nursing hypertext transfer protocol request.  If you are doing not have massive uploads then you'll limit this to 1Mb via the below directive.

LimitRequestBody 1048576

Application and Database Security

SQL injection is another common method of extracting knowledge from poorly coded websites. Here is however you'll forestall it and different such attacks.

  • Ensure your Applications like Joomla, WordPress, Drupal etc square measure upto date.
  • Subscribe to Bug updates and Vulnerability reports.
  • Try and avoid world writable 777 permissions your files or folders.
  • Regularly check for viruses or infections by scanning your net package.
  • If you're victimization MySQL or MariaDB run the mysql secure installation script.
  • If your application needs you to store wind like username, passwords, mastercard knowledge etc. then make sure that all communication is encrypted by employing a Digital Certificate.
For servers with PHP:

1.  Run PHP as a separate User
It is suggested to put in php as a separate user than as Associate in Nursing Apache Module. If you put in php as Associate in Nursing Apache Module then php can run with the apache user permission and any compromise of a vulnerable php script will cause a server wide compromise.

A better way to install php would be with php-fpm a fastcgi method manager that permits you to run and manage php scripts as a separate user.

2.  Use the POST methodology to pass vital parameters like credit card info
Many developers already recognize this. PHP has 2 ways to pass variable info via a type the GET methodology and also the POST methodology. the foremost vital distinction between these ways is that the GET methodology makes your pass info visible to everybody via a URL whereas POST methodology doesn't. thence sensitive info like usernames, passwords must always be passed via the POST methodology.

3. continually Validate type and Text Input
Cross web site scripting and SQL injection will each be prevented if type or file input is valid.

Cross web site scripting permits a hacker to run malicious code on your server by merely uploading a file with malicious code in it to be run on the server and SQL injection permits a hacker to urge access to your info by injecting malicious queries in your type to urge info info like table name. an easy thanks to validate php code is found at 

4 . Hide the PHP version
Open php.ini and add the subsequent

Vim /etc/php.ini
expose_php = Off

5.Log all php errors to a file and not on the web site

display_errors = Off
log_errors = On
error_log = /var/log/httpd/php_error.log

For servers with MySQL or MariaDB:

1.      Run MySQL Secure Install
After putting in MySQL run the mysql_secure_installation script.

sudo   /usr/bin/mysql_secure_installation

This script can prompt you to feature a mysql root secret, lock root access to localhost and take away any unwanted infos just like the take a look at database.

2.     Secure MySQL users and database
Log into your MySQL Server and make sure that all MySQL users have a secret and delete any unwanted user. Grant access to solely those databases that the individual users would use.

Following the steps elaborate on top of, you'll go an extended method in making certain that your customer’s knowledge remains secure. within the next article i'll add detail steps on UNIX system OS and Firewall Security.

Let us recognize if these techniques were useful by effort a comment below