Here we will cover some steps you can take to make sure that your LAMP (Linux, Apache, MySQL, PHP) server is secure.
Ideally you would not run all three components on the same server, but in some cases it is overkill to separate them. For example, this particular site is hosted on a virtual server purchased from TekTonic (who, by the way, I strongly recommend). Since this is a small site and I do not control the network that it is hosted on, I did not set up the typical layout of DMZ, application, and database network segments, each separated by firewalls.
So, how do I make this server secure? (All of this is based on CentOS, but there are comparable ways to achieve the same on other distros.)
Do not allow remote root ssh login:
First you will want to add a user that can log in to your server:
useradd username
Then set the password for that user:
passwd username
This will prompt you to type in a password twice.
Now log out of your server and make sure that you can log in as the new user. To switch to the root user, just type:
su -
Followed by the root password when prompted.
Now you will want to edit your SSH server settings file, located at /etc/ssh/sshd_config. Make sure the following is in the file:
# Prevent root logins:
PermitRootLogin no
Then simply restart the ssh service:
service sshd restart
Any time that you need root access, simply use the su command to switch to that user:
su -
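A quick check that the edit above actually took effect, written for this page as an added example (it is not part of the original article). sshd uses the first uncommented value of each keyword, and the stock file ships the directive only as a comment ("#PermitRootLogin yes"), which leaves the built-in default of permitting root login. The function names and the sample configs are this example's own.

```shell
#!/bin/sh
# Added example, not taken from the original article: check that an sshd_config
# really turns off root login. sshd takes the FIRST uncommented value of each
# keyword, and a line that only exists as a comment (the stock "#PermitRootLogin
# yes") leaves the built-in default, which permits root login. Function names
# are this example's own; PermitRootLogin lines inside Match blocks are not
# treated specially here.

# Read an sshd_config on stdin and print the effective PermitRootLogin value,
# lower-cased, or "default" if the keyword never appears uncommented.
effective_permit_root_login() {
    awk '
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    '
}

# Succeed only when the config explicitly sets PermitRootLogin no.
root_login_disabled() {
    [ "$(effective_permit_root_login)" = "no" ]
}

# Constructed sample 1: untouched stock file, directive present only as a comment.
STOCK_CONFIG='#PermitRootLogin yes
Protocol 2
#StrictModes yes'

# Constructed sample 2: hardened as described in the article.
HARDENED_CONFIG='# Prevent root logins:
PermitRootLogin no
Protocol 2'

# Constructed sample 3: a later "no" does not help, the first value wins.
FIRST_WINS_CONFIG='PermitRootLogin yes
PermitRootLogin no'

# Against the live file, as root:
#   root_login_disabled < /etc/ssh/sshd_config && echo "root login disabled"
```

Run it against the real file with `root_login_disabled < /etc/ssh/sshd_config` after the restart; if it fails, look for an earlier uncommented PermitRootLogin line that is overriding yours.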
Block all incoming ports except ssh, http, and https
The easiest way to do this is with iptables, which is installed by default on your CentOS machine.
First we want to see what is currently in the firewall, using this command:
iptables -L
It should show something like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
At this point it is allowing all traffic. First we want to set up the types of traffic that we allow. The following commands allow loopback, ssh, http, https, and mysql (for remote database access, though this is somewhat dangerous):
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport https -j ACCEPT
iptables -A INPUT -p tcp --dport mysql -j ACCEPT
Now listing your firewall should show this:
[root@your-choice-realty ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Now that you know what you want to allow, you will want to block all other traffic.
iptables -A INPUT -j DROP
It is also a good idea to log your drops. The LOG rule must sit immediately before the DROP rule, which with the rules above is position 6, so insert it there (confirm the numbering with iptables -L INPUT --line-numbers). Be sure to use the prefix "DROP " so that PSAD and OSSEC can pick the entries up.
iptables -I INPUT 6 -m limit --limit 5/min -j LOG --log-prefix "DROP " --log-level 7
Finally you will want to save your firewall using this command:
service iptables save
Some other rules that you might find useful:
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule allows packets belonging to established connections through, so that replies to traffic your OUTPUT rules permit are accepted. Also note that we are using -I INPUT 1, which inserts the rule at position 1 of the INPUT chain.
iptables -D INPUT 5
This deletes the 5th rule of the INPUT chain.
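The position arithmetic above is where these rule sets usually go wrong: a LOG rule inserted one slot too early sits in front of an ACCEPT and logs legitimate traffic as drops. The script below is an added example for this page, not the article's own commands. It emits the whole INPUT chain in order with -A only (so the LOG rule is always directly before the final DROP), includes the ESTABLISHED,RELATED rule from the "other useful rules" above, leaves out the mysql port that the article flags as dangerous, and adds a check that reads iptables -S INPUT output and confirms the ordering. The function names and the sample listing are this example's own.

```shell
#!/bin/sh
# Added example, not taken from the original article: emit the INPUT chain as an
# ordered list of iptables commands (so the LOG rule is always immediately before
# the final DROP, with no position arithmetic), and a check that reads
# `iptables -S INPUT` output and confirms that order. It also allows
# ESTABLISHED,RELATED traffic and leaves out the mysql port, which the article
# itself flags as dangerous. Function names are this example's own.

# Print the rule set in the order it should be applied. Review it, then as root:
#   lamp_firewall_rules | sh && service iptables save
# The first line flushes existing INPUT rules; the chain policy stays ACCEPT, so
# an SSH session is not cut off while the rules are being rebuilt.
lamp_firewall_rules() {
    cat <<'EOF'
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport https -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP " --log-level 7
iptables -A INPUT -j DROP
EOF
}

# Read an INPUT-chain listing (`iptables -S INPUT`, or the commands above) on
# stdin. Succeed only when the LOG rule is directly followed by the terminal
# DROP, so that nothing logged as "DROP " is later accepted by a rule in between.
log_precedes_drop() {
    awk '
        /-j LOG/  { log_line = NR }
        /-j DROP/ { drop_line = NR }
        END {
            if (log_line && drop_line == log_line + 1) exit 0
            exit 1
        }
    '
}

# Constructed sample of `iptables -S INPUT` in which the LOG rule was inserted
# one position too early, in front of the mysql ACCEPT: every mysql connection
# would be logged as a drop even though it is accepted.
MISORDERED_LISTING='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP " --log-level 7
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j DROP'

# Against the live firewall, as root:
#   iptables -S INPUT | log_precedes_drop && echo "log rule correctly placed"
```

Re-running the generator is idempotent because it flushes the chain first; the check can be run after any later hand edit with -I or -D to make sure the LOG rule is still where it belongs.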
Actively block malicious traffic
To do this we will use an application called PSAD.
Simply download and install the rpm:
wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
rpm -Uvh psad-1.4.6-1.i386.rpm
This will do most of the setup for you. You will want to edit the config file at /etc/psad/psad.conf to add your email address for alerts. Change the home network variable if you want to ignore a network. Also set AUTO_IDS to y if you would like to automatically block malicious IPs.
After making changes be sure to restart psad.
service psad restart
Run a web firewall
I installed mod_security quite simply by using yum.
Once it was installed I added the base rules from OWASP (http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/) to the new mod_security.conf file that the yum install added to Apache's conf.d directory.
However I quickly found that this ruleset is a bit too draconian. You will want to take some time and review the rules to determine which ones are best for your site.
Also, be very careful if, like me, you are hosting a blog with a lot of technical information. You will find that mod_security will prevent you from posting some articles depending on the characters in them, namely paths to specific files such as /etc/httpd/conf. The filters think that you are trying to hack the system and reach that specific path.
If mod_security is blocking when you go to update an article, you will get a message saying that "Method Post is not supported".
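To decide which rules to review first, it helps to know which ones are actually firing on your site. The script below is an added example for this page, not part of the original article: it summarises mod_security "Access denied" entries from the Apache error_log by rule id and URI. The log lines are constructed samples in the general shape of a mod_security 2.x denial message, and the rule ids 999999 and 999998 are placeholders rather than real CRS ids; the function name is this example's own.

```shell
#!/bin/sh
# Added example, not taken from the original article: summarise which mod_security
# rules are blocking requests, and on which URIs, from Apache error_log lines, so
# the rules to review first are the ones actually firing on your site. The log
# lines below are constructed samples in the general shape of a mod_security 2.x
# "Access denied" message; the rule ids 999999 and 999998 are placeholders, not
# real CRS rule ids. The function name is this example's own.

SAMPLE_LOG='[Sat Jan 01 12:00:00 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "etc" at ARGS:content. [file "/etc/httpd/modsecurity.d/example.conf"] [line "1"] [id "999999"] [msg "Constructed sample rule"] [severity "CRITICAL"] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "c0001"]
[Sat Jan 01 12:00:05 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "etc" at ARGS:content. [file "/etc/httpd/modsecurity.d/example.conf"] [line "1"] [id "999999"] [msg "Constructed sample rule"] [severity "CRITICAL"] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "c0002"]
[Sat Jan 01 12:00:09 2011] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/example.conf"] [line "2"] [id "999998"] [msg "Another constructed rule"] [severity "CRITICAL"] [hostname "blog.example"] [uri "/index.php"] [unique_id "c0003"]
[Sat Jan 01 12:00:10 2011] [notice] caught SIGTERM, shutting down'

# Read error_log text on stdin and print "count id uri msg" for every
# (rule id, uri) pair that was denied, most frequent first. Each bracketed
# [key "value"] field is split on the opening bracket, then on the quote.
modsec_denials() {
    awk -F'\\[' '/ModSecurity: Access denied/ {
        id = ""; msg = ""; uri = ""
        for (i = 2; i <= NF; i++) {
            split($i, part, "\"")          # part[1] = key plus space, part[2] = value
            key = part[1]; sub(/ +$/, "", key)
            if (key == "id") id = part[2]
            else if (key == "msg") msg = part[2]
            else if (key == "uri") uri = part[2]
        }
        if (id != "") print id "\t" uri "\t" msg
    }' | sort | uniq -c | sort -rn
}

# On the server itself, against the real log:
#   modsec_denials < /var/log/httpd/error_log
```

On the sample above the first output line is the rule that blocked two posts to /wp-admin/post.php, which is exactly the case described in the paragraph before this one; the rule id in that line is the one to look up in the CRS files before deciding whether to tune or disable it.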
Monitor logs and file system for unusual activity
I have found that the best tool for this is ossec. It is easy to install and configure. With minimal tuning it is possible to be alerted on a wide variety of potentially malicious activities.
First download the installer:
[root@ossec ~]# wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
Then simply run the install.sh that is contained in the package.