Checklist For Securing Linux Web Server In 10 Steps Or Less


description

This is a basic workbook for you to follow as a checklist. Learn the basic approaches to securing Linux-based web servers without getting too technical. This talk will be useful for anyone running a Linux server with full root access. You don't need to be an experienced system administrator to understand and use the content of this talk. But if you are a full-time system admin you will get to know a structured way of looking at server security. It applies to the following types of servers running Linux: Virtual Private Server/Dedicated Server/Rackspace Cloud Instance/Amazon EC2. It is not going to help if you have your website on shared servers like Dreamhost/Go Daddy/Host Gator.


Feedback and comments @makash | [email protected]

Workbook for http://slidesha.re/JMDS7F ©Akash Mahajan 2012

Securing Linux Web Server in 10 Steps or Less

This document is in addition to the slides of Securing Linux Web Server in 10 Steps or Less. Consider this as a starting block for Linux server hardening activities.

Assumptions

You have root access to the Linux server

You are running either Ubuntu 10.04 LTS or above or a Debian variant. If you are using another distribution like CentOS etc. please understand the reasoning and substitute your commands.

Checklist

Reduce the attack surface

Start with a mini distro and add software on top of it.

# tasksel install openssh-server

# tasksel install lamp-server

See which processes are listening on the external IP address

# netstat -nltup -4

Stop or remove services from running or booting up

# /etc/init.d/<service name> stop

# update-rc.d <service name> remove

Stop services from listening on external IP address

bind-address=127.0.0.1
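
A check for the two steps above (listing listeners, then rebinding services to 127.0.0.1), added here as an example that is not part of the original workbook: it filters `netstat -nltup -4` output down to sockets bound to non-loopback addresses and reports any whose port is not on the list you intend to expose. The function names, the allowed-port list and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -nltup -4` output (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  812/sshd
tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  1045/mysqld
tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN  1200/apache2
tcp        0      0 0.0.0.0:11211    0.0.0.0:*        LISTEN  990/memcached
udp        0      0 0.0.0.0:68       0.0.0.0:*                640/dhclient
EOF
}

# Print "proto ip port program" for every socket NOT bound to loopback.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)$/ { next }            # skip the two header lines
        {
            n = split($4, parts, ":")            # Local Address is ip:port
            port = parts[n]
            ip = substr($4, 1, length($4) - length(port) - 1)
            if (ip ~ /^127\./) next              # loopback-only: not exposed
            prog = ($1 == "tcp") ? $7 : $6       # udp rows have no State column
            sub(/^[0-9]+\//, "", prog)           # drop the PID, keep the name
            if (prog == "") prog = "-"           # netstat run without root
            print $1, ip, port, prog
        }'
}

# Report exposed sockets whose port is not in the space-separated allow list.
# Real use: netstat -nltup -4 | unexpected_listeners "22 80"
unexpected_listeners() {
    allowed=" $1 "
    exposed_listeners | while read -r proto ip port prog; do
        case "$allowed" in
            *" $port "*) ;;                      # intended to be public
            *) echo "$proto $ip:$port $prog" ;;  # stop it or rebind to 127.0.0.1
        esac
    done
}

# Demo on the constructed sample: only SSH and HTTP are meant to be public.
sample_netstat | unexpected_listeners "22 80"
```

Anything it prints is a candidate for `update-rc.d <service name> remove` or a `bind-address=127.0.0.1` style setting; an empty result means every externally bound port is one you chose to expose.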

Patch and Update your server

# apt-get update && apt-get upgrade

Secure your access with SSH

Remove Root Login

Ideally use public keys with passphrases

Add another directive in /etc/ssh/sshd_config

AllowUsers <user@host>

Secure Apache Web server

In /etc/apache2/conf.d/security

Uncomment line number 27 ServerTokens Prod

Uncomment line number 39 ServerSignature Off

Keep the file owner as the user who uploads and the group as www-data

Secure MySQL if database server and web server are on the same host

In /etc/mysql/my.cnf

bind-address=127.0.0.1

Execute the following command

# mysql_secure_installation

Create a new user for each new database and only give access to the following

SELECT, INSERT, UPDATE, DELETE, ALTER, CREATE

Specify the host where the user can log in from. Ideally this should be localhost and never ‘%’

Enable Uncomplicated Firewall

ufw allow

ufw allow <Ports you want>

ufw default deny

ufw allow from <external IP> to <current host IP> port 3306