basic LAMP security 101

Stephen cryptworks at gmail.com
Fri Apr 15 10:53:35 MST 2011


As this is a home server I'm not expecting that many logs :-)

and root cannot be accessed via ssh or console at the moment, it's at
the default Ubuntu setup. I just haven't decided on the exact changes
I wanted to make yet.

On Fri, Apr 15, 2011 at 9:02 AM, Matt Graham <danceswithcrows at usa.net> wrote:
> From: JD Austin <jd at twingeckos.com>
>> 1. Disable root login via ssh (usually in /etc/ssh/sshd_config ->
>> PermitRootLogin no)
>
> If you've got to get in there as root non-interactively (which could happen),
> then "PermitRootLogin without-password" is a better idea.  That means you have
> to keep root's private SSH key extremely private, though.
>
>> 4. Disable any services you don't need/use
>
> This should probably be point 1, considering how important it is.
>
>> https://help.ubuntu.com/community/SELinux
>
> If you decide to do this, put it in "permissive" mode first and then run
> through a bunch of normal tests.  Then look at the logs, figure out where all
> your normal tests would've failed, change the security contexts and/or the
> applications you're using so that the operations would be permitted.  Rerun
> tests.  Keep doing this.  Allow several days.  If you have to run things that
> you don't maintain (like MySQL, or WordPress) or don't have time to fix
> extensively, you may realize you don't have enough time and energy to deal
> with selinux.  (In general, security is directly proportional to how much of a
> pain in the ass it is to get anything done.)
>
>> 7. Check all of your logs daily :)
>
> This gets difficult if you have multiple G of logs every day....
>
> --
> Matt G / Dances With Crows
> The Crow202 Blog:  http://crow202.org/wordpress/
> There is no Darkness in Eternity/But only Light too dim for us to see
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.

Stephen
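
Added example, not part of the original thread and not written by either poster: a Python sketch for the permissive-mode workflow quoted above, grouping SELinux AVC denials from an audit log by process, source type, target type and object class so each group can be reviewed as one labelling or policy decision. The log lines are constructed samples, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (illustrative, not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1302886415.101:210): avc:  denied  { read } for  pid=2101 comm="apache2" name="wp-config.php" dev=sda1 ino=4211 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1302886415.102:211): avc:  denied  { getattr open } for  pid=2101 comm="apache2" path="/home/stephen/wp-config.php" dev=sda1 ino=4211 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1302886415.102:211): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1302886500.500:230): avc:  denied  { name_connect } for  pid=2101 comm="apache2" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# Pulls the permission set, command name, both contexts and the object class
# out of one "avc: denied" record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize_denials(text):
    """Group AVC denials by (comm, source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue  # skip SYSCALL and other audit record types
        m = AVC_RE.search(line)
        if not m:
            continue  # malformed or non-denial AVC record
        key = (m["comm"], context_type(m["s"]), context_type(m["t"]), m["cls"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["count"] += 1
    return dict(groups)


if __name__ == "__main__":
    for (comm, src, tgt, cls), g in sorted(summarize_denials(SAMPLE_LOG).items()):
        perms = " ".join(sorted(g["perms"]))
        print(f"{g['count']:3d}x {comm}: {src} -> {tgt}:{cls} {{ {perms} }}")
```

Rerunning it after each round of tests shows which groups have gone away and which still need a context change.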

