basic LAMP security 101

Lisa Kachold lisakachold at obnosis.com
Fri Apr 15 13:42:37 MST 2011


On Fri, Apr 15, 2011 at 10:53 AM, Stephen <cryptworks at gmail.com> wrote:

> As this is a home server I'm not expecting that many logs :-)
>
> and root cannot be accessed via ssh or console at the moment, it's at
> the default Ubuntu setup. I just haven't decided on the exact changes
> I wanted to make yet.
>
> On Fri, Apr 15, 2011 at 9:02 AM, Matt Graham <danceswithcrows at usa.net>
> wrote:
> > From: JD Austin <jd at twingeckos.com>
> >> 1. Disable root login via ssh (usually in /etc/ssh/sshd_config ->
> >> PermitRootLogin no)
> >
> > If you've got to get in there as root non-interactively (which could
> > happen), then "PermitRootLogin without-password" is a better idea.  That
> > means you have to keep root's private SSH key extremely private, though.
> >
> >> 4. Disable any services you don't need/use
> >
> > This should probably be point 1, considering how important it is.
> >
> >> https://help.ubuntu.com/community/SELinux
> >
> > If you decide to do this, put it in "permissive" mode first and then run
> > through a bunch of normal tests.  Then look at the logs, figure out where
> > all your normal tests would've failed, change the security contexts and/or
> > the applications you're using so that the operations would be permitted.
> > Rerun tests.  Keep doing this.  Allow several days.  If you have to run
> > things that you don't maintain (like MySQL, or WordPress) or don't have
> > time to fix extensively, you may realize you don't have enough time and
> > energy to deal with selinux.  (In general, security is directly
> > proportional to how much of a pain in the ass it is to get anything done.)
> >
> >> 7. Check all of your logs daily :)
> >
> > This gets difficult if you have multiple G of logs every day....
> >
> > --
> > Matt G / Dances With Crows
> > The Crow202 Blog:  http://crow202.org/wordpress/
> > There is no Darkness in Eternity/But only Light too dim for us to see
> >
>
Hi Stephen,

How are you?

The full analysis of any TCP/IP application solution follows each of the OSI
layers.

0) You would need to evaluate every port opening from your router/firewall
to the application layer.
1) You would need to check your software versions against the known database
of exploits.  For instance if you have enabled some of the mods in Apache
that have known exploits (mod_proxy) you could be at risk.
2) You could have failed to configure or protect your server and have a
known issue. (For instance, running any SSH without a fully random 89
character password can be exploited if you allow repeated requests to
your ssh daemon; once they get a user account, it's trivial to get a root
shell).

Therefore you really need to run a scanner or security test suite against
your LAMP server AS CONFIGURED.

I have a Rapid7 installation that I can use to test your server if you would
like. Just email me off-list.

-- 
(503) 754-4452 iPhone
(623) 239-3392 Skype
(623) 688-3392 Google Voice

 http://www.obnosis.com
 http://www.it-clowns.com

"It took me many years but I have gained access to the root account and have
removed the user God."   -Saros
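As an added example, not from the thread or from any of its posters: the two
SSH points raised above (PermitRootLogin / key-only root access, and repeated
password guesses against sshd) can be checked from a shell with a short
script. The sshd_config text and the auth.log lines below are constructed for
the example; the Ubuntu default values they stand in for, and the sshd rule
that the first occurrence of a keyword wins, are real. The 5-failure threshold
is an assumption, not a rule from the thread.

```python
"""Added example (not from the PLUG thread): audit an sshd_config for the
settings discussed above, and count repeated failed logins per source IP
from auth.log-style lines. All sample input below is constructed."""
import re
from collections import Counter

# Constructed sshd_config resembling a 2011-era Ubuntu default.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
# PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed auth.log lines in the syslog format sshd writes.
SAMPLE_AUTH_LOG = """\
Apr 15 13:01:02 home sshd[2201]: Failed password for root from 203.0.113.7 port 40211 ssh2
Apr 15 13:01:04 home sshd[2201]: Failed password for root from 203.0.113.7 port 40212 ssh2
Apr 15 13:01:06 home sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40213 ssh2
Apr 15 13:01:09 home sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 40214 ssh2
Apr 15 13:01:11 home sshd[2207]: Failed password for root from 203.0.113.7 port 40215 ssh2
Apr 15 13:02:30 home sshd[2210]: Accepted publickey for stephen from 192.0.2.10 port 51000 ssh2
Apr 15 13:05:00 home sshd[2214]: Failed password for stephen from 192.0.2.10 port 51002 ssh2
"""


def parse_sshd_config(text):
    """Return {keyword: value} of effective settings (keywords lower-cased).
    sshd honours the FIRST occurrence of a keyword and ignores later ones,
    so a commented-out line above the real one must not mask it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def audit_sshd_config(text, max_auth_tries=3):
    """Return {keyword: finding} for settings weaker than the thread's advice.
    Defaults assumed when a keyword is absent match OpenSSH of that era."""
    s = parse_sshd_config(text)
    findings = {}
    root = s.get("permitrootlogin", "yes").lower()
    if root == "yes":
        findings["permitrootlogin"] = (
            "root may log in with a password: set 'no', or 'without-password' "
            "(key-only; spelled 'prohibit-password' in OpenSSH 7.0+)")
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings["passwordauthentication"] = (
            "password logins allowed: guessing is possible, prefer keys")
    tries = int(s.get("maxauthtries", "6"))
    if tries > max_auth_tries:
        findings["maxauthtries"] = (
            "%d attempts per connection; %d or fewer limits guessing"
            % (tries, max_auth_tries))
    return findings


# 'invalid user' appears when the account does not exist; capture either form.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_logins_by_source(log_text, threshold=5):
    """Return {ip: (failure_count, sorted usernames tried)} for every source
    IP with at least `threshold` failed password attempts."""
    counts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            counts[ip] += 1
            users.setdefault(ip, set()).add(user)
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for key, msg in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print("sshd_config %s: %s" % (key, msg))
    for ip, (n, names) in failed_logins_by_source(SAMPLE_AUTH_LOG).items():
        print("%s: %d failed passwords, users tried: %s" % (ip, n, ", ".join(names)))
```

Run it against a real box with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`
and `failed_logins_by_source(open("/var/log/auth.log").read())`; on the
constructed input it flags all three settings and reports 203.0.113.7 with
five failures across root, admin and oracle, while the single failure from
192.0.2.10 stays below the threshold.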