Re: basic LAMP security 101

Author: Stephen
Date:  
To: Main PLUG discussion list
Subject: Re: basic LAMP security 101
As this is a home server I'm not expecting that many logs :-)

And root cannot be accessed via ssh or console at the moment; it's at
the default Ubuntu setup. I just haven't decided on the exact changes
I wanted to make yet.

On Fri, Apr 15, 2011 at 9:02 AM, Matt Graham <> wrote:
> From: JD Austin <>
>> 1. Disable root login via ssh (usually in /etc/ssh/sshd_config ->
>> PermitRootLogin no)
>
> If you've got to get in there as root non-interactively (which could happen),
> then "PermitRootLogin without-password" is a better idea.  That means you have
> to keep root's private SSH key extremely private, though.
>
>> 4. Disable any services you don't need/use
>
> This should probably be point 1, considering how important it is.
>
>> https://help.ubuntu.com/community/SELinux
>
> If you decide to do this, put it in "permissive" mode first and then run
> through a bunch of normal tests.  Then look at the logs, figure out where all
> your normal tests would've failed, change the security contexts and/or the
> applications you're using so that the operations would be permitted.  Rerun
> tests.  Keep doing this.  Allow several days.  If you have to run things that
> you don't maintain (like MySQL, or WordPress) or don't have time to fix
> extensively, you may realize you don't have enough time and energy to deal
> with selinux.  (In general, security is directly proportional to how much of a
> pain in the ass it is to get anything done.)
>
>> 7. Check all of your logs daily :)
>
> This gets difficult if you have multiple G of logs every day....
>
> --
> Matt G / Dances With Crows
> The Crow202 Blog:  http://crow202.org/wordpress/
> There is no Darkness in Eternity/But only Light too dim for us to see
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>




--
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.

Stephen
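
As an added example (not part of the original thread), here is a small shell check for the PermitRootLogin setting discussed in the quoted reply. The function names and the sample config are constructed for illustration; the check relies on sshd using the first value it reads for a keyword, and it treats `prohibit-password`, the newer OpenSSH name for `without-password`, the same way.

```shell
#!/bin/sh
# Added example: report what an sshd_config-style file says about root login.

# Print the global PermitRootLogin value, or "unset" if there is none.
# Keywords are case-insensitive, the first value read wins, and anything
# after a "Match" line applies only conditionally, so scanning stops there.
global_permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out lines do not count
        { kw = tolower($1) }
        kw == "match" { exit }                    # end of the global section
        kw == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map the value onto the choices weighed in the thread.
root_login_policy() {
    case "$(global_permit_root_login "$1")" in
        no)                                 echo "root-ssh-disabled" ;;
        without-password|prohibit-password) echo "root-key-only" ;;
        forced-commands-only)               echo "root-key-forced-command" ;;
        yes)                                echo "root-password-allowed" ;;
        unset)                              echo "compiled-default" ;;
        *)                                  echo "unrecognized" ;;
    esac
}

# Constructed sample config (not taken from anyone's server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin yes
Port 22
permitrootlogin without-password
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF
root_login_policy "$sample"   # the later "yes" is ignored: first value wins
rm -f "$sample"
```

This reads one file only and does not follow Include directives; running `sshd -T` as root prints the configuration the daemon itself computes and is the authoritative check.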