basic LAMP security 101

Matt Graham danceswithcrows at usa.net
Fri Apr 15 09:02:36 MST 2011


From: JD Austin <jd at twingeckos.com>
> 1. Disable root login via ssh (usually in /etc/ssh/sshd_config ->
> PermitRootLogin no)

If you've got to get in there as root non-interactively (which could happen),
then "PermitRootLogin without-password" is a better idea.  That means you have
to keep root's private SSH key extremely private, though.

> 4. Disable any services you don't need/use

This should probably be point 1, considering how important it is.

> https://help.ubuntu.com/community/SELinux

If you decide to do this, put it in "permissive" mode first and then run
through a bunch of normal tests.  Then look at the logs, figure out where all
your normal tests would've failed, change the security contexts and/or the
applications you're using so that the operations would be permitted.  Rerun
tests.  Keep doing this.  Allow several days.  If you have to run things that
you don't maintain (like MySQL, or WordPress) or don't have time to fix
extensively, you may realize you don't have enough time and energy to deal
with SELinux.  (In general, security is directly proportional to how much of a
pain in the ass it is to get anything done.)

> 7. Check all of your logs daily :)

This gets difficult if you have multiple G of logs every day....

-- 
Matt G / Dances With Crows
The Crow202 Blog:  http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
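
An added example, not part of the original message: one way to do the "look at the logs, figure out where your normal tests would've failed" step from the SELinux paragraph, by grouping the AVC denials recorded in permissive mode by source type, target type and object class. The log lines are constructed samples in audit.log format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in audit.log AVC format (not from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1302883356.101:201): avc:  denied  { read write } for  pid=2101 comm="mysqld" name="ibdata1" dev=sda1 ino=4411 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1302883357.330:202): avc:  denied  { write } for  pid=2333 comm="httpd" name="uploads" dev=sda1 ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1302883357.330:202): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1302883358.010:203): avc:  denied  { add_name } for  pid=2333 comm="httpd" name="a.png" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1302883359.500:204): avc:  denied  { name_connect } for  pid=2333 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def summarize_denials(log_text):
    """Group denials by (source type, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if not m:
            continue  # skip SYSCALL and other non-AVC records
        entry = summary[(context_type(m["s"]), context_type(m["t"]), m["cls"])]
        entry["perms"].update(m["perms"].split())
        entry["comms"].add(m["comm"])
        entry["count"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), e in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }} "
              f"x{e['count']} ({', '.join(sorted(e['comms']))})")
```

Each group is one decision to make before rerunning the tests: relabel the target, or change the application so it stops needing the access. A shrinking list between test runs is the signal that enforcing mode is getting closer.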


