Steps to secure your server?

Question

Possible Duplicate:
What to use to harden Linux box? Apparmor, SELinux, grsecurity, SMACK, chroot?

I'm just completed install my web server. So what should i do to secure it?

I just installed Apache , Nginx , Mysql, Php. Regular Upgrade (yum upgrade)

How to prevent of being hack ?

Answer 1

1. Keep all your packages up to date, especially anything web facing
2. If you allow ssh in, set it up to only allow ssh with a certificate, rather than using username/password.
3. If you wrote any of your own web apps, make sure you understand about SQL injection, cross site scripting, etc.
4. Backups, backups, backups.

Answer 2

I assume you will also be using SSH for remote access and server maintenance.

• Require user's have strong passwords or install pam-cracklib.
• Disable root logins. (PermitRootLogin no in sshd_config)
• Disable empty passwords. (PermitEmptyPasswords no in sshd_config and remove nullok from any PAM configuration files under /etc/pam.conf or /etc/pam.d)
• Disable password authentication entirely for an extra bonus and just rely on stronger public key or Kerberos authentication. (PasswordAuthentication no in sshd_config)
• Restrict which users can use SSH. (AllowUsers in sshd_config)

Now which SSH reasonably locked down, install a firewall with ufw and only permit incoming connections to services you know you will be running.

ufw enable
ufw allow ssh
ufw allow http
ufw allow https
ufw default deny

The above is untested and might lock you out of the network, but it should be close to correct. Now to lock down PHP. It's advisable to look into running PHP through fastcgi or suexec instead of using mod_php as this allows you to run PHP as a different user (or users for multiple sites) protecting Apache from a security breach in PHP. There are also some other tips in the PHP manual about securing PHP such as safe mode. If you are running a standard CMS with PHP like Drupal/Joomla/Wordpress, then make sure it stays up to date with the latest security patches.

Answer 3

I don't see the issue with "hacks" here, but if you by any random chance meant "How to protect against crackers?", I'd advise researching every software component, their options and possible security strategies before opening the machine to the world.

Review your settings, make sure you're keeping it simple (e.g. don't install apache if you just want to serve a bunch of static files, a simpler, light-weight webserver will do too, while having less potential attack vectors; don't install PHP if you don't need dynamic pages (or at least if your dynamic pages can be coded using something simpler than PHP)).

About fighting attacks, be ready for users named, like, Robert'); DROP TABLE Students;--), and so on.

Security is never as simple as "just keep it up-to-date" — it may even be easier to keep track of security if you pick a security-and-stability-centric distro and update packages only when there's some vulnerability that affects your setup or a feature you really need — this way you can build your system somewhere else and use a frozen copy of directories under / (for those which shouldn't change) in your server system (either it is really impossible to change files there, or you can at least compare checksums with a previously computed list of known-good checksums).

It is all about a set of choices you have to make before opening the system to the world.

Answer 4

Certify your organization and your system with ISO/IEC 27001 If you go into the details of how to do this technically - be paranoid.