Security Basics mailing list archives

RE: Linux Web Server Hardening (LAMP + Wiki)


From: Arie Claassens <arie_claassens () hotmail com>
Date: Mon, 28 Jan 2013 10:46:14 +0200

Hi Jeff,

Have a look at the following sites:

https://benchmarks.cisecurity.org/downloads/multiform/index.cfm
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
https://www.atomicorp.com/

The Wiki itself needs to be addressed like any other web app, i.e. CAPTCHA
protection on forms, input sanitation, XSRF protection, etc., but if you
harden the OS and specifically Apache, it goes a long way towards reducing
your attack surface. Look at simple things like disabling all Apache modules
that you do not need, installing mod_evasive and mod_security to help reduce
DOS attacks and filter malicious input on your web app. See
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project for more
info.

Years back, http://www.securecentos.com/ had some really nice tips on
hardening your OS on multiple levels and also simplifying the whole process
of hardening and maintaining your server.

http://www.mediawiki.org/wiki/Manual:Security should help with the hardening
of the actual Wiki.

YMMV.
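As an added illustration of the "disable all Apache modules you do not need" and mod_security/mod_evasive advice above (this is example code, not part of the original thread and not from any of the linked guides), the script below audits an httpd.conf fragment: it lists every LoadModule that is not on an allowlist, checks whether the two filtering modules are loaded, and flags banner directives that leak version information. The sample config, the allowlist and the module names (security2_module for mod_security2, evasive20_module for mod_evasive) are assumptions chosen for the demo; adapt the allowlist to what your wiki actually needs and feed it your real config.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an Apache config text
# for loaded modules against an allowlist, check that mod_security and
# mod_evasive are present, and flag verbose server banners.

# Constructed sample httpd.conf fragment (assumption: not any real server's config)
SAMPLE_CONF='ServerTokens Full
ServerSignature On
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module modules/mod_dir.so
LoadModule php5_module modules/libphp5.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule security2_module modules/mod_security2.so
'

# Modules a minimal LAMP + wiki host is assumed to need (demo allowlist)
ALLOWED_MODULES="mpm_event_module authz_core_module dir_module php5_module security2_module evasive20_module"

# Print each LoadModule name in the config text ($1) that is not on the allowlist.
unneeded_modules() {
    printf '%s' "$1" | awk -v allowed="$ALLOWED_MODULES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LoadModule" && !($2 in ok) { print $2 }'
}

# Return 0 if module $1 is loaded in the config text $2, 1 otherwise.
module_loaded() {
    printf '%s' "$2" | awk -v m="$1" '
        $1 == "LoadModule" && $2 == m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print banner directives whose value is weaker than the recommended setting
# (ServerTokens Prod, ServerSignature Off).
verbose_banner_directives() {
    printf '%s' "$1" | awk '
        $1 == "ServerTokens" && $2 != "Prod" { print $1 " " $2 }
        $1 == "ServerSignature" && $2 != "Off" { print $1 " " $2 }'
}

# Human-readable report over a config text.
audit() {
    echo "Modules loaded but not on the allowlist:"
    unneeded_modules "$1" | sed 's/^/  /'
    for m in security2_module evasive20_module; do
        if module_loaded "$m" "$1"; then echo "$m: loaded"; else echo "$m: NOT loaded"; fi
    done
    echo "Banner directives to tighten:"
    verbose_banner_directives "$1" | sed 's/^/  /'
}

audit "$SAMPLE_CONF"
```

To run it against a live host, replace the constructed SAMPLE_CONF with the output of `cat /etc/httpd/conf/httpd.conf` (or wherever your distribution keeps the file, including any conf.d includes); modules loaded via separate include files need to be concatenated in first, since the script only sees the text it is given.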

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Eric Furman
Sent: 28 January 2013 10:19 AM
To: Jeffrey Walton
Cc: Security Basics List
Subject: Re: Linux Web Server Hardening (LAMP + Wiki)

Don't use Linux. It is insecure. Use Windows or one of the BSDs.
All are much more secure.

On Fri, Jan 25, 2013, at 04:31 PM, Jeffrey Walton wrote:
Hi All,

Is anyone aware of a hardening guide for a Linux LAMP server with a
Wiki component?

I have an older Linux Server hardening book, but nothing recent. I
have not seen a Wiki hardening document.

Thanks in advance,

Jeff

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------