Security Basics mailing list archives
Re: Linux Web Server Hardening (LAMP + Wiki)
From: Tracy Reed <treed () ultraviolet org>
Date: Tue, 29 Jan 2013 17:11:10 -0800
On Mon, Jan 28, 2013 at 07:56:52AM PST, Michael Peppard spake thusly:
You will need to get up to speed on selinux. ACLs, chroot jails and iptables alone don't cut it.
I second the use of SELinux. It is a whole new security system and rather complex but well worth learning. I think of it like firewalls for my applications. I have compiled the following list of resources for securing RHEL/CentOS:

http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
http://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL_5.0-5.1_Benchmark_v1.1.2.pdf
http://web.nvd.nist.gov/view/ncp/repository

Use something like puppet to automate implementation of this stuff network-wide. That last NIST link even has an awesome puppet config for all of this! I've been reading through the code for the puppet modules and learned some neat things, including stuff I had no clue about previously such as how augeas works and what it is good for.
LAMP is well supported by the default selinux rules on every major Linux distro. You will have to learn how to tighten the security rules, such as type enforcement yourself though.
If using SELinux (which I recommend) be sure to know about the booleans related to http. A simple flip of a setting from off to on can solve most http related problems and avoid frustration or writing custom SELinux policy:

    # /usr/sbin/getsebool -a | grep http
    allow_httpd_anon_write --> off
    allow_httpd_mod_auth_ntlm_winbind --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_check_spam --> off
    httpd_can_network_connect --> off
    httpd_can_network_connect_cobbler --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_memcache --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> off
    httpd_dbus_avahi --> on
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> off
    httpd_execmem --> off
    httpd_manage_ipa --> off
    httpd_read_user_content --> off
    httpd_run_stickshift --> off
    httpd_setrlimit --> off
    httpd_ssi_exec --> off
    httpd_tmp_exec --> off
    httpd_tty_comm --> on
    httpd_unified --> on
    httpd_use_cifs --> off
    httpd_use_gpg --> off
    httpd_use_nfs --> off
    httpd_use_openstack --> off
    httpd_verify_dns --> off

--
Tracy Reed
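The flip side of "flip a boolean to make the error go away" is that each boolean widens what httpd_t may do, so the enabled set is worth checking against a baseline once the wiki works. The script below is an added example, not part of the post above: it compares `getsebool -a | grep http` output (a constructed sample is embedded so it runs offline) against a hardening baseline and reports drift; the baseline and the helper name `check_booleans` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): report httpd
# SELinux booleans that deviate from a hardening baseline.
# On a live host feed it the real output: check_booleans "$(getsebool -a | grep http)"

# Assumed baseline: booleans that widen Apache's reach and should stay off
# unless the application really needs them (a wiki talking to a remote
# database wants httpd_can_network_connect_db, not the broader ..._connect).
BASELINE='httpd_can_network_connect off
httpd_can_network_connect_db off
httpd_can_sendmail off
httpd_enable_homedirs off
httpd_execmem off
httpd_ssi_exec off
httpd_tmp_exec off
allow_httpd_anon_write off
allow_httpd_sys_script_anon_write off'

# Constructed sample of `getsebool -a | grep http` with two deviations.
SAMPLE='allow_httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_execmem --> off
httpd_tmp_exec --> on
httpd_unified --> on'

# check_booleans <getsebool-output>
# Prints "name: actual (expected X)" per deviation; returns 1 if any, else 0.
check_booleans() {
    rc=0
    while read -r name expected; do
        [ -n "$name" ] || continue
        # getsebool lines are "name --> value", so the value is field 3.
        actual=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $3 }')
        # Booleans absent from this policy version are skipped, not flagged.
        [ -n "$actual" ] || continue
        if [ "$actual" != "$expected" ]; then
            echo "$name: $actual (expected $expected)"
            rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return $rc
}

if check_booleans "$SAMPLE"; then echo "no drift"; else echo "drift detected"; fi
```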