Security Basics mailing list archives

Re: Linux Web Server Hardening (LAMP + Wiki)


From: gremlin () gremlin ru
Date: Thu, 31 Jan 2013 00:23:32 +0400

On 28-Jan-2013 22:45:29 +0800, forgaoqiang wrote:

I think the default setting of LAMP is safe enough,

They are not. Typical settings include old (and thus vulnerable)
apache httpd built with mod_php, which is _not_ safe.

First of all, decide how you'll split your system. I'd recommend
setting up one (or more) frontends with nginx and putting the actual httpd
(recent version, built with suexec support even for PHP) inside
an OpenVZ VPS (start from http://openvz.org/Download/live_CD).
Setting up virtual HTTP hosts and running them with separate users'
permissions is also a must. Putting MySQL in a separate VPS is
optional, but if you do, don't forget to assign an RFC-1918 | RFC-5156
address to it (thus making it inaccessible from outside). Once
you need to access the MySQL database from outside, use SSH's
"-L" parameter (see `man ssh` for details).

And don't hesitate to ask questions: looking like a fool is much
better than actually being one.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
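One way to apply the last two pieces of advice above (MySQL on a private address, reached from outside only through `ssh -L`), as an added example that is not part of Gremlin's message: a POSIX sh helper that checks the database address is in RFC 1918 or IPv6 unique-local space and prints the matching tunnel command. The host names and addresses are constructed placeholders; nothing here opens a connection.

```shell
#!/bin/sh
# Added example, not from the original post: keep MySQL on a private address
# and reach it from outside only through an SSH local port forward (ssh -L).

# Return 0 if ADDR is in RFC 1918 IPv4 space or an IPv6 ULA (fc00::/7, the
# unique-local range RFC 5156 lists), 1 otherwise.
is_private_addr() {
  case "$1" in
    10.*) return 0 ;;                                   # 10.0.0.0/8
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;  # 172.16.0.0/12
    192.168.*) return 0 ;;                              # 192.168.0.0/16
    [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;     # fc00::/7
    *) return 1 ;;
  esac
}

# Print the ssh command that forwards LOCAL_PORT on the admin machine to
# DB_ADDR:3306 through JUMP_HOST (the nginx frontend), refusing public DB
# addresses so the tunnel is never used as a substitute for keeping MySQL off
# the public network. Host names are placeholders; nothing is executed.
mysql_tunnel_cmd() {
  db_addr=$1; jump_host=$2; local_port=${3:-3307}
  if ! is_private_addr "$db_addr"; then
    echo "refusing tunnel: $db_addr is not a private (RFC 1918/ULA) address" >&2
    return 1
  fi
  # ssh(1) wants IPv6 hosts in -L specs wrapped in square brackets.
  case "$db_addr" in
    *:*) db_addr="[$db_addr]" ;;
  esac
  printf 'ssh -N -L %s:%s:3306 %s\n' "$local_port" "$db_addr" "$jump_host"
}

# Usage (constructed sample values):
#   mysql_tunnel_cmd 10.0.0.5 frontend.example.org 3307
#   -> ssh -N -L 3307:10.0.0.5:3306 frontend.example.org
#   then, with the tunnel up: mysql -h 127.0.0.1 -P 3307 -u app -p
```

The printed command keeps port 3306 on the database VPS unreachable from the Internet; only holders of an SSH login on the frontend can reach it, and only via their own loopback port.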
