15 ways to secure LAMP based VPS and Dedicated Web Servers

The Internet has given us the power to buy goods, make payments etc instantly from the comfort of our own homes. However along with these benefits, there is an underlying cyber security threat at hand. It was recently revealed that more than 360 million stolen credit card accounts were up for sale on the cyber black market. With several similar incidents like this coming to the fore in the past, it is essential to ensure that you keep critical information about your customers’ secure and save yourself millions of dollars in consumer lawsuits.

We at ResellerClub have put together a little guide to help you reduce the risk of your LAMP based VPS and Dedicated servers from getting hacked. LAMP is one of the most popularly used Application Stacks. It stands for Linux, Apache, PHP and MySQL.

Mitigate the risks of your LAMP based VPS and dedicated servers being attacked!

The Apache Web Server is one of the most commonly used Web Servers. However like most other software, it requires appropriate settings, monitoring and maintenance to guard against vulnerabilities.  In this post, we will cover both General guidelines that you can follow to secure your server, as well as certain specific steps that you should address to mitigate the damage caused by such attacks.

General LAMP Server Security Best Practices:

  • Sign up for updates and announcements from the Web Server Mailing List.
  • Upgrade to the latest version whenever there is an update.
  • Install only the modules you require and disable unnecessary ones.
  • Make sure you log all admin level accesses with date, times and usernames
  • Do not display your server version or OS version in error messages.

For Servers with Apache:

1.   Hide the Apache Version number, and other sensitive information

It is essential to hide the Apache Version Number your server is running, as well as other sensitive information. You can do this by following the simple steps listed below.

Add or Edit the following two directives in your httpd.conf file

ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Server: Apache

2.   Make sure apache is running under its own user account and group

When Apache is installed, the default user is set as “nobody”. However if there other applications that also run as the user nobody on your system, then a compromise of apache can also compromise other installations. It is best to add a separate user “apache” and then modify the following directives in httpd.conf to run apache as it own user.

User apache
Group apache

3.   Ensure that files outside the web root directory are not accessed.

It is always good practice to restrict access for files outside the web root directory to maintain security and ensure that these files are only accessed by people who need to access them.

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /html>
Order Allow,Deny
Allow from all
</Directory>

Note that because we set “Options None” and “AllowOverride None “this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.

4.   Turn off directory browsing, Follow symbolic links and CGI execution

You can do this with an Options directive inside a Directory tag.

  • If you want to turn off all Options simply use:

Options None

  • If you only want to turn off some, separate each option with a space in your Options directive:

Options -ExecCGI -FollowSymLinks -Indexes

5.  Install modsecurity

ModSecurity is an Apache add on module which can detect and prevent http attacks.  It can come in really handy in preventing SQL injections in case your developers forget to add input validation or identify and block information disclosure issues such as leaking detailed error messages, Social Security Numbers or Credit Card Numbers. Follow these steps to install mod-security

On CentOS:

yum install mod_security

On Ubuntu:

apt-get install mod_security.

service httpd restart

6.  Disable any unnecessary modules

There are several modules that are enabled on your Apache Web Server that you may not need. To search for modules installed run:

grep LoadModule httpd.conf

Here are some modules that are typically enabled but often not needed:

mod_imap

mod_include

mod_info

mod_userdir

mod_status

mod_cgi

mod_autoindex.

To disable them add a # sign in front of them.

You can also go through the Apache module documentation and disable or enable any that you need.

7.  Lower the Timeout value

The default Timeout directive is set to 300 seconds. Decreasing this value help’s mitigating the potential effects of a denial of service attack.

Timeout 45

8.  Limit large requests

In order to mitigate the effects of a denial of service attack, limit the amount of body that can be

sent in an http request.  If you do not have large uploads then you can limit this to 1Mb via the below directive.

LimitRequestBody 1048576

Application and Database Security

SQL injection is another common way of extracting data from poorly coded websites. Here is how you can prevent it and other such attacks.

  • Ensure your Applications like Joomla, WordPress, Drupal etc are upto date.
  • Subscribe to Bug updates and Vulnerability reports.
  • Try and avoid world writable 777 permissions your files or folders.
  • Regularly check for viruses or infections by scanning your web package.
  • If you are using MySQL or MariaDB run the mysql secure installation script.
  • If your application requires you to store confidential information like username, passwords, credit card data etc. then ensure that all communication is encrypted by using a Digital Certificate.

For servers with PHP:

1.  Run PHP as a separate User

It is recommended to Install php as a separate user than as an Apache Module. If you install php as an Apache Module then php will run with the apache user permission and any compromise of a vulnerable php script can lead to a server wide compromise.

A better way to install php would be with php-fpm a fastcgi process manager which lets you run and manage php scripts as a separate user.

2.  Use the POST method to pass important parameters like credit card information

Many developers already know this. PHP has two methods to pass variable information via a form the GET method and the POST method. The most important difference between these methods is that the GET method makes your pass information visible to everyone via a URL while POST method does not. Hence sensitive information like usernames, passwords should always be passed via the POST method.

3.  Always Validate Form and Text Input

Cross site scripting and SQL injection can both be prevented if form or file input is validated.

Cross site scripting allows a hacker to run malicious code on your server by simply uploading a file with malicious code in it to be run on the server and SQL injection allows a hacker to get access to your database by injecting malicious queries in your form to get database information like table name. A simple way to validate php code can be found at http://www.w3schools.com/php/php_form_validation.asp

4 . Hide the PHP version

Open php.ini and add the following

Vim /etc/php.ini

expose_php = Off

5.Log all php errors to a file and not on the website

display_errors = Off

log_errors = On

error_log = /var/log/httpd/php_error.log

For servers with MySQL or MariaDB:

1.      Run MySQL Secure Install

After installing MySQL run the mysql_secure_installation script.

sudo   /usr/bin/mysql_secure_installation

This script will prompt you to add a mysql root password, lock root access to localhost and remove any unwanted databases like the test database.

2.     Secure MySQL users and Database

Log into your MySQL Server and ensure that all MySQL users have a password and delete any unwanted user. Grant access to only those databases that the respective users would use.

Following the steps detailed above, you can go a long way in ensuring that your customer’s data remains secure.  In the next article I will add detail steps on Linux OS and Firewall Security.

Let us know if these techniques were helpful for securing your LAMP servers by leaving a comment below!