How to Secure Your LAMP Server

The LAMP stack runs on Linux and consists of Apache, MySQL / MariaDB, and PHP / Python / Perl. It is a very popular combination of free and open source software and runs millions of websites today. While many are opting for the more efficient Nginx-based LEMP stack over Apache, a significant number of users still choose LAMP for their projects. In fact, over 30% of active sites today run on top of the LAMP stack. The stack is considered robust and well suited to high performance and high availability web applications. In this article, we are going to show you how to secure the LAMP stack on your Linux VPS.

Linux security

Enabling automatic updates

Because the LAMP stack is based on Linux, and the open source communities behind each component keep improving it, it is considered secure too. On an Ubuntu VPS, security updates and patches can be installed automatically as soon as they become available in the Ubuntu repositories, so make sure you configure the system to install security updates automatically if you are concerned about security. If this feature is not enabled on the server and you do not manually install the latest updates and patches, you are putting your server at risk of being compromised.

To enable automatic unattended upgrades, you must install the unattended-upgrades package.

sudo apt-get install unattended-upgrades

To configure which package categories will be automatically upgraded, you must edit the /etc/apt/apt.conf.d/50unattended-upgrades file.

Configuring the firewall

Having a properly configured firewall is very important for overall security. UFW is the default firewall configuration tool for Ubuntu and is initially disabled. To enable UFW you can use the command below. On a remote server, add the OpenSSH rule from the next step first, because UFW denies incoming connections by default and would otherwise block new SSH sessions.

sudo ufw enable

Allow access to basic services like OpenSSH and Apache:

sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443

Enabling access to other services is just as easy: replace the port number in the examples above with the port of the service you want to expose. The firewall rules persist across system reboots.

Disable unused services

If you have active services that you are not using, simply turn them off. For example, if a service like Dovecot is running on the server and you are not using it, stop and disable it with the following commands:

sudo systemctl stop dovecot.service
sudo systemctl disable dovecot.service

Install fail2ban

Fail2ban is a service that scans log files for repeated failed login attempts and blocks the IP addresses responsible. It is especially useful if you are not using two-factor or key-based authentication for services such as OpenSSH. To install Fail2ban, run the following command:

sudo apt-get install fail2ban

Make a copy of the default config file so you can safely make changes:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the jail.local file:

sudo nano /etc/fail2ban/jail.local

The [sshd] block should look like this (an IP address that fails to log in maxretry times within Fail2ban's findtime window is banned for bantime seconds):

[sshd]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 600

Save the file and restart Fail2ban for the changes to take effect:

sudo systemctl restart fail2ban.service

Enable Fail2ban at system boot:

sudo systemctl enable fail2ban.service
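As an added example that is not part of the original article, the following Python script applies the same rule the [sshd] jail above enforces (maxretry failed logins within Fail2ban's findtime window, 600 seconds by default) to a constructed auth.log excerpt, so you can see which address would be banned and why a slow, spread-out attempt is not. The sample log lines, the assumed year and the function names are assumptions, not Fail2ban's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/auth.log excerpt (sample data, not from a real server).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:05 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:00:06 vps sshd[1207]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:00:08 vps sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:09 vps sshd[1211]: Failed password for root from 203.0.113.7 port 51252 ssh2
Mar  3 10:30:00 vps sshd[1300]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar  3 10:30:01 vps sshd[1301]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 10:50:00 vps sshd[1302]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  3 10:50:01 vps sshd[1303]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar  3 10:50:02 vps sshd[1304]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

# Simplified version of the pattern the sshd filter matches on
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

def parse_syslog_time(ts: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year, so one is assumed here
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def ips_to_ban(log_text: str, maxretry: int = 5, findtime: int = 600) -> dict:
    """Return {ip: time of the failure that reached maxretry}.
    Mirrors the jail above: maxretry failures within findtime seconds."""
    windows = defaultdict(deque)   # per-IP failure timestamps inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and other daemons are ignored
        ip, when = m.group("ip"), parse_syslog_time(m.group("ts"))
        if ip in banned:
            continue
        q = windows[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:
            q.popleft()             # drop failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = when
    return banned
```

Calling ips_to_ban(SAMPLE_AUTH_LOG) reports only 203.0.113.7; the five failures from 192.0.2.9 never fall inside one 600-second window, which is exactly the gap a larger findtime is meant to close.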

Apache security

Hide sensitive information in Apache

The default Apache configuration exposes information about the server (version strings, module details, directory listings) that can be used against it. We will hide this information by creating a new configuration file:

sudo nano /etc/apache2/conf-available/custom.conf

Insert the following content:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options -Indexes
Header unset ETag
Header always unset X-Powered-By
FileETag None

Enable the Apache headers module if it is not already enabled:

sudo a2enmod headers

Enable the configuration:

sudo a2enconf custom.conf

Restart Apache for the changes to take effect:

sudo systemctl restart apache2.service

Install and enable mod_security

Mod_security is a web application firewall (WAF) that can be installed as an add-on module for Apache. It can be used to protect a web server from numerous attacks such as SQL injection, session hijacking, cross-site scripting, bad user agents and many more. To install and enable mod_security, run the following commands:

sudo apt-get install libapache2-modsecurity
sudo a2enmod security2

After installation, you must configure the module and enable the OWASP ModSecurity Core Rule Set (CRS).

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Then open the /etc/modsecurity/modsecurity.conf file and edit or add the following parameters. SecRuleEngine On blocks matching requests; while you are still tuning the rules for your application, SecRuleEngine DetectionOnly logs matches without blocking them.

SecRuleEngine On
SecResponseBodyAccess Off
SecRequestBodyLimit 8388608
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 262144

Save and close the file. Remove the current CRS and load the OWASP CRS using the following commands:

sudo rm -rf /usr/share/modsecurity-crs
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf

Edit the file /etc/apache2/mods-enabled/security2.conf. It should look like this:

<IfModule security2_module>
 SecDataDir /var/cache/modsecurity
 IncludeOptional /etc/modsecurity/*.conf
 IncludeOptional "/usr/share/modsecurity-crs/*.conf"
 IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>

Finally, restart Apache for the changes to take effect:

sudo systemctl restart apache2.service

Install and enable mod_evasive

Mod_evasive is an Apache module that can be used to protect a web server from DoS (Denial of Service), DDoS (Distributed Denial of Service) and brute force attacks. To install mod_evasive on the server, run the following command:

sudo apt-get install libapache2-mod-evasive

Open the default config file /etc/apache2/mods-enabled/evasive.conf and change the settings to look like below:

<IfModule mod_evasive20.c>
 DOSPageCount 5
 DOSSiteCount 50
 DOSPageInterval 1
 DOSSiteInterval 1
 DOSBlockingPeriod 600
 DOSLogDir "/var/log/mod_evasive"
</IfModule>

Save and close the file. Create a directory for log files:

sudo mkdir /var/log/mod_evasive
sudo chown -R www-data: /var/log/mod_evasive

Restart Apache:

sudo systemctl restart apache2.service

Secure MySQL

MySQL server protection

The first thing to do to secure the MySQL service is to run the mysql_secure_installation script.

sudo mysql_secure_installation

The script will guide you through important security tasks like setting a root password, disabling remote root login, deleting anonymous users, removing the test database, etc.

Disable MySQL Remote Access

If you will not perform remote operations on your MySQL server, disable remote access to the service. You can do this by editing the /etc/mysql/mysql.conf.d/mysqld.cnf file and setting bind-address to 127.0.0.1, so the server only listens on the loopback interface:

bind-address = 127.0.0.1

Restart the service for the changes to take effect.

sudo systemctl restart mysql.service

Creating individual MySQL users

Another thing you should consider is creating separate MySQL users for each database and application.

Login to MySQL as root:

mysql -u root -p

You can create a MySQL database and a new user that holds privileges only on that database with the following commands (the password is a placeholder; choose a strong one):

mysql> CREATE DATABASE new_db;
mysql> CREATE USER 'new_user'@'localhost' IDENTIFIED BY 'PaSsW0rD';
mysql> GRANT ALL PRIVILEGES ON new_db.* TO 'new_user'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> EXIT

Then you can use the newly created database and user for your application.

Disable LOCAL INFILE

If you are not explicitly using LOAD DATA LOCAL INFILE, it is good practice to disable it. Again, edit your MySQL config file and add the following line under the [mysqld] section:

local-infile=0

Restart the MySQL service for the changes to take effect.

PHP protection

If you followed the steps above, your server should already be in good shape. The last part of securing a LAMP server is securing PHP, which is a fairly straightforward process. Find the location of the loaded php.ini file:

php --ini | grep "Loaded Configuration File"

All of the following changes are made to this file.

Hide basic information in PHP

The first step is to hide the information PHP provides that some attackers can take advantage of. Open the php.ini file and change the settings to match the following:

expose_php = Off
display_errors = Off
mail.add_x_header = Off

Save the file and restart Apache:

sudo systemctl restart apache2.service

Disabling dangerous PHP functions

The disable_functions directive allows you to disable functions that may be harmful to your system. Change the directive in your php.ini file to match the following, and check that your application does not rely on any of the listed functions, because calls to them will fail once disabled:

disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,curl_exec,curl_multi_exec

While you're here, disable the inclusion and opening of remote files, which is a common route to remote code execution, with the following options:

allow_url_fopen=Off
allow_url_include=Off

File upload limitation

Unless your application actually needs file uploads, it is safer to disable them in PHP. Open the php.ini file and set the following parameter:

file_uploads=Off

If you do use the file upload function, set the following instead:

file_uploads=On
upload_max_filesize=1M

where upload_max_filesize is the upload size limit.

Restart Apache after making these changes.

Set maximum execution time

Again, edit the php.ini file and change the following parameters:

max_execution_time = 30
max_input_time = 30
memory_limit = 40M

This sets the maximum time in seconds a script is allowed to run and to parse input data, and the maximum amount of memory a script can allocate.

Enable open_basedir

The open_basedir directive restricts the directory tree from which PHP is allowed to open files. Edit the php.ini file and set it to the directory your web application actually lives in:

open_basedir="/path/to/the/directory/"

Remember to restart Apache for the changes to take effect.
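As an added example that is not part of the original article, this Python script audits a php.ini against the PHP settings recommended in the sections above (expose_php, display_errors, mail.add_x_header, allow_url_fopen, allow_url_include, disable_functions, file_uploads with upload_max_filesize, open_basedir) and lists every deviation. The sample ini text and the function names are assumptions.

```python
# Constructed php.ini excerpt with two deviations from the hardened settings (sample data).
SAMPLE_PHP_INI = """\
[PHP]
; Hardened values from the article, except expose_php and a shorter disable_functions
expose_php = On
display_errors = Off
mail.add_x_header = Off
allow_url_fopen = Off
allow_url_include = Off
file_uploads = On
upload_max_filesize = 1M
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo
open_basedir = "/var/www/html/"
"""

# Directive values the article recommends
EXPECTED = {
    "expose_php": "Off",
    "display_errors": "Off",
    "mail.add_x_header": "Off",
    "allow_url_fopen": "Off",
    "allow_url_include": "Off",
}
EXPECTED_DISABLED = {"show_source", "system", "shell_exec", "passthru", "exec",
                     "phpinfo", "popen", "proc_open", "curl_exec", "curl_multi_exec"}

def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: skips comments and section headers, strips quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings

def audit(settings: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key, "<unset>")       # an unset directive is reported too
        if got.lower() != want.lower():
            findings.append(f"{key} = {got} (expected {want})")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = EXPECTED_DISABLED - disabled
    if missing:
        findings.append("disable_functions missing: " + ", ".join(sorted(missing)))
    if settings.get("file_uploads", "On").lower() == "on" and "upload_max_filesize" not in settings:
        findings.append("file_uploads is On but upload_max_filesize is not set")
    if not settings.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings
```

Run audit(parse_php_ini(open(path).read())) against the file reported by php --ini to re-check a server after an upgrade or a package reinstall has replaced php.ini.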
