Linux Web Server Security Thread

Hi Dan!

Security updates... CentOS is a RedHat distribution if I remember correctly, so it will probably use YUM as an updater. You can edit /etc/yum/yum-updatesd.conf (change the entry do_update no to do_update yes) to make it install updates automatically. That would be for all of your software, not just security stuff.

About ssh: You should have a look at /etc/ssh/sshd_config and the sshd manpage. One thing that may be interesting to you is the DenyUsers and AllowUsers option - a black- or whiltelist. Find out more here.

I'm no expert when it comes to iptables, but this article looks like it should help you with quite a few issues.

sudo: I'm going to write an entry to the Tips and Tricks thread about editing the sudoers file soon, so I won't write much about that right now. Of course, you can always check the sudoers manpage.

Booting? If you're using Grub as a boot manager, add something like (changing it to your actual vmlinuz-2.6.xx of course) to /boot/grub/menu.lst and set it as standard. That way, you can still boot with a GUI if you want to.

Greetings,
Nepomuk

You might also have to secure your apache installation:
first check if the TRACK / TRACE methods are enabled, this is true by default on a debian system. Not sure for a CentOS machine.
To check:
> nc localhost 80
TRACE / HTTP/1.0
via: hello
(enter a few times)

If the server returns that he doesn' tknow this function, you are good. If not you have 2 options:
1. add TraceEnable off to your configuration file
2. add a rewrite condition, also in your configuration file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]

When you install php, you might want to change a few settings, like magic quotes (first line of defense against cross site scripting & sql injections) and you might want to put it in safe mode (some functions however will not work, so you might want to verify what is best for you, more information can be found here: PHP: Safe Mode - Manual)

Next your mysql server, I would advice to take a good look at the standard tables that are inserted when installing mysql. You might not need all of them. Also create a very solid root account, with an insanely difficult password.
Last item make sure only connections from the localhost are allowed, unless you really really really need other hosts to communicate with your server.

As for system hardening, you could consider running your entire LAMP server in a chroot environment ( http://www.howtoforge.com/chrooted_d...ubuntu_desktop ), this will ensure that your users only have access to a system that has no extra data except the necesarry files to run the lamp server. An extra note on the chroot environment, please check that there are no executables that don't have the correct permissions set. If you have an executable that allows users to execute and become root for a moment, you might allow them to break the chroot ( How to break out of a chroot() jail - PenguinSecurityWiki )

That are the things that pop into my head... If I think of something I will add them

edit:
One more thing, SSH, put PermitRootLogin to No, default this is Yes I think, you don't want that. Also when using sudo, I'm not against it, but I prefer not the use sudo at all. If your root user has a very strong password, it is reasonably save, and whe you use "su" you know you really want to have root permissions, sudo is typed quickly and is not always required.