
Quick Guide to Securing a LAMP Server


In the last few years the price of dedicated servers has gone down, and more people are beginning to use them for their sites, game servers, or small hosting companies. With this come, as I was talking about in my last article, inexperienced admins. Lots of people I spoke to are too intimidated by the Linux shell and try to administer their server completely from the control panel.
This short guide will show you a few copy-and-paste walkthroughs you can use to help secure your server. These should work with any control panel; the mod security update script, however, is only for apache2. Using these tools and following basic security procedures will help you keep your server secure and free of hackers, spammers, and other annoyances.

Using Linux as a personal desktop helps a lot as well, as it gets you used to using the command line. The other extremely valuable tool is Google. I would probably be nowhere without Google. You can look stuff up as you go and find just about any answer to any question you may have. Plus there are lots of walkthroughs just like this one; I am just putting all the basic ones together.

OK, this is not a complete guide, but those who are less experienced should be able to follow these walkthroughs and make their server more secure than it was before.
First thing, install apf, bfd, and dos deflate. Complete walkthrough HERE
Note: Dos deflate will not work with Debian unless you disable IPv6.

Next, install modsecurity using the simple guide from eth0.us; the guide can be found HERE

After you install mod security, make a directory in /etc called modsecurity. Use my update script found HERE (apache2 only).
This will get all the latest rules from gotroot.com. Once you have them, put a line like this for each rule file at the bottom of the mod security configuration in httpd.conf:
Include /etc/modsecurity/apache2/rulename.conf
I suggest using them all besides rules.conf, as it gives lots of false positives.
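
To keep the Include list in step with the rule directory after each update, the script below compares the two. It is an added example, not part of the original guide or its update script, and its function names and the paths passed to it are assumptions. It lists the Include lines httpd.conf still lacks (leaving out rules.conf and empty downloads) and the Include targets that no longer exist.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names and the
# paths passed in are assumptions for illustration.

# Print every usable rule file in directory $1. rules.conf is skipped,
# as the guide advises, and so are empty or unreadable files such as
# those left behind by an interrupted download.
rule_files() {
    for f in "$1"/*.conf; do
        if [ ! -f "$f" ] || [ ! -r "$f" ] || [ ! -s "$f" ]; then
            continue
        fi
        if [ "$(basename "$f")" = "rules.conf" ]; then
            continue
        fi
        printf '%s\n' "$f"
    done
}

# Print the target of each Include directive in config file $1
# (directive names are case-insensitive; indentation is ignored).
included_paths() {
    awk 'tolower($1) == "include" { print $2 }' "$1"
}

# Print the Include lines that config file $2 still lacks.
missing_includes() {
    rule_files "$1" | while IFS= read -r f; do
        if ! included_paths "$2" | grep -qxF -- "$f"; then
            printf 'Include %s\n' "$f"
        fi
    done
}

# Print Include targets under directory $1 that no longer exist on disk.
stale_includes() {
    included_paths "$2" | while IFS= read -r p; do
        case $p in
            "$1"/*) if [ ! -f "$p" ]; then printf '%s\n' "$p"; fi ;;
        esac
    done
}

# Usage: sh check-includes.sh /etc/modsecurity/apache2 /path/to/httpd.conf
if [ "$#" -eq 2 ]; then
    echo "# add these:";    missing_includes "$1" "$2"
    echo "# remove these:"; stale_includes "$1" "$2"
fi
```

The script only reads the configuration. After pasting or removing lines by hand, run apachectl configtest before restarting Apache.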

Now if you have shell users or are running Red Hat, Fedora, or Debian you most likely need to update your kernel. This isn't as hard as you would think: with this copy-and-paste guide I made, all you have to do is copy and paste, same as with these other tutorials.
The guide can be found HERE. I will be making one for Debian soon, but you can just use any basic Debian kernel how-to and patch the kernel the same way as you do in this one.

Once you have modsecurity installed, keep an eye on the audit log to make sure it is not giving any false positives or blocking legitimate web apps. With the ruleset and rules you have included it should not, unless someone is using some oddball web app.
None of these will make your server totally secure; that takes basic security practices such as using strong passwords, not using the same password for everything, and keeping up with all the latest exploits and hacking methods.

If you ever get hacked, don't go ranting about how you are gonna prosecute so and so; go find out how they did it, how they got in, and what you can do to prevent it again. You will most likely never track down the hackers and the FBI most likely will not care, so secure your system and make sure it does not happen again. As I have explained before, defacers can actually be helpful to admins. That's about it; good luck and stay on your toes.
