Securing Linux webservers?

[Recursion]

Hey,

I was just wondering how people secured their Linux webservers? Typically what I'd do is:

- Change SSH port to something obscure
- Install some sort of firewall and only allow public services through
- Turn off server signatures on Apache/Lighttpd
- Install RKHunter/Chkrootkit
- Setup e-mail on SSH login
- Keep the OS and services up to date
- Install suPHP
- Install mod_security
- Disable rare/dangerous PHP functions
- Secure /tmp with noexec & nosuid

Anymore people would recommend?

[HarrySX]

This entirely depends on what server I'm configuring - e.g. what it's used for. However, my standard procedure is the following:

- Disable SSH password authentication, in favour of public key authentication.
- Secure /tmp, /dev/ etc.
- Install CSF, always. Configure to my usual standard.
- Compile Apache & PHP with mod_security and various others.
- Install SuPHP.
- Install LMD.
- Reboot into CloudLinux with KSplice.
- Check permissions.

Probably more too, not got my procedure list up.

---------- Post added 16-06-2011 at 07:32 PM ----------

Hey,

I was just wondering how people secured their Linux webservers? Typically what I'd do is:

- Change SSH port to something obscure
- Install some sort of firewall and only allow public services through
- Turn off server signatures on Apache/Lighttpd
- Install RKHunter/Chkrootkit
- Setup e-mail on SSH login
- Keep the OS and services up to date
- Install suPHP
- Install mod_security
- Disable rare/dangerous PHP functions
- Secure /tmp with noexec & nosuid

Anymore people would recommend?

Just wondering why you disable PHP functions? What are your servers typically used for?

[Recursion]

It's being used for typical hosting, without a control panel though.

Generally I thought disabling PHP functions was just another layer of protection against shell scripts and the like. I'm hosting fairly tech savvy people I know, which is exactly why I'm hardening it as much as possible!

Funnily enough it's on a VPS from you guys

[HarrySX]

It's being used for typical hosting, without a control panel though.

Generally I thought disabling PHP functions was just another layer of protection against shell scripts and the like. I'm hosting fairly tech savvy people I know, which is exactly why I'm hardening it as much as possible!

Funnily enough it's on a VPS from you guys

I used to have the same mind set, but I manage 3,000 shared clients on a daily basis and have a pretty thorough understanding of Linux security now.

Disabling PHP functions will obstruct things like root kit shells, but they're more of a nuisance and annoyance than anything else. If a hacker wants to do harm to your server, they'll get around disabling PHP functions eventually or just use Perl, Ruby etc. Many people forget that PHP isn't the only server side language enabled on web servers. As well as this, disabling PHP functions will be rather frustrating for legitimate clients - what about vBulletin or other applications that require the use of shell_exec, popen etc?

True security is with keeping your kernel up to date and getting the permissions right. But if you do wish to disable such functions, remember to disable php.ini override within the SuPHP configuration.