[olug] Fwd: Linux Web Server Hardening (LAMP + Wiki)

Jeff Hinrichs - DM&T jeffh at dundeemt.com
Tue Jan 29 03:08:55 UTC 2013


General Security Guidelines:
1) Turn off all services and unplug network cable (most secure)
2) Only turn on and plug in what is necessary for your production site.
2a) NO insecure services (no telnet, ftp, etc.  Use only the secure
versions, sftp, etc., BUT only if absolutely needed)
3) Remember, production != development
4) https for everything.  No reason today not to do this.
5) Don't write your own encryption routines for anything or any reason -
use tested/supported libraries.
6) Salt and hash - no naked passwords - if a site has a maximum password
length or restricts characters -- DO NOT USE IT.  If they are salting and
hashing then this is not a consideration until you hit the max POST size.
Everyone gets their own salt too.
7) ALWAYS cleanse user input - assume each user input area is an attack
vector that will be used against you.
8) Try to break into your own site from a public terminal.  If you can get
access to sensitive info with your credentials, then you have problems.

There is much more, but if you do this at a minimum you'll be better off
than many, many other sites.  OWASP is a good resource: thick, verbose,
mind numbing, but good nonetheless.



On Mon, Jan 28, 2013 at 8:03 PM, Jay Bendon <jaybocc2 at gmail.com> wrote:

> Here are some resources I've found:
>
> http://security.stackexchange.com/questions/993/hardening-linux-server
> https://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
> https://www.owasp.org/index.php/Main_Page
>
> As to the "linux isn't secure" statement, that person should feel free to
> play in traffic and on railroad tracks, etc., for spreading that FUD.
>
> --Jay
>
>
> On Mon, Jan 28, 2013 at 7:52 PM, Jason Troy <jason.troy at gmail.com> wrote:
>
> > I'm curious if there are any LAMP users on the list who want to share
> > resources. One person responded to this post with "use win-doze, linux
> > isn't secure!".
> >
> > --JT
> > ---------- Forwarded message ----------
> > From: "Jeffrey Walton" <noloader at gmail.com>
> > Date: Jan 28, 2013 2:01 AM
> > Subject: Linux Web Server Hardening (LAMP + Wiki)
> > To: "Security Basics List" <security-basics at securityfocus.com>
> >
> > Hi All,
> >
> > Is anyone aware of a hardening guide for a Linux LAMP server with a
> > Wiki component?
> >
> > I have an older Linux Server hardening book, but nothing recent. I
> > have not seen a Wiki hardening document.
> >
> > Thanks in advance,
> >
> > Jeff
> >
> > _______________________________________________
> > OLUG mailing list
> > OLUG at olug.org
> > https://lists.olug.org/mailman/listinfo/olug
> >



-- 
Best,

Jeff Hinrichs
402.218.1473
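To make points 6 and 7 of the guidelines above concrete, here is an added example (editor's code, not from Jeff's post or from anything else on the list): a small Python user store that gives every user their own random salt, hashes with PBKDF2 from the standard library rather than a home-grown routine, compares digests in constant time, imposes no password length cap, and only ever hands user-supplied usernames to the database as bound parameters instead of gluing them into SQL. The table layout, iteration count and the usernames are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for the demo; raise it as
# hardware gets faster). 16 random bytes of salt per user.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied.

    The password is never truncated or filtered, so length and character-set
    limits (guideline 6) are not needed: the hash is a fixed size regardless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def open_user_store() -> sqlite3.Connection:
    """Create an in-memory SQLite table (constructed schema for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "  username TEXT PRIMARY KEY,"
        "  salt     BLOB NOT NULL,"
        "  digest   BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store a new user. Only the per-user salt and digest are kept, never the password."""
    salt, digest = hash_password(password)
    # '?' placeholders: the username is bound as data, so quotes or SQL
    # keywords inside it cannot change the statement (guideline 7).
    conn.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
        (username, salt, digest),
    )
    conn.commit()


def user_record(conn: sqlite3.Connection, username: str) -> Optional[Tuple[bytes, bytes]]:
    """Return (salt, digest) for a user, or None if there is no such user."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else (row[0], row[1])


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Check a login attempt without leaking which of name or password was wrong."""
    record = user_record(conn, username)
    if record is None:
        # Burn the same PBKDF2 work as a real check so an unknown username
        # is not measurably faster to reject than a bad password.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison: a plain '==' short-circuits on the first
    # differing byte and leaks timing information.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = open_user_store()
    register(db, "alice", "correct horse battery staple")
    register(db, "bob", "correct horse battery staple")
    # Same password, different salts, so the stored digests differ.
    print(user_record(db, "alice")[1] != user_record(db, "bob")[1])
    print(verify(db, "alice", "correct horse battery staple"))
    print(verify(db, "alice' OR '1'='1", "anything"))
```

Two users who pick the same password end up with unrelated digests because each got their own salt, and a username such as `alice' OR '1'='1` is looked up as that literal string rather than rewriting the query. The same shape carries over to PHP on a LAMP box with `password_hash()` and PDO prepared statements.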


