Language Selection

English French German Italian Portuguese Spanish

Quick Guide to Securing a Lamp Server

Filed under
Howtos

In the last few years on the Internet the price of dedicated servers have went down and more people are beginning to use them for their sites, game servers, or small hosting companies. With this comes as I was talking about in my last article inexperienced admins. Lots of people I spoke too are too intimated by the linux shell and try to administer their server completely from the control panel.
This short guide will show you a few copy and paste walkthroughs you can use to help secure your server, these should work with any control panel, the mod security update script however is only for apache2. Using these tools and using basic security procedures will help you keep your server secure and free of hackers, spammers, and other annoyances.

Using linux as a personal desktop helps a lot as well as it gets you used to using the command line. The other extremely valuable tool is google. I would probably be nowhere without google. You can look stuff up as you go and find about any answer to any question you may have, Plus there is lots of walkthroughs just like this one I am just putting all the basic ones together.

OK this is not a complete guide but those who are less experienced should be able to follow these walkthroughs and make their server more secure then it was before.
First thing, install apf, bfd, and dos deflate. Complete walkthrough HERE
Note: Dos deflate will not work with debian unless you disable ipv6.

Next install modsecurity using the simple guide from eth0.us, guide can be found HERE

After you install mod security make a directory in /etc called modsecurity. Use my update script found HERE (apache2 only)
This will get all the latest rules from gotroot.com when you have them at the bottom of the mod security configuration in httpd.conf put
Include /etc/modsecurity/apache2/rulename.conf
I suggest using them all besides rules.conf as it gives lots of false positives.

Now if you have shell users or are running redhat, fedora, or debian you most likely need to update your kernel. Now this isn't as hard as you would think, with this copy and paste guide I made that is all you have to do is copy and paste, same as these other tutorials.
The guide can be found HERE. I will be making one for debian soon but you just use any basic debian kernel how to and patch the kernel the same way as you do in this one.

Once you have modsecurity installed keep an eye on the audit log to make sure it is not giving any false positives or blocking legitimate web apps. With the ruleset and rules you have included it should not unless someone is using some oddball web app.
None of these will make your server totally secure, it takes basic security practices such as using strong passwords, not using the same password for everything, and keeping up with all the latest exploitrs and hacking methods.

If you ever get hacked don't go ranting about how you are gonna prosecute so and so, go find out how they done it, how they got in, and what you can do to prevent it again. You will most likely never track down the hackers and the FBI most likely will not care so secure your system and make sure it does not happen again. As I have explained before defacers can actually be helpful to admins. That's about it, good luck and stay on your toes.

More in Tux Machines

US Sanctions Against Chinese Android Phones, LWN Report on Eelo

  • A new bill would ban the US government from using Huawei and ZTE phones
    US lawmakers have long worried about the security risks posed the alleged ties between Chinese companies Huawei and ZTE and the country’s government. To that end, Texas Representative Mike Conaway introduced a bill last week called Defending U.S. Government Communications Act, which aims to ban US government agencies from using phones and equipment from the companies. Conaway’s bill would prohibit the US government from purchasing and using “telecommunications equipment and/or services,” from Huawei and ZTE. In a statement on his site, he says that technology coming from the country poses a threat to national security, and that use of this equipment “would be inviting Chinese surveillance into all aspects of our lives,” and cites US Intelligence and counterintelligence officials who say that Huawei has shared information with state leaders, and that the its business in the US is growing, representing a further security risk.
  • U.S. lawmakers urge AT&T to cut commercial ties with Huawei - sources
    U.S. lawmakers are urging AT&T Inc, the No. 2 wireless carrier, to cut commercial ties to Chinese phone maker Huawei Technologies Co Ltd and oppose plans by telecom operator China Mobile Ltd to enter the U.S. market because of national security concerns, two congressional aides said. The warning comes after the administration of U.S. President Donald Trump took a harder line on policies initiated by his predecessor Barack Obama on issues ranging from Beijing’s role in restraining North Korea to Chinese efforts to acquire U.S. strategic industries. Earlier this month, AT&T was forced to scrap a plan to offer its customers Huawei [HWT.UL] handsets after some members of Congress lobbied against the idea with federal regulators, sources told Reuters.
  • Eelo seeks to make a privacy-focused phone
    A focus on privacy is a key feature being touted by a number of different projects these days—from KDE to Tails to Nextcloud. One of the biggest privacy leaks for most people is their phone, so it is no surprise that there are projects looking to address that as well. A new entrant in that category is eelo, which is a non-profit project aimed at producing not only a phone, but also a suite of web services. All of that could potentially replace the Google or Apple mothership, which tend to collect as much personal data as possible.

today's howtos

Mozilla: Resource Hogs, Privacy Month, Firefox Census, These Weeks in Firefox

  • Firefox Quantum Eats RAM Like Chrome
    For a long time, Mozilla’s Firefox has been my web browser of choice. I have always preferred it to using Google’s Chrome, because of its simplicity and reasonable system resource (especially RAM) usage. On many Linux distributions such as Ubuntu, Linux Mint and many others, Firefox even comes installed by default. Recently, Mozilla released a new, powerful and faster version of Firefox called Quantum. And according to the developers, it’s new with a “powerful engine that’s built for rapid-fire performance, better, faster page loading that uses less computer memory.”
  • Mozilla Communities Speaker Series #PrivacyMonth
    As a part of the Privacy Month initiative, Mozilla volunteers are hosting a couple of speaker series webinars on Privacy, Security and related topics. The webinars will see renowned speakers talking to us about their work around privacy, how to take control of your digital self, some privacy-security tips and much more.
  • “Ewoks or Porgs?” and Other Important Questions
    You ever go to a party where you decide to ask people REAL questions about themselves, rather than just boring chit chat? Us, too! That’s why we’ve included questions that really hone in on the important stuff in our 2nd Annual Firefox Census.
  • These Weeks in Firefox: Issue 30

Red Hat Corporate News