Tips for Securing a LAMP Server

David’s answer is a good baseline of the general principles of server hardening. As David indicated, this is a huge question. The specific techniques you take could depend highly on your environment and how your server will be used. Warning, this can take a lot of work in a test environment to build out and get done right. Followed by a lot of work to integrate into your production environment, and more importantly, business process.

First, however, check to see if your organization has any hardening policies, as those might be the most directly relevant. If not, depending on your role, this might be a great time to build them out. I would also recommend tackling each component separately from the bottom up.

The L
There are lots of good guides available to help you out. This list may or may not help you depending on your distribution.

The A
Apache can be fun to secure. I find it easier to harden the OS and maintain usability than either Apache or PHP.

The M

The P
This runs headlong into the whole idea of Secure Programming Practices, which is an entire discipline of its own. SANS and OWASP have a ridiculous amount of information on the subject, so I won’t try to replicate it here. I will focus on the runtime configuration and let your developers worry about the rest. Sometimes the ‘P’ in LAMP refers to Perl, but usually PHP. I am assuming the latter.

Related Posts:

  1. Explanation of polkitd Unregistered Authentication Agent
  2. WordPress sites being filled with random PHP files
  3. What permissions should my website files/folders have on a Linux webserver?
  4. Is it normal to get hundreds of break-in attempts per day?
  5. How to handle security updates within Docker containers?
  6. How to check if an RSA public / private key pair match
  7. REJECT vs DROP when using iptables
  8. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  9. How to add a security group to a running EC2 Instance?
  10. Heartbleed: how to reliably and portably check the OpenSSL version?
  11. What is the difference between /sbin/nologin and /bin/false?
  12. Chmod 777 to a folder and all contents [duplicate]
  13. Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running?
  14. How do I grep recursively?
  15. “Couldn’t find a file descriptor referring to the console” on Ubuntu bash on Windows
  16. How can I recursively find all files in current and subfolders based on wildcard matching?
  17. How to install grub after installing Windows 10
  18. -bash: syntax error near unexpected token `newline’ for display command
  19. SSH using python script
  20. mysql_config not found when installing mysqldb python interface
  21. Linux error while loading shared libraries: cannot open shared object file: No such file or directory
  22. Shell command to tar directory excluding certain files/folders
  23. QEMU: /bin/sh: can’t access tty; job control turned off
  24. Meaning of exit status 1 returned by linux command
  25. How does “cat << EOF" work in bash?
  26. X11 forwarding request failed on channel 0
  27. What is difference between arm64 and armhf?
  28. Extract file basename without path and extension in bash
  29. How to change permissions for a folder and its subfolders/files in one step
  30. mysql_config not found when installing mysqldb python interface
  31. linux command to get size of files and directories present in a particular folder?
  32. ./configure : /bin/sh^M : bad interpreter
  33. Compile the Fortran program in Windows using gfortran
  34. How can I set the ‘backend’ in matplotlib in Python?
  35. Yum fails with – There are no enabled repos.
  36. How to get the process ID to kill a nohup process?
  37. Unable to establish SSL connection upon wget on Ubuntu 14.04 LTS
  38. Writing a simple shell in C using fork/execvp
  39. Using ls to list directories and their total sizes
  40. configure: error: cannot run C compiled programs
  41. What does set -e mean in a bash script?
  42. “find: paths must precede expression:” How do I specify a recursive search that also finds files in the current directory?
  43. Pipe to/from the clipboard in a Bash script
  44. Difference between exec, execvp, execl, execv?
  45. what does -zxvf mean in tar -zxvf filename? 
  46. Retrieve last 100 lines logs
  47. Configuring Apache for localhost
  48. Restarting cron after changing crontab file?
  49. cd into directory without having permission
  50. What does ‘bash -c’ do?
  51. How do I know the script file name in a Bash script?
  52. WordPress can’t find temporary folder, but folder it’s looking at has correct permissions
  53. WordPress cloning issue
  54. How to run a server on port 80 as a normal user on Linux?
  55. Copying a large directory tree locally? cp or rsync?
  56. Check if port is open or closed on a Linux server?
  57. Moving an already-running process to Screen
  58. When does `cron.daily` run?
  59. Permission denied (publickey). SSH from local Ubuntu to Amazon EC2 server
  60. How to run a command multiple times, using bash shell?
  61. LVM dangers and caveats
  62. How to reconnect to a disconnected ssh session
  63. Should I quit using Ifconfig?
  64. How to know from which yum repository a package has been installed?
  65. SSL Certificate Location on UNIX/Linux
  66. What is “-bash: !”: event not found”
  67. tar – Remove leading directory components on extraction
  68. Keeping a linux process running after I logout
  69. Force dig to resolve without using cache
  70. How to list Apache enabled modules?
  71. How to forcibly close a socket in TIME_WAIT?
  72. Colors in bash after piping through less?
  73. How can I monitor hard disk load on Linux?
  74. Why does sudo command take long to execute?
  75. How to display certain lines from a text file in Linux?
  76. What’s the reverse DNS command line utility?
  77. Can you have more than one ~/.ssh/config file?
  78. How can I export the privileges from MySQL and then import to a new server?
  79. Is there a directory equivalent of /dev/null in Linux?
  80. How to force nginx to resolve DNS (of a dynamic hostname) everytime when doing proxy_pass?
  81. Can I send some text to the STDIN of an active process running in a screen session?
  82. How can I get processor/RAM/disk specs from the Linux command Line? [duplicate]
  83. GPG does not have enough entropy
  84. Is there a way to see the execution tree of systemd?
  85. Why don’t EC2 ubuntu images have swap?
  86. How to determine the hostname from an IP address in a Windows network?
  87. SSHFS mount that survives disconnect
  88. Temporarily ignore my `~/.ssh/known_hosts` file?
  89. How to get TX/RX bytes without ifconfig?
  90. create home directories after create users
  91. Curl: disable certificate verification
  92. How do I redirect subdomains to a different port on the same server?
  93. Running Cron every 2 hours [duplicate]
  94. How to apply a filter to real time output of `tail -f `?
  95. How to check the physical status of an ethernet port in Linux?
  96. What does “debconf: delaying package configuration, since apt-utils is not installed” mean?
  97. Practical maximum open file descriptors (ulimit -n) for a high volume system
  98. In Linux, what is the difference between “buffers” and “cache” reported by the free command?
  99. How to handle relative urls correctly with a reverse proxy
  100. Where’s the conventional place to store git repositories in a linux file system tree?

Leave a Comment