Facebook Twitter Instagram
    TecAdmin
    • Home
    • FeedBack
    • Submit Article
    • About Us
    Facebook Twitter Instagram
    TecAdmin
    You are at:Home»Security»15 Best Security Tips for LAMP Stack

    15 Best Security Tips for LAMP Stack

    By RahulApril 19, 20225 Mins Read

    Many new system administrators forgot to apply security when configuring a web hosting environment for production use with Apache, MySQL, and PHP. I am trying to include all those security tips which we must be considered while preparing a new system for production use or any existing LAMP setup.

    Advertisement

    All the configuration changes used in this article will be updated in the following configuration files as per your operating systems. In some cases, the configuration files path may change. So make the change inappropriate files. After making changes restart related services to change take effect.

    For Ubuntu, Debian & LinuxMint:
    • Apache2: /etc/apache2/apache2.conf
    • PHP: /etc/php/[VERSION]/apache2/php.ini
    • MySQL: /etc/mysql/my.cnf or /etc/mysql/mysql.conf.d/mysqld.cnf
    For CentOS, RedHat & Fedora:
    • Apache: /etc/httpd/conf/httpd.conf
    • PHP: /etc/php.ini
    • MySQL: /etc/my.cnf

    #1. Hiding Version and OS Identity (Apache)

    The ServerTokens directive controls whether Server response header field which is sent back to clients. The ServerSignature configures the footer on server-generated documents. Edit the Apache configuration file and update the following directives as follows.

    • ServerSignature – shows version of Apache
       ServerTokens Prod
      
    • ServerTokens – provides OS versions along with other confidential server details.
       ServerSignature Off
      

    #2. Disable Directory Listing (Apache)

    If directory listing is enabled in Apache. Then all the files and directories list will be shown on the web page if no default document exists. Add following configuration in Apache to disable directory listing server wide.

    <Directory />
        Options -Indexes 
    </Directory>
    

    After that, you can enable a listing per-directory basis if required.

    #3. Restricting File and Directory Access (Apache)

    Restricting access on basis of Directory, File the Location in Apache.

    Restrict Directory

    To restrict directory and files access from users, It will only allowed the ips are defined with Allow from.

    <Directory "/home/user/public_html">
        Order Deny,Allow
        Deny from all
        Allow from 192.168.1.0/24
        Allow from .example.com
    </Directory>
    

    Restrict File

    We can also restrict specific file using File directive like below.

    <File data.xml>
        Order deny,allow
        Deny from all
    </File>
    

    Restrict Location

    The Location directive limits the scope of the enclosed directives by URL.

    <Location /admin>
        Order Deny,Allow
        Deny from all
        Allow from 192.168.1.0/24
        Allow from .example.com
    </Location>
    

    #4. Disable Server Side Includes and CGI (Apache)

    We can simply disable server-side includes and CGI execution by defining directory tag. Add below in Apache virtual host configuration file.

    <Directory "/home/user/public_html">
       Options -Includes -ExecCGI
    </Directory>
    

    #5. Restrict PHP Information Leakage (PHP)

    By default, PHP installation exposes to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (Eg: X-Powered-By: PHP/5.4.20). Read More

    To hide this values from header edit php.ini and update below directive to Off

    expose_php = Off
    

    #6. Disable Remote Code Execution (PHP)

    If allow_url_fopen is enabled on your setup, It allows functions like file_get_contents() and the include and requires statements that can retrieve data from HTTP or FTP remote locations and execute their code.

    allow_url_fopen=Off
    allow_url_include=Off
    

    #7. Disable Dangerous PHP Functions (PHP)

    We can disable any PHP function using the disable_functions directive in the PHP configuration file. Disable all the functions which can be harmful and not used in applications.

    disable_functions =exec,shell_exec,passthru,system,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,proc_open,pcntl_exec
    

    #8. Limit PHP Access To File System (PHP)

    The open_basedir directive set the directories from which PHP is allowed to access files

    open_basedir="/home/user/public_html"
    

    #9. Disable Unused PHP Modules (PHP)

    PHP supports “Dynamic Extensions” to load in the PHP environment. We can disable any unused module to load in the system by changing the configuration file name.

    cd /etc/php.d/
    mv oci8.ini oci8.ini.disable
    

    #10. Enable Limits in PHP (PHP)

    To allow users to upload files of maximum size, update following configuration value.

     upload_max_filesize = 2M  #Maximum 2Mb of file user can upload
    

    Maximum execution time of each script

     max_execution_time = 30  # seconds
    

    Maximum amount of time each script may spend parsing request data

    max_input_time = 60  # seconds
    

    #11. Restrict Remote MySQL Access (MySQL)

    If your application environment does not require to access the database remotely, then disable all remote connections for the database server. The easier way to do it force the MySQL server to listen only on 127.0.0.1 (localhost).

    Edit the MySQL configuration file and update the following value.

    bind-address=127.0.0.1
    

    #12. Disable use of LOCAL INFILE (MySQL)

    Enabling LOCAL INFILE can be dangerous for your system security. If LOCAL INFILE is enabled on the server, a user can load any file ( like /etc/passwd, /etc/shadow ) to a table easily.

    To disable this edit MySQL configuration file and add following value under [mysqld] section.

    [mysqld]
    local-infile=0
    

    #13. Create Application Specific User in MySQL (MySQL)

    Do not use MySQL ‘root’ user for accessing the database through the application. It can be dangerous for your system. So make sure to create and use an application-specific user with limited access to the application database only. To create a MySQL account use the following command.

    [email protected]:~# mysql -u root -p 
    
    mysql> CREATE USER 'myusr'@'localhost' IDENTIFIED BY 'password';
    mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON mydb.* TO 'myusr'@'localhost' IDENTIFIED BY 'password';
    mysql> FLUSH PRIVILEGES;
    

    #14. Improve Security with mysql_secure_installation (MySQL)

    After installing MySQL mysql_secure_installation command is very useful for securing MySQL server. This command will also enable password protection on root user.

    [email protected]:~# mysql_secure_installation 
    
    "Only required output is shown below. In actuality, you will see more output on-screen"
    
    Change the root password? [Y/n] y
    New password: **********
    Re-enter new password: **********
    
    Remove anonymous users? [Y/n] y
    Disallow root login remotely? [Y/n] y
    Remove test database and access to it? [Y/n] y
    Reload privilege tables now? [Y/n] y
    
    

    #15. Write Protect Configuration Files (Apache/MySQL/PHP)

    In this section we are protecting all our server configuration files used in LAMP Stack, So than no one can change these files.

    chattr +ai /etc/php.ini
    chattr +ai /etc/php.d/*
    chattr +ai /etc/my.cnf
    chattr +ai /etc/httpd/conf/httpd.conf
    

    Remember that after enabling write protection no user including root can update these files. In case you need to update any of files disable write protection first using the following command.

    chattr -ai filename
    

    We will keep updating useful LAMP security tips for this article. We also request you to suggest tips by adding them in the comments.

    Apache Apache2 httpd lamp MySQL PHP PHP5 security
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email WhatsApp

    Related Posts

    Installing PHP on Pop!_OS

    How to Install PHP 8.x on Pop!_OS

    Managing Dependencies with Composer: A Beginner’s Guide

    CodeIgniter Remove index.php Using .htaccess

    View 6 Comments

    6 Comments

    1. Herculano on February 1, 2019 12:54 pm

      My Apache Config does’nt have any ServerSignature

      Reply
    2. best web design on January 4, 2019 8:47 am

      This is really interesting, You’re a very skilled blogger.
      I’ve joined
      your feed and appearance forward to seeking more of your wonderful post.

      Also,
      I’ve shared your web site in my social networks!

      Reply
    3. support wala on June 12, 2018 9:59 am

      This can be a major security threat to your web server. Thank for sharing this informative blog.

      Reply
    4. Tomas on August 1, 2017 10:10 am

      May I ask why you write protect /etc/php.ini and other files?

      My thinking is that if you do chmod 0400 on the file then it will only be read by root. I believe it is sufficient to ensure no other process can write to it.

      If you want to write to the file then you need elevated privileges (aka root). It’s the same with chattr in essence, as long as you have root privileges, you can remove the attribute that was set with chattr and write to the file. Unless you think you will accidental make changes to the file while logged on as root, I don’t see much benefit in changing file attributes.

      Reply
      • Rahul K. on December 28, 2017 7:50 am

        HI Tomas, Yes chmod 400 is also enough for security. The tutorial is just to reference that you can use chattr for more security.

        Reply
    5. Marc on September 1, 2015 6:22 am

      Great article… Thanks

      But there must be many more security options, Please add them also.

      Reply

    Leave A Reply Cancel Reply

    Advertisement
    Recent Posts
    • How to Split Large Archives in Linux using the Command Line
    • System.out.println() Method in Java: A Beginner’s Guide
    • Split Command in Linux With Examples (Split Large Files)
    • Test Your Internet Speed from the Linux Terminal
    • 11 Practical Example of cat Command in Linux
    Facebook Twitter Instagram Pinterest
    © 2023 Tecadmin.net. All Rights Reserved | Terms  | Privacy Policy

    Type above and press Enter to search. Press Esc to cancel.