It’s no secret that the Internet is stuffed with various bots that try to get into the ‘body’ of your site, or simply put — to hack it. Therefore, after installing a LAMP server, you need to configure it to protect your site from such attempts.
LAMP is a very popular combination of free and open source software and is used today to run millions of websites. Although many choose a more efficient LAMP stack based on nginx instead of Apache, there are still a significant number of users who choose LAMP for their projects. In fact, more than 30 per cent of active sites today are running on top of LAMP. The stack is considered reliable and is very suitable for working, with high performance and availability of Web applications. In this article, we are going to show you how to protect LAMP.
What is LAMP?
LAMP is a freely distributed and virtually free software suite. Four popular technologies are included in this bundle: Linux – the operating system; Apache – the Web server; MySQL- the database management system; and PHP – the programming language used to create Web resources.
The LAMP combination is:
- Linux server OS for performing the necessary tasks;
- Apache Web server, for which many additional modules have been created that solve the problem of working together with the Web server and scripts written in a variety of programming languages;
- MySQL DBMS that demonstrates excellent SQL query execution speed, and is ideal for small and medium-sized projects. MySQL runs on UNIX and Windows and is particularly easy to use;
- Server-side dynamic scripting language, which is generally PHP (but can also be Python or Perl).A significant advantage of this build is that it is great for fast deployment of the application because of the simple configuration, but still gives functionality in terms of scalability and isolation of components.
Among the disadvantages of such an assembly, the following should be highlighted: The application and the database use the same server resources (CPU, memory, I/O, etc), which gives poor performance and makes it difficult to determine the source (application or database) of this problem. There is also interference in the implementation of horizontal scaling.
Installing LAMP (Linux + Apache + MySQL + PHP/Perl/Python) is a fairly widely used option for configuring servers with Ubuntu. There are a large number of applications that are open source and written using the LAMP application stack. The popular ones are: Wiki encyclopaedias, content management systems (CMS), and management applications such as phpMyAdmin.
An important advantage of LAMP is its flexibility in the selection of databases, Web servers and scripting languages. The current replacement for MySQL is PostgreSQL and SQLite. Python, Perl and Ruby can be replaced by PHP. And nginx, Cherokee and Lighttpd are alternatives to Apache.
For quick LAMP installation, use Tasksel, which is a Debian/Ubuntu tool that installs multiple dependent packages on your system as a single task.
LAMP can be used for:
- If necessary, an environment for Web development and testing applications that are written for it. This is both for your own applications and for any CMS you need. You can run it on Windows and on Ubuntu.
- Creating a high-performance Web server on a virtual VPS server or on a dedicated server for hosting your projects.
- A server for version control systems.
- Self-learning administration.
- Economic purposes, to create your own server.
Why does LAMP security matter?
The security of your business starts with your database — the larger the business, the more the data that needs to be stored and processed. Servers are used to store a lot of data. For this reason, they are the main target of attackers.
Today, there are many ways to save your data and prevent hackers from taking over your confidential information, including special software, firewalls and antivirus programs. It is very important to properly configure them and professionally monitor events in order to protect data and prevent its theft.
A subset of information security or data security is ensuring the security of your data. With more reliance on computers, there are a number of potential threats to the data you store. Data may be lost due to a system crash, corrupted by a computer virus, deleted, or altered by a hacker. A simple user error can cause a file to be overwritten or deleted. In addition, lost devices, such as a tablet or smartphone, can cause your data to fall into the wrong hands.
Ways to secure Linux
Automatic updates: The LAMP stack is based on Linux and the whole open source community is working on its improvements. On Ubuntu VPS, all security updates and patches are available for automatic installation as soon as they reach the Ubuntu repositories; so make sure you set the system to automatically install these if you are concerned about security. In case this feature is not enabled on the server and you do not install the latest updates and patches manually, you are putting your server at risk of hacking.
To enable unattended automatic updates, you must install the unattended-upgrades package:
sudo apt-get install unattended-upgrades
To configure which package categories will be automatically updated, you must edit the /etc/apt/apt.conf.d/50unattended-upgrades file.
Configuring the firewall: On Linux Ubuntu, the UFW firewall configuration tool is disabled by default. You can enable it with one command: sudo ufw enable. After activation, open access to OpenSSH and Apache and if necessary, allow access to other services with the sudo ufw allow [port number] command. Allow access to basic services like OpenSSH and Apache:
sudo ufw allow 22 sudo ufw allow 80 sudo ufw allow 443
Enabling access to other services is pretty easy. Just replace the port number in the above examples with the port number of the service you want to provide access to, and that’s it. The firewall rules will remain active even after the system is restarted.
Disabling unused services: If you have active services that you don’t use, you can simply disable them. For example, if you have a service like Dovecot running on a server and you are not using it, stop and disable the service using the following commands:
sudo systemctl stop dovecot.service sudo systemctl disable dovecot.service
Ways to secure Apache Fail2ban: This is a utility for a Web server on Ubuntu, designed to register unauthorised intrusions. The software monitors log files and registers failed login attempts and their number, and detects automatic attacks. When the utility recognises an attempt to compromise the system, the IP from which the requests were made is blocked. In iptables, a new chain is simply added and the attack on the server can be considered a failure. To install Fail2ban, run the following command:
sudo apt-get install fail2 ban
Create a copy of the default configuration file, so that you can safely make changes:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the jail.local file:
sudo nano /etc/fail2ban/jail.local The [SSHD] block should look like this: [sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 5 bantime = 600
Save the file and restart Fail2ban for the changes to take effect:
sudo systemctl restart fail2ban.service
Enable Fail2ban at system startup:
sudo systemctl enable fail2ban.service
Install and enable mod_security: Mod_security is a Web application firewall (WAF) that can be installed as an optional module for Apache. It can be used to protect the Web server from numerous attacks, such as SQL injection, session hijacking, cross-site scripting, bad user agents and many others. To install and enable mod_security, run the following commands:
sudo apt-get install libapache2-modsecurity sudo a2enmod security2
OWASP ModSecurity is another utility to protect Apache from DoS and DDoS attacks. The module also works with IP addresses, identifying those from which suspicious requests occur and placing them in the blacklist.
After installation, you must configure the module and enable the OWASP ModSecurity Core Rule Set (CRS):
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Then open /etc/modsecurity/modsecurity.conf and add the following parameters:
SecRuleEngine On SecResponseBodyAccess Off SecRequestBodyLimit 8388608 SecRequestBodyNoFilesLimit 131072 SecRequestBodyInMemoryLimit 262144
Save and close the file. Delete the current CRS and load the OWASP CRS using the following commands:
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Install and Enable mod_evasive
Mod_evasive is an Apache module that can be used to protect a Web server from DoS (Denial of Service), DDoS (Distributed Denial of Service) and brute force attacks. To install mod_evasive on the server, run the following command:
Install and Enable mod_evasive
Open the default configuration file in /etc/apache2/mods-enabled/evasive.conf and change the settings to look like the following:
<IfModule mod_evasive20.c> <IfModule mod_evasive20.c> DOSPageCount 5 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 600 DOSLogDir “/var/log/mod_evasive” </IfModule>
Save and close the file. Create a directory for the log files:
sudo mkdir /var/log/mod_evasive sudo chown -R www-data: /var/log/mod_evasive
Restart Apache:
sudo systemctl restart apache2.service
Data protection
By default, Apache stores a large amount of information that requires protection; so to ensure the security of the Web server, confidential data is best hidden. This can be done via the conf file. First, create a custom.conf file in the conf-available folder of the Apache Web server and paste the following lines there:
*** ServerTokens Prod ServerSignature Off TraceEnable Off Options all -Indexes Header unset ETag Header always unset X-Powered-By FileETag None ***
After that, enable the configuration with the sudo a2enconf custom.conf command and restart Apache.
MySQL protection
The first thing to do to protect the MySQL service is to run the mysql_secure_installation script.
The script will help you complete important security tasks like setting up the root password, disabling remote administrator login, and deleting anonymous users.
Disabling MySQL remote access: If you do not perform remote operations on your MySQL server, disable remote access to the service. You can do this by editing the /etc/mysql/mysql.conf.d/mysqld.cnf file and changing the bind address to 127.0.0.1.
Restart the service for the changes to take effect using the following script:
sudo systemctl restart mysql.service
Creating individual MySQL users: Another thing you should consider is creating separate MySQL users for each database and application.
Log in to MySQL as root:
mysql -u root -p
You can create a MySQL database and grant all privileges to a new user using the following commands:
mysql> CREATE DATABASE new_db; mysql> GRANT ALL PRIVILEGES on new_db.* to ‘new_user’@’localhost’ identified by ‘PaSsW0rD’; mysql> FLUSH PRIVILEGES; mysql> EXIT
You can then use the newly created database and user for your application.
Disabling local infile: If you are not explicitly using local infile, then it is good to disable it. Again, edit the MySQL configuration file and add the following line under the [mysqld] block:
local-infile=0
Restart the MySQL service for the changes to take effect.
PHP protection
If you have moved on to PHP protection, we hope you are really concerned about the security issues of the LAMP server and have followed all the previous steps. The last stage is PHP protection.
Using php.ini, hide the basic data received from PHP by making the settings look like this:
*** expose_php = Off display_errors = Off mail.add_x_header = Off ***
Don’t forget to restart Apache so that the settings are up to date.
sudo systemctl restart apache2.service
Some PHP functions may pose a certain security risk to the Web server. To minimise the risks, you need to deactivate them via the php.ini file. First, configure disable_functions:
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,allow_url_fopen,curl_exec,curl_multi_exec
Then, in the same file, turn off the remote PHP execution function:
*** allow_url_fopen=Off allow_url_include=Off ***
To limit the maximum execution time, find the max_execution_time, max_input_time and memory_limit settings in the file, and replace them with 30M, 30M and 40M, respectively.
Enabling open_basedir: The open_basedir directive allows you to set the location from which PHP is allowed to access files. Edit the php.ini file and set the correct location to match the current configuration:
open_basedir=”/path/to/the/directory/”
Don’t forget to restart Apache for the changes to take effect.
The last steps
1. Keep packages updated to their latest versions (compare the output of the following commands with the output of yum info [package]). The following commands will output the current versions of Apache, MySQL and PHP:
# httpd -v # mysql -V (capital V) # php –v
Another yum update [package] can be used to update the package to have the latest security packages.
2. Make sure that the configuration files can only be written by the root account:
# ls -l /etc/httpd/conf/httpd.conf # ls -l /etc/my.cnf # ls -l /etc/php.ini /etc/php.d/security.ini
3. Finally, if you have the option, run these services (Web server, database server and application server) in separate physical or virtual machines and secure the communication between them through a firewall, i.e., if one of them is compromised, the attacker will not have immediate access to the others. In this case, you may need to change some of the configurations described in this article. Keep in mind that these are just some examples that can be used to increase security on your LAMP server.
Appraisal
The scripts and commands described above are just a small part of the improvements you can make to secure your servers. It is important to note that the implementation of such methods of protection is very important and the sooner it’s done, the better. The longer you wait, the less effective the security measures will be.
LAMP security is now essential and should not be underestimated. Since one small error is enough to destroy an entire network, it makes sense to make a lot of effort to protect the server.
In this article, we looked at ways to protect LAMP in the form of MySQL protection, Apache protection, PHP protection and data protection. We have specified all the detailed commands and scripts that can be used in your codes. We hope the article will be useful for you and will help you in protecting your servers. Trust me, it is better to protect yourself in advance than to clean up the traces of intrusion, or even worse — to restore the entire system.