Security Basics mailing list archives
Re: securing linux webserver?
From: Hecber Cordova <hecber () gmail com>
Date: Tue, 01 Mar 2005 14:13:56 -0400
Hi,

Some tips:

- Apache:
  - Enable only needed modules in Apache.
  - Install mod_security, and run Apache in a jail with chroot.
  - Fix all security bugs in the Apache installation (see Bugtraq).
  - See modules like mod_access, mod_auth, mod_rewrite and mod_ssl, which may help.
- MySQL:
  - Be careful with the database/table permissions. If you run MySQL on the same host as Apache, you must run MySQL only on localhost.
  - Use a user other than root (Database Superuser) to connect your applications in PHP.
- Linux:
  - Prevent root login in SSH.
  - Change the SSH port (default 22).
  - Permit only SSHv2.
  - Allow access by IP address (if possible).
  - Allow access by user.
  - Install and configure SELinux, or another RBAC for the Linux kernel.
  - Install and configure iptables. Set the default policy to DROP, and set your own policies.
  - Install only needed packages.
  - Install security fixes for your Linux distribution.
  - Don't install X (you don't need it).

Regards,
Hécber Córdova

On Sun, 27-02-2005 at 18:04 -0800, Kurt Leum wrote:
sorry to be so noob,

A friend of mine set up a webserver: http://www.globalgamesearch.com

problem is, he and I have no idea how to go about securing it; he started with SuSE Linux 9.1 with Apache 2.0, PHP 4.3.1, and MySQL out of the box and put it up. about half an hour ago, an intruder broke in, replaced SSHD with a back door, and pretty much screwed the system up.

We're going to reinstall the system with minimal programs, extremely secure permissions and a basic firewall, but beyond that we have no clue what to do. Can anyone here please help me out on this?

Thanks in advance for any help.
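An added example, not part of the original message: a small Python check that audits sshd_config text against four of the SSH tips in the reply (no root login, non-default port, protocol 2 only, per-user allowlist). The sample files, port 2222 and the account name webadmin are constructed, and the fallback defaults assume an OpenSSH release of that era, where the Protocol directive still exists.

```python
# Fallbacks when a keyword is absent (assumption: 2005-era OpenSSH defaults).
DEFAULTS = {"port": ["22"], "protocol": ["2,1"], "permitrootlogin": ["yes"]}

# Constructed sample: an out-of-the-box style file.
SAMPLE_WEAK = """\
Port 22
Protocol 2,1
PermitRootLogin yes
"""

# Constructed sample after applying the tips (port and account are hypothetical).
SAMPLE_HARDENED = """\
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers webadmin
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> list of values from the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Port=22" is valid too
        if not parts:
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":  # conditional blocks are not global policy
            break
        settings.setdefault(keyword, []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return the sorted list of tips the configuration does not follow."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    # sshd keeps the first value of a keyword; Port may be given several times.
    if cfg["permitrootlogin"][0].lower() != "no":
        findings.append("root-login")
    if "22" in cfg["port"]:
        findings.append("default-port")
    if cfg["protocol"][0].replace(" ", "").split(",") != ["2"]:
        findings.append("protocol-1")
    if not any(v for k in ("allowusers", "allowgroups") for v in cfg.get(k, [])):
        findings.append("no-user-allowlist")
    return sorted(findings)
```

`audit(SAMPLE_WEAK)` reports all four findings and `audit(SAMPLE_HARDENED)` reports none; an empty file is judged by the assumed defaults.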