This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas and now links have been added. The tree is also now a  lot more structured...

Secure, Safe, Fast Linux Hosting sound silly as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted for people running an open source stack made of Apache, MySQL, PHP and Linux.

By clicking read more, You'll be able to go through the checklist as HTML, or maybe you'll prefer the mindmap version HERE

 

mindmap

powered by Freemind, free mind mapping

  • Anomaly detection
    • FAF file anomaly finder
    • ~ secheck
      • secheck is a script which imitates currently existing log checkers but with a focus on security. secheck does some basic system security checking, then emails to output to a given user.

        openBSD scripts

        run opensuse/debian also

        use YaST to install

    • antivirus
      • clamav is free
      • virus database update auto in crontab
    • server health
  • More security
    • Apache
      • modules
        • mod_evasive
          • escape denial of service attack
          • limit number of requests per seconds for an IP
          • ~ read more HERE
        • mod_security
        • mod_php
          • to avoid
            • php script run with apache user
            • php script can change files across clients on server
            • only one php.ini for all domains and users
            • only one php version
        • use mod_fcgi instead
          • php scripts run with user rights
          • per client/user/directory  a php.ini
          • run php4 and php5 in same apache
          • run != php version per directory
      • remove uneeded modules
        • golden rule: less code less vulnerability
      • server-tuning.conf
        • tuning
          • worker is better but only if php fastcgi as mod_php not multithreaded
          • forked with mod_php, use more memory
        • use threading model not forked
          • only with php fastcgi
      • http.conf
        • switch DNS lookup off
      • htaccess
        • in some directory
        • not really secure
    • file system
      • less rights rules
        • the less right the better
          • Set permission to all .php files to 655
          • fix permissions automatically
            • files
              • alias fixpermF='find . -type f -exec chmod 644 {} \;'
            • directories
              • alias fixpermD='find . -type d -exec chmod ago=+rx {} \;'
      • check files right often
        • use FAF file anomaly finder
    • passwords
      • not human readable
      • generate them at least 128 bits with all character
        • see KEEPAS or equivalent for
    • PHP
      • disable functions
        • show_source
        • system
        • popen
        • proc_open
        • phpinfo
          • dont give info to outside world
        • exec
        • passthru
        • shell_exec
        • file_open_base
          • set to http root to avoid path transversal attack
        • example
          • disable_functions = system, exec, shell_exec, passthru, set_time_limit, error_log, ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen, escapeshellcmd, apache_child_terminate apache_get_modules, apache_get_version, apache_getenv, apache_note,apache_setenv,virtual, proc_open, phpinfo, passthru, show_source

      • disable SAFE_MODE
      • compile your own php
      • expose_php = Off
        • ; Decides whether PHP may expose the fact that it is installed on the server ; (e.g. by adding its signature to the Web server header).  It is no security ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not.

      • display_errors = off
      • file_uploads = off
      • allow_url_fopen = off
      • register_globales = off
  • Keep system secured
    • Limit access
    • Block access
      • firewall
      • block ftp server
        • use secure copy instead
          • winscp
    • Maintenance policy
      • always up to date
        • linux rpm package
        • PHP
        • MYSQL
    • Monitoring
  • Getting more Speed
    • Iterative process
      • fix objectives
        • so many xxxxx users in system
        • so many open sessions
        • best response time
      • load system
        • record testcases
        • Apache JMETER
          • create virtual users to simulate load
      • measures
        • quality!
        • better
        • worse
          • rollback changes
      • small changes
        • first software changes
        • last infrastructure changes
        • you may want to increase server memory
          • cheap today
          • may work
    • software changes
      • Apache
        • reduce DNS lookup
        • modules
          • mod_deflate
            • PHP can also zip response but not very efficient
            • cpu cost vs bandwidth
            • ~ read more HERE
          • mod_expires
            • set expire header on files, pics, js
            • tell the browser to not request file before xx days/months
            • ~ read more HERE
      • PHP
        • Install PHP Opcode cache
          • file based
          • memory based
          • APC
      • Mysql
        • tuning
          • Use tuning-primer.sh
          • buffer, settings in my.ini
          • allocate more buffer to select, join, sort operations
          • use innodb engine (transactionnal row locking) where it make sense per table
          • prefer myIsam (transactional table locking)
          • use memory base table for sessions tables
        • monitoring
          • look at slow queries
          • quality of schema, index missing
            • use explain query
          • look at full table scan
            • use explain query
              • add index
        • crontab
          • optimize tables and index on purpose
            • per day, week
          • rebuild statistics
      • webpages
        • less js, css, images include
        • reduce content size
          • space
    • infrastructure
      • expensive $$$$ €€€€
      • mutiple apache
        • one tuned for static content, gif, zip, html, pdf
        • one for dynamic php, perl
      • multiple database server
        • tuning, allocate more buffer
        • complex, costly
      • memcache
      • ideas
  • Load Tests
    • Load produce per  page is based on
      • user interaction: their speed and behaviour
      • size of page
        • number of static element
          • images
          • css
          • files
          • DNS lookup for external embeded file
        • business logic
        • shared ressource
      • database access
    • Use a tool to create virtual users
    • Many tools on the market
    • apache
  • Joomla
    • remove uneeded components
    • use Joomla 1.5 and APC for caching
      • alternatively use com_pagecache
    • less rights, do not use apache user as owner, and group
      • maintenance is difficult
  • Intrusion detection
    • crontab
      • Possible Exploit Script Report
        • scan files with regex after pattern

      • rkhunter
        • check for rootkit periodically
        • too late if alarm
      • chkrootkit
        • check for rootkit periodically
        • too late if alarm
      • every 4 hours send an email with results to admin
      • File Anomaly Detection
    • tripwire
      • extreme but secure
      • hash every file on filesystem
        • detect file tampering
      • keep hash database secure for further equality check on safe medium
  • Backup
    • crontab
      • daily/weekly/monthly database backup
        • automysqlbackup.sh
          • create email google account
          • get an email daily of database content
      • tar and FTP the result
    • MySQL
      • backup
        • daily, weekly
        • use automysqlbackup.sh to receive daily mail with mysql data
comments powered by Disqus

You might like also

Thief acting on forums
  I was contacted 2 days ago by a thief. This technique is quite old (at least 3 years) but always worth mentioning. Your bank will credit the amount in a few days but. . . the certified check is a stolen one that will take 3 to 4 week to be rejected by your bank. Enough time for robber to get the item and some money from you (they will pick up the item and ask for the shipping …
3348 Days ago
Joomla 1.5.13 Security Release Available
The Joomla Project announces the immediate availability of Joomla 1.5.13 [Wojmamni ama baji]. This is a security release and users are strongly encouraged to upgrade immediately. This release contains 26 bug fixes, two moderate-level security fixes and one low-level security fix. It has been 3 weeks since Joomla 1.5.12 was released on July 1, 2009. The Development Working Group's goal is to continue to provide regular, frequent updates to the Joomla community. Statistics Statistics for the 1.5.13 release period: Joomla …
3464 Days ago
Acunetix free edition now available
I will use it on my host very soon, if you have your own root server, this tool must be part of your administrator toolbox. Joomla! team use it to test the core framework, so we should be on the safe side, unfortunately we are are all using too many plug-ins that may be unsecure.. Here is how a report generated using Acunetix WVS look like (PDF - 1.5MB). Acunetix Web Vulnerability Scanner automatically scans your web applications / website …
3533 Days ago
No Thumbnail was found
This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas have been added. Secure, Safe, Fast Linux Hosting sound silly as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted for people running an open source stack made of Apache, MySQL, PHP and Linux. By clicking read more, …
3778 Days ago
No Thumbnail was found
First let's refresh some definitions...set user ID (SUID) The SUID permission causes a script to run as the user who is the owner of the script, rather than the user who started it. It is normally considered extremely bad practice to run a program in this way as it can pose many security problems. set group ID (SGID) The SGID permission causes a script to run with its group set to the group of the script, rather than the group …
3786 Days ago
No Thumbnail was found
Windows Vista includes a new defense against buffer overrun exploits called address space layout randomization. ASLR. is just a way to hide insecure code, and make harder automated attacks on millions of machine except if....but I will come on that laterAddress space layout randomization (ASLR) is a computer security technique which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.[WIKIPEDIA] In …
4398 Days ago
No Thumbnail was found
IBM Alphaworks have release a library for supporting the IETF SSH-2 protocol aka SSH (WikiPedia)IBM Secure Shell Library for Java is a lightweight implementation of the IETF SSH-2 protocol. The library currently implements only the basic SSH features such as password log-in and command execution. Advanced features such as tunning and X-forwarding are currently not supported. …
4746 Days ago
No Thumbnail was found
The National Security Agency (NSA)NSA/ Central Security Service (NSA/CSS) is a United States government agency responsible for both the collection and analysis of message communications, and for the security of government communications against similar agencies elsewhere. It is a part of the Department of Defense. ... ) [WikiPedia]has developed and distributed configuration guidance for Microsoft Windows NT and Windows 2000 in the form of configuration guides. These guides are currently being used throughout the government and by numerous entities as …
4829 Days ago
No Thumbnail was found
Some examples of what is going on in online eBanking applications securities...Lloyds TSB is going from a 2 stage login system to a securid (2 stage login definition at WikiPedia)in order to reduce online fraud...First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called "keyloggers", …
4833 Days ago
No Thumbnail was found
After Microsoft Warns of New Security Threat System monitoring programs, called rootkits, may pose a serious danger to your PC. it is time to see what offering is available to protect our PCs...A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits exist for a variety of operating systems such as …
4833 Days ago