Here is the latest version of my growing mind map that will help you secure your Linux box. While some nodes are clearly targeted toward Joomla!, you can still safely apply a lot of my recommendations to any LAMP (Linux, Apache, MySQL, PHP) server.

 

This mind map is an ongoing work, that is why it also has a version number in it (v1.6). As soon as I learn new tricks, the mind map will be updated.

Added: Crash – Kernel Panic / Password / Intrusion Detection / Joomla! links / PHP settings / mod_security

New mind maps are currently in development:

  • Linux Compromised Server Checklist
  • Linux Server What to monitor

By clicking read more, you'll be able to go through the checklist as text, or download the mind map as a PDF (2MB).

  • Anomaly detection
    • FAF file anomaly finder
    • ~ secheck
      • secheck is a script which imitates currently existing log checkers but with a focus on security. secheck does some basic system security checking, then emails the output to a given user.
        • OpenBSD scripts
        • runs on openSUSE/Debian also
        • use YaST to install

    • antivirus
      • virus database updated automatically via crontab
      • FREE for personal use
    • server health
  • More security
    • Apache
      • modules
        • mod_evasive
          • protects against denial of service attacks
          • limits the number of requests per second for an IP
          • ~ read more HERE
        • mod_security
        • mod_php
          • to avoid
            • PHP scripts run as the Apache user
            • a PHP script can change files of other clients on the server
            • only one php.ini for all domains and users
            • only one PHP version
        • use mod_fcgi instead
          • PHP scripts run with the user's rights
          • one php.ini per client/user/directory
          • run PHP4 and PHP5 in the same Apache
          • run a different PHP version per directory
      • remove unneeded modules
        • golden rule: less code, fewer vulnerabilities
          • vi /etc/sysconfig/apache2
      • server-tuning.conf
        • tuning
          • the worker MPM is better, but only with PHP as FastCGI, because mod_php is not safe for multithreading
          • prefork with mod_php uses more memory
        • use the threaded model, not the forked one
          • only with PHP FastCGI
      • httpd.conf tuning
        • set
          • Timeout 20
          • KeepAliveTimeout 2
          • HostnameLookups off
          • KeepAlive Off
        • ~ more? google
      • .htaccess
        • in some directories
        • not really secure
    • file system
      • correct owner and group
        • example: user cedric in group www-data
      • Use ONLY Correct permissions
        • the fewer rights the better
          • 0600 PHP scripts
          • 0755 non-PHP scripts (*.cgi, *.pl, *.pm, *.py, *.e)
          • 0644 non-script files (images, CSS, HTML, templates, etc.)
          • 0755 all folders (any folder you would find below public_html)

        • NEVER chmod 777
        • fix permissions automatically
          • files
            • alias fixpermF='find . -type f -exec chmod 644 {} \;'
          • directories
            • alias fixpermD='find . -type d -exec chmod 755 {} \;'
          • if stable (just db changes, images), make it read only in httpdocs
            • find . -type f -exec chmod 444 {} \;
            • find . -type d -exec chmod 555 {} \;
      • Apache must refuse access to files with too permissive permissions
      • Searching for modified files on the server
        • check file permissions often
        • use FAF file anomaly finder
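The permission table and the fixperm aliases above, combined into one script as an added example (not code from the original mind map): it applies 0755/0600/0755/0644 per file type to a web root, offers the 0444/0555 read-only variant, and reports anything still world-writable. The directory tree it builds in demo() is constructed, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not code from the original mind map): apply the permission
# scheme from "Use ONLY Correct permissions" to a web root, then report
# anything still world-writable (the "NEVER chmod 777" check).
# The tree built in demo() is constructed; stat -c assumes GNU coreutils.
set -eu

# fix_perms ROOT: 0755 directories, 0600 PHP scripts, 0755 other scripts
# (*.cgi, *.pl, *.pm, *.py, *.e), 0644 everything else (images, CSS, HTML,
# templates). "{} +" batches paths so chmod runs once per batch, not per file.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -name '*.php' -exec chmod 600 {} +
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.pm' \
        -o -name '*.py' -o -name '*.e' \) -exec chmod 755 {} +
    find "$1" -type f ! -name '*.php' ! -name '*.cgi' ! -name '*.pl' \
        ! -name '*.pm' ! -name '*.py' ! -name '*.e' -exec chmod 644 {} +
}

# make_readonly ROOT: stricter variant for a stable site: 0444 files, 0555 dirs.
make_readonly() {
    find "$1" -type d -exec chmod 555 {} +
    find "$1" -type f -exec chmod 444 {} +
}

# world_writable ROOT: print files or directories writable by "others"
# (mode bit 002); returns 1 if any exist, 0 if the tree is clean.
world_writable() {
    if find "$1" -perm -002 -print | grep .; then
        return 1
    fi
    return 0
}
# mode PATH: octal mode as a string, used by the checks.
mode() { stat -c '%a' "$1"; }

# demo: build a small public_html with deliberately wrong modes, fix it,
# and print the temp directory so the result can be inspected.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/images"
    : > "$tmp/public_html/index.php"
    : > "$tmp/public_html/images/logo.png"
    : > "$tmp/public_html/hook.cgi"
    chmod 777 "$tmp/public_html/index.php" "$tmp/public_html/images"
    fix_perms "$tmp/public_html"
    echo "$tmp"
}
```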
    • passwords
      • NEVER EVER REUSE ANY PASSWORD
        • passwords MUST BE UNIQUE per service and function
          • counter-example: mysql password = ftp password = joomla! password
      • not human readable and not based on a dictionary
      • generate them with at least 128 bits of randomness, using all character types
    • PHP
      • compile your own php
      • Do not use PHP4, end of life since 2008!
      • php.ini
        • register_globals = Off
        • allow_url_fopen = off
        • file_uploads = off
        • display_errors = off
        • expose_php = Off
          • php.ini says: "Decides whether PHP may expose the fact that it is installed on the server (e.g. by adding its signature to the Web server header). It is no security threat in any way, but it makes it possible to determine whether you use PHP on your server or not."

        • disable SAFE_MODE
        • disable functions
          • show_source
          • system
          • popen
          • proc_open
          • phpinfo
            • don't give info to the outside world
          • exec
          • passthru
          • shell_exec
          • open_basedir
            • set it to the HTTP root to avoid path traversal attacks
              • ubuntu     /var/www/vhosts:/tmp
              • opensuse   /srv/www/vhosts:/tmp
          • example
            • disable_functions = system, exec, shell_exec, passthru, set_time_limit, error_log, ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen, escapeshellcmd, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual, proc_open, phpinfo, show_source

  • Keep system secured
  • Getting more Speed
    • Iterative process
      • set objectives
        • so many read-only users on the system
        • so many registered users with open sessions
        • best response time X in seconds
      • load the system
        • record test cases
        • Apache JMeter
          • create virtual users to simulate load
      • measure
        • quality!
        • better
        • worse
          • roll back the changes
      • small changes
        • software changes first: you can win a lot there and it's cheap
        • infrastructure changes last
        • you may want to increase server memory
          • cheap today
          • may work
    • software changes
      • Apache
        • reduce DNS lookups
        • modules
          • mod_deflate
            • PHP can also compress the response, but not very efficiently
            • CPU cost vs bandwidth
            • ~ read more HERE
          • mod_expires
            • set Expires headers on files, pictures, JS
            • tell the browser not to request the file again for xx days/months
            • ~ read more HERE
            • apache mod_expires.conf
          • mod_headers
            • apache mod_header.conf
          • mod_pagespeed
            • optimizes HTML on the fly and saves it in a cache
            • applies most of the Yahoo YSlow rules automatically
            • avoids optimizing Joomla!, Drupal, WordPress sites by hand
            • ~ read more HERE
        • hotlinking
      • PHP
        • Install PHP Opcode cache
          • file based
          • memory based
            • APC
      • MySQL
        • configuration tuning
          • use tuning-primer.sh
          • buffers, settings in my.ini
          • allocate more buffer memory to select, join and sort operations
          • use the InnoDB engine (transactional, row locking) where it makes sense, per table
          • prefer MyISAM (table locking)
          • use MEMORY-based tables for the session tables
        • monitoring
          • look at slow queries
          • quality of the schema, missing indexes
            • use EXPLAIN on the query
          • look for full table scans
            • use EXPLAIN on the query
              • add an index
        • crontab
          • optimize tables and indexes deliberately
            • daily or weekly
            • mysqlcheck -op -u user_name --all-databases
          • rebuild statistics
      • webpages
      • ~ Best Practices for Speeding Up Your Web Site
    • infrastructure
      • expensive $$$$ €€€€
      • multiple Apache instances
        • one tuned for static content: gif, zip, html, pdf
        • one for dynamic content: PHP, Perl
      • multiple database servers
        • tuning, allocate more buffer memory
        • complex, costly
      • memcache
      • ideas
      • Use a CDN
        • a network of servers containing copies of data, placed at various points all over the world, that maximizes bandwidth / access speed to the data for users
        • CDNs are expensive, but Google lets you use their CDN for all the AJAX libraries (jQuery is more than 80KB, MooTools the same size)
          • ex: http://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.js
          • ~ read more HERE
        • search for other "offload asset" in Google

      • server settings
        • No energy saving!
          • some hosting providers compile their own kernel and are aggressive on energy saving
          • check the CPU speed
            • cat /proc/cpuinfo
            • cpufreq-info
            • check the maximum accepted frequency
          • full speed all the time
            • cpufreq-set -c 0 -d 2GHz
    • Joomla
      • remove (uninstall)
        • unneeded components
        • unneeded modules
        • less code, fewer security threats, more speed
      • Remove unnecessary content
        • remove unnecessary modules, plugins, components
      • use Joomla 1.5 and APC for caching
        • alternatively use com_pagecache
      • fewer rights: do not use the apache user as owner and group
        • maintenance is more difficult
      • ~ visit Joomla! performance forums
    • Worth Reading
  • Load Tests
    • Load produced per page depends on
      • user interaction: their speed (think time) and behaviour
      • size of the page
        • number of static elements
          • images
          • CSS
          • files
          • DNS lookups for external embedded files
        • business logic
        • shared resources
      • database access
    • Use a tool to create virtual users
    • Many tools on the market
    • apache
  • Intrusion detection
    • crontab
      • Possible Exploit Script Report
        • scan files with regexes for suspicious patterns
      • File Anomaly Detection
        • generates audit reports for data matching specific characteristics
        • ~ read more HERE
      • every 4 hours send an email with the results to the admin
    • Useful bash commands
      • listOpenConnections
        • lsof -i
      • listInternetConnections
        • netstat -lptu
    • Rootkit detection
      • rkhunter
        • check for rootkits periodically
          • every day at 1AM
            • 0 1 * * * nice -n 19 /usr/local/bin/rkhunter --checkall 2>&1 | mail -s "rkhunter output" admin@example.com
        • if it alarms, it is already too late
        • ~ read more HERE
      • chkrootkit
        • check for rootkits periodically
          • every day at 1AM
            • 0 1 * * * nice -n 19 /sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" admin@example.com
        • if it alarms, it is already too late
        • ~ read more HERE
      • tripwire
        • extreme but secure
        • hashes every file on the filesystem
          • detects file tampering
        • keep the hash database for later comparison on a safe medium: NOT ON THE SERVER
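The "Possible Exploit Script Report" from the crontab node above, written out as an added example (not code from the original page): a POSIX sh script that greps a web root's PHP files for indicator regexes and lists the matches for cron to mail. The regexes, the cron line and the sample files in demo() are constructed; /srv/www/vhosts is the openSUSE path from the PHP node and admin@example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not code from the original mind map): the "Possible Exploit
# Script Report" cron job from the Intrusion detection node. It greps the PHP
# files under a web root for a few indicator regexes and lists the hits, so
# cron can mail them every 4 hours, e.g. (admin@example.com is a placeholder):
#   0 */4 * * * /usr/local/bin/exploit_report.sh /srv/www/vhosts | mail -s "Exploit report" admin@example.com
# Patterns and the sample files in demo() are constructed.
set -eu

# Extended regexes, one indicator each: obfuscated eval chains, request data
# passed straight into the functions the page's disable_functions list
# disables, and preg_replace with the old /e (evaluate as PHP) modifier.
P_OBFUSCATED_EVAL='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)'
P_INPUT_TO_SHELL='(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'
P_PREG_E="preg_replace[[:space:]]*\\(.*/e['\"]"

# exploit_report ROOT: print the path of every *.php file matching at least
# one pattern, sorted, one per line. Prints nothing when the tree is clean
# (grep -l exits 1 when a batch has no match, hence the trailing || true).
exploit_report() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE -e "$P_OBFUSCATED_EVAL" -e "$P_INPUT_TO_SHELL" -e "$P_PREG_E" {} + |
        sort || true
}

# count_hits ROOT: number of flagged files, handy for the mail subject line.
count_hits() {
    exploit_report "$1" | wc -l | tr -d ' '
}

# demo: constructed web root with one clean file and two that should be
# flagged; prints the temp directory so the report can be run against it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/httpdocs/cache"
    printf '<?php echo "hello"; ?>\n' > "$tmp/httpdocs/index.php"
    printf '<?php eval(base64_decode($blob)); ?>\n' > "$tmp/httpdocs/cache/x.php"
    printf '<?php preg_replace("/a/e", "foo", $s); ?>\n' > "$tmp/httpdocs/util.php"
    echo "$tmp"
}
```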
  • Backup
    • crontab
      • daily/weekly/monthly database backup
        • automysqlbackup.sh
          • create a Google email account
          • get an email daily with the database content
          • ~ read more HERE
      • tar and FTP the result
    • MySQL
      • backup
        • daily, weekly
        • use automysqlbackup.sh to receive a daily mail with the MySQL data
  • Crash - Kernel Panic
    • Check the content of
      • vi /var/log/warn
        • Look for entries that fall within the period of the crashes. Do the entries show an incorrect software configuration, is the crash systematically related to a service, or do they exhibit other unexpected behavior? If you find relevant entries caused by an incorrect software configuration, make sure that the affected software (service / application) is configured correctly. The log files of the service or application may also contain additional information about the cause of the misconfiguration. If you find an entry with the classification EMERG, a system-critical event occurred; such an event may be responsible for the crash of the server.
      • dmesg
        • Browse the messages that were logged during the last boot for entries that point to an error.
        • dmesg | grep [Ee]rro
        • dmesg | grep [Dd]efect
        • dmesg | grep [Ff]aul
        • dmesg | grep [Nn]o
        • dmesg | grep [Ff]ail
        • dmesg | grep [Ii]ncorrect
        • dmesg | grep [Bb]ad