Select Page

Secure, Safe, Fast Linux Hosting v1.3.0

This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas have been added.

Secure, Safe, Fast #Linux Hosting sound silly as nothing can be fast and secure at the same time, but I’ve compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted for people running an open source stack made of Apache, MySQL, PHP and #Linux.

By clicking read more, You’ll be able to go through the checklist, or maybe you’ll prefer the mindmap version HERE

The next mind map will be a how to forensic a hacked #Linux server…

Secure, Safe, Fast Linux Hosting  v 1.3.0

    • PHP settings
      • disable functions

        • show_source
        • system
        • popen
        • proc_open
        • phpinfo
          • dont give info to outside world
        • exec
        • passthru
        • shell_exec
        • file_open_base
          • set to http root to avoid path transversal attack
        • example
          • disable_functions = system, exec, shell_exec, passthru, set_time_limit, error_log, ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen, escapeshellcmd, apache_child_terminate apache_get_modules, apache_get_version, apache_getenv, apache_note,apache_setenv,virtual, proc_open, phpinfo, passthru, show_source

        disable SAFE_MODE

        compile your own php

        expose_php = Off

        • ; Decides whether PHP may expose the fact that it is installed on the server ; (e.g. by adding its signature to the Web server header).  It is no security ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not.

        display_errors = off

        file_uploads = off

        allow_url_fopen = off

        register_globales = off

        post_max_size is not enabled, or is set to a high value. Allowing a large value may open up your server to denial-of-service attacks

        ~ check your settings with PhpSecInfo

    • Check often crontab
      • FAF file anomaly finder
      • chkrootkit
        • check for rootkit periodically
        • too late if alarm
      • rkhunter
        • check for rootkit periodically
        • too late if alarm
      • Possible Exploit Script Report
        • scan files with regex after pattern

      • ~ secheck
        • secheck is a script which imitates currently existing log checkers but with a focus on security. secheck does some basic system security checking, then emails to output to a given user.

          openBSD scripts

          run opensuse/debian also

          use YaST to install

      • daily/weekly/monthly database backup
        • create google account
        • automysqlbackup.sh
      • antivirus
        • clamav is free
        • virus database update auto
    • More security
      • Apache
        • mod_security
          • kind of software firewall
          • based on regular expressions
          • predifined rulesets
            • www.gotroot.com
            • www.modsecurity.org
          • fake apache signature: NOYB
        • mod_evasive
          • escape denial of service attack
        • mod_php
          • to avoid
            • php script run with apache user
            • php script can change files across clients on server
            • only one php.ini for all domains and users
            • only one php version
          • use mod_fcgi instead
            • php scripts run with user rights
            • per client/user/directory  a php.ini
            • run php4 and php5 in same apache
            • run != php version per directory
        • remove uneeded modules
          • less code less vulnerability
        • server-tuning.conf
          • tuning
            • worker is better but only if php fastcgi as mod_php not multithreaded
            • forked with mod_php, use more memory
          • use threading model not forked
            • only with php fastcgi
        • http.conf
          • switch DNS lookup off
      • file system
        • less rights rules
          • the less right the better
            • Set permission to all .php files to 655
            • fix permissions automatically
              • files
                • alias fixpermF=’find . -type f -exec chmod 644 {} \;’
              • directories
                • alias fixpermD=’find . -type d -exec chmod ago=+rx {} \;’
        • check files right often
          • use FAF file anomaly finder
      • htaccess
        • in some directory
        • not really secure
      • passwords
        • not human readable
    • Keep system secured
    • Getting more Speed
      • Install PHP Opcode cache
        • file based
        • memory based
        • APC
          • advanced PHP cache
          • use by wikipedia
          • 100% more output speed
      • reduce DNS lookup
        • less js, css, images include
        • mod_deflate
          • PHP can also zip response
            • cpu cost vs bandwidth
        • mod_expires
          • set expire header on files, pics, js
          • tell the browser to not request file before xx days/months
      • infrastructure
        • mutiple apache
          • one tuned for static content, gif, zip, html, pdf
          • one for dynamic php, perl
        • multiple database server
          • tuning, allocate more buffer
          • complex, costly
        • memcache
        • ideas
      • put more memory in server
    • Load Tests
      • Load produce per  page is based on
        • user interaction: their speed and behaviour
        • size of page
          • number of static element
            • images
            • css
            • files
            • DNS lookup for external embeded file
          • business logic
          • shared ressource
        • database access
      • Use a tool to create virtual users
        • fix objectives
          • so many xxxxx users in system
          • so many open sessions
          • best response time
        • iterative process
        • small changes
        • load system
          • better
          • worse
            • rollback changes
      • Many tools on the market
      • apache
    • MySQL
      • tuning
        • Use tuning-primer.sh
        • buffer, settings in my.ini
        • allocate more buffer to select, join, sort operations
        • use innodb engine (transactionnal row locking) where it make sense per table
        • prefer myIsam (transactional table locking)
        • use memory base table for sessions tables
      • monitoring
        • look at slow queries
        • quality of schema, index missing
          • use explain query
        • look at full table scan
          • use explain query
            • add index
      • backup
        • daily, weekly
        • use automysqlbackup.sh to receive daily mail with mysql data
    • Joomla
      • remove uneeded components
      • use Joomla 1.5 and APC for caching
        • alternatively use com_pagecache
      • less rights, do not use apache user as owner, and group
        • maintenance is difficult

About The Author

Cédric Walter

I worked with various Insurances companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology.In my technical role as a senior software engineer and Blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions.I'm the Founder and CEO of Disruptr GmbH.

Categories