Secure, Safe, Fast Linux Hosting v1.4.0
This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas and now links have been added. The tree is also now a lot more structured…
Secure, Safe, Fast #Linux Hosting sound silly as nothing can be fast and secure at the same time, but I’ve compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted for people running an open source stack made of Apache, MySQL, PHP and #Linux.
By clicking read more, You’ll be able to go through the checklist as HTML, or maybe you’ll prefer the mindmap version HERE
powered by Freemind, free mind mapping
- Anomaly detection
- FAF file anomaly finder
- report unusual change of files
- generates audit reports
- ~ http://rfxnetworks.com/faf.php
- ~ secheck
secheck is a script which imitates currently existing log checkers but with a focus on security. secheck does some basic system security checking, then emails to output to a given user.
openBSD scripts
run opensuse/debian also
use YaST to install
- antivirus
- clamav is free
- virus database update auto in crontab
- server health
- ~ http://www.rfxnetworks.com/sim.php
- get emails, cpu memory status
- restart if need some components
- read more HERE
- ~ http://www.rfxnetworks.com/sim.php
- FAF file anomaly finder
- More security
- Apache
- modules
- mod_evasive
- escape denial of service attack
- limit number of requests per seconds for an IP
- ~ read more HERE
- mod_security
- kind of software firewall
- based on regular expressions
- predifined rulesets
- fake apache signature: NOYB
- ~ read more HERE
- mod_php
- to avoid
- php script run with apache user
- php script can change files across clients on server
- only one php.ini for all domains and users
- only one php version
- to avoid
- use mod_fcgi instead
- php scripts run with user rights
- per client/user/directory a php.ini
- run php4 and php5 in same apache
- run != php version per directory
- mod_evasive
- remove uneeded modules
- golden rule: less code less vulnerability
- server-tuning.conf
- tuning
- worker is better but only if php fastcgi as mod_php not multithreaded
- forked with mod_php, use more memory
- use threading model not forked
- only with php fastcgi
- tuning
- http.conf
- switch DNS lookup off
- htaccess
- in some directory
- not really secure
- modules
- file system
- less rights rules
- the less right the better
- Set permission to all .php files to 655
- fix permissions automatically
- files
- alias fixpermF=’find . -type f -exec chmod 644 {} \;’
- directories
- alias fixpermD=’find . -type d -exec chmod ago=+rx {} \;’
- files
- the less right the better
- check files right often
- use FAF file anomaly finder
- less rights rules
- passwords
- not human readable
- generate them at least 128 bits with all character
- see KEEPAS or equivalent for
- PHP
- disable functions
- show_source
- system
- popen
- proc_open
- phpinfo
- dont give info to outside world
- exec
- passthru
- shell_exec
- file_open_base
- set to http root to avoid path transversal attack
- example
disable_functions = system, exec, shell_exec, passthru, set_time_limit, error_log, ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen, escapeshellcmd, apache_child_terminate apache_get_modules, apache_get_version, apache_getenv, apache_note,apache_setenv,virtual, proc_open, phpinfo, passthru, show_source
- disable SAFE_MODE
- compile your own php
- use hardened PHP patch
- remove unused library
- expose_php = Off
; Decides whether PHP may expose the fact that it is installed on the server ; (e.g. by adding its signature to the Web server header). It is no security ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not.
- display_errors = off
- file_uploads = off
- allow_url_fopen = off
- register_globales = off
- disable functions
- Apache
- Keep system secured
- Limit access
- ssh
- only public private key login
- monitor brute force attempt with sshdfilter
- ssh
- Block access
- firewall
- A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application
- CSF
- ~ http://www.configserver.com/cp/csf.html
- read more HERE
- block ftp server
- use secure copy instead
- winscp
- use secure copy instead
- firewall
- Maintenance policy
- always up to date
- linux rpm package
- PHP
- MYSQL
- always up to date
- Monitoring
- Limit access
- Getting more Speed
- Iterative process
- fix objectives
- so many xxxxx users in system
- so many open sessions
- best response time
- load system
- record testcases
- Apache JMETER
- create virtual users to simulate load
- measures
- quality!
- better
- worse
- rollback changes
- small changes
- first software changes
- last infrastructure changes
- you may want to increase server memory
- cheap today
- may work
- fix objectives
- software changes
- Apache
- reduce DNS lookup
- modules
- mod_deflate
- PHP can also zip response but not very efficient
- cpu cost vs bandwidth
- ~ read more HERE
- mod_expires
- set expire header on files, pics, js
- tell the browser to not request file before xx days/months
- ~ read more HERE
- mod_deflate
- PHP
- Install PHP Opcode cache
- file based
- memory based
- APC
- advanced PHP cache
- use by wikipedia
- 100% more output speed
- ~ read more HERE
- Install PHP Opcode cache
- Mysql
- tuning
- Use tuning-primer.sh
- buffer, settings in my.ini
- allocate more buffer to select, join, sort operations
- use innodb engine (transactionnal row locking) where it make sense per table
- prefer myIsam (transactional table locking)
- use memory base table for sessions tables
- monitoring
- look at slow queries
- quality of schema, index missing
- use explain query
- look at full table scan
- use explain query
- add index
- use explain query
- crontab
- optimize tables and index on purpose
- per day, week
- rebuild statistics
- optimize tables and index on purpose
- tuning
- webpages
- less js, css, images include
- reduce content size
- space
- Apache
- infrastructure
- expensive $$$$ €€€€
- mutiple apache
- one tuned for static content, gif, zip, html, pdf
- one for dynamic php, perl
- multiple database server
- tuning, allocate more buffer
- complex, costly
- memcache
- ideas
ebay infrastructure
- Iterative process
- Load Tests
- Load produce per page is based on
- user interaction: their speed and behaviour
- size of page
- number of static element
- images
- css
- files
- DNS lookup for external embeded file
- business logic
- shared ressource
- number of static element
- database access
- Use a tool to create virtual users
- Many tools on the market
- ~ I like webperformance suite
- Apache JMETER is free
- apache
- Load produce per page is based on
- Joomla
- remove uneeded components
- use Joomla 1.5 and APC for caching
- alternatively use com_pagecache
- less rights, do not use apache user as owner, and group
- maintenance is difficult
- Intrusion detection
- crontab
- Possible Exploit Script Report
scan files with regex after pattern
- rkhunter
- check for rootkit periodically
- too late if alarm
- chkrootkit
- check for rootkit periodically
- too late if alarm
- every 4 hours send an email with results to admin
- File Anomaly Detection
- Possible Exploit Script Report
- tripwire
- extreme but secure
- hash every file on filesystem
- detect file tampering
- keep hash database secure for further equality check on safe medium
- crontab
- Backup
- crontab
- daily/weekly/monthly database backup
- automysqlbackup.sh
- create email google account
- get an email daily of database content
- automysqlbackup.sh
- tar and FTP the result
- daily/weekly/monthly database backup
- MySQL
- backup
- daily, weekly
- use automysqlbackup.sh to receive daily mail with mysql data
- backup
- crontab
