Secure, Safe, Fast Linux Hosting

I know that Secure, Safe, Fast #Linux Hosting sound silly as nothing can be fast and secure at the same time, but I’ve compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted for people running an open source stack made of Apache, MySQL, PHP and #Linux.

This list is an ongoing work, thta is why it has also a version number in it (v1.0). As soon as I will learn new tricks, the list will be updated.

By clicking read more, You’ll be able to go through the checklist, or maybe you’ll prefer the mindmap version HERE

Secure, Safe,
Fast Linux Hosting

v 1.0

• PHP settings
  • disable functions
    • show_source
    • system
    • popen
    • proc_open
    • phpinfo
      • dont give info to outside world
    • exec
    • passthru
    • shell_exec
    • file_open_base
      • set to http root to avoid path transversal attack
  • disable SAFE_MODE
  • compile your own php
    • use hardened PHP patch
      • ~ http://www.hardened-php.net/
    • remove unused library
• Check often crontab
  • FAF file anomaly finder
    • report change of file
    • generates audit reports
    • ~ http://rfxnetworks.com/faf.php
  • chkrootkit
    • check for rootkit periodically
    • too late if alarm
  • rkhunter
    • check for rootkit periodically
    • too late if alarm
  • Possible Exploit Script Report

    • scan files with regex after pattern

  • secheck
    • openBSD scripts
    • run opensuse/debian also
  • daily/weekly/monthly database backup
    • create google account
    • automysqlbackup.sh
  • antivirus
    • clamav is free
    • virus database update auto
• More security
  • Apache
    • mod_security
      • kind of software firewall
      • based on regular expressions
      • predifined rulesets
        • www.gotroot.com
        • www.modsecurity.org
      • fake apache signature: NOYB
    • mod_evasive
      • escape denial of service attack
    • mod_php
      • to avoid
        • php script run with apache user
        • php script can change files across clients on server
        • only one php.ini for all domains and users
        • only one php version
      • use mod_fcgi instead
        • php scripts run with user right
        • per client/user a php.ini
        • run php4 and php5 in same apache
        • run != php version per directory
    • remove uneeded modules
    • server-tuning.conf
      • tuning
        • worker is better but only if php fastcgi as mod_php not multithreaded
        • forked with mod_php, use more memory
      • use threading model not forked
        • only with php fastcgi
  • file system
    • less rights rules
      • the less right the better
    • check files right often
  • htaccess
    • in some directory
    • not really secure
  • passwords
    • not human readable
• Keep system secured
  • ssh
    • only public private key login
    • monitor brute force attempt with sshdfilter
      • ~ http://www.csc.liv.ac.uk/~greg/sshdfilter/
  • block ftp server
    • use secure copy instead
      • winscp
  • firewall
    • A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application
    • CSF
      • ~ http://www.configserver.com/cp/csf.html
  • keep linux rpm package up to date
  • check server health
    • ~ http://www.rfxnetworks.com/sim.php
    • get emails, cpu memory status
  • tripwire
    • extreme but secure
    • hash very file on filesystem
    • keep hash database secure for further equality check on safe medium
• Getting more Speed
  • Install PHP Opcode cache
    • file based
    • memory based
    • APC
      • advanced PHP cache
      • use by wikipedia
      • 100% more output speed
  • reduce DNS lookup
    • less js, css, images include
    • mod_deflate
      • PHP can also zip response
        • cpu cost vs bandwidth
    • mod_expires
      • set expire header on files, pics, js
      • tell the browser to not request file before xx days/months
  • infrastructure
    • mutiple apache
      • one tuned for static content, gif, zip, html, pdf
      • one for dynamic php, perl
    • multiple database server
      • tuning, allocate more buffer
      • complex, costly
    • memcache
    • ideas

      • ~ Wikipedia Architecture

        ~

        ebay infrastructure

  • put more memory in server
• Load Tests
  • Load produce per page is based on
    • user interaction: their speed and behaviour
    • size of page
      • number of static element
        • images
        • css
        • files
        • DNS lookup for external embeded file
      • business logic
      • shared ressource
        • database access
      • quality of schema, index missing
  • Use a tool to create virtual users
    • fix objectives
      • so many xxxxx users in system
      • so many open sessions
      • best response time
    • iterative process
    • small changes
    • load system
      • better
      • worse
        • rollback changes
  • Many tools on the market
    • ~ I like webperformance suite