VPS LAMP Security - Is my way right?

Rey Member
edited February 2017 in Help

Hello everyone,
I'm not an expert sysadmin and every day I try to learn new things, especially about security, so this is what I did (Debian 8 minimal):

  • No root login

BASIC FIREWALL

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p tcp -m multiport --destination-ports 22,80,443 -j ACCEPT

  • Proftpd with chroot in the user's home

  • Apache 2.4 with lets encrypt

  • Php5

expose_php=Off
log_errors=On
error_log=/var/log/mylog/php_scripts_error.log
file_uploads=Off
allow_url_fopen=Off
allow_url_include=Off

disable_functions = I don't know what to put here, what do you suggest? At the moment there are these:

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,

  • Php5-FPM

SetHandler "proxy:unix:/var/run/php5-fpm/mydomain.com.sock|fcgi://localhost/"
Server API FPM/FastCGI

So the files are executed as the user.

  • Mysql 5.5 with mysql_secure_installation

  • Fail2ban

Other things? Thanks

Thanked by 1WSS
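Added example (editor's, not part of Rey's post): the firewall from the opening post rewritten as iptables-restore files, with the IPv6 twin the post lacks. The intent is unchanged (drop inbound by default, allow loopback, conntrack, ICMP and TCP 22/80/443); the additions are an explicit INVALID drop, kernel-side SSH brute-force damping with `-m recent`, rate-limited ping, and ICMPv6 handling. The port list, the file locations and the use of iptables-persistent are assumptions, not things the post states.

```shell
#!/bin/sh
# Added example, not from the original post: the thread's firewall as
# iptables-restore input for IPv4 and IPv6. Assumptions: SSH on $SSH_PORT,
# web on 80/443, rules loaded at boot by iptables-persistent from /etc/iptables.
SSH_PORT="${SSH_PORT:-22}"
TCP_PORTS="${TCP_PORTS:-$SSH_PORT,80,443}"

# Rules identical for IPv4 and IPv6; only ICMP handling differs.
common_head() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Added: packets conntrack cannot classify (bad TCP flags, out-of-window) are
# dropped explicitly instead of being treated as new connections below.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to our own traffic, including ICMP echo-reply, arrive as
# ESTABLISHED/RELATED, so a separate echo-reply rule is redundant.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Added: per-source SSH damping in the kernel. The 5th new SSH connection from
# one address within 60 s is dropped (and each further try extends the window);
# fail2ban/sshguard still handle the slow attempts that get through.
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name sshbf --set
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name sshbf --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp -m multiport --dports $TCP_PORTS -m conntrack --ctstate NEW -j ACCEPT
EOF
}

gen_v4() {
  common_head
  cat <<'EOF'
# Echo requests rate-limited: stays pingable without becoming a reflector.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
COMMIT
EOF
}

gen_v6() {
  common_head
  cat <<'EOF'
# IPv6 depends on ICMPv6 (neighbour discovery, router advertisements, path MTU);
# filtering it like IPv4 ICMP breaks connectivity. Limit echo only, accept the rest.
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
-A INPUT -p icmpv6 -j ACCEPT
COMMIT
EOF
}

# write_rules [DIR]: write both files where iptables-persistent loads them from.
write_rules() {
  dir="${1:-/etc/iptables}"
  mkdir -p "$dir"
  gen_v4 > "$dir/rules.v4"
  gen_v6 > "$dir/rules.v6"
  printf '%s\n' "$dir/rules.v4" "$dir/rules.v6"
}

# apply_rules [DIR]: parse-only check first (--test), then load atomically. Root needed.
apply_rules() {
  dir="${1:-/etc/iptables}"
  iptables-restore --test < "$dir/rules.v4" &&
  ip6tables-restore --test < "$dir/rules.v6" &&
  iptables-restore < "$dir/rules.v4" &&
  ip6tables-restore < "$dir/rules.v6"
}

# Stand-alone: print both rulesets; write_rules / apply_rules do the rest.
gen_v4
echo
gen_v6
```

Apply from a console session, or schedule a flush first (e.g. `echo 'iptables -P INPUT ACCEPT; iptables -F' | at now + 5 minutes`) so a typo in the rules cannot lock you out over SSH.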

Comments

  • raindog308 Administrator, Veteran
    edited February 2017

    Rey said: Hello everyone, I'm not an expert sys and every day I try to learn new things


    Rey said: Proftpd with chroot in the user's home

    I just can't get excited about FTP, unless you have customers that need it. SFTP is so much better. For one thing, not everything is sent in plain text.

    An alternative to fail2ban is CSF...more beginner-friendly. Same idea - active firewall, temp block for password bruting, etc.

    I'd change the SSH port just to avoid the noise and attacks - doesn't really increase security but it does.

    If you're running mail, I'd either only accept on localhost or put in some serious anti-spam, etc.

    BTW, you could also disable password login entirely (only ssh keys).

    Another thing I like to do is send an email whenever someone logs in. Obviously, this wouldn't work if it's a big public cpanel box with lots of users, but if you or only a small group are the only legit users, you could do that...e.g.: http://www.tecmint.com/get-root-ssh-login-email-alerts-in-linux/ (Just something I googled as an example.)

    Thanked by 1Rey
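Added example (editor's, not raindog308's or Rey's): the three suggestions above in one place, as working config. Key-only SSH with root login off, a chrooted SFTP-only group as the replacement for chrooted FTP, and a pam_exec hook that mails on every login instead of the .bashrc approach in the linked article. The names `sftponly` and `/usr/local/sbin/ssh-login-alert`, the alert address, and the assumption of the stock Debian 8 sshd_config (OpenSSH 6.7, no Include directive, no existing Match block) are mine. The check function also shows the gotcha that makes "just append the new lines" fail.

```shell
#!/bin/sh
# Added example, not from any post in the thread. Assumptions: Debian 8 /
# OpenSSH 6.7, default sshd_config without a Match block, a group "sftponly",
# a local MTA so mail(1) works.

# Fragment that goes at the END of sshd_config (Match blocks must come last).
sshd_fragment() {
  cat <<'EOF'
# ---- hardening (added) ----
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
# SFTP-only accounts: chroot into the home directory. OpenSSH refuses the
# chroot unless %h is owned by root and not group/world writable, so give the
# user a writable subdirectory (e.g. ~/www) for the site files.
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd uses the FIRST value of a keyword and ignores later repeats, so appending
# the fragment below an existing "PasswordAuthentication yes" changes nothing.
# effective_sshd FILE KEYWORD: the value sshd will actually use (global section).
effective_sshd() {
  awk -v k="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    tolower($1) == k && !found { print $2; found = 1 }' "$1"
}

# harden_sshd_config IN OUT: comment out earlier settings of every keyword the
# fragment sets, then append the fragment. Validate with: sshd -t -f OUT
harden_sshd_config() {
  awk 'BEGIN { n = split("permitrootlogin pubkeyauthentication passwordauthentication challengeresponseauthentication usepam maxauthtries logingracetime x11forwarding", a, " "); for (i = 1; i <= n; i++) k[a[i]] = 1 }
       tolower($1) in k { print "#" $0; next }
       { print }' "$1" > "$2"
  sshd_fragment >> "$2"
}

# Login alert hook. Install as /usr/local/sbin/ssh-login-alert (root:root, 0755)
# and add to /etc/pam.d/sshd:
#   session optional pam_exec.so seteuid /usr/local/sbin/ssh-login-alert
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST and PAM_SERVICE to the script.
pam_alert_script() {
  cat <<'EOF'
#!/bin/sh
ALERT_TO=root   # assumption: point this at a mailbox you actually read
[ "$PAM_TYPE" = open_session ] || exit 0
printf 'user=%s from=%s service=%s host=%s at=%s\n' \
  "$PAM_USER" "${PAM_RHOST:-local}" "$PAM_SERVICE" "$(hostname)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
  | mail -s "ssh login: $PAM_USER@$(hostname)" "$ALERT_TO"
exit 0   # never block a login because the mail failed
EOF
}

# Stand-alone: show what the two files would contain.
sshd_fragment
echo
pam_alert_script
```

Keep a second session open while switching to key-only login, and run `sshd -t -f` on the new file before `service ssh restart`; `effective_sshd` on the result tells you whether an older `PasswordAuthentication yes` higher in the file is still winning.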
  • Rey Member
    edited February 2017

    @raindog308 said:
    I just can't get excited about FTP, unless you have customers that need it. SFTP is so much better. For one thing, not everything is sent in plain text.

    An alternative to fail2ban is CSF...more beginner-friendly. Same idea - active firewall, temp block for password bruting, etc.

    I'd change the SSH port just to avoid the noise and attacks - doesn't really increase security but it does.

    If you're running mail, I'd either only accept on localhost or put in some serious anti-spam, etc.

    BTW, you could also disable password login entirely (only ssh keys).

    Another thing I like to do is send an email whenever someone logs in. Obviously, this wouldn't work if it's a big public cpanel box with lots of users, but if you or only a small group are the only legit users, you could do that...e.g.: http://www.tecmint.com/get-root-ssh-login-email-alerts-in-linux/ (Just something I googled as an example.)

    I know CSF but I wanted to do it all without a GUI.. Just CLI.

    Yes, changing the SSH port doesn't increase security, I read about that.

    Mail is a bit of a big problem :D So at the moment I prefer to use Google Apps or Yandex mail.

    Only ssh keys, I will do, thanks.

    I did it in the past.. Too many emails sent :)

  • Rey said: I know CSF but I wanted to do it all without a GUI.. Just CLI.

    CSF Firewall can be used pure command line too. It's what I use for CSF config/setup on my Centmin Mod LEMP stacks https://centminmod.com/csf_firewall.html

    Thanked by 1Rey
  • Proftpd with chroot in the user's home

    Have a look at pureftpd or vsftpd

    Apache 2.4 with lets encrypt

    Have a look at better http servers.

    PHP 5

    Oh well ... (at least use v.7 if feasible)

    Thanked by 2WSS Rey
  • Also, sshguard is everything fail2ban isn't.

  • @bsdguy said:

    Proftpd with chroot in the user's home

    Have a look at pureftpd or vsftpd

    I tried vsftpd in the past, I don't like it.. anyway, why do you suggest pureftpd? My point regards security.. There will always be things better than other things.

    Apache 2.4 with lets encrypt

    Have a look at better http servers.

    Same here.

    PHP 5

    Oh well ... (at least use v.7 if feasible)

    I prefer not to compile or use other repos.

  • @WSS said:
    Also, sshguard is everything fail2ban isn't.

    Thanks I will take a look.

  • WSS said: Also, sshguard is everything fail2ban isn't.

    On Linux, fail2ban seems to be the standard choice, but I also prefer sshguard. For one, fail2ban requires python to be running the whole time ...

    Thanked by 1WSS
  • @Rey

    IT security happens to be my professional field. But hey, do whatever you please ...

  • @bsdguy said:
    @Rey

    IT security happens to be my professional field. But hey, do whatever you please ...

    ...and yet you're still advertising IPv4 in your sig?!

  • Heavily OT but frankly IPv6 is pure idiocy.

    For one, I posit that 4 giga-addresses are plenty enough. Actually I doubt that there are even 4 giga customers connected. But that's not the point.

    Looking at whole /8s of e.g. US-American universities and corporations, that is where the IP4 problem is.

    Moreover IPv6 has serious problems, incl. with regard to security, by being 128 bits wide. Utterly unnecessary, one might add.

    Iff one felt that IP4 wasn't large enough (which, again, is debatable) then the fucking bloody obvious solution would have been 64 bit IPs.

    As far as I'm concerned those responsible for the perverse idiocy of IPv6 should be given the choice between being crucified or spending the rest of their days in a looney bin.

  • @bsdguy said:
    @Rey

    IT security happens to be my professional field. But hey, do whatever you please ...

    OK, then explain your opinion about pureftpd instead of proftpd.

  • @Rey

    You mean, I should convince you? Won't happen.
    I don't see that you were in a position to put up conditions to be met. Just stay with proftpd. I couldn't care less.

  • @Rey, you might find https://cipherli.st/ helpful.

    Thanked by 3ipguru Rey doughnet
  • @bsdguy said:
    @Rey

    You mean, I should convince you? Won't happen.
    I don't see that you were in a position to put up conditions to be met. Just stay with proftpd. I couldn't care less.

    Great.. You know how the community works. Keep your IT security to yourself and your imaginary friend.

  • ProFTPd has had security issues in the past. vsftpd is fairly basic (and sometimes annoying), but it is generally considered more secure. PureFTPd is generally a good middle ground.

    Think of this as: ProFTPd is sendmail, vsftpd is Qmail, and PureFTPd is Postfix.

    Also, bsdguy may be a bit abrasive, but once you get past his body funk and that wiry hair, he's a big teddy bear.

    Thanked by 1Rey
  • On my Debian 8 and Ubuntu 16.04 servers I set some basic systemd service security features on mariadb, nginx, and php.

    [Service]
    PrivateTmp=true
    PrivateDevices=true
    NoNewPrivileges=true
    ProtectSystem=full
    ProtectHome=true

    Here's the systemd documentation for different settings you can set for your services.
    https://www.freedesktop.org/software/systemd/man/systemd.exec.html

    Thanked by 1Rey
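Added example (editor's, not from the post above): the same five settings as a proper systemd drop-in for php5-fpm, generated by a small function so the file can be rendered and inspected without root, plus the one caveat that matters on a box like Rey's where user homes hold the sites: `ProtectHome=true` hides /home from the service entirely. The unit name, the drop-in path and the `yes|no` switch are my assumptions; Debian 8 ships systemd 215, which already has all five directives.

```shell
#!/bin/sh
# Added example, not from the post. Assumptions: Debian 8 (systemd 215), unit
# name php5-fpm.service; adapt the unit name for mariadb/mysql and apache2/nginx.

# write_fpm_dropin [DIR] [yes|no]: second argument says whether web roots live
# under /home. Prints the path of the file it wrote.
write_fpm_dropin() {
  dir="${1:-/etc/systemd/system/php5-fpm.service.d}"
  sites_in_home="${2:-no}"
  mkdir -p "$dir"
  {
    cat <<'EOF'
[Service]
# Own /tmp and /var/tmp: session files and upload temp files are invisible to
# other services and to other users on the box.
PrivateTmp=true
# Only pseudo-devices (/dev/null, /dev/random, ...); no disks, no ttys.
PrivateDevices=true
# Nothing spawned by the service can gain privileges via setuid/fscaps. The
# php-fpm master still drops TO the pool user; only escalation is blocked.
NoNewPrivileges=true
# /usr, /boot and /etc become read-only for php-fpm; /var (logs) and /run (the
# FPM socket directory) stay writable, so the pool setup keeps working.
ProtectSystem=full
EOF
    if [ "$sites_in_home" = yes ]; then
      cat <<'EOF'
# ProtectHome=true would make /home, /root and /run/user appear EMPTY to
# php-fpm, so every site under /home vanishes. read-only keeps them readable
# but blocks PHP writes there (uploads, caches); if PHP must write under /home,
# leave ProtectHome out for this unit instead.
ProtectHome=read-only
EOF
    else
      printf '%s\n' 'ProtectHome=true'
    fi
  } > "$dir/hardening.conf"
  printf '%s\n' "$dir/hardening.conf"
}

# Stand-alone: render into a temp dir for inspection. Real deployment:
#   write_fpm_dropin   (no args)
#   systemctl daemon-reload && systemctl restart php5-fpm
#   systemctl show php5-fpm -p PrivateTmp -p ProtectSystem -p ProtectHome
tmp=$(mktemp -d)
cat "$(write_fpm_dropin "$tmp/php5-fpm.service.d" yes)"
rm -rf "$tmp"
```

After the restart, `systemctl show` confirms the unit picked the settings up, and `journalctl -u php5-fpm` is where a site that suddenly 404s because of `ProtectHome` will show its "No such file or directory" errors.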
  • Rey Member
    edited February 2017

    Anyone about PHP's disable_functions? Don't touch it? Remove and add, or simply add these other functions? (found by googling):

    exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source
    
  • sin Member
    edited February 2017

    Rey said: Anyone about PHP's disable_functions? Don't touch it? Remove and add, or simply add these other functions? (found by googling):

    Here's what I have disabled on my personal servers:

    shell_exec,exec,system,symlink,passthru,proc_open,popen,pclose,show_source,pcntl_exec,dl,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname

    I run pretty much all Wordpress sites and I haven't had any issues with disabling those functions (although I only use a couple of plugins on each Wordpress install like Yoast, Supercache, etc).

    I mean you probably don't need to disable functions but I do it anyways.

    Since you're using Apache have you thought about using ModSecurity?

    Thanked by 1Rey
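Added example (editor's, not Rey's or sin's): a small audit for the disable_functions question raised in Rey's post and answered by sin above. It parses a php.ini (or a php-fpm pool file using `php_admin_value[...]`), extracts the effective `disable_functions` list, reports which baseline entries are still enabled, and flags the hardening switches from the opening post that are missing or not Off. The baseline is my own: the union of the two lists posted in the thread minus `escapeshellarg`/`escapeshellcmd`, which only quote strings and add nothing once the exec family is gone. The sample php.ini is constructed here to mirror the thread's settings.

```shell
#!/bin/sh
# Added example, not posted in the thread. Baseline = union of Rey's googled
# list and sin's list, without the two escapeshell* quoting helpers. Opinion,
# not a standard; trim it to what your PHP code really never needs.
BASELINE="exec system passthru shell_exec proc_open proc_close popen pclose dl
show_source symlink pcntl_exec posix_getpwuid posix_kill posix_mkfifo posix_setpgid
posix_setsid posix_setuid posix_uname"

# ini_value FILE KEY: value of KEY, last assignment wins (as in PHP when a key
# repeats). Strips ';' comments and quotes, accepts php-fpm pool syntax
# php_value[KEY]/php_admin_value[KEY], lowercases the result.
ini_value() {
  sed -e 's/;.*$//' -e 's/"//g' "$1" \
    | awk -F= -v k="$2" '
        { key = $1; gsub(/[[:space:]]/, "", key)
          sub(/^php_(admin_)?value\[/, "", key); sub(/\]$/, "", key) }
        tolower(key) == tolower(k) { sub(/^[^=]*=/, ""); v = $0 }
        END { print v }' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# disabled_functions FILE: the effective disable_functions entries, one per line
# (PHP accepts comma- or space-separated names; a trailing comma is harmless).
disabled_functions() {
  ini_value "$1" disable_functions | tr ', ' '\n\n' | sed '/^$/d'
}

# missing_disabled FILE: baseline entries that are NOT disabled yet.
missing_disabled() {
  have=$(disabled_functions "$1")
  for f in $BASELINE; do
    printf '%s\n' "$have" | grep -qx "$f" || printf '%s\n' "$f"
  done
}

# weak_flags FILE: hardening switches that are not explicitly Off. An unset key
# is reported too, because PHP's built-in default for expose_php,
# allow_url_fopen and display_errors is On.
weak_flags() {
  for k in expose_php allow_url_fopen allow_url_include display_errors; do
    v=$(ini_value "$1" "$k")
    case "$v" in
      "")              printf '%s (unset)\n' "$k" ;;
      off|0|false|no)  ;;
      *)               printf '%s=%s\n' "$k" "$v" ;;
    esac
  done
}

# write_sample_ini FILE: constructed sample, Rey's settings plus sin's list.
write_sample_ini() {
  cat > "$1" <<'EOF'
; constructed sample mirroring the thread's settings
expose_php = Off
log_errors = On
error_log = /var/log/mylog/php_scripts_error.log
file_uploads = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = "shell_exec,exec,system,symlink,passthru,proc_open,popen,pclose,show_source,pcntl_exec,dl,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname"
EOF
}

# Stand-alone run against the constructed sample.
SAMPLE=$(mktemp)
write_sample_ini "$SAMPLE"
echo "baseline functions still enabled:"; missing_disabled "$SAMPLE"
echo "flags to fix:"; weak_flags "$SAMPLE"
rm -f "$SAMPLE"
```

Point it at `/etc/php5/fpm/php.ini`, not the CLI copy: on Debian 8 the CLI and FPM have separate php.ini files, so `php -i | grep disable_functions` tells you nothing about the web workers (`php5-fpm -tt` dumps FPM's effective config). Since each pool already runs as its own user here, the list can also go per pool with `php_admin_value[disable_functions]` in `/etc/php5/fpm/pool.d/*.conf`, which the parser above reads as well.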