[olug] Fwd: Linux Web Server Hardening (LAMP + Wiki)

Rob Townley rob.townley at gmail.com
Tue Jan 29 09:19:04 UTC 2013


Aptitude search harden



On Monday, January 28, 2013, Jeff Hinrichs - DM&T <jeffh at dundeemt.com>
wrote:
> General Security Guidelines:
> 1) Turn off all services and unplug network cable (most secure)
> 2) Only turn on and plug in what is necessary for your production site.
> 2a) NO insecure services (no telnet, ftp, etc. Use only the secure
> versions, sftp, etc., BUT only if absolutely needed)
> 3) Remember, production != development
> 4) https for everything. No reason today not to do this.
> 5) Don't write your own encryption routines for anything or any reason -
> use tested/supported libraries.
> 6) Salt and Hash - no naked passwords - if a site has a maximum password
> length or restricts characters -- DO NOT USE IT. If they are salting and
> hashing then this is not a consideration until you hit the max POST size.
> Everyone gets their own salt too.
> 7) ALWAYS cleanse user input - assume each user input area is an attack
> vector that will be used against you.
> 8) Try to break into your own site from a public terminal. If you can get
> access to sensitive info with your credentials, then you have problems.
>
> There is much more, but if you do this at a minimum you'll be better off
> than many, many other sites. OWASP is a good resource, thick, verbose,
> mind numbing, but good nonetheless.
>
>
>
> On Mon, Jan 28, 2013 at 8:03 PM, Jay Bendon <jaybocc2 at gmail.com> wrote:
>
>> Here are some resources I've found:
>>
>> http://security.stackexchange.com/questions/993/hardening-linux-server
>> https://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
>> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
>> https://www.owasp.org/index.php/Main_Page
>>
>> As to the linux isn't secure statement, that person should feel free to
>> play in traffic and on railroad tracks, etc, for spreading that FUD.
>>
>> --Jay
>>
>>
>> On Mon, Jan 28, 2013 at 7:52 PM, Jason Troy <jason.troy at gmail.com> wrote:
>>
>> > I'm curious if there are any LAMP users on the list who want to share
>> > resources. One person responded to this post with "use win-doze, linux
>> > isn't secure!".
>> >
>> > --JT
>> > ---------- Forwarded message ----------
>> > From: "Jeffrey Walton" <noloader at gmail.com>
>> > Date: Jan 28, 2013 2:01 AM
>> > Subject: Linux Web Server Hardening (LAMP + Wiki)
>> > To: "Security Basics List" <security-basics at securityfocus.com>
>> >
>> > Hi All,
>> >
>> > Is anyone aware of a hardening guide for a Linux LAMP server with a
>> > Wiki component?
>> >
>> > I have an older Linux Server hardening book, but nothing recent. I
>> > have not seen a Wiki hardening document.
>> >
>> > Thanks in advance,
>> >
>> > Jeff
>> >
>> >
>> > _______________________________________________
>> > OLUG mailing list
>> > OLUG at olug.org
>> > https://lists.olug.org/mailman/listinfo/olug
>> >
>
>
>
> --
> Best,
>
> Jeff Hinrichs
> 402.218.1473
>
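Point 6 of the quoted guidelines (salt and hash, a salt per user, no reason for a length cap once you hash) worked through as an added example. This is not code from anyone in the thread; it uses only Python's standard library (PBKDF2-HMAC-SHA256 via `hashlib`, a constant-time compare via `hmac`), and the iteration count, salt size and record layout are constructed values chosen for the demo.

```python
import hashlib
import hmac
import os

# Added example (not from the thread): per-user salted password storage.
# Scheme is PBKDF2-HMAC-SHA256 from the standard library; the iteration
# count, salt size and record format below are constructed for the demo.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def make_record(password: str) -> str:
    """Return a storable record: scheme$iterations$salt_hex$digest_hex.

    Every call draws a fresh random salt, so two users (or the same user
    twice) with an identical password never share a stored digest.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salts_are_per_user(password: str) -> bool:
    """Same password stored twice yields two different records that both verify."""
    first, second = make_record(password), make_record(password)
    return first != second and verify(password, first) and verify(password, second)


def long_passphrase_accepted(length: int = 10_000) -> bool:
    """A hash-based scheme has no reason to cap password length (point 6 above)."""
    passphrase = "x" * length
    return verify(passphrase, make_record(passphrase))


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify("correct horse battery staple", rec), verify("wrong", rec))
    print(salts_are_per_user("hunter2"), long_passphrase_accepted())
```

Storing the scheme and iteration count inside the record is what lets you raise the work factor later and re-hash users on their next successful login. The "no length cap" point depends on the primitive chosen: PBKDF2 and scrypt accept arbitrary input, whereas bcrypt silently truncates at 72 bytes, so a site built on bcrypt does have a reason to enforce a (generous) maximum.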
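Point 7 (treat every user input field as hostile) as an added example, again not code from the thread. It shows the two layers a LAMP-style request handler should have for a field such as a username: an allowlist on the field's shape, then a parameterised query so the value reaches the database as data rather than as part of the SQL text. The table, rows and username pattern are constructed for the demo; the database is an in-memory SQLite file so it runs offline.

```python
import re
import sqlite3

# Added example (not from the thread): handling one user-supplied field.
# Two layers: an allowlist on the field's shape, then a parameterised
# query so whatever survives is bound as data, never spliced into SQL.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")  # constructed policy


def valid_username(value: str) -> bool:
    """Allowlist check: reject anything outside the shape a username may have."""
    return USERNAME_RE.fullmatch(value) is not None


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str):
    """Defective pattern: the value is spliced into the SQL text."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = '" + name + "'"
    ).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str):
    """Parameter binding: the driver passes the value separately from the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def unsafe_query_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True if the spliced query cannot even parse this input.

    A single apostrophe is enough: the quote that was meant to delimit the
    value now terminates the string literal, and the rest is read as SQL.
    """
    try:
        lookup_unsafe(conn, name)
    except sqlite3.Error:
        return True
    return False


def handle_request(conn: sqlite3.Connection, name: str):
    """What the web tier should do: validate shape first, then bind."""
    if not valid_username(name):
        return None  # caller returns 400; nothing reaches the database
    return lookup_safe(conn, name)


if __name__ == "__main__":
    db = demo_db()
    print(lookup_safe(db, "alice"))                 # [('alice', 'admin')]
    print(lookup_safe(db, "O'Brien"))               # [] - quote treated as data
    print(unsafe_query_breaks_on(db, "O'Brien"))    # True - quote treated as SQL
    print(handle_request(db, "O'Brien"))            # None - rejected before the query
```

The allowlist is the "cleanse" step and is specific to each field; the parameter binding is what makes the database layer safe regardless of what the allowlist missed. Neither replaces the other: escaping output for HTML is a third, separate step for whatever is later rendered back to a page.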


