In our previous post we learned how to set up a new LAMP server from scratch (LAMP Server Setup).
Now we will look at a few basic steps we can follow to secure our LAMP server.
Disable SSH Root Login
Disable root SSH login. It is better if you can change the default SSH port too, but make sure that the new port is open for connections in your firewall.
Install Linux Malware Detect software
Change to the directory where you want to download the package
# cd /usr/local/src
Now download the package
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Then extract the tar file
# tar -zxvf maldetect-current.tar.gz
# cd maldetect-1.6.3/
Then install the software
# ./install.sh
Linux Malware Detect v1.6
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
Then modify the maldet config file to set your email address for email notifications
# vi /usr/local/maldetect/conf.maldet
email_alert="1"
email_addr="youremailaddress@gmail.com"
Initiate the first scan manually
# maldet -a
bash: maldet: command not found
# export PATH=$PATH:/usr/local/sbin
# maldet -a
Linux Malware Detect v1.6.3
maldet(4345): {scan} signatures loaded: 15489 (12678 MD5 | 2034 HEX | 777 YARA | 0 USER)
maldet(4345): {scan} building file list for , this might take awhile…
maldet(4345): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(4345): {scan} file list completed in 0s, found 1717 files…
maldet(4345): {scan} scan of (1717 files) in progress…
maldet(4345): {scan} 1717/1717 files scanned: 0 hits 0 cleaned
maldet(4345): {scan} scan completed on : files 1717, malware hits 0, cleaned hits 0, time 235s
maldet(4345): {scan} scan report saved, to view run: maldet --report 181230-0756.4345
Install and enable “CSF” firewall for added security
Test functionality after enabling the firewall to make sure it is not blocking any legitimate requests. You can get the latest version from the Download CSF page.
# wget https://download.configserver.com/csf.tgz
# tar -xzf csf.tgz
# cd csf
# sh install.sh
Don’t forget to:
A. Configure the following options in the csf configuration to suite your server: TCP_, UDP_, IPV6, TCP6_, UDP6_
B. Restart csf and lfd
C. Set TESTING to 0 once you’re happy with the firewall, lfd will not run until you do so
Test required iptables modules
# perl /usr/local/csf/bin/csftest.pl
RESULT: csf should function on this server
The CSF log file locations can be found in the file /etc/csf/csf.logfiles
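The lock-out risk from the SSH step (the new port must be open in the firewall) and the CSF reminders about TCP_ and TESTING can be checked together before restarting either service. The script below is an added example, not part of the original post or of CSF; the function names are hypothetical and the sample config files are constructed.

```shell
#!/bin/sh
# Added example: consistency check between sshd_config and csf.conf.

# Print every value of an sshd_config keyword (case-insensitive; "#..." lines never match).
sshd_values() {   # $1 = file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2 }' "$1"
}

# Print the quoted value of a csf.conf setting: TCP_IN = "22,80" -> 22,80
csf_value() {     # $1 = file, $2 = setting name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed if port $1 appears in CSF port list $2 (comma-separated, ranges as low:high).
port_allowed() {
    echo "$2" | tr ',' '\n' | awk -F: -v p="$1" '
        NF == 1 && $1 == p                    { ok = 1 }
        NF == 2 && p >= $1 + 0 && p <= $2 + 0 { ok = 1 }
        END { exit !ok }'
}

# Print findings for one config pair; the return code is the number of problems.
audit() {         # $1 = sshd_config, $2 = csf.conf
    problems=0
    [ "$(sshd_values "$1" PermitRootLogin | head -n 1)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; problems=$((problems + 1)); }
    ports=$(sshd_values "$1" Port); ports=${ports:-22}   # sshd listens on 22 if unset
    tcp_in=$(csf_value "$2" TCP_IN)
    for p in $ports; do
        port_allowed "$p" "$tcp_in" ||
            { echo "FAIL: SSH port $p not in TCP_IN ($tcp_in)"; problems=$((problems + 1)); }
    done
    [ "$(csf_value "$2" TESTING)" = "0" ] ||
        { echo "WARN: TESTING is not 0, lfd will not run"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample configs: SSH moved to port 2222, CSF still only allows 22.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/sshd_config" <<'EOF'
#Port 22
Port 2222
PermitRootLogin no
EOF
cat > "$demo/csf.conf" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,443,30000:35000"
EOF
audit "$demo/sshd_config" "$demo/csf.conf" || echo "problems found: $?"
```

On a real server, call audit with /etc/ssh/sshd_config and /etc/csf/csf.conf before restarting sshd or csf.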
We should modify the PHP configuration and disable commonly abused PHP functions (disable_functions). This needs to be tested, as a few web scripts may break with some of these functions disabled.
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, ini_set
Make sure your CMS and associated plugins are updated. Widely used CMSs such as WordPress and Joomla have dedicated security plugins.