
I want to host a small site at home and have installed Apache etc. like this:

  1. sudo apt-get update
  2. sudo apt-get install tasksel
  3. sudo tasksel install lamp-server

That all worked and everything is up and running.

Now, I am used to working with XAMPP to develop, and I did not want to use that live, as many references said it was not very secure.

So my question is: now that I have Apache/PHP & MySQL installed by the above method, what is the level of security by default?

Are there ways to make it more secure, and perhaps a checklist or run-down of any changes that might be recommended?

Clarification: the LAMP server would be a live site, not one in development.

Rog

2 Answers

I run my own LAMP servers on Ubuntu connected to the Internet, so I always follow the same guidelines. Usually, I'll check the following:

  • In Apache, remove the documentation, or at least don't serve it through the web server (by removing the link /etc/apache2/conf-enabled/apache2-doc.conf).
  • In Apache, be sure that unnecessary modules are not loaded. With Ubuntu, this is done by removing the links in /etc/apache2/mods-enabled. Each link points to a file in the /etc/apache2/mods-available directory that loads and configures one module at a time.
  • You may want to review and enable /etc/apache2/conf-available/security.conf. It proposes some security tips that are not activated by default:
      • denying access to the whole filesystem except for the directories that you explicitly allow later;
      • modifying the server banner to give as little information as possible on the running software.
  • In PHP, check that you don't print too much logging information on the screen in case of error (parameters in the "Error handling and logging" section of the /etc/php4/apache2/php.ini file; the comments in the file give a lot of information on what is preferable to do).
  • No need to expose your MySQL server to the Internet. By default, in Ubuntu, the MySQL server listens only on localhost. Check /etc/mysql/my.cnf, in the mysqld section, for the parameter bind-address. It should be set to 127.0.0.1:

    bind-address = 127.0.0.1

  • Don't install more services on this server than what you need.
  • Don't forget to apply updates when they arrive.
  • Don't rely only on the configuration of the LAMP server; don't forget that you are also going to run a PHP application that can introduce some security threats (input validation and all that stuff, to avoid someone typing an SQL query into an input field to retrieve more information from the DB than you would have given yourself, ...).

These are the first things on the top of my mind. Of course, you can find more detailed howtos and guides on the Internet.

Benoit
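A small audit script for the checklist above, added here as an example and not part of the answer. It walks a configuration tree rooted at `$1` (so it can run against `/` or against the constructed sample trees it builds itself) and reports which items are still in their weak state; the concrete directives `ServerTokens Prod` and `ServerSignature Off` for the banner item, and `display_errors = Off` for the PHP error-output item, are assumed settings chosen to make those points checkable.

```sh
#!/bin/sh
# Added audit helper, not part of the answer above. Checks a LAMP config tree
# for the checklist items: apache2-doc.conf disabled, security.conf enabled
# with "ServerTokens Prod" and "ServerSignature Off" (assumed settings for the
# banner item), PHP display_errors Off, MySQL bound to 127.0.0.1 only.
# $1 is the tree root, so the same code runs against / or a sample tree.
note() { echo "FINDING: $1"; findings=$((findings + 1)); }

lamp_audit() {
  root="$1"; findings=0
  [ -e "$root/etc/apache2/conf-enabled/apache2-doc.conf" ] &&
    note "apache2-doc.conf is enabled: the Apache manual is served over HTTP"
  sec="$root/etc/apache2/conf-enabled/security.conf"
  if [ ! -e "$sec" ]; then
    note "security.conf is not enabled"
  else
    grep -Eq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$sec" ||
      note "ServerTokens is not Prod: banner reveals OS and module versions"
    grep -Eq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$sec" ||
      note "ServerSignature is not Off: error pages reveal the version"
  fi
  ini=$(find "$root/etc" -path '*/apache2/php.ini' 2>/dev/null | head -n 1)
  if [ -z "$ini" ] || ! grep -Eiq '^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*(Off|0)' "$ini"; then
    note "PHP display_errors is not Off: error details are shown to visitors"
  fi
  grep -Eq '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1' "$root/etc/mysql/my.cnf" 2>/dev/null ||
    note "MySQL bind-address is not 127.0.0.1: server reachable from the network"
  echo "$findings"   # last line of output: number of findings
}

# Constructed sample trees (not real hosts): "weak" mimics an unhardened
# install, "hardened" has every item fixed. Prints the temp root.
make_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/apache2/conf-enabled" "$d/etc/php4/apache2" "$d/etc/mysql"
  if [ "$1" = weak ]; then
    : > "$d/etc/apache2/conf-enabled/apache2-doc.conf"
    printf 'ServerTokens OS\nServerSignature On\n' > "$d/etc/apache2/conf-enabled/security.conf"
    printf 'display_errors = On\n' > "$d/etc/php4/apache2/php.ini"
    printf '[mysqld]\nbind-address = 0.0.0.0\n' > "$d/etc/mysql/my.cnf"
  else
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$d/etc/apache2/conf-enabled/security.conf"
    printf 'display_errors = Off\n' > "$d/etc/php4/apache2/php.ini"
    printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$d/etc/mysql/my.cnf"
  fi
  echo "$d"
}

lamp_audit "$(make_tree weak)"      # five FINDING lines, then "5"
lamp_audit "$(make_tree hardened)"  # prints "0"
```

Run it as `lamp_audit /` on the server itself to check the real tree; on a 2025-era Ubuntu the php.ini lives under /etc/php/<version>/apache2/, which the find pattern also matches.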

Here is what I generally do after a LAMP setup (for development use, not production):

  • Disable apache2 from starting automatically:

    sudo update-rc.d apache2 disable

    When you want to use it, you may start it with:

    sudo service apache2 start

  • Disable mysql from starting automatically:

    echo "manual" | sudo tee /etc/init/mysql.override

    When you want to use it, you may start it with:

    sudo service mysql start

  • Block incoming ports 80 & 3306 on the firewall to secure your LAMP from invasion:

    sudo iptables -A INPUT -p tcp --dport 80 -j DROP
    sudo iptables -A INPUT -p tcp --dport 3306 -j DROP

    (As a matter of fact, I block all the incoming ports except a few critical ones, but Linux security is a different topic!)

Prahlad Yeri