6

I'm paying for a VPS and hoping to launch my first website on it in the next few days.

I'm worried there might be some glaringly obvious security holes in the standard setup, so I'm keen to get some tips. About the only thing I know is to turn off error reporting in PHP and create users/privileges for MySQL. Any more stuff along those lines?

I'm using:

  • cPanel and WHM
  • CentOS 5
  • PHP
  • MySQL
  • Google apps as mail server (so maybe I should disable the built-in mail server somehow?!)
Haroldo
    I really have to advise against doing what you intend to do. You should not put anything on the Internet until you have some decent knowledge and understanding of the system(s) involved. Instead, you should set up a test system (virtual machines are great for this) to learn and practice on before going live. We see far too many inexperienced people asking questions along the lines of "My web site has been hacked - what do I do now?". – John Gardeniers Jun 01 '10 at 00:17
  • Hi John, sounds like great advice, I'll do that; still, specific tips are still useful – Haroldo Jun 01 '10 at 07:48

4 Answers

7

There are a few security principles/tips you need to keep in mind:

  • Shut down the services you don't need

    If you don't need a specific service, shut it down. One thing less to worry about, especially regarding security.

  • Follow the least privilege principle

    If a service does not need to have super privileges, just give it the privileges it needs. For instance, if your web application doesn't need to drop tables, there's no need to enable the drop privilege in MySQL.

  • Have your services updated regarding security updates

    This is very important! From time to time, security holes are discovered. It's very important to have your applications updated when it comes to security issues.

  • Don't use default credentials

    Just don't use them. They're evil :) For instance, MySQL's root user doesn't have a password. Create one.

  • Backup everything that's important

    Backup everything you need to rebuild your server, and I mean everything. Also, test your backups on a regular basis. This is valid not only for security reasons, but also for business continuity reasons. One never knows when a backup might be needed.

Hope this helps!

Marco Ramos
  • Thanks Marco, are there any specific things you can think of? I remember someone saying something about changing the default MySQL password for example.. – Haroldo May 31 '10 at 19:04
  • @Haroldo: yep, I've just edited my answer. Btw, here's how to change the default password in MySQL: http://www.cyberciti.biz/faq/mysql-change-root-password/ – Marco Ramos May 31 '10 at 19:07
  • Hey Marco, that's very kind of you, I'll look into everything! **Keen to hear more so please keep em coming** - hopefully this could be a really useful beginners resource... – Haroldo May 31 '10 at 19:11
  • Just a note about backups - back up to something completely separated from the hosted environment and held offline, e.g. burn it off to a CD every week or month. This ensures no virus payload can trash both your host AND your backups. – Chris Thorpe Apr 08 '11 at 12:01
2

Also try to force MySQL to bind only to localhost if that is acceptable for you (Listen directive) or, even better, if possible, remove network support for MySQL.

Xavier Maillard
1

See also my first "production" debian server configuration

Always, always, always use the built-in package manager to install software - in Centos' case, that means Yum - http://wiki.centos.org/PackageManagement/Yum. This ensures that there's one central way to track and install security updates. Installing software from source on production servers is a security nightmare because you have to track and manually install security updates for all of it by hand.

Make sure you have a firewall in place, which only allows the services you need inbound - you could start with http://www.larted.org.uk/~dom/computing/code/iptfirewall

PHP should be hardened by disabling whichever of the following functions you don't need: http://www.eukhost.com/forums/f42/disabling-dangerous-php-functions-6020/

Also make sure PHP is set to log errors, not display them.

David North
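The configuration checks from the two answers above (log PHP errors instead of displaying them, disable the PHP functions you don't need, keep MySQL off the network) as a small POSIX shell audit script. This is an added example, not code from any answer on this page; it assumes the php.ini keys `display_errors`, `log_errors` and `disable_functions` and the my.cnf keys `bind-address` and `skip-networking`, uses `exec` as a stand-in for the function list the linked thread covers, and writes its own constructed sample configs so it runs offline.

```shell
#!/bin/sh
# Added audit helper (not from any answer on this page). It checks a php.ini and a
# my.cnf for the settings recommended above: errors logged rather than displayed,
# dangerous functions disabled, and MySQL not reachable over the network.
# The config files are constructed samples written below so the script runs offline.

# Print the value of KEY from an ini-style FILE, lower-cased, without surrounding
# whitespace; prints nothing if the key is absent.  Usage: ini_get FILE KEY
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1 | tr 'A-Z' 'a-z'
}

# One finding per line; the return value is the number of findings (0 = pass).
audit_php_ini() {
    n=0
    [ "$(ini_get "$1" display_errors)" = "off" ] ||
        { echo "php: display_errors should be Off"; n=$((n + 1)); }
    [ "$(ini_get "$1" log_errors)" = "on" ] ||
        { echo "php: log_errors should be On"; n=$((n + 1)); }
    # 'exec' stands in for the list of risky functions the linked thread discusses.
    case "$(ini_get "$1" disable_functions)" in
        *exec*) ;;
        *) echo "php: disable_functions does not cover exec"; n=$((n + 1)) ;;
    esac
    return $n
}

# MySQL passes if networking is off entirely or it binds only to loopback.
audit_my_cnf() {
    grep -q '^[[:space:]]*skip-networking' "$1" && return 0
    case "$(ini_get "$1" bind-address)" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) echo "mysql: bind-address should be 127.0.0.1 (or use skip-networking)"; return 1 ;;
    esac
}

# Constructed samples: a typical out-of-the-box config next to its hardened version.
TMP=$(mktemp -d)
printf 'display_errors = On\nlog_errors = Off\ndisable_functions =\n' > "$TMP/php-weak.ini"
printf 'display_errors = Off\nlog_errors = On\nerror_log = /var/log/php_errors.log\ndisable_functions = exec,shell_exec,system,passthru\n' > "$TMP/php-hard.ini"
printf '[mysqld]\nbind-address = 0.0.0.0\n' > "$TMP/my-weak.cnf"
printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$TMP/my-hard.cnf"

for f in php-weak.ini php-hard.ini; do echo "== $f"; audit_php_ini "$TMP/$f" || true; done
for f in my-weak.cnf my-hard.cnf; do echo "== $f"; audit_my_cnf "$TMP/$f" || true; done
```

Point the two functions at the real `/etc/php.ini` and `/etc/my.cnf` on the VPS to get the same report for the live files.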
0

I recommend reading the NSA Operating Systems Guides for Red Hat Enterprise Linux 5. What applies for RHEL also applies for CentOS.

bugaboo