You are not logged in.

#1 2014-06-13 06:52:36

gvenkat1994
Member
Registered: 2014-04-13
Posts: 34

LAMP hosting a web server security questions

I'm hosting a web server on my computer that is related to some college project work. This is the first time I'm hosting a website and I have quite a few questions about network security(please bear with me if my questions are really dumb, I don't know much about this stuff yet).
Firstly, I've setup everything LAMP related. I can access localhost and files in /srv/http. I only want to share these files on my local college network, not to the whole world. Is there a way to setup in this manner?
Also, can any person now access my root or home folders now that I'm hosting online? If they can, what security measures do I need to take?
I'd be grateful if you guys would answer these questions, or could point me towards links that answer these particular questions well.
Thank you.

Offline

#2 2014-06-13 07:14:31

Spider.007
Member
Registered: 2004-06-20
Posts: 1,175

Re: LAMP hosting a web server security questions

Have a look at https://httpd.apache.org/docs/2.4/howto/access.html It might also be a good idea to have a look at iptables to secure other ports as well.

Offline

#3 2014-06-13 12:02:02

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092
Website

Re: LAMP hosting a web server security questions

gvenkat1994 wrote:

Also, can any person now access my root or home folders now that I'm hosting online? If they can, what security measures do I need to take?

No, the only files that can be accessed are the files served by the web server, which means "/srv/http".

Offline

#4 2014-07-19 23:10:54

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 173

Re: LAMP hosting a web server security questions

I'm not an expert however I am maintaining couple of servers and I follow some rules that allow at least to detect dodgy actions (therefore there is for sure better way of doing things, I just don't know it yet).

First and most important be very careful what are you hosting on your server. Especially when it comes to any mysql/psql manipulation (sql injection attacks that may lead to your database being compromised and potential zero day vulnerabilities of your sql server exploited), uploading data by users (they may upload something dodgy and try to use flaws in your logic to execute it and then try to exploit zero day vulnerabilities of kernel to elevate their privileges level), posting stuff by users (XSS attacks). I'm hosting OpenCart on one of servers and generally I follow news feeds about eventual security holes of that system, I patch it each time new version is published and when I have time I learn how it's coded so I know where potential risks may be.

If I was you I would run web server in chrooted environment and I would make sure no task done by id involves root access (I'm personally using nginx for last couple of months and it's fairly easy to achieve). PHP should also be chrooted (quite fundamental since probably PHP will primarily be used to break in). Any password should be no less than 50 characters long and of course if you store database passwords in php files ensure proper access levels so they are not world-readable.

Mentioning world-readable folders - ensure folders structure of your www is as much strict as possible (so generally no executable flag on files, restricted umask, generally make everything you can read-only unless required by your web site). If your web site allows uploads from people or needs to write something on HDD then definitely I would try to isolate such folder as much as possible and probably I would mount separate resource with restrictions (ro, noexec, whatever-possible etc).

Generally if you keep your web site under version control then definitely it would be a good idea to check for changes every a while - just in case. Also read your logs every now and then - investigate anything suspicious (do not ignore things).

I will not mention firewall would probably be a good idea (I might be wrong but I'm quite sure iptables is by default included in bare bones installation, you just need to configure rules and enable service).

Offline

Board footer

Powered by FluxBB