Hardening CentOS 7 - LAMP

Support for security such as Firewalls and securing linux
Post Reply
Posts: 1
Joined: 2015/04/21 20:44:01

Hardening CentOS 7 - LAMP

Post by bubbawny » 2015/04/21 21:00:06

Howdy folks:

I'm new to Linux and to CentOS 7. I've been learning and playing with various DIstros for about two months, though I've been dabbling with Linux on and off for a few years. I'm really more of an application developer, with some knowledge of System / Network Admin.

I have been building a CentOS 7 VM (Virtual Box) as a prototype LAMP server to host a basic LAMP application. The idea is to move a basic LAMP app we have with Go Daddy (shared servers, just awful!) to either a Cloud VPS like Digital Ocean or a managed VPS like A Small Orange Cloud VPS or to bring it in house.

As you know, each of those choices has pros and cons. But I'm leaning towards bringing it in house. Mainly because I cannot find any reputable information that identifies a quality and reliable VPS managed VPS provider. A Small ORange looks good, but they sure have had a lot of outages and SiteGround doesn't look too bad but it seems pretty costly. I could go with Digital Ocean, but then I'm responsible for full management, which is ok, or I could bring my site in house where I can control everything in my companies infrastructure.

So if we forget about all the CONS of doing that for a moment (like not having full redundant data centers, etc.), I'd like to ask a question about hardening a CentOS server. Assuming some of the basics, like firewalling, closing unnecessary ports but 80/443/25, what else would one do to harden a CentOS server from security threats? Are there any guides out there that can help? Are there any pre-hardened CentOS VMs designed for use as Public LAMP servers?

The site we need to run is really a basic LAMP app. Nothing to it. But at this point, managing security threats has been a function of the hosting provider, but if I bring it in house it becomes our responsibility.

Just looking for guidance and would think there would be common settings and security policy guidelines that might help me get a jump on what it would take to harden a CentOS 7 LAMP server from maliciousness (hacking, Intrusions, DDOS).

Are there any recommendations about CentOS IPS/IPD packages that are recommended? What about Apache 2.4 holes or security issues? or MariaDB or other security holes?

I'm a noob to this yes. But wise enough to try to identify those who know more than I do and identify some guidelines and best practices on this topic.

I think hosting a site internally makes sense for us, presuming I can reasonably harden the server from threats. I know new threats and issues are identified all the time. But given today's CentOS 7 maturity and support community, I would think that there's got to be some reasonable guidance on securing a server, and I'd like your help in shining a light on what I need to know.

Much apprecaited, folks. Sincerely.

User avatar
Forum Moderator
Posts: 29431
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Hardening CentOS 7 - LAMP

Post by TrevorH » 2015/04/22 00:48:41

Redhat backport fixes from the upstream developers and integrate them into the packages that are provided for RHEL (subsequently rebuilt by CentOS). This means that for most security vulnerabilities, fixing them is just a yum update away.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: Hardening CentOS 7 - LAMP

Post by giulix63 » 2015/04/22 08:09:42

Just follow standard best practices: Only install from reputed repositories, update frequently and as soon as possible when a critical security update is available, do not disable SELinux. I'd advise against bringing in house: There's really no advantage to that, only disadvantages. Disallow root ssh access, disallow ssh password login (use RSA keys). If at all possible, do not run your own DNS or internet-facing mail server unless absolutely necessary. As far as the firewall is concerned, I never really liked RH/Fedora/CentOS default firewall tools, so I opted for shorewall (it's in epel), but that's me. Also, to block offending IP addresses, I use a custom solution. Have fun looking at your access logs, sit back and relax ;)

P.S. In the past, I've also tried other tricks/tools, like running SSH on a non-standard port, port-knocking and running a IDS, but have found that they're really overkill for a simple web site. If you really want to invest in something, invest in learning how to use mod_security effectively.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

Post Reply

Return to “CentOS 7 - Security Support”