Checklist For Securing Linux Web Server In 10 Steps Or Less

•

3 likes•3,822 views

This is a basic workbook for you to follow as a checklist. Learn the basic approaches to securing linux based web servers without getting too technical. This talk will be useful for anyone running a linux server with full root access. You don't need to be an experienced system administrator to understand and use the content of this talk. But if you are a full time system admin you will get to know a structured way of looking at server security. The following types of servers running Linux Virtual Private Server/Dedicated Server/Rackspace Cloud Instance/Amazon EC2 Not going to help if you have your website on Shared servers like Dreamhost/Go Daddy/Host Gator

Technology

Feedback and comments @makash | akashmahajan@gmail.com

Securing Linux Web Server in 10 Steps or Less
This document is in addition to the slides of Securing Linux Web Server in 10 Steps or Less. Consider this as
a starting block for Linux server hardening activities.

Assumptions
 You have root access to the Linux server
 You are running either Ubuntu 10.04 LTS or above or a Debian variant. If you are using another distribution
like CentOS etc. please understand the reasoning and substitute your commands.

Checklist
 Reduce the attack surface
 Start with a mini distro and add software on top of it.
 # tasksel install openssh-server
 # tasksel install lamp-server
 See which processes are listening on the external IP address
 # netstat –nltup -4
 Stop or remove services from running or booting up
 # /etc/init.d/<service name> stop
 # update-rc.d <service name> remove
 Stop services from listening on external IP address
 bind-address=127.0.0.1
 Patch and Update your server
 # apt-get update && apt-get upgrade
 Secure your access with SSH
 Remove Root Login
 Ideally use public keys with passphrases
 Add another directive in /etc/sshd_config
 AllowUsers <user@host>
 Secure Apache Web server
 In /etc/apache2/conf.d/security
 Uncomment line number 27 ServerTokens Prod
 Uncomment line number 39 ServerSignature Off
 Keep file owner as the user which uploads and group as www-data
 Secure MySQL if database server and web server are on the same host
 In /etc/mysql/my.cnf
 bind-address=127.0.0.1
 Execute following command
 # mysql_secure_installation
 Create a new user for each new database and only give access to the following
 SELECT, INSERT, UPDATE, DELETE, ALTER, CREATE
 Specify the host where the user can login from. Ideally this should be localhost and never ‘%’
 Enable Uncomplicated Firewall
 ufw allow
 ufw allow <Ports you want>
 ufw default deny
 ufw allow from <external IP> to <current host IP> port 3306

Workbook for http://slidesha.re/JMDS7F Page 1 of 1 ©Akash Mahajan 2012

More from Akash Mahajan

On Writing Well - A talk given at WinjaBlogs Session

Akash Mahajan

App sec in the time of docker containers

Akash Mahajan

Venom vulnerability Overview and a basic demo

Akash Mahajan

Security in the cloud Workshop HSTC 2014

Akash Mahajan

INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there

Akash Mahajan

The real incident of stealing a droid app+data

Akash Mahajan

Believe It Or Not SSL Attacks

Akash Mahajan

I haz your mouse clicks and key strokes

Akash Mahajan

Hackers versus Developers and Secure Web Programming

Akash Mahajan

Web site users are facing new and improved threats nowadays. These range from clickjacking, json injection to likejacking among others. Companies like Google, Mozilla, Microsoft etc. have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of the new attacks aren't well understood by the application developers and hence they aren’t using the new secure headers supported by the new browsers. This is either due to ignorance or in order to keep supporting older insecure browsers versions of Internet Explorer. This talk we will walkthrough what these attacks are, how this various security headers protect the web application users and what is the status of compatibility currently.

Secure HTTP Headers c0c0n 2011 Akash Mahajan

Akash Mahajan

Php security

Akash Mahajan

Secure passwords-theory-and-practice

Akash Mahajan

Top 10 web application security risks akash mahajan

Akash Mahajan

Web application security

Akash Mahajan

Web application security

Akash Mahajan

Web application security

Akash Mahajan

Secure Programming In Php

Akash Mahajan

Startups Security

Akash Mahajan

More from Akash Mahajan (18)

On Writing Well - A talk given at WinjaBlogs Session

App sec in the time of docker containers

Venom vulnerability Overview and a basic demo

Security in the cloud Workshop HSTC 2014

INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there

The real incident of stealing a droid app+data

Believe It Or Not SSL Attacks

I haz your mouse clicks and key strokes

Hackers versus Developers and Secure Web Programming

Secure HTTP Headers c0c0n 2011 Akash Mahajan

Php security

Secure passwords-theory-and-practice

Top 10 web application security risks akash mahajan

Web application security

Secure Programming In Php

Startups Security

Recently uploaded

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Samir Dash

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

JohnPollard-hybrid-app-RailsConf2024.pptx

JohnPollard37

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Recently uploaded (20)

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Vector Search -An Introduction in Oracle Database 23ai.pptx

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

presentation ICT roal in 21st century education

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

JohnPollard-hybrid-app-RailsConf2024.pptx

Platformless Horizons for Digital Adaptability

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Checklist For Securing Linux Web Server In 10 Steps Or Less

1. Feedback and comments @makash | akashmahajan@gmail.com Securing Linux Web Server in 10 Steps or Less This document is in addition to the slides of Securing Linux Web Server in 10 Steps or Less. Consider this as a starting block for Linux server hardening activities. Assumptions  You have root access to the Linux server  You are running either Ubuntu 10.04 LTS or above or a Debian variant. If you are using another distribution like CentOS etc. please understand the reasoning and substitute your commands. Checklist  Reduce the attack surface  Start with a mini distro and add software on top of it.  # tasksel install openssh-server  # tasksel install lamp-server  See which processes are listening on the external IP address  # netstat –nltup -4  Stop or remove services from running or booting up  # /etc/init.d/<service name> stop  # update-rc.d <service name> remove  Stop services from listening on external IP address  bind-address=127.0.0.1  Patch and Update your server  # apt-get update && apt-get upgrade  Secure your access with SSH  Remove Root Login  Ideally use public keys with passphrases  Add another directive in /etc/sshd_config  AllowUsers <user@host>  Secure Apache Web server  In /etc/apache2/conf.d/security  Uncomment line number 27 ServerTokens Prod  Uncomment line number 39 ServerSignature Off  Keep file owner as the user which uploads and group as www-data  Secure MySQL if database server and web server are on the same host  In /etc/mysql/my.cnf  bind-address=127.0.0.1  Execute following command  # mysql_secure_installation  Create a new user for each new database and only give access to the following  SELECT, INSERT, UPDATE, DELETE, ALTER, CREATE  Specify the host where the user can login from. Ideally this should be localhost and never ‘%’  Enable Uncomplicated Firewall  ufw allow  ufw allow <Ports you want>  ufw default deny  ufw allow from <external IP> to <current host IP> port 3306 Workbook for http://slidesha.re/JMDS7F Page 1 of 1 ©Akash Mahajan 2012

Checklist For Securing Linux Web Server In 10 Steps Or Less

Recommended

Recommended

More Related Content

More from Akash Mahajan

More from Akash Mahajan (18)

Recently uploaded

Recently uploaded (20)

Checklist For Securing Linux Web Server In 10 Steps Or Less