Question - System hardening - potential issues?

Hi guys,

One of our client would like to do some hardening of the LAMP server where Eramba is installed and was wondering if it would bring any issues. Here’s what he wants to implement:

o Disable webdav module
change apache configuration file to comment the following lines
##LoadModule dav_module modules/
##LoadModule dav_fs_module modules/
o Disable status and info module
change apache configuration file to comment the following lines
##LoadModule status_module modules/
##LoadModule info_module modules/
o Disable autoindex module
change apache configuration file to comment the following lines
##LoadModule autoindex_module modules/
o Disable proxy module
##LoadModule proxy_module modules/
##LoadModule proxy_balancer_module modules/
##LoadModule proxy_ftp_module modules/
##LoadModule proxy_http_module modules/
##LoadModule proxy_connect_module modules/
##LoadModule proxy_connect_module modules/
o Disable user directories module
##LoadModule userdir_module modules/
o Run apache in a non root user
change apache configuration file
o Apache service account must be deactivated and no shell
/usr/sbin/usermod -L
chsh -s /sbin/nologin
o Ensure that only apache service account can access to the documentRoot by changing posix permissions
Chown -R <user_apache>:<group_apache>
chmod -R 700
o Deny the / access by default
. . .
Order deny,allow
Deny from all
AllowOverride None
Options None
. . .
o Allow explicitly the directory which can be access and define the right privilieges – to adjust depending the needs of application
<Directory “/path/webroot”>
Order allow,deny
allow from all

o <Directory "/path/to/upload
php_admin_flag engine

o include_path = « /path/to/only/phpfile«
o open_basedir = “/path/execute/phpfile”
o upload_tmp_dir =”/data/tmp/upload”  depend de comment est codé l’application, il faudra voir le php.ini fournit avec l’application
o register_globals = 0
o allow_url_fopen = 0
o allow_url_include = 0
o session.use_cookies = 1
o session.use_only_cookies = 1
o session.use_trans_sid = 0
o session.use_strict_mode = 0
o session.cookie_httponly = 1
o session.cookie_secure = 1
o session.hash_function = sha512
o disable_function=dl,escapeshellarg,escapeshellcmd,exec,extract,get_cfg_var,get_current_user,getcwd,getenv,getlastmo,getmygid,getmyinode,getmypid,getmyuid,ini_restore,ini_set,passthru,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerrorp,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,php_uname,phpinfo,popen,posix_getlogin,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_ttyname,posix_uname,posixc,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,ps_aux,putenv,readlink,runkit_function_rename,shell_exec,show_source,symlink,syslog,system,curl_exec,curl_multi_exec,parse_ini_file, apache_child_terminate,apache_get_modules,apache_setenv,define_syslog_variables

o Create and use a non-admin account
o Disable Old password hashing “Edit the /etc/mysql/my.cnf and add the following command into [mysqld] section: old-passwords=0”
o Disable local_infile privilege “Edit the /etc/mysql/my.cnf and add the following command into [mysqld] section local-infile=0 secure-file-priv=/dev/null”
o Enable secure_auth “Edit the /etc/mysql/my.cnf and add the following command into [mysqld] section : secure-auth=1”
o Disable symbolic link “Edit the /etc/mysql/my.cnf and add the following command into [mysqld] section : symbolic-links = 0”

Does anyone sees any potential issues?

1 Like

Hi there,

I think it would be good to give it a go, in fact i would be interested in knowing how it goes :slight_smile: they can try, i would suggest one change at time and not all together.

if they know this much about linux then perhaps is best they dont use our VM in the first place…the VM is intended for those with absolute no knowledge of linux!

ps. is not LAMP based.

Ok, I’ll tell our client to give it a try and give you guys a feedback

I’m curious to know what the outcome of applying these changes was. Any chance of an update?