Question - System hardening - potential issues?

Hi guys,

One of our clients would like to do some hardening of the LAMP server where Eramba is installed and was wondering if it would bring any issues. Here’s what he wants to implement:

Apache
o Disable webdav module
change the Apache configuration file to comment out the following lines
##LoadModule dav_module modules/mod_dav.so
##LoadModule dav_fs_module modules/mod_dav_fs.so
o Disable status and info module
change the Apache configuration file to comment out the following lines
##LoadModule status_module modules/mod_status.so
##LoadModule info_module modules/mod_info.so
o Disable autoindex module
change the Apache configuration file to comment out the following lines
##LoadModule autoindex_module modules/mod_autoindex.so
o Disable proxy module
##LoadModule proxy_module modules/mod_proxy.so
##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
##LoadModule proxy_http_module modules/mod_proxy_http.so
##LoadModule proxy_connect_module modules/mod_proxy_connect.so
##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
o Disable user directories module
##LoadModule userdir_module modules/mod_userdir.so
o Run Apache as a non-root user
change the Apache configuration file
User <user_apache>
Group <group_apache>
o Apache service account must be deactivated and have no shell
/usr/sbin/usermod -L <user_apache>
chsh -s /sbin/nologin <user_apache>
o Ensure that only the Apache service account can access the DocumentRoot by changing POSIX permissions
chown -R <user_apache>:<group_apache> /path/webroot
chmod -R 700 /path/webroot
o Deny access to / by default
<Directory />
Order deny,allow
Deny from all
AllowOverride None
Options None
</Directory>
o Explicitly allow the directories which can be accessed and define the right privileges – to adjust depending on the needs of the application
<Directory "/path/webroot">
Order allow,deny
Allow from all
</Directory>

o <Directory "/path/to/upload">
...
php_admin_flag engine off
</Directory>

PHP
o include_path = "/path/to/only/phpfile"
o open_basedir = "/path/execute/phpfile"
o upload_tmp_dir = "/data/tmp/upload"  (depends on how the application is coded; check the php.ini shipped with the application)
o register_globals = 0
o allow_url_fopen = 0
o allow_url_include = 0
o session.use_cookies = 1
o session.use_only_cookies = 1
o session.use_trans_sid = 0
o session.use_strict_mode = 0
o session.cookie_httponly = 1
o session.cookie_secure = 1
o session.hash_function = sha512
o disable_functions=dl,escapeshellarg,escapeshellcmd,exec,extract,get_cfg_var,get_current_user,getcwd,getenv,getlastmod,getmygid,getmyinode,getmypid,getmyuid,ini_restore,ini_set,passthru,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,php_uname,phpinfo,popen,posix_getlogin,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_ttyname,posix_uname,posixc,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,ps_aux,putenv,readlink,runkit_function_rename,shell_exec,show_source,symlink,syslog,system,curl_exec,curl_multi_exec,parse_ini_file,apache_child_terminate,apache_get_modules,apache_setenv,define_syslog_variables

Mysql
o Create and use a non-admin account
o Disable old password hashing: "Edit /etc/mysql/my.cnf and add the following into the [mysqld] section: old-passwords=0"
o Disable local_infile privilege: "Edit /etc/mysql/my.cnf and add the following into the [mysqld] section: local-infile=0 secure-file-priv=/dev/null"
o Enable secure_auth: "Edit /etc/mysql/my.cnf and add the following into the [mysqld] section: secure-auth=1"
o Disable symbolic links: "Edit /etc/mysql/my.cnf and add the following into the [mysqld] section: symbolic-links=0"

Does anyone see any potential issues?
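Since the reply below suggests applying one change at a time, a quick way to confirm each PHP change actually took effect is to audit the live php.ini against the list above. This is an added example, not code from the thread or from Eramba: the expected values are copied from the post as written (path-dependent ones such as open_basedir are left out), and the sample php.ini is constructed.

```shell
# Added example: audit a php.ini against the PHP settings proposed in the post.
# Expected values are the post's own; the sample php.ini below is constructed
# and deviates from the post in two places so the audit has something to report.
EXPECTED='register_globals=0
allow_url_fopen=0
allow_url_include=0
session.use_cookies=1
session.use_only_cookies=1
session.use_trans_sid=0
session.use_strict_mode=0
session.cookie_httponly=1
session.cookie_secure=1
session.hash_function=sha512'

# PHP reads On/Off/True/False/Yes/No as booleans; fold them to 1/0 so that
# "allow_url_fopen = On" is compared correctly against the post's "0".
normalize() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|true|yes) echo 1 ;;
        off|false|no|none) echo 0 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Effective value of NAME in FILE: the last uncommented assignment wins;
# inline comments, double quotes and surrounding whitespace are stripped.
ini_value() {  # ini_value FILE NAME
    name_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$name_re[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*;.*$//; s/^"\(.*\)"$/\1/; s/[[:space:]]*$//' | tail -n 1
}

# Print one line per deviation ("name: expected X, got Y"); succeed only if none.
audit_php_ini() {  # audit_php_ini FILE
    out=$(printf '%s\n' "$EXPECTED" | while IFS='=' read -r name want; do
        got=$(ini_value "$1" "$name")
        if [ -z "$got" ]; then echo "$name: expected $want, not set"
        elif [ "$(normalize "$got")" != "$(normalize "$want")" ]; then
            echo "$name: expected $want, got $got"
        fi
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed sample: the post's values with register_globals spelled "Off" and
# cookie_secure quoted (both fine), allow_url_include missing and allow_url_fopen
# left On (the two deviations the audit should report).
SAMPLE=$(mktemp)
{ printf '%s\n' "$EXPECTED" | sed '/^allow_url_/d; s/^register_globals=0/register_globals = Off/; s/^session.cookie_secure=1/session.cookie_secure = "1"/'
  echo 'allow_url_fopen = On  ; left enabled by mistake'; } > "$SAMPLE"
audit_php_ini "$SAMPLE" || echo "php.ini deviates from the proposed hardening"
```

Point `audit_php_ini` at the php.ini PHP actually loads (`php --ini` shows the path) rather than a copy in a package directory.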


Hi there,

I think it would be good to give it a go, in fact I would be interested in knowing how it goes :slight_smile: they can try, I would suggest one change at a time and not all together.

If they know this much about Linux then perhaps it is best they don’t use our VM in the first place… the VM is intended for those with absolutely no knowledge of Linux!

PS: it is not LAMP based.

Ok, I’ll tell our client to give it a try and give you guys feedback.

I’m curious to know what the outcome of applying these changes was. Any chance of an update?