andrewholway Posted January 15, 2007

Hi,

Having lost my girlfriend I have recently got LAMP up and running in my bedroom (wehay). I have been playing for the past couple of weeks and have been really enjoying myself making my little PHP programs. A dark cloud is looming, conjured by a friend in the pub: "What is your security like?" I stared at him aghast. "Linux is bombproof," I intoned. "Yes," he replied, "but I bet your code bloody well isn't!"

How do I test for this? I want to start bringing some actual sites online with forums and suchlike soon, but the fear has gripped me!

Cheers,
Andy
the_oliver Posted January 23, 2007

If your server is set up well then your security will not be a problem! Linux is fairly 'bomb proof' as you put it, but only if you have it set up so! A good place to start would be the firewall. Try Google for iptables. Also try restricting down your ssh logins in the sshd config. Complex root passwords also help.

As to security of PHP scripts, this really depends how you write them. If you have them running under root, and storing important passwords in them, then this can be a problem! If your scripts are running under Apache (most likely) then they can only do what Apache can do. If you really wish to restrict this you need to play around with the directory tags in the httpd.conf file. Don't forget that no one can read your PHP scripts unless they can log into your server. The chance of a security problem from a PHP script is low. (If you're talking about the security of members' areas and things, this is a different issue, and you should ask in the PHP area.) Chances are the dark cloud is not necessary!
andrewholway Posted January 24, 2007

Well, I trust it's well set up. A week or so of running Apache has taught me a few lessons. It seems the only real security black hole is SMTP. Edging very carefully round that one. Let's hope phpBB doesn't hold any nasty surprises.

Thanks for your help.
Andy
Nameless12 Posted January 24, 2007

Learn basic hacks and you will learn how to defend yourself.
andrewholway Posted January 24, 2007

How might I learn basic hacks? Are you aware of any good sites or maybe people that might want to show me a few tricks?

Cheers,
Andy
the_oliver Posted January 24, 2007

SMTP is easily solved by requiring authentication. Also important to stop you from getting blacklisted. If you're really worried about it, this too can be done over an SSL connection.
andrewholway Posted January 24, 2007

Mail I'm not worried about. I receive mail for my domain through Gmail and send it via my ISP's SMTP. Port 25 is closed on my firewall so no probs there.

More concerned about how I have my Apache set up.

Cheers
Andy
steviewdr Posted January 24, 2007

You need to disable all Apache modules you don't use. If you don't need PHP, don't use it.

If you do use PHP etc., you can limit its use to a specific virtual host.

There are various hardening tricks for Apache. Apache can be run in a chroot jail. There is a hardened version of PHP also. There is suPHP also. A Google search for "hardening apache" should get some good tips.

-steve
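Added example, not part of any post in this thread: one way to express the steps steviewdr lists (unused modules off, PHP limited to a single virtual host) in httpd.conf. It assumes Apache 2.4 access-control syntax with mod_php loaded; the hostnames, paths and the choice of modules to disable are placeholders.

```apache
# Added example: assumes Apache 2.4 with mod_php; names and paths are placeholders.

# Unused modules stay commented out (which ones are unused depends on the site).
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule status_module modules/mod_status.so

# Reveal as little as possible in headers and error pages.
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Default deny for the whole filesystem; no .htaccess overrides.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# PHP is off everywhere unless a virtual host turns it on.
php_admin_flag engine off

<VirtualHost *:80>
    ServerName forum.example.org
    DocumentRoot /var/www/forum
    <Directory /var/www/forum>
        Options -Indexes -ExecCGI
        AllowOverride None
        Require all granted
        # Enable PHP for this site only and confine file access to its tree.
        php_admin_flag engine on
        php_admin_value open_basedir /var/www/forum/:/tmp/
    </Directory>
    # User-uploaded files are served but never executed as PHP.
    <Directory /var/www/forum/uploads>
        php_admin_flag engine off
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName static.example.org
    DocumentRoot /var/www/static
    # No PHP directives here, so the server-wide "engine off" applies.
    <Directory /var/www/static>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Where the engine is off, Apache serves a `.php` file as plain text rather than running it, so keep PHP source out of those trees. Check the syntax with `apachectl configtest` before restarting.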
andrewholway Posted January 25, 2007

Steve,

Thanks very muchly, often it's just knowing the right term to use in Google.

Andy