If you’re considering getting a LAMP server (LAMP stands for Linux, Apache, MySQL, PHP), whether it’s a Virtual Private Server (VPS) or a Dedicated Server, the first thing you need to do is to secure it.
This guide will provide a general outline on how to set up your server properly. I’ll take you through the most important points you need to be aware of, as well as introduce you to some excellent tools that you can use.
Step 1 - Firewall Setup
The first step to secure your server is using a firewall. A firewall acts as a barrier between your server and the outside world by checking that any incoming traffic is safe and blocking any malicious traffic. There are plenty of firewall solutions you can choose from, but we’ll look at two of the most popular:
UFW
UFW is an uncomplicated firewall and a good solution since it requires minimum configuration. It provides a user-friendly way to create customized firewall rules and it works with both IPV4 and IPV6 networks. By default, if UFW is disabled, make sure you enable it if you want to configure UFW. UFW firewall has GUI interface too, under the name of Gufw.
Iptables
Iptables is a popular firewall that comes with the Linux kernel and is enabled by default in Linux. Like UFW, it can work with both IPV4 and IPV6. For managing IPV6, there is another version of iptables called ip6tables.
Unlike UFW, the iptables syntax is quite hard to master. However, the upside is that it offers the ability to create security configurations at a more granular level and is therefore, a powerful tool for protecting your server.
Step 2 - Secure Remote Login Setup
As a server administrator, you’ll need to log into your server regularly across the internet. This remote connection needs to be secured and encrypted. One way to achieve that is by implementing secure SSH connection to your server.
There are two main methods of connecting via SSH:
Password-based Connection
As its name suggests this type of connection requires you to enter a password each time you want to login via SSH. Whilst this method requires less configuration, it is less secure since it is susceptible to brute force attacks.
Certificate-based Connection
This type of connection requires both the server and the client machine to exchange their public key, which is used to encrypt the connection as well as authenticate one another. This type of connection is more complex to configure than the password-based approach, but the upside is that it's a much more secure method of connecting to your server.
Step 3 - Install Malware Analysis
Monitoring your server periodically using a malware scanner aims to detect unauthorized access to your server by malicious software. Below are two of the most popular free rootkit scanners for malware analysis of your server:
Chkrootkit
This popular rootkit scanner looks for any suspicious rootkit processes on a Linux server. Though chkrootkit cannot detect every possible type of malware, it is definitely a good starting point. I should emphasize that you shouldn’t rely solely on chkrootkit for a comprehensive malware analysis of the server, but rather consider it as an entry level solution.
Rkhunter
Rkhunter, like chkrootkit, looks for rootkits in the system. It also has the ability to identify hidden files, wrong permissions, and suspicious strings as well. It can run on any Unix-based system. Rkhunter combined with chkrootkit is a good combination for basic malware detection.
Step 4 – Set Up Intrusion Detection
Think of intrusion detection like an alarm system that detects unauthorized access to your server. Two of the most popular intrusion detection systems are shown below:
Aide
Aide is a free file and directory integrity checker which works like a tripwire. First, it builds a database of the current state of the system. Then, it verifies the integrity of any file in the system by comparing it with the known database. If there are any significant changes to the integrity of the system, it will notify the server administrator.
Bro
Bro is a network based Intrusion Detection System (IDS) which monitors your network for any unusual activity. The way Bro works, is by initially creating policies based on the generated events on the network and its current state or policies. If it detects anything unusual; it will create an alert, change firewall rules, update event logs etc. It’s a very versatile tool, but the downside is that it has a steep learning curve which can prove difficult for beginners.
Step 5 – Set Up SFTP Instead Of FTP
As an administrator, you’re going to need to upload or download files from your server from time to time. The most popular File Transfer Protocol (FTP) is prone to security vulnerabilities, as the login authentication occurs in plain-text format which is susceptible to interception. A more secure option is to switch to Secure File Transfer Protocol, or SFTP, which can be easily installed and configured on the server.
Step 6 - Regular Updates and Server Patching
If your server is Linux- or Unix-based, make sure you update and upgrade your kernel as the distributor updates the kernel periodically. Updating the kernel will make sure your system is stable and has the latest security patches in place as well as any new kernel function on offer. Leaving an unpatched server is like leaving an open invitation to a hacker.
Step 7 - Set Permissions Properly
File permissions on the server are very important. Any misconfiguration in permission settings will allow an attacker to take control of your server very easily. When configuring permissions, you should ensure that you only give your system users the permission that they need.
You should implement default umask policies for any new files created in Linux server to restrict file permissions. Also, the use of Set Group Identification (SGID) and Set User Identification (SUID) in file and directories will limit certain permissions of users and groups in sensitive directories and files. It will do this without restricting their ability to use the features of the server that they are permitted to use (i.e. forgotten password features).
Server Security is a Vital Consideration
The points I have raised here are a general guideline to get you started to ensure you have the minimum level of security in place on your server. Of course, security is a broad subject and it is something that you need to be constantly aware of and remain vigilant.
