# LAMP hardening techniques



## balancedmind (Jan 18, 2011)

Morning ladies and gentlemen (though I'm not sure how lucky I'm going to get with the former around these parts).

Recently a friend and I have been experimenting with Ubuntu Server and setting up a LAMP web server. We're rolling with 10.10, and the latest Apache, MySQL, and PHP packages. We installed phpBB3 on top of that and are looking to install the Wordpress framework soon.

Now, the only thing left to do is some proper hardening measures. I spent most of my Friday afternoon writing an iptables script from scratch (yes, I am a geek, that's what I spent my Friday evening on). You'll find it in the immediate reply to this post, as I'm having trouble with the forum's attachment feature.

We've also changed the ownership of the /var/www folder and all subdirectories to be owned by a very limited user account and changed all files to the lowest permissions (as advised by this phpBB3 kb article: http://www.phpbb.com/kb/article/phpbb3-chmod-permissions/).


What I'd like from you all is other tips for hardening a LAMP stack that perhaps we haven't thought of yet. I'm not afraid of terminal work and scripts, but I still don't know a whole lot about the deep down internals of Linux as opposed to Windows, so I may need clarifications at times.

Many thanks in advance!


----------



## balancedmind (Jan 18, 2011)

```bash
#!/bin/bash
# iptables script written Jan 16 2011 by Matt
# Designed to be whitelist approach, dropping all traffic
# unless it matches a specific rule stated below.
#
# Initial design is to allow TCP and UDP traffic for:
#
#  INBOUND:
#   - HTTP on port 80
#   - HTTPS on port 443
#   - SSH on port 22
#   - VPN on 1723
#   - GRE (type 47)
#
#  OUTBOUND:
#   - DNS queries to 65.24.7.10 and 65.24.7.11 on port 53
#   - HTTP reply on port 80
#   - HTTPS on port 443
#   - FTP on ports 20 and 21
#   - SMTP on port 25
#   - IMAP on port 143


#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Define networks
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

EXTERNAL_INT="eth0"            # External Internet interface
EXTERNAL_IP="insert_ip_here"   # Internet Interface IP address

#---------------------------------------------------------------
# Flush current ruleset
#---------------------------------------------------------------

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

#---------------------------------------------------------------
# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
#---------------------------------------------------------------

iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP

#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#---------------------------------------------------------------
# Initialize our user-defined chains
#---------------------------------------------------------------

iptables -N valid-src
iptables -N valid-dst

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Source and Destination Address Sanity Checks
#
# Drop packets from networks covered in RFC 1918 (private nets)
# Drop packets from external interface IP
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#

iptables -A valid-src -s 10.0.0.0/8      -j DROP
iptables -A valid-src -s 172.16.0.0/12   -j DROP
iptables -A valid-src -s 192.168.0.0/16  -j DROP
iptables -A valid-src -s 224.0.0.0/4     -j DROP
iptables -A valid-src -s 240.0.0.0/5     -j DROP
iptables -A valid-src -s 127.0.0.0/8     -j DROP
iptables -A valid-src -s 0.0.0.0/8       -j DROP
iptables -A valid-src -d 255.255.255.255 -j DROP
iptables -A valid-src -s 169.254.0.0/16  -j DROP
iptables -A valid-src -s $EXTERNAL_IP    -j DROP
iptables -A valid-dst -d 224.0.0.0/4     -j DROP

#---------------------------------------------------------------
# Allow traffic already established to continue
#---------------------------------------------------------------

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED \
  -j ACCEPT

#---------------------------------------------------------------
# INBOUND:
#   - HTTP on port 80
#   - HTTPS on port 443
#   - SSH on port 22
#   - VPN on 1723
#   - GRE (type 47)
#   - ICMP echo-reply
#---------------------------------------------------------------

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 --dport 1024:65535 \
  -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 \
  -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p udp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

#---------------------------------------------------------------
#  OUTBOUND:
#   - DNS queries to 65.24.7.10 and 65.24.7.11 on port 53
#   - GRE
#   - VPN on port 1723
#   - HTTP reply on port 80
#   - HTTPS on port 443
#   - FTP on ports 20 and 21
#   - SMTP on port 25
#   - ICMP echo-request
#---------------------------------------------------------------


iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 \
  -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1723 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A OUTPUT -p udp --dport 20:21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp --dport 25 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT


#---------------------------------------------------------------
# Allow all bidirectional traffic from firewall to the
# local network
#---------------------------------------------------------------

iptables -A INPUT   -j ACCEPT -p all -s 192.168.1.0/24
iptables -A OUTPUT  -j ACCEPT -p all -d 192.168.1.0/24

#---------------------------------------------------------------
# End Of File
#---------------------------------------------------------------
```
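
The script above creates the valid-src and valid-dst chains but never jumps to them, accepts inbound traffic keyed only on source port 53, and opens UDP for services that only speak TCP; this added Python lint (not from the thread or its author) parses an iptables script offline and flags those three patterns so they can be caught before the rules are loaded. SAMPLE is a constructed excerpt modelled on the posted script and TCP_ONLY_PORTS is a hypothetical policy list.

```python
"""Static lint for an iptables whitelist script (added example, not the thread's code).
Reads rule text only (no root, nothing is applied) and flags: -N chains never jumped to
(their DROP rules never run); stateless INPUT accepts keyed on a source port (redundant
once ESTABLISHED,RELATED is accepted, and any host can pick that source port); and UDP
accepts on ports whose service only speaks TCP (FTP, SSH, SMTP, HTTP, HTTPS, PPTP)."""
import re
import shlex

TCP_ONLY_PORTS = {"20:21", "22", "25", "80", "443", "1723"}  # hypothetical policy list

# Constructed excerpt modelled on the script posted above, not copied from it.
SAMPLE = r"""
iptables -N valid-src
iptables -A valid-src -s 10.0.0.0/8 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 \
  -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
"""

def parse_rules(script):
    # Join backslash continuations (tolerating a stray space after the backslash),
    # strip comments, and return each call's argv without the leading 'iptables'.
    joined = re.sub(r"\\[ \t]*\n", " ", script)
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("iptables "):
            rules.append(shlex.split(line)[1:])
    return rules

def opt(argv, *names):
    # Value following the first of `names` present in argv, or None.
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None

def lint(script):
    rules = parse_rules(script)
    created = {opt(r, "-N", "--new-chain") for r in rules if "-N" in r or "--new-chain" in r}
    jumped = {opt(r, "-j", "--jump") for r in rules}
    findings = [f"chain {c} is created but never referenced" for c in sorted(created - jumped)]
    for r in rules:
        chain = opt(r, "-A", "--append")
        if chain is None or opt(r, "-j", "--jump") != "ACCEPT":
            continue
        sport, dport = opt(r, "--sport"), opt(r, "--dport")
        if chain == "INPUT" and sport and "--state" not in r:
            findings.append(f"INPUT accept keyed on source port {sport} only (stateless)")
        if opt(r, "-p", "--protocol") == "udp" and dport in TCP_ONLY_PORTS:
            findings.append(f"{chain} udp accept on tcp-only port {dport}")
    return findings
```

Run `lint(open("firewall.sh").read())` against the real script to list every rule that needs a second look; an empty list means none of the three patterns was found.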


----------

