LAMP hardening techniques

We’re launching a new small business server product in the coming weeks, ideal for small businesses that need automated backups (and restores), shared internet, shared files, and one or two other goodies. The server is only available for rent starting at 200€/month (including maintenance). This product is, to some degree, the culmination of about 3 years of running our own, small, hosting environment which, as far as we can tell, has not (yet) been compromised. I doubt we could keep a determined hacker from getting in but we’ve so far been able to keep the script kiddies at bay. Here are some of the things we’ve learned along the way.

Use a firewall, even a software-based firewall such as the Endian Firewall. You’ll have to work some magic internally if you want to use host-based routing, but the added complication makes an attack harder, and unless you have a really juicy target, most attackers will go elsewhere (we presume).

Install and configure mod_security (it claims to protect against XSS and many other things automagically). We haven’t been able to verify its functionality, but just knowing there’s another layer there makes us feel better 😀

PHP

  • turn off fopen wrappers
  • turn off register globals
  • turn off expose_php
  • disable unused functions and classes
  • install only the extensions you’re sure you’ll need

Disable other server-side scripting engines and CGI (assuming you are running PHP as an Apache module).

Turn off other unused services:

  • email
  • telnet
  • ftp
  • ssh
  • etc.

Uninstall unneeded software (such as the whole Gnome interface and anything that requires runlevel 5 to function – this is a server after all). You might even consider building the server from a base install of Debian or Ubuntu Server (both of which fit in 64 MB of memory).

Log everything and increase the log history (a double-edged sword).

Don’t expose what web server you are running (or PHP or any other server-side technologies) in HTTP responses. In fact, if possible, alter the server signature (and fingerprint) to something unrecognizable or too generic to be of much help.
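As an added illustration (not code from the original post), the script below audits php.ini and httpd.conf text for the PHP settings listed above and for the server-signature advice in this paragraph. It assumes the directive names are the php.ini and Apache equivalents of the bullet points (allow_url_fopen, register_globals, expose_php, disable_functions, disable_classes; ServerTokens and ServerSignature), and the sample configurations are constructed for the demonstration.

```python
# Added example, not from the original post: directive names below are the
# php.ini / Apache equivalents of the bullets; sample configs are constructed.
# "turn off fopen wrappers / register globals / expose_php" -> these are Off
PHP_MUST_BE_OFF = ("allow_url_fopen", "register_globals", "expose_php")
# "disable unused functions and classes" -> these lists are non-empty
PHP_MUST_BE_NONEMPTY = ("disable_functions", "disable_classes")
OFF_VALUES = {"off", "0", "false", "no", "none", ""}
APACHE_WANT = {"servertokens": "prod", "serversignature": "off"}

def parse_ini(text):
    """Map directive -> value from php.ini text, ignoring comments and sections."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Return a list of findings; an empty list means every check passed."""
    s, findings = parse_ini(text), []
    for d in PHP_MUST_BE_OFF:
        if d not in s:  # absent: PHP's built-in default applies (often On)
            findings.append(f"{d} not set explicitly")
        elif s[d].lower() not in OFF_VALUES:
            findings.append(f"{d} is enabled ({s[d]})")
    for d in PHP_MUST_BE_NONEMPTY:
        if not s.get(d):
            findings.append(f"{d} is empty, nothing disabled")
    return findings

def audit_apache(text):
    """Flag ServerTokens/ServerSignature values that reveal the server version."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() in APACHE_WANT:
            seen[parts[0].lower()] = parts[1].lower()
    return [f"{d} should be {v}, found {seen.get(d, 'unset')}"
            for d, v in APACHE_WANT.items() if seen.get(d) != v]

# Constructed samples: a stock-looking configuration and a hardened one.
WEAK_PHP_INI = "[PHP]\nallow_url_fopen = On ; remote files in include()\nexpose_php = On\ndisable_functions =\n"
HARDENED_PHP_INI = ("[PHP]\nallow_url_fopen = Off\nregister_globals = Off\nexpose_php = Off\n"
                    "disable_functions = exec,passthru,shell_exec,system,proc_open,popen\n"
                    "disable_classes = UnusedExampleClass ; placeholder class name\n")
WEAK_APACHE = "ServerTokens Full\nServerSignature On\n"
HARDENED_APACHE = "ServerTokens Prod  # header shows just 'Apache'\nServerSignature Off\n"
```

Running `audit_php_ini` and `audit_apache` over the weak samples lists each deviation; the hardened samples return empty lists.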

I’m sure there are more tips I’m forgetting, but these should help you get started. I’d love to hear others’ experiences and tips if you care to share…
