21

What are the ways of keeping a shared LAMP server secure, assuming SSH access is available for every user?

Edit: I am mainly thinking of securing the server from the users themselves and between themselves.

claws
Olivier Lalonde

4 Answers

14

It’s probably impossible, but you can make it harder for an attacker to succeed.

Strengthen your defenses:

Security harden the system (maybe referencing one of the following checklists)

http://iase.disa.mil/stigs/checklist/ (look for UNIX Security Checklist)
https://benchmarks.cisecurity.org/en-us/?route=downloads.multiform

Add:

grsecurity
Security-Enhanced Linux
AppArmor

A decent comparison of the above tools is described here: http://www.lifelinux.com/selinux-vs-apparmor-vs-grsecurity-345.html

Keep up to date on security patches.

Get visibility:

Deploy a HIDS (e.g. OSSEC) to help you detect when users are behaving badly.

All of the above will require continual effort. That is security.

Tate Hansen
  • Good strategy, I went a couple of steps further. Create yourself a dedicated "alert" email account that you can receive OSSEC alerts from. OSSEC (by default) will send email alerts for AppArmor violations as well as OSSEC warnings (and lots of other syslog alerts). I have personally detected an intrusion on my shared hosting server this way. – stephanbuys Nov 12 '10 at 11:00
  • +1 for being realistic, +10 for being an optimist anyway :) – AviD Nov 18 '10 at 19:44
  • Does rooting a shared webhost provide the attacker access to all websites on that machine? – claws May 21 '12 at 12:27
  • Your link to ossec is broken, it returns 500 internal server error – Ferrybig Jul 02 '16 at 20:34
2

In addition to the other answers:

The permissions of programs (CGI, PHP, etc.) executed by the webserver are an issue:

If they run with the permissions of the webserver, a malicious user can access the files provided by other users. I am thinking of configuration files with database credentials here.

If those programs run with the permissions of the individual users, they may modify program files themselves. This might make it easier to exploit security issues in the applications; for example, a .php script might not properly validate file names when it saves files. And the users need write permissions in the web directory, so the PHP program has write permissions there, too.

SourceForge has released an Apache module and a FUSE file system that allow for finer-grained permissions:

Permissions bits are in a standard trio of "rwx" (read/write/execute) sets, but the normal "user" (owner), "group", and "other" categories are replaced by the trio of "project member", "project-initiated apache access", and "everyone".

Project Web Filesystem Permissions

Hendrik Brummermann
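A defender-side check for the exposure described in the answer above, added here as an example and not part of the original answer: it lists credential-bearing files that every local account can read and paths that every local account can write. The function names, the base-directory layout and the file-name patterns are assumptions chosen for illustration; adjust them to the applications actually hosted.

```shell
#!/bin/sh
# Added example: audit a shared web root for cross-user exposure.
# ASSUMPTIONS: each user's site lives somewhere under one base directory
# (e.g. /home); the name patterns below are illustrative, not exhaustive.

# Config files whose "other" read bit is set: any local user, and any script
# running as the web server account, can read the credentials inside.
exposed_configs() {
    find "$1" -xdev -type f -perm -004 \
        \( -name 'wp-config.php' -o -name 'config*.php' \
           -o -name '.env' -o -name '.htpasswd' -o -name '*.ini' \) -print
}

# Files and directories writable by "other" (sticky directories excluded):
# another user or a compromised script can plant or modify code here.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -002 ! -perm -1000 -print
}

# Print a report; return 0 only when nothing was found.
audit_webroot() {
    configs=$(exposed_configs "$1")
    writable=$(world_writable "$1")
    if [ -n "$configs" ]; then
        printf 'Readable by all local users:\n%s\n' "$configs"
    fi
    if [ -n "$writable" ]; then
        printf 'Writable by all local users:\n%s\n' "$writable"
    fi
    [ -z "$configs$writable" ]
}

# Run the audit when a base directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

Run it from cron against the directory that holds the users' web roots and treat a non-zero exit status as an alert.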
2

The first thing to do, in my opinion, is to change the SSH port to something non-standard and install something like fail2ban.

Also it could be useful to tweak the firewall to block access from the outside to unused ports (maybe just allow 80, 423, 25 and ssh... it depends)

gbr
1

Basically there's nothing you can do to really make things secure, as things such as WordPress always end up with massive security problems, as well as PHP itself etc.

The only way (I think) to be quite sure is to run each site in a separate virtual machine. This (almost) totally isolates one site from another, but it of course has the overhead of having to administer every VM, has more memory usage, more CPU cycles etc.

Oh and each VM needs all of the software patching continually.

It's certainly worth considering though as it's far more secure than trying to keep on top of all those sites.

John Hunt