What are the ways of keeping a shared LAMP server secure, assuming SSH access is available for every user?
Edit: I am mainly thinking of securing the server from the users themselves and between themselves.
Tell me more
×
IT Security Stack Exchange is a question and answer site for
IT security professionals. It's 100% free, no registration required.
|
|
|||||
|
|
It’s probably impossible, but you can make it harder for an attacker to succeed. Strengthen your defenses: Security harden the system (maybe referencing one of the following checklists)
Add: A decent comparison of the above tools is described here: http://www.lifelinux.com/selinux-vs-apparmor-vs-grsecurity-345.html Keep up to date on security patches. Get visibility:
All of the above will require continual effort. That is security. |
|||||||
|
|
First thing to do in my opinion is to change ssh port to something non standard and install something like fail2ban. Also it could be useful to tweak the firewall to block access from the outside to unused ports (maybe just allow 80, 423, 25 and ssh... it depends) |
|||
|
In addition to the other answers: The permissions of programs (cgi, php, etc.) executed by the webserver is an issue: If they run with the permissions of the webserver, a malicious user can access the files provided by others users. I am thinking of configuration files with database credentials here. If those programs run with the permission of the individual users, they may modify program files themselves. This might make it easier to exploit security issues in the applications, for example a .php script might not properly validate file names when it saves files. And the users needs write permissions in the web directory, so the php program has write permissions there, too. SourceForge has released an apache module and a fuse file system that allows for finer grained permissions:
|
|||
|
|
