Hardening LAMP stack (part 1)

This article begins series of posts which are meant to create very SECURE but also easy to manage web server on Linux box. I start from default Debian 6.0 Stable installation and move on configuring various parts of the system.

We start from:

APACHE - PUTTING IT IN CHROOT JAIL

# compile apache2
  ./configure --prefix=/usr/local/apache --disable-userdir --disable-include
 make
 make install

# prepare new root environment for apache
  mkdir -p /srv/chroot/apache/

# create /usr/local directory in new environment
  mkdir -p /srv/chroot/apache/usr/local

# move built and installed apache to new environment
  mv /usr/local/apache /srv/chroot/apache/usr/local

# link it under old installation directory for easy updates
  ln -s /srv/chroot/apache/usr/local/apache /usr/local/apache

# stisfy all apache's library dependencies by copying it to new /lib directory
  mkdir -p /srv/chroot/apache/lib

 ldd /chroot/apache/usr/local/apache/bin/httpd

 (copy it to new /lib)

# copy strace (and it's dependencies) for debug purposes (remove it in production)
  mkdir -p /srv/chroot/apache/bin

 cp `which strace` /srv/chroot/apache/bin

 ldd `which strace`

 (copy it to new /lib)

# first launch (with strace), probably something will be missing
 chroot /srv/chroot/apache /bin/strace /usr/local/apache/bin/httpd

# name resolution
  mkdir -p /srv/chroot/apache/etc

 cp /etc/nsswitch.conf /srv/chroot/apache/etc/  #make sure that access to passwd is set to 'files'

 cp /lib/libnss_files.so.2 /srv/chroot/apache/lib

# dns name resolution
  cp /lib/libnss_dns.so.2 /srv/chroot/apache/lib

 cp /etc/hosts /srv/chroot/apache/etc

 cp /etc/resolv.conf /srv/chroot/apache/etc

# create special devices which apache uses
  mkdir /srv/chroot/apache/dev

 mknod -m 666 /srv/chroot/apache/dev/null c 1 3

 mknod -m 666 /chroot/apache/dev/zero c 1 5

 mknod -m 644 /chroot/apache/dev/random c 1 8

# create /tmp directory
  mkdir /srv/chroot/apache/tmp

 chmod +t /srv/chroot/apache/tmp

 chmod 777 /srv/chroot/apache/tmp

# create /etc/passwd & /etc/group files
  echo "www-data:x:33:33:Apache:/:/sbin/nologin" > /srv/chroot/apache/etc/passwd

 echo "www-data:x:33:" > /srv/chroot/apache/etc/group

# prepare /var directory in new environment (in jail) for test-site
  mkdir -p /srv/chroot/apache/var/www

 cd /srv/chroot/apache/var/www

 mkdir -p test-site/bin

 mkdir -p test-site/cgi-bin

 mkdir -p test-site/data

 mkdir -p test-site/htdocs

 mkdir -p test-site/logs

# link it for easier updates of future web applications

 ln -s /srv/chroot/apache/var/www /var/www

# second launch, now it should start, if not, use strace to find out why
 chroot /srv/chroot/apache /usr/local/apache/bin/httpd

APACHE - PRELIMINARY HARDENING 

# proper files & directories privilages
  chown -R root:root /usr/local/apache

 find /srv/chroot/apache/usr/local/apache -type d | xargs chmod 755

 find /srv/chroot/apache/usr/local/apache -type d | xargs chmod g-s

 find /srv/chroot/apache/usr/local/apache -type f | xargs chmod 644

 find /srv/chroot/apache/usr/local/apache/bin -type f | xargs chmod 744

# configuration and logs can be read only by root
  chmod -R go-r /srv/chroot/apache/usr/local/apache/conf

 chmod -R go-r /srv/chroot/apache/var/www/site-test/logs