TurnKey Linux Virtual Appliance Library

Is the Lamp Stack sufficiently hardened and secure to be in production?

As far as all that is running on it, like Apache, MySQL, PHP, etc.

Jeremy:

That is a very subjective question...

And the answer would probably depend on what you are planning to host on it. If it was a general information provision type workload (without much in the way of personal/private info) then I would personally feel quite happy using it as is. As the consequences of a potential breach rise, so would my efforts to 'lock it down'.

There are a number of things you could do which would harden it without much work. Firstly you could enable the IPTables firewall (although it is probably superfluous if you are running on AWS). Also any services that you don't use (e.g. Webmin, Webshell) could be stopped (and their corresponding ports blocked). Setting up SSH connectivity via keys (rather than passwords) is also more secure.

Apache, php and MySQL are all from the Debian repos and as such will receive automatic security patches/updates daily (as/when they are released) so these shouldn't be an issue. In fact as MySQL is bound to localhost and not available externally (except via phpMyAdmin) the risks of MySQL being compromised directly are low (although obviously attacks such as via SQL injection etc. can't be ruled out - but apply to Apache/php rather than MySQL itself directly).
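The points in the answer above (what is listening on the network, whether MySQL really is bound to localhost, whether unused services such as Webmin and Webshell are still up, whether sshd still accepts passwords) can be checked rather than assumed. The script below is an added example and is not part of this thread or of TurnKey's own tooling. It assumes `ss -ltn` output and an OpenSSH `sshd_config`; the sample input at the bottom is constructed, and the Webmin/Webshell ports used in the demonstration call (12321 and 12320) are assumed to be TurnKey's defaults and should be confirmed on your own appliance.

```shell
#!/bin/sh
# Hardening audit for a Debian-based LAMP appliance (added example, not TurnKey tooling).
# Every check reads the text it needs from a variable or stdin, so the same
# functions run on live command output and on the constructed samples below.

# Print "PORT ADDRESS" for each listening TCP socket in `ss -ltn` output
# (column 4 is the local address; the header line is skipped).
listeners() {
    awk '$1 != "State" && NF >= 4 {
        n = split($4, f, ":"); port = f[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print port, addr
    }'
}

# Listeners bound to something other than loopback: reachable from the network
# unless a firewall (the IPTables rules mentioned above) blocks them.
exposed_listeners() {
    listeners | awk '$2 != "127.0.0.1" && $2 != "[::1]"'
}

# Of the ports given as arguments (services you have decided not to run,
# e.g. Webmin/Webshell), print those that are still listening.
still_listening() {
    listeners | awk -v want=" $* " 'index(want, " " $1 " ") { print $1 }'
}

# Effective PasswordAuthentication value from an sshd_config on stdin.
# sshd honours the first matching directive; when none is set the default is "yes".
ssh_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }'
}

# Run all checks. Args: `ss -ltn` output, sshd_config contents, then the ports of
# unused services. One finding per line; empty output means nothing was flagged.
audit() {
    ss_out=$1; sshd_cfg=$2; shift 2
    printf '%s\n' "$ss_out" | exposed_listeners |
        awk '{ print "exposed listener: port " $1 " on " $2 }'
    printf '%s\n' "$ss_out" | still_listening "$@" |
        awk '{ print "unused service still listening: port " $1 }'
    [ "$(printf '%s\n' "$sshd_cfg" | ssh_password_auth)" = "no" ] ||
        echo "sshd accepts password logins (set PasswordAuthentication no once keys are installed)"
}

# --- constructed sample input; not captured from a real appliance ---
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       511     *:443                *:*
LISTEN  0       128     0.0.0.0:12321        0.0.0.0:*
LISTEN  0       128     [::]:12320           [::]:*'

SAMPLE_SSHD='# constructed sshd_config fragment
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes'

# Assumed TurnKey defaults for Webmin (12321) and Webshell (12320); confirm on your appliance.
audit "$SAMPLE_SS" "$SAMPLE_SSHD" 12320 12321
```

On a live appliance the same call is `audit "$(ss -ltn)" "$(cat /etc/ssh/sshd_config)" 12320 12321`. With the sample above it reports the five non-loopback listeners (22, 80, 443, 12321, 12320), the two unused service ports, and the password-login setting; MySQL on 127.0.0.1:3306 is correctly not flagged, which is the "bound to localhost" property the answer relies on.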
