mishav's picture

Is the Lamp Stack sufficiently hardened and secure to be in production?

 

As far as all the that is running on it like apache, mysql, php, etc.

Forum: 
Jeremy Davis's picture

And the answer would probably depend on what you are planning to host on it. If it was a general information provision type workload (without much in the way of personal/private info) then I would personally feel quite happy using it as is. As the consquences of a potential breach rise, so would my efforts to 'lock it down'.

There are a number of things you could do which would harden it without much work. Firstly you could enable the IPTables firewall (although it is probably superfluous if you are running on AWS). Also any services that you don't use (eg Webmin, Webshell) could be stopped (and their corresponding ports blocked). Also setting up SSH conectivity via keys (rather than passwords) is also more secure.

Apache, php and MySQL are all from the Debian repos and as such will receive automatic security patches/updates daily (as/when they are released) so these shouldn't be an issue. In fact as MySQL is bound to localhost and not available externally (except via phpMyAdmin) the risks of MySQL being compromised directly are low (although obviously attacks such as via SQL injection etc can't be ruled out - but apply to Apache/php rather than MySQL itself directly)

Jeremy Davis's picture

And the answer would probably depend on what you are planning to host on it. If it was a general information provision type workload (without much in the way of personal/private info) then I would personally feel quite happy using it as is. As the consquences of a potential breach rise, so would my efforts to 'lock it down'.

There are a number of things you could do which would harden it without much work. Firstly you could enable the IPTables firewall (although it is probably superfluous if you are running on AWS). Also any services that you don't use (eg Webmin, Webshell) could be stopped (and their corresponding ports blocked). Also setting up SSH conectivity via keys (rather than passwords) is also more secure.

Apache, php and MySQL are all from the Debian repos and as such will receive automatic security patches/updates daily (as/when they are released) so these shouldn't be an issue. In fact as MySQL is bound to localhost and not available externally (except via phpMyAdmin) the risks of MySQL being compromised directly are low (although obviously attacks such as via SQL injection etc can't be ruled out - but apply to Apache/php rather than MySQL itself directly)

Add new comment