8

To be more specific, I would like to get some help, either through a tutorial or through a book, on how to configure an apache server to run securely and minimize the risks for commercial use.

-Important to note, I am not asking how to install it or minimally configure it, as I have learned to do this. I would like to further this knowledge by getting help on where to look or how to configure it the way E-commerce websites would to keep it secure.

I do understand this may be vague, and so I will not be expecting an in-depth tutorial, but if I could get help or tips on where I should look. I have tried everywhere, but it all ends with just installing it, and minimally securing it for testing purposes.

Scott Pack
  • 15,217
  • 5
  • 62
  • 91
  • I think that this question fits more to [unix.se](http://unix.stackexchange.com/). –  Dec 18 '11 at 10:16
  • Is there a reason you wish to install and maintain a server over getting dedicated hosting? Many advantages come with paying for dedicated hosting. Typically you get redundancy service which equates to less down time, which is a big thing for e-commerce. Also, this approach allows you to let a group of experts handle security issues which really would take a lot more than a few tutorials to get the hang of. Server security really is a full time job... There are many many more benefits to going for paid hosting... – Kenneth Dec 18 '11 at 13:16
  • 3
    @Kenneth Setting up and maintaining your own server has one very important advice: You can physically kick it, once in a while... –  Dec 18 '11 at 21:43
  • @YannisRizos ... So very very true!!! :) – Kenneth Dec 19 '11 at 01:27

2 Answers2

9

This is really a pretty stinking huge question. Based on your chosen tags it looks like you're asking for guidance on a LAMP stack, so we'll focus on that. There are already a number of related questions posted, so for some additional insights check out these questions:
MySQL Server Hardening
Hardening Linux Server
What are the best practices for hardening a php.ini file?
Apache Server Hardening

The specific techniques you take could depend highly on your environment and how your server will be used. Warning, this can take a lot of work in a test environment to build out and get done right. Followed by a lot of work to integrate into your production environment, and more importantly, business process.

First, however, check to see if your organization has any hardening policies, as those might be the most directly relevant. If not, depending on your role, this might be a great time to build them out. I would also recommend tackling each component separately from the bottom up.

The L
There are lots of good guides available to help you out. This list may or may not help you depending on your distribution.

The A
Apache can be fun to secure. I find it easier to harden the OS and maintain usability than either Apache or PHP.

The M

The P
This runs headlong into the whole idea of Secure Programming Practices, which is an entire discipline of its own. SANS and OWASP have a ridiculous amount of information on the subject, so I won't try to replicate it here. I will focus on the runtime configuration and let your developers worry about the rest. Sometimes the 'P' in LAMP refers to Perl, but usually PHP. I am assuming the latter.

Scott Pack
  • 15,217
  • 5
  • 62
  • 91
1

I suggest you take a look at Suhosin for PHP and mod_sec. Both are very good.

  • -1 `Both are very good.` is not an answer. You should consider expanding the answer to tell us what your suggestions are about, why you recommended them - what's so great about them. Adding to that, Suhosin has had no activity since 2007 (essentially a dead project)... Also, why did you choose to format the links as code? –  Dec 18 '11 at 10:45