Making my web server secure

[JimmiJames]

I used SUSE 10.1, installed apache, mysql, php and ispconfig.

I was able to build a php page with content from a database so everything is working fine.

So now, before I put the site on the outside, what do I need to look for, install or test out to make my web server secure.

also, my web server will be behind a hardware firewall.

[kevan]

Hi,
You can enable the firewall to only allow certain ports to be open /sbin/SuSEfirewall2 start/stop and edit the /etc/sysconfig/SuSEfirewall2 script until you get it right.
As regards apache, you can restrict access by editing the httpd.conf file to allow only restricted ip addresses, logins etc, add https security for additional safety whilst using passwords etc. etc
SuSE is a great package.
Best
Kevan

[mbgj]

Slightly advanced security can be achived by

apache load and activate mod_secure

this is a software firewall that filters requests, whereas the normal hardware firewall just closes ports.

You may want to look at serverSignature and serverTokens - these in Apache influence what is shown to the outside world in terms of OS and version.


PHP switch off PHP's signature x-powered

In your php.ini (based on your distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing “expose_php On” and set it to Off:

Any user input field make sure it's restricted to max length and input is striped off any malicious characters and validated.
PHPbuilder has a nice class over here
http://builder.com.com/5100-6371_14-6078577.html

That'll give you a fairly "secure" environment.

Best of luck
Expat