Glad you took my comments as intended and didn’t think I was flaming you.

You are 100% correct in stating that “phpMyAdmin isn’t alone in having security vulnerabilities”. In Fact, phpMyAdmin has a good track record in resolving all security threats reported to/by US-CERT.

The reason for my comments regarding phpMyAdmin and others was because your article targeted novices. This is also why I strongly recommend disabling networking. A novice should learn the intricacies of GRANTS and MySQL administration in general before deploying and administrating a tool intended to make it easy for them shoot off a toe. Hopefully, anyone intending to administrate a DBMS is comfortable with some SQL, if not, this is the ideal time to learn some, and better to do so locally than through a web interface which will abstract away the SQL layer.

As regards Yum and other such tools… I wouldn’t trust any; RedHat or otherwise. Source builds are the only way to install “secure” software… but in fairness to your efforts, that may not be a “novice” topic.

The reason to remove networking on the DBMS is not so much a fear of a threat originating from the network layer, but more of a concern regarding a novice administrator who may make mistakes in configuration while learning (and inadvertently exposing himself to something hostile on the network layer).

Good luck with your site!

D

Thanks for your comments, feedback is always welcome! I agree with your observations for the most part, but remember that my guide is aimed at the newbie or intermediate Linux user and someone that wants to host their own LAMP server. Anyway, here are my views…

phpMyAdmin: phpMyAdmin isn’t alone in having security vulnerabilities. WordPress, Apache, MySQL all have them, the list goes on. My recommendation is to use Yum (more on that in a moment) and keep everything up to date. In 8 years my LAMP servers have never had a security vulnerability compromised as a result of using phpMyAdmin. But a lazy administrator may do if it’s not kept up to date, good passwords, etc… as with any other service.

Turning off unwanted daemons: My guide does already state that CentOS should be installed using the ‘custom’ setting, and removing everything from the list. Still, when you do this daemons such as CUPS are still present (you can’t remove this at install time). Surely it’s good to know how to list these running services and learn how to disable them.

Yum: I know exactly where my software and updates come from… the CentOS Project repositories and it’s very closely aligned to the RHEL repositories. In fact you can’t always get the latest versions of software unless they’re approved by CentOS and fully tested (PHP is a good example). I wouldn’t recommend that people use repositories like utterramblings unless they know what they are doing and it’s not for an enterprise production LAMP server. For example, Read this, I won’t start quoting from their FAQ but I trust it no less than the RHEL repositories.

MySQL: I’ve not done this so I will test when I get time. I don’t think having networking enabled for MySQL is a high security risk though given IPTABLES is running and my guide states the use of TCP Wrappers. http://dev.mysql.com/doc/refman/5.0/en/security-against-attack.html

VSFTP: I’m not trying to secure the transport layer otherwise SSH is also a great option and one I use myself. I’m aiming this guide at novice to moderate users of Linux that want a web server up and running (LAMP).

Apache: Great tips here especially not using * in the virtualhost section.

It’s good to get others views on this as it’s a popular topic on my website, despite being over 5 years old now!

Ray

phpMyAdmin : I’d avoid this like the plague; it has had a million-and-one security flaws over the years and even if you got it cleaned up completely, it’s a vector of choice into your system. Meaning attackers will be constantly looking to use it as a way into you system. One look at your logs will show you that bots are scanning for it’s presence.

Turning off un-needed daemons : why install them to begin with? It serves no purpose to install potential vulnerabilities if all your going to do is turn it off. Since you’re starting with a fresh OS build, deselect all software you don’t need. This narrows your attack surface and offers the added bonus of conserving resources.

Yum : as soon as you type that into your console you’ve lost any sense of security. You have no idea where that software has come from, who packaged it, nor how it was built. remember the great redhat gcc 2.96 issue? They grabbed a developers snapshot of gcc (without gnu’s knowledge) and used it to build all their rpms for their redhat 8 release. Over the next six months people everywhere were discovering corrupt tables in their mysql implementations with no way to recover. The issue was eventually traced back to redhat’s rpms. If you didn’t build it, don’t trust it! (secure is the goal, right?). This gives you the added bonus of letting you remove pieces of the software that you don’t need, narrowing the attack surface. Not going to offer CGI access? Don’t even even compile in CGI capabilities.

MySQL : remove its networking capabilities and force it to work over unix domain sockets. When you run “netstat -an | grep LISTEN”, you should NOT see 3306 as a bound port. The DBMS is for the local hosting user’s, they don’t need to access the daemon from outside of the environment; and now, attackers can’t either.

VSFTP : is not very secure at all. Your already supporting sshd, why not offer SFTP access? You don’t need to add any extra software, you just need to enable it and add a couple rules to your firewall. Now you’ll have end-to-end encryption, again, narrowing your attack surface.

Apache conf : turn off tokens (set to prod), don’t use * in the virtualhost; it’s a rare thing when you really want all sites gloaming onto all adapters. More often then not you’ll want to restrict each container to a specific IP.

I hope you founf something helpful or useful in that.

You only need port 80 inbound to your home for browsing.

Btw, I don’t know all of the daemons you suggest to disable. Maybe I need some of them, or maybe some others can be turn off. Do you have a reference somewhere which will give us more information about those daemons ?