Hardening CentOS 7 - LAMP

Support for security such as Firewalls and securing linux
bubbawny
Posts: 1
Joined: 2015/04/21 20:44:01

Hardening CentOS 7 - LAMP

Post by bubbawny » 2015/04/21 21:00:06

Howdy folks:

I'm new to Linux and to CentOS 7. I've been learning and playing with various distros for about two months, though I've been dabbling with Linux on and off for a few years. I'm really more of an application developer, with some knowledge of System / Network Admin.

I have been building a CentOS 7 VM (Virtual Box) as a prototype LAMP server to host a basic LAMP application. The idea is to move a basic LAMP app we have with Go Daddy (shared servers, just awful!) to either a Cloud VPS like Digital Ocean or a managed VPS like A Small Orange Cloud VPS or to bring it in house.

As you know, each of those choices has pros and cons. But I'm leaning towards bringing it in house. Mainly because I cannot find any reputable information that identifies a quality and reliable managed VPS provider. A Small Orange looks good, but they sure have had a lot of outages and SiteGround doesn't look too bad but it seems pretty costly. I could go with Digital Ocean, but then I'm responsible for full management, which is ok, or I could bring my site in house where I can control everything in my company's infrastructure.

So if we forget about all the CONS of doing that for a moment (like not having full redundant data centers, etc.), I'd like to ask a question about hardening a CentOS server. Assuming some of the basics, like firewalling, closing unnecessary ports but 80/443/25, what else would one do to harden a CentOS server from security threats? Are there any guides out there that can help? Are there any pre-hardened CentOS VMs designed for use as Public LAMP servers?

The site we need to run is really a basic LAMP app. Nothing to it. But at this point, managing security threats has been a function of the hosting provider, but if I bring it in house it becomes our responsibility.

Just looking for guidance and would think there would be common settings and security policy guidelines that might help me get a jump on what it would take to harden a CentOS 7 LAMP server from maliciousness (hacking, intrusions, DDoS).

Are there any recommendations about CentOS IPS/IPD packages that are recommended? What about Apache 2.4 holes or security issues? or MariaDB or other security holes?

I'm a noob to this yes. But wise enough to try to identify those who know more than I do and identify some guidelines and best practices on this topic.

I think hosting a site internally makes sense for us, presuming I can reasonably harden the server from threats. I know new threats and issues are identified all the time. But given today's CentOS 7 maturity and support community, I would think that there's got to be some reasonable guidance on securing a server, and I'd like your help in shining a light on what I need to know.

Much appreciated, folks. Sincerely.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Hardening CentOS 7 - LAMP

Post by TrevorH » 2015/04/22 00:48:41

Red Hat backport fixes from the upstream developers and integrate them into the packages that are provided for RHEL (subsequently rebuilt by CentOS). This means that for most security vulnerabilities, fixing them is just a yum update away.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: Hardening CentOS 7 - LAMP

Post by giulix63 » 2015/04/22 08:09:42

Just follow standard best practices: Only install from reputed repositories, update frequently and as soon as possible when a critical security update is available, do not disable SELinux. I'd advise against bringing in house: There's really no advantage to that, only disadvantages. Disallow root ssh access, disallow ssh password login (use RSA keys). If at all possible, do not run your own DNS or internet-facing mail server unless absolutely necessary. As far as the firewall is concerned, I never really liked RH/Fedora/CentOS default firewall tools, so I opted for shorewall (it's in epel), but that's me. Also, to block offending IP addresses, I use a custom solution. Have fun looking at your access logs, sit back and relax ;)

P.S. In the past, I've also tried other tricks/tools, like running SSH on a non-standard port, port-knocking and running an IDS, but have found that they're really overkill for a simple web site. If you really want to invest in something, invest in learning how to use mod_security effectively.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.
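
A way to check three of the points from the reply above (no root SSH login, no SSH password login, SELinux not disabled) against config files, as an added example that is not part of the original posts. The function names, the sample files and the assumed defaults of `yes` are illustrative; on a real host the inputs would be `/etc/ssh/sshd_config` and `/etc/selinux/config`.

```bash
#!/usr/bin/env bash
# Added example: audit config files against the advice in the post above.

# Effective global value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword, keywords are case-insensitive, and commented-out
# lines do not count. Parsing stops at the first Match block.
sshd_effective() {  # usage: sshd_effective <file> <keyword> <default>
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# SELINUX= mode from a file in /etc/selinux/config format.
selinux_mode() {  # usage: selinux_mode <file>
    awk -F= '/^[ \t]*SELINUX=/ { gsub(/[ \t]/, "", $2); print tolower($2); found = 1; exit }
             END { if (!found) print "unknown" }' "$1"
}

# Prints one line per finding; exit status is the number of findings.
# Defaults of "yes" are an assumption matching the OpenSSH shipped with CentOS 7.
audit() {  # usage: audit <sshd_config> <selinux_config>
    local fails=0 v
    v=$(sshd_effective "$1" PermitRootLogin yes)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=$v"; fails=$((fails + 1)); }
    v=$(sshd_effective "$1" PasswordAuthentication yes)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v"; fails=$((fails + 1)); }
    v=$(selinux_mode "$2")
    [ "$v" != disabled ] || { echo "FAIL SELINUX=$v"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$tmp/sshd_weak"
printf '%s\n' 'permitrootlogin no' 'PasswordAuthentication no' \
    'Match User backup' '  PasswordAuthentication yes' > "$tmp/sshd_hard"
printf '%s\n' 'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$tmp/se_off"
printf '%s\n' '# comment' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$tmp/se_on"

audit "$tmp/sshd_weak" "$tmp/se_off" || echo "weak host: $? finding(s)"
audit "$tmp/sshd_hard" "$tmp/se_on" && echo "hardened host: no findings"
```

The weak sample shows two easy misreadings: a commented-out `PermitRootLogin no` leaves the default in force, and a later `PasswordAuthentication no` does not override an earlier `yes`. Settings inside `Match` blocks are not evaluated by this check.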
