Description
This document will be focused on helping you set up a secure web hosting environment on a CentOS VPS (Virtual Private Server). For other Linux or Unix-like systems many of the actual configuration options will be similar or identical, but some file names, file paths, commands, etc. may differ depending on the operating system. Therefore, instructions for your particular system may vary. It does not matter which operating system you use, only that you are comfortable and familiar with it. You’re free to adapt the instructions here to your setup or search for something more specific on the Internet.
Purpose & Scope
This document starts from scratch and assumes you have just received or set up a new VPS with CentOS Linux on it and have done no configuration yet. The approach here is to start in a very restrictive state and selectively allow access to the required services or functionality as needed. In this way, we’re not unnecessarily exposing ourselves to potential threats before we’ve had a chance to properly set up the environment.
Mandatory Setup
- Secure sshd
- Create user accounts / groups (usermod, useradd, userdel, groupadd, groupdel)
- Filesystem permissions (chmod)
- Filesystem ownership (chown)
- Sudo Configuration (visudo)
- Generate 4096-bit RSA public/private encryption keypair
- Installation and configuration of SELinux
- Netfilter iptables / ip6tables firewall rules
- Installation and configuration of Fail2ban
- Installation and configuration of DenyHosts
- Enable Network Time Protocol ntp/ntpdate
- Set system timezone, for example:
    ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
- Installation and configuration of Apache httpd
- Installation and configuration of nginx
- Installation and configuration of PHP-FPM
- Installation and configuration of SSL/TLS certificates
- Installation and configuration of mod_security
- Installation and configuration of mod_evasive
- Installation and configuration of mod_ssl
- Installation and configuration of MariaDB / MySQL
- Database container setup
- Database dumps and backups
Filesystem
Networking
Webserver
Database
Optional Setup
These things are not necessary but will certainly help you in your day-to-day management of the server and/or clients by providing useful stats, log analysis, secure file sharing and database management.
Post Setup Options
- Installation and configuration of AWStats – Website analytics and detailed visitor statistics.
- Installation and configuration of Icinga – Open source, scalable, enterprise-level system monitoring and notification tools.
- Installation and configuration of Log Analyzer – Visual system log analyzer.
- Piwik Analytics – Extendable open source self-hosted web analytics platform; free, 100% data ownership, user privacy protection.
Secure Filesharing Solution
- Installation and configuration of ownCloud – Secure self-hosted Dropbox-like solution. 100% data ownership and control.
- Installation and configuration of phpMyAdmin – Web front-end for MySQL / MariaDB.
- Backup script written for Bash – Backup important directories and files (system configuration, webroots, databases, system log files).
- chkrootkit – Scan the system for rootkits, suspicious changes, files or other malicious behaviours.
- rkhunter – Scan the system for rootkits, suspicious changes, files or other malicious behaviours.