{"id":22919,"date":"2017-08-15T09:23:11","date_gmt":"2017-08-15T14:23:11","guid":{"rendered":"https:\/\/www.rosehosting.com\/blog\/?p=22919"},"modified":"2023-04-05T05:47:52","modified_gmt":"2023-04-05T10:47:52","slug":"how-to-secure-your-lamp-server","status":"publish","type":"post","link":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/","title":{"rendered":"How To Secure LAMP Server"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><p><img decoding=\"async\" class=\"alignnone size-full wp-image-25108\" src=\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg\" alt=\"How to secure LAMP server\" width=\"1200\" height=\"600\" srcset=\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg 1200w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-150x75.jpg 150w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-300x150.jpg 300w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-768x384.jpg 768w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-1024x512.jpg 1024w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-860x430.jpg 860w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-680x340.jpg 680w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-500x250.jpg 500w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-400x200.jpg 400w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-200x100.jpg 200w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server-50x25.jpg 50w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/p>\n<p>We&#8217;ll show you, How to secure LAMP server. The LAMP stack which stands for Linux, Apache, MySQL\/MariaDB and PHP\/Python\/Perl is a very popular combination of free and open-source software used to run millions of websites today. Although many opt for the much efficient LEMP stack based on Nginx instead of Apache, there are still a significant number of users that choose LAMP for their projects. In fact, more than 30% of the active websites today run on top of LAMP. The stack is considered as reliable and very suitable for running high-performance high-availability web applications. Securing\u00a0LAMP server is not complicated but it is a long process and it should take 15-20 minutes to secure every aspect of the LAMP stack. Let&#8217;s dive in!<br \/>\n<!--more--><\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<p class=\"ez-toc-title\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-662b7a0a384c3\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"ez-toc-cssicon\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-662b7a0a384c3\"  aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#1-Enable-automatic-updates\" title=\"1. Enable automatic updates\">1. Enable automatic updates<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#2-Configure-firewall\" title=\"2. Configure firewall\">2. Configure firewall<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#3-Disable-unused-services\" title=\"3. Disable unused services\">3. Disable unused services<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#4-Install-Fail2ban\" title=\"4. Install Fail2ban\">4. Install Fail2ban<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#5-Hide-Apache-sensitive-information\" title=\"5. Hide Apache sensitive information\">5. Hide Apache sensitive information<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#6-Install-and-enable-mod-security\" title=\"6. Install and enable mod_security\">6. Install and enable mod_security<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#7-Install-and-enable-mod-evasive\" title=\"7. Install and enable mod_evasive\">7. Install and enable mod_evasive<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#8-Secure-the-MySQL-server-deployment\" title=\"8. Secure the MySQL server deployment\">8. Secure the MySQL server deployment<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#9-Disable-remote-MySQL-access\" title=\"9. Disable remote MySQL access\">9. Disable remote MySQL access<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#10-Create-separate-MySQL-users\" title=\"10. Create separate MySQL users\">10. Create separate MySQL users<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#11-Disable-LOCAL-INFILE\" title=\"11. Disable LOCAL INFILE\">11. Disable LOCAL INFILE<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#12-Secure-PHP\" title=\"12. Secure PHP\">12. Secure PHP<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#13-Hide-PHP-basic-information\" title=\"13. Hide PHP basic information\">13. Hide PHP basic information<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#14-Disable-dangerous-PHP-functions\" title=\"14. Disable dangerous PHP functions\">14. Disable dangerous PHP functions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#15-Restrict-file-uploads\" title=\"15. Restrict file uploads\">15. Restrict file uploads<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#16-Set-maximum-execution-time\" title=\"16. Set maximum execution time\">16. Set maximum execution time<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#17-Enable-open-basedir\" title=\"17. Enable open_basedir\">17. Enable open_basedir<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"1-Enable-automatic-updates\"><\/span>1. Enable automatic updates<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Having in mind that the LAMP stack is based on Linux and the whole open-source community works on improvements, it is considered as secure too. On an <a href=\"https:\/\/www.rosehosting.com\/ubuntu-hosting.html\" target=\"_blank\" rel=\"noopener noreferrer\">Ubuntu VPS<\/a>, all security updates and patches are available as an automatic unattended install as soon as they become available in the Ubuntu repos, and therefore, make sure you configure your system to <a href=\"https:\/\/www.rosehosting.com\/blog\/how-to-enable-automatic-updates-on-a-linux-vps\/\" target=\"_blank\" rel=\"noopener noreferrer\">automatically install the security updates<\/a> if you are concerned about the security. In case this feature is not enabled on your server and you are not installing the latest upgrades and patches manually, you are putting your server at risk of being exploited.<\/p>\n<p>To enable automatic unattended upgrades you should install the <em>unattended-upgrades<\/em> package.<\/p>\n<pre>sudo apt-get install unattended-upgrades<\/pre>\n<p>To configure which category of packages to be automatically upgraded you should edit the <em>\/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/em> file.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2-Configure-firewall\"><\/span>2. Configure firewall<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Having a properly configured firewall is another thing that is very important for the overall security. <em>ufw<\/em> is the default firewall configuration tool for Ubuntu and it is initially disabled. To enable <em>ufw<\/em> you can use:<\/p>\n<pre>sudo ufw enable<\/pre>\n<p>Enable access to the basic services like <a href=\"https:\/\/www.rosehosting.com\/blog\/change-default-ssh-port-on-linux\/\" target=\"_blank\" rel=\"noopener noreferrer\">OpenSSH<\/a> and Apache:<\/p>\n<pre>sudo ufw allow 22\r\nsudo ufw allow 80\r\nsudo ufw allow 443<\/pre>\n<p>Enabling access to other services is pretty easy. Just replace the port number in the examples above with the port number of the service which you want to enable access to and that&#8217;s it. The firewall rules will be active even after system reboot.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"3-Disable-unused-services\"><\/span>3. Disable unused services<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you have active services which you are not using, you can simply disable them. For example, if you have service like Dovecot up and running on your server and you are not using it at all, stop and disable the service using the following commands:<\/p>\n<pre>sudo systemctl stop dovecot.service\r\nsudo systemctl disable dovecot.service<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"4-Install-Fail2ban\"><\/span>4. Install Fail2ban<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Fail2ban is a service which scans the log files for too many login failures and blocks the IP address which is showing malicious signs. This service is very useful if you are not using two factor or public\/private authentication mechanisms on services like OpenSSH. To <a href=\"https:\/\/www.rosehosting.com\/blog\/install-fail2ban-on-an-ubuntu-14-04\/\" target=\"_blank\" rel=\"noopener noreferrer\">install Fail2ban<\/a>, run this command:<\/p>\n<pre>sudo apt-get install fail2ban<\/pre>\n<p>Create a copy of the default configuration file so you can safely make changes without them being overwritten by system upgrades:<\/p>\n<pre>sudo cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/pre>\n<p>Edit the <em>jail.local<\/em> file:<\/p>\n<pre>sudo nano \/etc\/fail2ban\/jail.local<\/pre>\n<p>The <strong>[sshd]<\/strong> block should look like the following one:<\/p>\n<pre>[sshd]\r\n\r\nenabled  = true\r\nport     = ssh\r\nfilter   = sshd\r\nlogpath  = \/var\/log\/auth.log\r\nmaxretry = 5\r\nbantime = 600\r\n<\/pre>\n<p>Save the file and restart Fail2ban for the changes to take effect:<\/p>\n<pre>sudo systemctl restart fail2ban.service<\/pre>\n<p>Enable Fail2ban on system boot:<\/p>\n<pre>sudo systemctl enable fail2ban.service<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"5-Hide-Apache-sensitive-information\"><\/span>5. Hide Apache sensitive information<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The default <a href=\"https:\/\/www.rosehosting.com\/apache-hosting.html\" target=\"_blank\" rel=\"noopener noreferrer\">Apache<\/a> configuration provides much sensitive information which can be used against the service. Making this information hidden is crucial so go ahead and create a configuration file for your new settings:<\/p>\n<pre>sudo nano \/etc\/apache2\/conf-available\/custom.conf<\/pre>\n<p>Paste the following content:<\/p>\n<pre>ServerTokens Prod\r\nServerSignature Off\r\nTraceEnable Off\r\nOptions all -Indexes\r\nHeader unset ETag\r\nHeader always unset X-Powered-By\r\nFileETag None<\/pre>\n<p>Enable the headers Apache module if it is not already enabled:<\/p>\n<pre>sudo a2enmod headers<\/pre>\n<p>Enable the configuration:<\/p>\n<pre>sudo a2enconf custom.conf<\/pre>\n<p>Restart Apache for the changes to take effect:<\/p>\n<pre>sudo systemctl restart apache2.service<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"6-Install-and-enable-mod-security\"><\/span>6. Install and enable mod_security<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Mod_security is a web application firewall (WAF) which can be installed as an additional module for Apache. It can be used to protect the web server from numerous attacks like SQL injections, session hijacking, cross site scripting, bad user agents and many others. To install and enable mod_security run the commands below:<\/p>\n<pre>sudo apt-get install libapache2-modsecurity2\r\nsudo a2enmod security2<\/pre>\n<p>Once it is installed you should configure the module and enable the OWASP ModSecurity Core Rule Set (CRS).<\/p>\n<pre>sudo mv \/etc\/modsecurity\/modsecurity.conf-recommended \/etc\/modsecurity\/modsecurity.conf<\/pre>\n<p>Then, open the <em>\/etc\/modsecurity\/modsecurity.conf<\/em> file and edit\/add the following settings:<\/p>\n<pre>SecRuleEngine On\r\nSecResponseBodyAccess Off\r\nSecRequestBodyLimit 8388608\r\nSecRequestBodyNoFilesLimit 131072\r\nSecRequestBodyInMemoryLimit 262144\r\n<\/pre>\n<p>Save and close the file. Remove the current CRS and download the OWASP CRS by using the following commands:<\/p>\n<pre>sudo rm -rf \/usr\/share\/modsecurity-crs\r\nsudo git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git \/usr\/share\/modsecurity-crs\r\ncd \/usr\/share\/modsecurity-crs\r\nsudo mv crs-setup.conf.example crs-setup.conf\r\n<\/pre>\n<p>Edit the <em>\/etc\/apache2\/mods-enabled\/security2.conf<\/em> file. It should look like the one below:<\/p>\n<pre>&lt;IfModule security2_module&gt;\r\n\tSecDataDir \/var\/cache\/modsecurity\r\n\tIncludeOptional \/etc\/modsecurity\/*.conf\r\n\tIncludeOptional \"\/usr\/share\/modsecurity-crs\/*.conf\"\r\n\tIncludeOptional \"\/usr\/share\/modsecurity-crs\/rules\/*.conf\r\n&lt;\/IfModule&gt;\r\n<\/pre>\n<p>Finally, restart Apache for the changes to take effect:<\/p>\n<pre>sudo systemctl restart apache2.service<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"7-Install-and-enable-mod-evasive\"><\/span>7. Install and enable mod_evasive<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Mod_evasive is an Apache module which can be used to protect the web server from DoS (Denial of Service), DDoS (Distributed Denial of Service) and brute-force attacks. To install mod_evasive on your server, run this command:<\/p>\n<pre>sudo apt-get install libapache2-mod-evasive<\/pre>\n<p>Open the default configuration file <em>\/etc\/apache2\/mods-enabled\/evasive.conf<\/em> and edit the settings to look like those below:<\/p>\n<pre>&lt;IfModule mod_evasive20.c&gt;\r\n\tDOSPageCount        5\r\n\tDOSSiteCount        50\r\n\tDOSPageInterval     1\r\n\tDOSSiteInterval     1\r\n\tDOSBlockingPeriod   600\r\n\tDOSLogDir           \"\/var\/log\/mod_evasive\"\r\n&lt;\/IfModule&gt;\r\n<\/pre>\n<p>Save and close the file. Create a directory for the log files:<\/p>\n<pre>sudo mkdir \/var\/log\/mod_evasive\r\nsudo chown -R www-data: \/var\/log\/mod_evasive<\/pre>\n<p>Restart Apache:<\/p>\n<pre>sudo systemctl restart apache2.service<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"8-Secure-the-MySQL-server-deployment\"><\/span>8. Secure the MySQL server deployment<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The first thing you need to do to secure the MySQL service is to run the <em>mysql_secure_installation<\/em> script.<\/p>\n<pre>sudo mysql_secure_installation<\/pre>\n<p>The script will help you to perform important security tasks like setting up root password, disable remote root login, remove anonymous users etc.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"9-Disable-remote-MySQL-access\"><\/span>9. Disable remote MySQL access<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you don&#8217;t perform remote operations over your <a href=\"https:\/\/www.rosehosting.com\/mysql-hosting.html\" target=\"_blank\" rel=\"noopener noreferrer\">MySQL server<\/a> then disabling the remote access to the service is a very important thing to do. You can do this by editing the <em>\/etc\/mysql\/mysql.conf.d\/mysqld.cnf<\/em> file and changing the <em>bind-address<\/em> to 127.0.0.1.<\/p>\n<pre>bind-address = 127.0.0.1<\/pre>\n<p>Restart the service for the changes to take effect.<\/p>\n<pre>sudo systemctl restart mysql.service<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"10-Create-separate-MySQL-users\"><\/span>10. Create separate MySQL users<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Another thing you need to consider is creating separate MySQL users for each database and application.<\/p>\n<p>Log in to MySQL as root:<\/p>\n<pre>mysql -u root -p<\/pre>\n<p>You can create MySQL database and grant all privileges to a new user using the following commands:<\/p>\n<pre>mysql&gt; CREATE DATABASE new_db;\r\nmysql&gt; GRANT ALL PRIVILEGES on new_db.* to 'new_user'@'localhost' identified by 'PaSsW0rD';\r\nmysql&gt; FLUSH PRIVILEGES;\r\nmysql&gt; EXIT\r\n<\/pre>\n<p>Then, you can use the newly created database and user for your application.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"11-Disable-LOCAL-INFILE\"><\/span>11. Disable LOCAL INFILE<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you explicitly don&#8217;t use LOCAL INFILE then it is good to disable it. Again, edit the MySQL configuration file and add the following line under the <strong>[mysqld]<\/strong> block:<\/p>\n<pre>local-infile=0<\/pre>\n<p>Restart the MySQL service for the changes to take effect.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"12-Secure-PHP\"><\/span>12. Secure PHP<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you performed the steps above, your server should be already secure. The last part of securing the <a href=\"https:\/\/www.rosehosting.com\/lamp-hosting.html\" target=\"_blank\" rel=\"noopener noreferrer\">LAMP server<\/a> is securing PHP, which is a pretty straightforward process. Find the location of your PHP ini file:<\/p>\n<pre>php --ini | grep \"Loaded Configuration File\"<\/pre>\n<p>All changes we will be making into this file.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"13-Hide-PHP-basic-information\"><\/span>13. Hide PHP basic information<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The first step is to hide the information provided by <a href=\"https:\/\/www.rosehosting.com\/php-hosting.html\" target=\"_blank\" rel=\"noopener noreferrer\">PHP<\/a> which some attackers may find useful. Open the <em>php.ini<\/em> file and change the settings to match the following:<\/p>\n<pre>expose_php = Off\r\ndisplay_errors = Off\r\nmail.add_x_header = Off\r\n<\/pre>\n<p>Save the file and restart Apahce:<\/p>\n<pre>sudo systemctl restart apache2.service<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"14-Disable-dangerous-PHP-functions\"><\/span>14. Disable dangerous PHP functions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The <em>disable_functions<\/em> directive allows you to disable some functions that could be harmful to your system. Edit the directive in your <em>php.ini<\/em> file to match the following:<\/p>\n<pre>disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,allow_url_fopen,curl_exec,curl_multi_exec<\/pre>\n<p>While you are here, disable the remote PHP code execution by using the following settings:<\/p>\n<pre>allow_url_fopen=Off\r\nallow_url_include=Off<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"15-Restrict-file-uploads\"><\/span>15. Restrict file uploads<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you don&#8217;t use file uploading features it is totally safe to restrict the file uploads in PHP. Open the <em>php.ini<\/em> file and set the following setting:<\/p>\n<pre>file_uploads=Off<\/pre>\n<p>In case you are using file uploading features you can set the following:<\/p>\n<pre>file_uploads=On\r\nupload_max_filesize=1M\r\n<\/pre>\n<p>where <em>upload_max_filesize<\/em> is the upload size limit.<\/p>\n<p>Restart Apache after making these changes.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"16-Set-maximum-execution-time\"><\/span>16. Set maximum execution time<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Again, edit the <em>php.ini<\/em> file and change the following settings:<\/p>\n<pre>max_execution_time = 30\r\nmax_input_time = 30\r\nmemory_limit = 40M\r\n<\/pre>\n<p>This sets the maximum time in seconds a script is allowed to run or parse data as well as will set the maximum amount of memory that a script is allowed to allocate.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"17-Enable-open-basedir\"><\/span>17. Enable open_basedir<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The open_basedir directive allows you to set the location from which PHP is allowed to access files. Edit the <em>php.ini<\/em> file and set the correct location to match your current configuration:<\/p>\n<pre>open_basedir=\"\/path\/to\/the\/directory\/\"<\/pre>\n<p>Don&#8217;t forget to restart Apache so the changes can take effect.<\/p>\n<p>Of course, if you are one of our <a href=\"https:\/\/www.rosehosting.com\/lamp-hosting.html\">LAMP Hosting<\/a> customers, you don\u2019t have to secure your LAMP server, simply ask our admins, sit back and relax. Our admins will <strong>secure your LAMP server<\/strong> for you immediately.<\/p>\n<p><strong><span style=\"color: #ff0000;\">PS<\/span>.<\/strong> If you liked this post, on how to\u00a0secure your LAMP server,\u00a0 please share it with your friends on the social networks using the buttons below or simply leave a comment in the comments section. Thanks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ll show you, How to secure LAMP server. The LAMP stack which stands for Linux, Apache, MySQL\/MariaDB and PHP\/Python\/Perl is &#8230; <\/p>\n<p class=\"read-more-container\"><a title=\"How To Secure LAMP Server\" class=\"read-more button\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#more-22919\" aria-label=\"Read more about How To Secure LAMP Server\">Read More<\/a><\/p>\n","protected":false},"author":4,"featured_media":25108,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1236,2071,1703,13,1707],"tags":[1582,177,1583],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Secure LAMP Server | RoseHosting<\/title>\n<meta name=\"description\" content=\"Learn how to secure your LAMP (Linux, Apache, MySQL, and PHP) server. Never store sensitive data unless your LAMP server is secure.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Secure LAMP Server | RoseHosting\" \/>\n<meta property=\"og:description\" content=\"Learn how to secure your LAMP (Linux, Apache, MySQL, and PHP) server. Never store sensitive data unless your LAMP server is secure.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/\" \/>\n<meta property=\"og:site_name\" content=\"RoseHosting\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/RoseHosting\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/rosehosting.helpdesk\" \/>\n<meta property=\"article:published_time\" content=\"2017-08-15T14:23:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-04-05T10:47:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jeff Wilson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@rosehosting\" \/>\n<meta name=\"twitter:site\" content=\"@rosehosting\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeff Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/\"},\"author\":{\"name\":\"Jeff Wilson\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/7ce77a842fa6a9a7f8efa186f2353713\"},\"headline\":\"How To Secure LAMP Server\",\"datePublished\":\"2017-08-15T14:23:11+00:00\",\"dateModified\":\"2023-04-05T10:47:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/\"},\"wordCount\":1362,\"commentCount\":11,\"publisher\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg\",\"keywords\":[\"lamp server\",\"linux vps\",\"secure lamp\"],\"articleSection\":[\"Guides\",\"Linux\",\"Security\",\"Tutorials\",\"Web Servers\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/\",\"name\":\"How to Secure LAMP Server | RoseHosting\",\"isPartOf\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg\",\"datePublished\":\"2017-08-15T14:23:11+00:00\",\"dateModified\":\"2023-04-05T10:47:52+00:00\",\"description\":\"Learn how to secure your LAMP (Linux, Apache, MySQL, and PHP) server. Never store sensitive data unless your LAMP server is secure.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#primaryimage\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg\",\"contentUrl\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg\",\"width\":1200,\"height\":600,\"caption\":\"How to secure LAMP server\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.rosehosting.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How To Secure LAMP Server\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#website\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/\",\"name\":\"RoseHosting\",\"description\":\"Premium Linux Tutorials Since 2001\",\"publisher\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.rosehosting.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#organization\",\"name\":\"RoseHosting\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2022\/03\/android-chrome-192x192-1.png\",\"contentUrl\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2022\/03\/android-chrome-192x192-1.png\",\"width\":192,\"height\":192,\"caption\":\"RoseHosting\"},\"image\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/RoseHosting\",\"https:\/\/x.com\/rosehosting\",\"https:\/\/www.linkedin.com\/in\/rosehosting\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/7ce77a842fa6a9a7f8efa186f2353713\",\"name\":\"Jeff Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/09271207587f897ab46faaed9b355252?s=96&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/09271207587f897ab46faaed9b355252?s=96&r=g\",\"caption\":\"Jeff Wilson\"},\"description\":\"An experienced Linux veteran with many years of experience. Helping other Linux admins with frequent Linux and business-related blog posts on the RoseHosting blog. Techie by choice. Loving nature and travel. Happily married and father of two lovely children.\",\"sameAs\":[\"https:\/\/www.rosehosting.com\",\"https:\/\/www.facebook.com\/rosehosting.helpdesk\"],\"url\":\"https:\/\/www.rosehosting.com\/blog\/author\/jwilson\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Secure LAMP Server | RoseHosting","description":"Learn how to secure your LAMP (Linux, Apache, MySQL, and PHP) server. Never store sensitive data unless your LAMP server is secure.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/","og_locale":"en_US","og_type":"article","og_title":"How to Secure LAMP Server | RoseHosting","og_description":"Learn how to secure your LAMP (Linux, Apache, MySQL, and PHP) server. Never store sensitive data unless your LAMP server is secure.","og_url":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/","og_site_name":"RoseHosting","article_publisher":"https:\/\/www.facebook.com\/RoseHosting","article_author":"https:\/\/www.facebook.com\/rosehosting.helpdesk","article_published_time":"2017-08-15T14:23:11+00:00","article_modified_time":"2023-04-05T10:47:52+00:00","og_image":[{"width":1200,"height":600,"url":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg","type":"image\/jpeg"}],"author":"Jeff Wilson","twitter_card":"summary_large_image","twitter_creator":"@rosehosting","twitter_site":"@rosehosting","twitter_misc":{"Written by":"Jeff Wilson","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#article","isPartOf":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/"},"author":{"name":"Jeff Wilson","@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/7ce77a842fa6a9a7f8efa186f2353713"},"headline":"How To Secure LAMP Server","datePublished":"2017-08-15T14:23:11+00:00","dateModified":"2023-04-05T10:47:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/"},"wordCount":1362,"commentCount":11,"publisher":{"@id":"https:\/\/www.rosehosting.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#primaryimage"},"thumbnailUrl":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg","keywords":["lamp server","linux vps","secure lamp"],"articleSection":["Guides","Linux","Security","Tutorials","Web Servers"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/","url":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/","name":"How to Secure LAMP Server | RoseHosting","isPartOf":{"@id":"https:\/\/www.rosehosting.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#primaryimage"},"image":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#primaryimage"},"thumbnailUrl":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg","datePublished":"2017-08-15T14:23:11+00:00","dateModified":"2023-04-05T10:47:52+00:00","description":"Learn how to secure your LAMP (Linux, Apache, MySQL, and PHP) server. Never store sensitive data unless your LAMP server is secure.","breadcrumb":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#primaryimage","url":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg","contentUrl":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/08\/How-to-secure-LAMP-server.jpg","width":1200,"height":600,"caption":"How to secure LAMP server"},{"@type":"BreadcrumbList","@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lamp-server\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.rosehosting.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How To Secure LAMP Server"}]},{"@type":"WebSite","@id":"https:\/\/www.rosehosting.com\/blog\/#website","url":"https:\/\/www.rosehosting.com\/blog\/","name":"RoseHosting","description":"Premium Linux Tutorials Since 2001","publisher":{"@id":"https:\/\/www.rosehosting.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.rosehosting.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.rosehosting.com\/blog\/#organization","name":"RoseHosting","url":"https:\/\/www.rosehosting.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2022\/03\/android-chrome-192x192-1.png","contentUrl":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2022\/03\/android-chrome-192x192-1.png","width":192,"height":192,"caption":"RoseHosting"},"image":{"@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/RoseHosting","https:\/\/x.com\/rosehosting","https:\/\/www.linkedin.com\/in\/rosehosting\/"]},{"@type":"Person","@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/7ce77a842fa6a9a7f8efa186f2353713","name":"Jeff Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/09271207587f897ab46faaed9b355252?s=96&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/09271207587f897ab46faaed9b355252?s=96&r=g","caption":"Jeff Wilson"},"description":"An experienced Linux veteran with many years of experience. Helping other Linux admins with frequent Linux and business-related blog posts on the RoseHosting blog. Techie by choice. Loving nature and travel. Happily married and father of two lovely children.","sameAs":["https:\/\/www.rosehosting.com","https:\/\/www.facebook.com\/rosehosting.helpdesk"],"url":"https:\/\/www.rosehosting.com\/blog\/author\/jwilson\/"}]}},"_links":{"self":[{"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/posts\/22919"}],"collection":[{"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/comments?post=22919"}],"version-history":[{"count":3,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/posts\/22919\/revisions"}],"predecessor-version":[{"id":45303,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/posts\/22919\/revisions\/45303"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/media\/25108"}],"wp:attachment":[{"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/media?parent=22919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/categories?post=22919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/tags?post=22919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}