{"id":21522,"date":"2017-03-01T07:39:37","date_gmt":"2017-03-01T13:39:37","guid":{"rendered":"https:\/\/www.rosehosting.com\/blog\/?p=21522"},"modified":"2022-06-03T03:42:17","modified_gmt":"2022-06-03T08:42:17","slug":"how-to-secure-your-lemp-stack","status":"publish","type":"post","link":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/","title":{"rendered":"How to secure LEMP stack"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><p><img decoding=\"async\" class=\"alignnone size-full wp-image-24821\" src=\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg\" alt=\"How to secure LEMP stack\" width=\"1200\" height=\"600\" srcset=\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg 1200w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-150x75.jpg 150w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-300x150.jpg 300w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-768x384.jpg 768w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-1024x512.jpg 1024w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-860x430.jpg 860w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-680x340.jpg 680w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-500x250.jpg 500w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-400x200.jpg 400w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-200x100.jpg 200w, https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack-50x25.jpg 50w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/p>\n<p>We&#8217;ll show you, how to secure LEMP stack. LEMP, it stands for Linux, <a href=\"https:\/\/www.rosehosting.com\/nginx-hosting.html\">(EngineX) NGINX<\/a>, <a href=\"https:\/\/www.rosehosting.com\/mariadb-hosting.html\">MariaDB<\/a> (or <a href=\"https:\/\/www.rosehosting.com\/mysql-hosting.html\">MySQL<\/a>) and <a href=\"https:\/\/www.rosehosting.com\/php-hosting.html\">PHP<\/a>. Due to its flexibility and simplicity,\u00a0NGINX slowly takes over the Internet. In this tutorial, we will attempt, through examples of bad and good practices, to go\u00a0through the steps of properly securing your Linux web server. So what is the term Security?\u00a0Often you can hear the IT Engineers saying\u00a0<em>&#8220;Our network is secure&#8221; <\/em>or <em>&#8220;Our servers are secure&#8221; <\/em>however, those sentences although widely used are\u00a0technically not correct, as in many books and publications you can find that\u00a0<em>Security<\/em> as a term is not a static value, but rather a degree.\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Security\">From Wikipedia<\/a> the definition is:<br \/>\n<em>&#8220;Security is the degree of resistance to, or protection from harm. It applies to any vulnerable and\/or valuable asset, such as a person, dwelling, community, item, nation, or organization.&#8221;<br \/>\n<\/em>In terms of servers or applications,\u00a0one should always be aware that the more secure their server or application is, the less accessible it becomes (it is harder to be accessed).<\/p>\n<p>Of course, the best\u00a0example for this is the proverb:<br \/>\n<em> &#8220;The most secure server is the one that is switched off.&#8221;<\/em>.<\/p>\n<p>As ridiculous as it may sound, this is occasionally practiced by some organizations today, where their\u00a0most\u00a0secure servers are kept offline and\/or in totally closed networks and are powered on only when they need to be.<!--more--><\/p>\n<h3><strong>Intended audience<br \/>\n<\/strong><\/h3>\n<p>Before going any further we must point out that this guide is aimed at\u00a0intermediate users with some knowledge of installing and configuring the LEMP stack. We will assume that you (the reader) already have the relevant\u00a0knowledge for handling a Linux operating system. This guide is not for beginners. Many other related topics are connected to this guide and things\u00a0like <a href=\"https:\/\/www.rosehosting.com\/blog\/how-to-install-lemp-linux-nginx-mariadb-php-fpm-on-a-centos-7-vps\/\">installing the LEMP stack<\/a>, <a href=\"https:\/\/www.rosehosting.com\/blog\/how-to-install-nginx-and-set-up-ssl-certificate-on-an-ubuntu-14-04-vps\/\">installing SSL certificates<\/a>, configuring <a href=\"https:\/\/www.rosehosting.com\/blog\/ssh-login-without-password-using-ssh-keys\/\">public key authentication<\/a> and many other are out of the scope of this tutorial. However, you can <a href=\"https:\/\/www.rosehosting.com\/managed-vps-hosting.html\">get a VPS from us<\/a> and we&#8217;ll do all of this (and more!) for you, for free. So you don&#8217;t really need any Linux administrating skills if you get a Managed VPS from us.<\/p>\n<h3><strong>Prerequisites<\/strong><\/h3>\n<ul>\n<li>We will use one of our <a href=\"https:\/\/www.rosehosting.com\/centos-hosting.html\">CentOS 7 VPS<\/a>, but the instructions are similar for other distros too, like <a href=\"https:\/\/www.rosehosting.com\/ubuntu-hosting.html\">Ubuntu<\/a>;<\/li>\n<li>Intermediate knowledge for administering Linux operating systems;<\/li>\n<li>Basic networking knowledge. TCP\/IP, Protocols, Ports;<\/li>\n<li>Knowledge for creating basic NGINX configurations;<\/li>\n<li>MySQL databases know-how;<\/li>\n<li>PHP know-how;<\/li>\n<\/ul>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<p class=\"ez-toc-title\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-662c6b06ce8ef\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"ez-toc-cssicon\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-662c6b06ce8ef\"  aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#Securing-Linux-itself\" title=\"Securing Linux itself\">Securing Linux itself<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#Securing-NGINX\" title=\"Securing NGINX\">Securing NGINX<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#Securing-MySQL-MariaDB\" title=\"Securing MySQL \/ MariaDB\">Securing MySQL \/ MariaDB<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#Securing-PHP\" title=\"Securing PHP\">Securing PHP<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#Types-of-PHP-Attacks\" title=\"Types of PHP Attacks\">Types of PHP Attacks<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#PHPINI-Tweaks\" title=\"PHP.INI Tweaks\">PHP.INI Tweaks<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#Conclusion\" title=\"Conclusion\">Conclusion<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"Securing-Linux-itself\"><\/span><strong>Securing Linux itself<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Linux by nature is a very secure operating system. The viruses, for example, can not, or rather can rarely harm the OS.<\/p>\n<p>Despite this, there are a number\u00a0precautions that should be considered that will help for one to have an even more secure system.<\/p>\n<h3>Always have the latest software and security updates<\/h3>\n<p>This already assumed, however, we believe it has to be mentioned for the sake of completeness of this guide. No matter what you do, if your system is not up to date, the present and old vulnerabilities will be exploited and your server will eventually be compromised, not by people, but by automated bots that scan for these vulnerabilities. The hacker will not even realize that your server got hacked, his script will do that for him. You should always <a href=\"https:\/\/www.rosehosting.com\/blog\/update-the-software-on-linux\/\">keep your system updated<\/a>. This stands for any software and application that is on your server, and any website (CMS) running on it. If you have WordPress running as a website it must be updated as soon as a new version is released.<\/p>\n<h3>Securing the remote login<\/h3>\n<ol>\n<li>The obvious &#8211; The <a href=\"https:\/\/www.rosehosting.com\/blog\/generate-password-linux-command-line\/\">root password should be a very long and strong combination of letters, numbers, and symbols<\/a>.<\/li>\n<li><a href=\"https:\/\/www.rosehosting.com\/blog\/change-default-ssh-port-on-linux\/\">Change the default SSH port (22) to a random port<\/a>.<\/li>\n<li>Remote root logins should be disallowed.<\/li>\n<li>A public key authentication mechanism instead of password logins should be used.<\/li>\n<li>While doing the above standard Linux user accounts should be used. These users should be given the ability to escalate root privileges.<\/li>\n<\/ol>\n<p>For example:<\/p>\n<p>We will set our root password to something like `BvP7mW#zX9rwK!PSA^jk`<\/p>\n<p>If it is a basic Linux (CentOS) installation install sudo first.<\/p>\n<pre># yum install sudo<\/pre>\n<p>Create a standard user:<\/p>\n<pre># useradd -d \/home\/adminjohn adminjohn\r\n# passwd adminjohn\r\n&lt;enter-adminjohn's-very-strong-password-twice&gt;<\/pre>\n<p>Grant admin john the ability to escalate root privileges:<\/p>\n<pre># visudo<\/pre>\n<p>At the end of the file find the part where it says:<\/p>\n<pre>## Allows people in group wheel to run all commands\r\n%wheel \u00a0ALL=(ALL) \u00a0 ALL\r\n<\/pre>\n<p>And make sure that the line is uncommented.<\/p>\n<p>Now add our adminjohn as a member of the group wheel.<\/p>\n<pre># usermod -a -G wheel adminjohn\r\n<\/pre>\n<p>Edit the <code>\/etc\/ssh\/sshd_config<\/code> and set the following:<\/p>\n<p><strong>Note:<\/strong> While doing this be very careful as you may easily lock yourself out of your server. Always make sure that you have console access or two or more root sessions open so that you can test and revert back the changes.<\/p>\n<pre># vim \/etc\/ssh\/sshd_config\r\n\r\nPort 29862\r\nPermitRootLogin no\r\n<\/pre>\n<p>With these settings in place, remote root logins are forbidden, however, our user <code>adminjohn<\/code> will be able to log in via ssh and then he can switch to root using the commands <code>sudo su -<\/code>\u00a0 if necessary.<\/p>\n<p>This system can be further improved by implementing a public key authentication. This, however, is more complex and it is out of the scope of the guide.<\/p>\n<h3><strong>Linux firewall<\/strong><\/h3>\n<p>Most Linux systems today make use of either <a href=\"https:\/\/www.rosehosting.com\/blog\/blocking-abusive-ip-addresses-using-iptables-firewall-in-debianubuntu\/\">IPTables<\/a> or <a href=\"https:\/\/www.rosehosting.com\/blog\/set-up-and-configure-a-firewall-with-firewalld-on-centos-7\/\">Firewalld<\/a> as their firewall. The key concept here to understand is that as a rule of thumb, if we want our firewall to be effective then we must implement a so-called <em>deny all with exceptions policy<\/em>.<\/p>\n<p>For example: If your server serves only a WordPress website, then any firewall in place should allow only access to ports 80 (HTTP), 443 (HTTPS) and 22 (SSH) or whatever other port you decide to be. In our example, we should allow access to 80, 443 and 29862. We can, however, further extend our use and also open up the port 25 if we want to send emails from our site. If we are not sure, we can always make use of the command <code>netstat -tulnp<\/code> in order to check all of the active ports on our server and decide what should and shouldn&#8217;t be used.<\/p>\n<h3>Disabling unused services<\/h3>\n<p>To go one\u00a0step further, on any Linux server one must always disable any unused services\/applications as this will greatly limit the attack surface of the server. The more services you add, the more you increase the attack surface of the server, and the more susceptible to attack it becomes. Modern Linux implementations like CentOS 7 and Ubuntu 16\u00a0use systemd as their init daemon. Services that need access to the network can easily be identified with the <code>netstat -tulnp<\/code> command.<\/p>\n<p>In the example below, we can see that our system (CentOS 7) runs dovecot, postfix (master), sshd, vsftpd and nginx.<\/p>\n<pre># netstat -tulnp\r\nActive Internet connections (only servers)\r\nProto Recv-Q Send-Q Local Address Foreign Address State PID\/Program name\r\ntcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 444\/dovecot\r\ntcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 444\/dovecot\r\ntcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 442\/master\r\ntcp 0 0 0.0.0.0:29862\u00a00.0.0.0:* LISTEN 30430\/sshd\r\ntcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 444\/dovecot\r\ntcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 444\/dovecot\r\ntcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 241\/nginx: master p\r\ntcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 119\/vsftpd\r\ntcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 442\/master\r\n<\/pre>\n<p>If we decide that we don&#8217;t need dovecot it can be disabled using:<\/p>\n<pre>## Be carefull not to disable anything essential\r\nsystemctl stop dovecot\r\nsystemctl disable dovecot\r\n<\/pre>\n<p>The latter disables dovecot from starting the next time our system is rebooted.<\/p>\n<p><strong>Note:<\/strong> Older systems\u00a0use older init daemons, thus on these systems the service management commands are different. Ubuntu 14, for example, uses upstart, and CentOS 6 uses sysvinit. If you wish to learn how you can disable\/enable services on these systems, you should consult their documentation.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Securing-NGINX\"><\/span><strong>Securing NGINX<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3>NGINX should run as a non-root user<\/h3>\n<p>The default NGINX installation sets its process to be run by either nginx or www-data as its user. If by any chance the server runs as root then it can be changed by setting the appropriate directive in the <code>\/etc\/nginx\/nginx.conf<\/code> file.<\/p>\n<pre>user nginx;\r\n<\/pre>\n<p>Keep in mind that if the user is set as root and you change it, that might break your website, as it may require to further adjust the web root permission.<\/p>\n<p>Normal web root permissions are 755 for the directories and 644 for the files.<\/p>\n<h3>Hide Nginx version number<\/h3>\n<p>Version numbers are often used by the hackers to exploit already present vulnerabilities.<\/p>\n<p>Put this in the http block in <code>\/etc\/nginx\/nginx.conf<\/code>:<\/p>\n<pre># vim \/etc\/nginx\/nginx.conf\r\nserver_tokens off;\r\n<\/pre>\n<h3>Force using HTTPS<\/h3>\n<p>If you are aiming for a highly secure site you should always standardize URL names and force your users to use HTTPS.\u00a0Usually the developers will put headers in their WordPress site, however, the right way to do that is from the NGNIX itself.<\/p>\n<p>In the example below, we have two server blocks. The first one&#8217;s only purpose is to capture standard HTTP requests and redirects them to HTTPS requests.<\/p>\n<pre><span class=\"k\">server<\/span> <span class=\"p\">{\r\n<\/span>    listen 80;\r\n    <span class=\"kn\">server_name<\/span> yoursite.com <span class=\"s\">www.yoursite.com<\/span><span class=\"p\">;<\/span>\r\n    <span class=\"kn\">return<\/span> <span class=\"mi\">301<\/span> https<span class=\"nv\">:\/\/yoursite.com$request_uri<\/span><span class=\"p\">;<\/span>\r\n<span class=\"p\">}<\/span><\/pre>\n<pre><span class=\"k\">server<\/span> <span class=\"p\">{\r\n<\/span>    listen 443;\r\n    <span class=\"kn\">server_name<\/span> yoursite.com <span class=\"s\">www.yoursite.com<\/span><span class=\"p\">;\r\n<\/span>    ssl_protocols TLSv1.1 TLSv1.2;\r\n    # [...]\r\n}<\/pre>\n<p>&nbsp;<\/p>\n<h3>Restrict HTTPS to TLSv1.1 and TLSv1.2<\/h3>\n<p>Refer to the example above. In the SSL server block, the <code>ssl_protocls<\/code> directive clearly defines the protocols that should be allowed. A more liberal approach would be to include the TLSv1 as well:<\/p>\n<pre>ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\n<\/pre>\n<h3>Forwarding\u00a0uncontrolled requests to PHP<\/h3>\n<p>Many online guides about setting up NGINX with PHP contain sections like this:<\/p>\n<pre>location ~* \\.php$ {\r\n    fastcgi_pass backend;\r\n    # [...]\r\n}\r\n<\/pre>\n<p>In the above example, every request ending in <code class=\"docutils literal\"><span class=\"pre\">.php<\/span><\/code> will be passed to the FastCGI backend. The default PHP configuration tries to guess which file you want to execute if the specified location\u00a0does not lead to an actual php file.<\/p>\n<p>For instance, if a request is made for <code>\/yoursite.com\/wp-content\/uploads\/1232.jpg\/file.php<\/code> which does not exist but if <code>\/yoursite.com\/wp-content\/uploads\/1232.jpg<\/code>\u00a0does, the PHP interpreter will process <code>\/\/yoursite.com\/wp-content\/uploads\/1232.jpg<\/code>\u00a0instead. If this contains embedded PHP code, this code will be executed accordingly. Do you know what this means? If you have a WordPress site that allows a user to upload images, an attacker could easily upload a malicious file disguised as an image and compromise your site.<\/p>\n<p>There are a couple of solutions for this both in the NGINX configuration and in the PHP itself (See below at Securing PHP).<\/p>\n<p>One approach is to ensure that you give NGINX specific files for execution. This is the most secure method but it will also limit the files allowed to be executed and may give you problems later on.<\/p>\n<p>In the example below our server will process only the files named <code>index.php<\/code>, <code>site.php<\/code> and <code>cms.php<\/code>.<\/p>\n<pre><span class=\"k\">location<\/span> <span class=\"p\">~<\/span><span class=\"sr\">*<\/span> <span class=\"s\">(index.php|site.php|cms.php)\\.php<\/span>$ <span class=\"p\">{<\/span>\r\n    <span class=\"kn\">fastcgi_pass<\/span> <span class=\"s\">backend<\/span><span class=\"p\">;<\/span>\r\n    <span class=\"c1\"># [...]<\/span>\r\n<span class=\"p\">}\r\n<\/span><\/pre>\n<p>Another approach is to use the <code>try_files<\/code> directive. In the below example, if the provided file does not exist, NGINX will throw a 404 error.<\/p>\n<pre><span class=\"k\">location<\/span> <span class=\"p\">~<\/span><span class=\"sr\">*<\/span> <span class=\"s\">\\.php<\/span>$ <span class=\"p\">{<\/span>\r\n    <span class=\"kn\">try_files<\/span> <span class=\"nv\">$uri<\/span> <span class=\"p\">=<\/span><span class=\"mi\">404<\/span><span class=\"p\">;<\/span>\r\n    <span class=\"kn\">fastcgi_pass<\/span> <span class=\"s\">backend<\/span><span class=\"p\">;<\/span>\r\n    <span class=\"c1\"># [...]<\/span>\r\n<span class=\"p\">}<\/span><\/pre>\n<p>Last but not least, disable script processing for any folders not meant for such\u00a0purpose. To be more precise such folders are usually folders containing uploads of any kind.<\/p>\n<pre><span class=\"k\">location<\/span> <span class=\"s\">\/uploads<\/span> <span class=\"p\">{<\/span>\r\n    <span class=\"kn\">location<\/span> <span class=\"p\">~<\/span> <span class=\"sr\">\\.php$<\/span> <span class=\"p\">{<\/span><span class=\"kn\">return<\/span> <span class=\"mi\">403<\/span><span class=\"p\">;}<\/span>\r\n    <span class=\"c1\"># [...]<\/span>\r\n<span class=\"p\">}<\/span><\/pre>\n<p>[ecko_alert color=&#8221;blue&#8221;]Stuck somewhere? <a href=\"https:\/\/www.rosehosting.com\/managed-vps-hosting.html\">Get a fully managed VPS<\/a> from us and we&#8217;ll completely and properly secure your server.[\/ecko_alert]<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Securing-MySQL-MariaDB\"><\/span><strong>Securing MySQL \/ MariaDB<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There is not much on the topic of securing your MySQL database and in fact, the best way to secure it is to make sure that it is not accessible from anywhere except the host itself. After installing MySQL, the package comes with a great deployment script which can be invoked using <code>mysql_secure_installation<\/code> on your server. The script is great because it will make sure that there are no loose ends. It will prompt you to setup a MySQL root password as well as it will disable the remote logins and will remove the test database.<\/p>\n<p>For those of you that already have functioning servers and do not wish to start the script, the best place to check is <code>\/etc\/my.cnf<\/code> and make sure that you have the <code>bind-address = 127.0.0.1<\/code> value set and it is not commented out.<\/p>\n<p>Another also highly secure mechanism is to use one (read at least one) user\/database per site. A lot of websites out there make use of the root mysql user for connecting the website with the database. The root user by default has access to every other database. This means any discovered vulnerability on one site, can potentially be exploited for an attacker to gain access to all of your databases.<\/p>\n<p>Bottom line is, if you have three websites on your server, then there should be at least three database users accessing their own database.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Securing-PHP\"><\/span><strong>Securing PHP<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>PHP itself provides a relatively large attack surface, especially because most PHP implementations by default have fairly liberal configurations so that the developers can write their code without too much hassle. The subtopics mentioned here, are\u00a0general considerations for sysadmins. These, however, have to be additionally tweaked as per the developer&#8217;s needs. Securing the PHP interpreter is always a place\u00a0of argument and debate between the sysadmins and the developers, and can only be done properly if they all work together.<\/p>\n<p>Always a place\u00a0of argument and debate between the sysadmins and the developers, thus can only be done properly if both work together.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Types-of-PHP-Attacks\"><\/span>Types of PHP Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3>SQL Injection<\/h3>\n<p>This is a vulnerability of the application itself, usually poorly coded PHP apps almost always have this vulnerability. The more popular CMS systems are always secured against this type of attack. There is not much to be said about this type of attack except that the best way to prevent it is with good\u00a0education for the developers.<\/p>\n<h3>XSS &#8211; Cross Site Scripting<\/h3>\n<p>These types of vulnerabilities are difficult to defend against. Again, the developers of the commonly used CMS platforms like WordPress, Joomla, Drupal etc. are very cautious and make sure that their code is properly written and regularly patched. Most of the security measures against these and any other types of attacks can be implemented via the main PHP configuration file. More on this later.<\/p>\n<h3>Cross-site request forgeries \u2013 CSRF<\/h3>\n<p>Type of attack which forces the end user to execute unwanted actions on the web application where he is currently authenticated. If the user is an administrator account, the entire website could be compromised.\u00a0Banking and e-commerce sites are particularly targeted with these types of attacks\u00a0especially because the attackers are interested in stealing their account information to gain access to their funds.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"PHPINI-Tweaks\"><\/span>PHP.INI Tweaks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3>Stop PHP processing if the file is not found<\/h3>\n<p>Make sure that\u00a0cgi.fix_pathinfo=0 \u00a0is in fact set to 0 in php.ini. This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found. Do you recall the examples from <strong>Forwarding\u00a0uncontrolled requests to PHP<\/strong> of the Securing NGINX part? This is the final piece of the NGINX\/PHP-FPM puzzle.<\/p>\n<h3><strong>Disabling PHP Dangerous functions<\/strong><\/h3>\n<p>The flexibility of PHP includes many functions by default which can be used or misused depending on what one wishes to accomplish. For example, for more advanced configurations, PHP allows for remote file executions where the files can be remotely executed from another server. Although this may sound fun, it is also a security vulnerability where an attacker can open and execute any file on the remote server. This may allow them to also upload malicious files. Remote file execution should be disabled from the PHP configuration file.<\/p>\n<pre>disable_functions =exec,eval,phpinfo,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source<\/pre>\n<h3><strong>Restricting file uploads<\/strong><\/h3>\n<p>We&#8217;ve seen that through the NGINX configuration we can restrict the file uploads only to certain directories on our site. However, if your site doesn&#8217;t use file uploading features at all, they can and should be completely disabled.<\/p>\n<pre>file_uploads=Off<\/pre>\n<p>Of course, if your application is using the file uploads feature,\u00a0then it can be reasonably enabled by restricting the upload size limit. In the below example, one can upload files up to 1 megabyte.<\/p>\n<pre>file_uploads=On\r\nupload_max_filesize=1M<\/pre>\n<h3>Set the POST size to a reasonable value<\/h3>\n<p>The POST method is used whenever a user needs to send some data to your server\/web application, and as such can potentially be exploited for malicious use, like DoS attack for example. This also includes sending large files to your server. However this method is also an integral part of any web application, so the best way to protect yourself is to limit its value and set it to something more reasonable. If you don&#8217;t use file uploads, then its value can be set to something like 4 KB or less.<\/p>\n<pre>post_max_size=1K<\/pre>\n<p>If you do use the uploading files feature, then it should be set to a value that is larger than the\u00a0<code>upload_max_filesize<\/code> value on your server.<\/p>\n<h3>Restrict PHP Information Leakage<\/h3>\n<p>By setting the \u00a0<code>expose_php = Off<\/code>, one can simply hide the information that PHP is installed on the server. This will, in fact, hide the signature that PHP is leaving on the Web server header. The PHP documentation states that leaving this value to ON is not a vulnerability. However, no one can deny the fact\u00a0that the less information you present to the external world, the more secure your server will be.<\/p>\n<h3>Restricting the PHP script maximum execution time<\/h3>\n<p>Set the following values in your <code>php.ini<\/code> file. They can later be tailored according to a more specific needs.<\/p>\n<pre># set in seconds\r\nmax_execution_time = 30\r\nmax_input_time = 30\r\nmemory_limit = 40M\r\n<\/pre>\n<p>Not only that setting these limits are a great DoS attack prevention, but they can also protect your server by careless programming and infinite loop cycles. What this basically does, is the following:<\/p>\n<ol>\n<li>Sets the maximum time to 30 seconds that a script is allowed to run before it is terminated by the parser (PHP).<\/li>\n<li>Sets the maximum time to 30 seconds that a script is allowed to parse input data, like POST and GET.<\/li>\n<li>Sets the maximum amount of memory to 40 MB, a value that a script is allowed to allocate.<\/li>\n<\/ol>\n<p>In many PHP configurations, the\u00a0memory_limit value is set to -1, which is fine in development, but otherwise a bad choice.<\/p>\n<h3>Disable unused PHP modules<\/h3>\n<p>PHP modules are great since they allow and enable certain functionalities to your web application. The most common example for this is the PHP pdo_mysql module which allows PHP to access MySQL databases. All of these modules, however, can potentially bring their own flaws and vulnerabilities with them and if they are not used, they can be disabled or removed. By using the command <code>php -m<\/code> one can see all of the installed PHP modules. Disabling unused modules lowers the PHP attack surface. Ideally, PHP should be reinstalled and recompiled using only the needed modules. However, if you feel that redoing all of that is too much, then you can simply disable these by just uncommenting their line in php.ini or renaming their configuration file in <code>\/etc\/php.d\/module_name.ini<\/code> to something like\u00a0<code>\/etc\/php.d\/module_name.ini.disabled<\/code>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Linux server itself is by nature a very secure operating system. This does not count for any negligence, so standard security measures should always be practiced. Direct root logins are never recommended, and public key authentication is always advised.<\/p>\n<p>Proper LEMP stack implementation is essential for any secure web server setup. However one should always keep in mind that this is just one part of the security. Securing your servers and web applications should be in fact a joined effort between the developers and the system administrators. That is the other part is in the application code itself.\u00a0For example, even if all of the above is carefully planned and implemented, but the developers do not secure the MySQL queries properly, your application will be vulnerable to the MySQL Injection attack which will lead to data leakage.<\/p>\n<p>Finally, regularly installing the application upgrades and the security patches are always one of the best ways to protect against any known vulnerabilities. Your server and application if left unattended will eventually get compromised.<\/p>\n<hr \/>\n<p>Of course, you don\u2019t have to\u00a0secure LEMP stack, if you use one of our <a href=\"https:\/\/www.rosehosting.com\/managed-vps-hosting.html\">Linux SSD VPS solutions<\/a>, in which case you can simply ask their expert Linux admins to secure youtr LEMP Stack or anything else on your Linux server. They are available 24&#215;7 and will take care of your request immediately.<\/p>\n<p><strong><span style=\"color: #ff0000;\">PS<\/span><\/strong>. If you liked this post on how to secure LEMP stack, please share it with your friends on the social networks using the buttons below or simply leave a reply. Thanks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ll show you, how to secure LEMP stack. LEMP, it stands for Linux, (EngineX) NGINX, MariaDB (or MySQL) and PHP. &#8230; <\/p>\n<p class=\"read-more-container\"><a title=\"How to secure LEMP stack\" class=\"read-more button\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#more-21522\" aria-label=\"Read more about How to secure LEMP stack\">Read More<\/a><\/p>\n","protected":false},"author":4,"featured_media":24821,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1702,13,1712,1707],"tags":[310,296,39,49,50,65],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to secure LEMP stack - RoseHosting<\/title>\n<meta name=\"description\" content=\"How to secure LEMP stack - RoseHosting\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to secure LEMP stack - RoseHosting\" \/>\n<meta property=\"og:description\" content=\"How to secure LEMP stack - RoseHosting\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/\" \/>\n<meta property=\"og:site_name\" content=\"RoseHosting\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/RoseHosting\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/rosehosting.helpdesk\" \/>\n<meta property=\"article:published_time\" content=\"2017-03-01T13:39:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-06-03T08:42:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jeff Wilson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@rosehosting\" \/>\n<meta name=\"twitter:site\" content=\"@rosehosting\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeff Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/\"},\"author\":{\"name\":\"Jeff Wilson\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/7ce77a842fa6a9a7f8efa186f2353713\"},\"headline\":\"How to secure LEMP stack\",\"datePublished\":\"2017-03-01T13:39:37+00:00\",\"dateModified\":\"2022-06-03T08:42:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/\"},\"wordCount\":3167,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg\",\"keywords\":[\"lemp\",\"mariadb\",\"mysql\",\"nginx\",\"php\",\"security\"],\"articleSection\":[\"Databases\",\"Tutorials\",\"Web Frameworks\",\"Web Servers\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/\",\"name\":\"How to secure LEMP stack - RoseHosting\",\"isPartOf\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg\",\"datePublished\":\"2017-03-01T13:39:37+00:00\",\"dateModified\":\"2022-06-03T08:42:17+00:00\",\"description\":\"How to secure LEMP stack - RoseHosting\",\"breadcrumb\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#primaryimage\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg\",\"contentUrl\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg\",\"width\":1200,\"height\":600,\"caption\":\"How to secure LEMP stack\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.rosehosting.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to secure LEMP stack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#website\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/\",\"name\":\"RoseHosting\",\"description\":\"Premium Linux Tutorials Since 2001\",\"publisher\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.rosehosting.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#organization\",\"name\":\"RoseHosting\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2022\/03\/android-chrome-192x192-1.png\",\"contentUrl\":\"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2022\/03\/android-chrome-192x192-1.png\",\"width\":192,\"height\":192,\"caption\":\"RoseHosting\"},\"image\":{\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/RoseHosting\",\"https:\/\/x.com\/rosehosting\",\"https:\/\/www.linkedin.com\/in\/rosehosting\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/7ce77a842fa6a9a7f8efa186f2353713\",\"name\":\"Jeff Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/09271207587f897ab46faaed9b355252?s=96&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/09271207587f897ab46faaed9b355252?s=96&r=g\",\"caption\":\"Jeff Wilson\"},\"description\":\"An experienced Linux veteran with many years of experience. Helping other Linux admins with frequent Linux and business-related blog posts on the RoseHosting blog. Techie by choice. Loving nature and travel. Happily married and father of two lovely children.\",\"sameAs\":[\"https:\/\/www.rosehosting.com\",\"https:\/\/www.facebook.com\/rosehosting.helpdesk\"],\"url\":\"https:\/\/www.rosehosting.com\/blog\/author\/jwilson\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to secure LEMP stack - RoseHosting","description":"How to secure LEMP stack - RoseHosting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/","og_locale":"en_US","og_type":"article","og_title":"How to secure LEMP stack - RoseHosting","og_description":"How to secure LEMP stack - RoseHosting","og_url":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/","og_site_name":"RoseHosting","article_publisher":"https:\/\/www.facebook.com\/RoseHosting","article_author":"https:\/\/www.facebook.com\/rosehosting.helpdesk","article_published_time":"2017-03-01T13:39:37+00:00","article_modified_time":"2022-06-03T08:42:17+00:00","og_image":[{"width":1200,"height":600,"url":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg","type":"image\/jpeg"}],"author":"Jeff Wilson","twitter_card":"summary_large_image","twitter_creator":"@rosehosting","twitter_site":"@rosehosting","twitter_misc":{"Written by":"Jeff Wilson","Est. reading time":"17 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#article","isPartOf":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/"},"author":{"name":"Jeff Wilson","@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/7ce77a842fa6a9a7f8efa186f2353713"},"headline":"How to secure LEMP stack","datePublished":"2017-03-01T13:39:37+00:00","dateModified":"2022-06-03T08:42:17+00:00","mainEntityOfPage":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/"},"wordCount":3167,"commentCount":0,"publisher":{"@id":"https:\/\/www.rosehosting.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg","keywords":["lemp","mariadb","mysql","nginx","php","security"],"articleSection":["Databases","Tutorials","Web Frameworks","Web Servers"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/","url":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/","name":"How to secure LEMP stack - RoseHosting","isPartOf":{"@id":"https:\/\/www.rosehosting.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#primaryimage"},"image":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg","datePublished":"2017-03-01T13:39:37+00:00","dateModified":"2022-06-03T08:42:17+00:00","description":"How to secure LEMP stack - RoseHosting","breadcrumb":{"@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#primaryimage","url":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg","contentUrl":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2017\/03\/How-to-secure-LEMP-stack.jpg","width":1200,"height":600,"caption":"How to secure LEMP stack"},{"@type":"BreadcrumbList","@id":"https:\/\/www.rosehosting.com\/blog\/how-to-secure-your-lemp-stack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.rosehosting.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How to secure LEMP stack"}]},{"@type":"WebSite","@id":"https:\/\/www.rosehosting.com\/blog\/#website","url":"https:\/\/www.rosehosting.com\/blog\/","name":"RoseHosting","description":"Premium Linux Tutorials Since 2001","publisher":{"@id":"https:\/\/www.rosehosting.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.rosehosting.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.rosehosting.com\/blog\/#organization","name":"RoseHosting","url":"https:\/\/www.rosehosting.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2022\/03\/android-chrome-192x192-1.png","contentUrl":"https:\/\/www.rosehosting.com\/blog\/wp-content\/uploads\/2022\/03\/android-chrome-192x192-1.png","width":192,"height":192,"caption":"RoseHosting"},"image":{"@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/RoseHosting","https:\/\/x.com\/rosehosting","https:\/\/www.linkedin.com\/in\/rosehosting\/"]},{"@type":"Person","@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/7ce77a842fa6a9a7f8efa186f2353713","name":"Jeff Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.rosehosting.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/09271207587f897ab46faaed9b355252?s=96&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/09271207587f897ab46faaed9b355252?s=96&r=g","caption":"Jeff Wilson"},"description":"An experienced Linux veteran with many years of experience. Helping other Linux admins with frequent Linux and business-related blog posts on the RoseHosting blog. Techie by choice. Loving nature and travel. Happily married and father of two lovely children.","sameAs":["https:\/\/www.rosehosting.com","https:\/\/www.facebook.com\/rosehosting.helpdesk"],"url":"https:\/\/www.rosehosting.com\/blog\/author\/jwilson\/"}]}},"_links":{"self":[{"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/posts\/21522"}],"collection":[{"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/comments?post=21522"}],"version-history":[{"count":1,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/posts\/21522\/revisions"}],"predecessor-version":[{"id":41891,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/posts\/21522\/revisions\/41891"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/media\/24821"}],"wp:attachment":[{"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/media?parent=21522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/categories?post=21522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rosehosting.com\/blog\/wp-json\/wp\/v2\/tags?post=21522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}