Secure Apache2, PHP, MySQL

Build defenses for Apache2, PHP, MySQL

Hide information about the operating system and the versions of Apache and PHP on the 404, 403, 500 and similar error pages.

ServerSignature Off (removes the server and version footer line from error pages and directory listings)
ServerTokens Prod (responsible for how much information about the server is shown in the HTTP Server header; Prod trims it to just "Apache". Off is not a valid value for this directive.)
Edit the file php.ini:
expose_php = Off (responsible for showing the version of the PHP interpreter, for example in the X-Powered-By header. Values can be Off/On. Hide this too.)

Protection through the restriction of some functions in PHP.
In the configuration file /etc/php5/apache2/php.ini edit the following variables:
safe_mode_exec_dir = /home/http - allow launching programs only from this special directory.
disable_functions = system - disables PHP's system() function, which is used to run Unix commands (killall, chown, rm, etc.).
safe_mode = On - disables running commands on the server through PHP, but through a shell script we will still be able to view and edit the files to which we have access. And we have access to all files that Apache has access to. In Ubuntu and Debian, Apache runs as user www-data in the www-data group, so we have read access to all files with 644 permissions, even if they belong to other users, and full access to files and directories owned by www-data. (safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; on newer versions rely on disable_functions and open_basedir instead.)
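The settings from the two sections above (ServerSignature, ServerTokens, expose_php, disable_functions) are easy to get wrong with a typo or an override later in the file. The script below is an added example, not code from the original article: it reads an Apache config and a php.ini the way Apache and PHP do (last occurrence wins, comments ignored) and reports every setting that is still weak. The sample config files it writes to a temporary directory are constructed for the demo; point audit_disclosure at /etc/apache2/conf.d or /etc/php5/apache2/php.ini to check a real host.

```shell
#!/bin/sh
# Added example, not from the original article: audit an Apache config and a
# php.ini for the information-disclosure and function-restriction settings
# discussed above. Assumes POSIX sh with awk, grep, tr and mktemp; the sample
# config files below are constructed for the demo.

# Effective value of an Apache directive in FILE (last occurrence wins,
# comment lines ignored). Usage: apache_directive FILE DIRECTIVE
apache_directive() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(name) { val = $2 }
        END { print val }
    ' "$1"
}

# Value of KEY in a php.ini (last occurrence wins, ";" comments ignored,
# surrounding whitespace stripped). Usage: php_ini_value FILE KEY
php_ini_value() {
    awk -F'=' -v key="$2" '
        /^[[:space:]]*;/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        tolower(k) == tolower(key) { v = $2; gsub(/[[:space:]]/, "", v); val = v }
        END { print val }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one line per weak setting found in APACHE_CONF and PHP_INI.
# No output means every checked setting is hardened.
audit_disclosure() {
    conf=$1; ini=$2
    sig=$(apache_directive "$conf" ServerSignature)
    tok=$(apache_directive "$conf" ServerTokens)
    exp=$(php_ini_value "$ini" expose_php)
    dis=$(php_ini_value "$ini" disable_functions)

    [ "$(lower "$sig")" = off ]  || echo "ServerSignature is '${sig:-unset}' (want Off)"
    [ "$(lower "$tok")" = prod ] || echo "ServerTokens is '${tok:-unset}' (want Prod)"
    [ "$(lower "$exp")" = off ]  || echo "expose_php is '${exp:-unset}' (want Off)"
    # disable_functions is a comma-separated list; require system to be in it
    case ",$(lower "$dis")," in
        *,system,*) ;;
        *) echo "disable_functions is '${dis:-unset}' (want it to include system)" ;;
    esac
}

# Constructed sample files: one default-looking pair, one hardened pair.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# default-looking Apache config (constructed sample)
ServerSignature On
ServerTokens Full
EOF
cat > "$SAMPLE_DIR/hard.conf" <<'EOF'
ServerSignature Off
ServerTokens Prod
EOF
cat > "$SAMPLE_DIR/weak.ini" <<'EOF'
; php.ini (constructed sample)
expose_php = On
disable_functions =
EOF
cat > "$SAMPLE_DIR/hard.ini" <<'EOF'
expose_php = Off
disable_functions = system,exec,shell_exec,passthru
EOF

echo "== weak =="
audit_disclosure "$SAMPLE_DIR/weak.conf" "$SAMPLE_DIR/weak.ini"
echo "== hardened =="
audit_disclosure "$SAMPLE_DIR/hard.conf" "$SAMPLE_DIR/hard.ini"
```

The awk parsers deliberately take the last occurrence of a directive, because a later `ServerTokens Full` in an included file silently undoes an earlier `Prod`; auditing only the first match would miss exactly that mistake.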

Protection through the restriction of some functions in Apache.
Find the configuration file for the virtual host and, inside the VirtualHost directive, add permission to handle PHP scripts: php_admin_flag engine on. It remains to set the PHP variables open_basedir, include_path, upload_tmp_dir and safe_mode_include_dir so that file operations are limited to the user's home directory (~ below stands for that directory):
php_admin_flag engine on
php_admin_value open_basedir /srv/~
php_admin_value include_path .:/srv/~
php_admin_value upload_tmp_dir /srv/~/www/tmp
php_admin_value safe_mode_include_dir /srv/~/www/tmp

Running virtual hosts under different accounts
You must separate access at the Apache level. In fact, you need to run Apache for each user under that user's own login. What does this give? Situation: we have a server with many different hosts, and you want to separate their access from one another.

Install apache2-mpm-itk (apache2 and apache2-mpm-prefork can be removed):

$ sudo apt-get install apache2-mpm-itk

Next, add the following to each virtual host (MYUSER and MYGROUP are the account and group created below):

<IfModule mpm_itk_module>
    AssignUserID MYUSER MYGROUP
</IfModule>

Create a new group:
$ sudo groupadd friend

Create the user vasya in the group friend:
$ sudo useradd -s /bin/false -d /home/vasya -m -g friend vasya

Next, you must set the ownership of the virtual host's files:
$ sudo chown -R MYUSER:MYGROUP /var/www/my-virtualhost/

Activating the module through a2enmod is not necessary.

Reload Apache2:
$ sudo /etc/init.d/apache2 reload
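The steps above (group, user without a login shell, ownership, the IfModule block with AssignUserID, the php_admin_value restrictions, reload) are the same for every host you add, so they are worth scripting. The script below is an added example, not code from the original article: provision_vhost performs the whole procedure for one host and render_vhost prints the VirtualHost block it installs. It assumes a Debian/Ubuntu layout (/etc/apache2/sites-available and a2ensite), mpm-itk already installed, and that it is run as root; the host name example.test and the account vasya:friend are constructed values. By default it only prints what it would do; run it with DRY_RUN set to empty to apply the changes.

```shell
#!/bin/sh
# Added example, not from the original article: provision one per-user
# virtual host for apache2-mpm-itk, combining the steps above (group, user,
# ownership, vhost config with AssignUserID and open_basedir, reload).
# Assumptions: Debian/Ubuntu layout (/etc/apache2/sites-available, a2ensite),
# mpm-itk installed, script run as root. Defaults to a dry run that only
# prints what it would do; run with DRY_RUN= (empty) to apply for real.

DRY_RUN=${DRY_RUN-1}
SITES_DIR=${SITES_DIR:-/etc/apache2/sites-available}
DOCROOT_BASE=${DOCROOT_BASE:-/var/www}

# Run a command, or just print it when dry-running.
run() {
    if [ -n "$DRY_RUN" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Print the VirtualHost block for NAME, running as USER:GROUP with PHP
# confined to DOCROOT. Usage: render_vhost NAME USER GROUP DOCROOT
render_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $4
    # mpm-itk: worker processes for this host switch to the host's own account,
    # so a script on this host no longer reads other users' 644 files as www-data.
    <IfModule mpm_itk_module>
        AssignUserID $2 $3
    </IfModule>
    php_admin_flag engine on
    php_admin_value open_basedir $4
    php_admin_value include_path .:$4
    php_admin_value upload_tmp_dir $4/tmp
</VirtualHost>
EOF
}

# Create the account, the document root and the site config for NAME.
# Usage: provision_vhost NAME USER GROUP
provision_vhost() {
    name=$1; user=$2; group=$3
    docroot=$DOCROOT_BASE/$name
    getent group "$group" >/dev/null 2>&1 || run groupadd "$group"
    # no login shell: the account exists only to own files and run the worker
    id "$user" >/dev/null 2>&1 || run useradd -s /bin/false -d "/home/$user" -m -g "$group" "$user"
    run mkdir -p "$docroot/tmp"
    run chown -R "$user:$group" "$docroot"
    # 750: the accounts of other vhosts on the same box cannot read this host's files
    run chmod 750 "$docroot"
    if [ -n "$DRY_RUN" ]; then
        echo "+ write $SITES_DIR/$name.conf:"
        render_vhost "$name" "$user" "$group" "$docroot"
    else
        render_vhost "$name" "$user" "$group" "$docroot" > "$SITES_DIR/$name.conf"
        run a2ensite "$name"
        run /etc/init.d/apache2 reload
    fi
}

# Demo with constructed values (dry run by default).
provision_vhost example.test vasya friend
```

The chmod 750 on the document root is the point of the whole exercise: once each host runs under its own account, tightening the directory from world-readable to group-readable is what actually stops one host's scripts from reading another host's files.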
That's all! At least we've fool-proofed it =)