Gentoo Forums
Gentoo Forums Forum Index Networking & Security

Tuning LAMP for different resources

AlexanderKh
n00b

Joined: 21 Nov 2014
Posts: 23
Location: Ukraine

Posted: Sun Feb 28, 2016 2:43 am    Post subject: Tuning LAMP for different resources

I am learning tuning of LAMP (Apache - MySQL - PHP) for different types of websites (please do not recommend other components, they are not applicable for me).

I am interested in 3 types of websites:
1. blog
2. forum
3. online store

Imagine that each of these websites has a dedicated server with the same configuration; what would be general tips on tuning LAMP for each of them?

For example, a forum requires more tuning of MySQL, while a store needs PHP optimized, etc. Any suggestions?

Jzomer
n00b

Joined: 14 Mar 2016
Posts: 11

Posted: Mon Mar 14, 2016 3:00 pm

To have a webserver secure you would have to have everything secure.
It's not only your LAMP stack that has to be secure but also your box.

A few tips are:
- Keep your kernel up to date
- Use hardened Gentoo/SELinux/grsec for optimising security.
- Configure iptables or any other firewall according to your preference (a nice tool for creating an iptables config is http://www.mista.nu/iptables/)


Configuring sysctl is also a good security practice, here I have an example sysctl.conf:

Quote:
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0


# Turn on exec-shield
# (kernel.exec-shield only exists on Red Hat patched kernels; a mainline or
# Gentoo kernel has no such key and "sysctl -p" will report an error for it)
kernel.exec-shield = 1
# ASLR: 1 randomises stack, mmap and vdso; 2 additionally randomises the heap (brk)
kernel.randomize_va_space = 1

# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

# Optimization for port use for LBs
# Increase system file descriptor limit
fs.file-max = 65535

# Allow for more PIDs (to reduce rollover problems); may break programs that assume the old limit of 32768
kernel.pid_max = 65536

# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

# Increase TCP max buffer size settable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# TCP windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1


When writing those websites you should be careful with sanitizing input; make sure to use input validation at all times.

A great post on securing mysql databases is:
https://www.digitalocean.com/community/tutorials/how-to-secure-mysql-and-mariadb-databases-in-a-linux-vps

Also you should definitely read this:
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

Do not hesitate to contact me for any further questions.

Kind Regards,

Jordy
_________________
You can always PM me if you're stuck with anything linux/security related ;)
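A sysctl list like the one in Jordy's post is only worth anything if it is actually in effect, so an added example follows. It is not from the post and not part of Gentoo: a POSIX sh + awk audit that compares a sysctl.conf (or the running kernel, read from /proc/sys) against a small hardening baseline and reports each key as OK, WEAK or MISSING. The baseline, the constructed sample configuration, and the function names audit_conf and audit_live are the example's own assumptions; the sample deliberately has ip_forward switched on and three keys left out so the failure path is exercised.

```shell
#!/bin/sh
# Added example (not from the forum post or from Gentoo): audit a sysctl
# configuration against a hardening baseline with POSIX sh + awk.

nl='
'

# Baseline of key=value pairs, a subset of the post's list. randomize_va_space
# is 2 here because 2 also randomises the heap (brk) base, while 1 does not.
BASELINE='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.ip_forward=0
kernel.randomize_va_space=2'

# Constructed sample sysctl.conf (not taken from a real host): three keys
# correct, ip_forward enabled by mistake, ASLR at the conservative value 1,
# and three baseline keys absent altogether.
SAMPLE_CONF='# constructed sample
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter=1      # inline comment
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
kernel.randomize_va_space = 1'

# audit_conf CONF_TEXT
# Prints one line per baseline key: "OK key", "WEAK key want=X got=Y" or
# "MISSING key want=X". Exit status is 0 only when every key is OK.
audit_conf() {
    {
        printf '%s\n' "$BASELINE"
        printf '%s\n' '__END_BASELINE__'
        printf '%s\n' "$1"
    } | awk '
        $0 == "__END_BASELINE__" { in_conf = 1; next }
        # First section of stdin: the baseline, kept in order.
        !in_conf {
            split($0, kv, "="); want[kv[1]] = kv[2]; order[++n] = kv[1]; next
        }
        # Second section: the configuration under test.
        {
            sub(/#.*/, "")          # drop comments, inline ones included
            gsub(/[ \t]/, "")       # "key = value" -> "key=value"
            if ($0 == "" || index($0, "=") == 0) next
            split($0, kv, "="); have[kv[1]] = kv[2]
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have))            { print "MISSING " k " want=" want[k]; bad++ }
                else if (have[k] != want[k]) { print "WEAK " k " want=" want[k] " got=" have[k]; bad++ }
                else                         { print "OK " k }
            }
            exit (bad > 0 ? 1 : 0)
        }'
}

# audit_live
# Same check against the running kernel by reading /proc/sys (the values that
# "sysctl -a" prints). This catches a sysctl.conf that was edited but never
# applied with "sysctl -p", or a setting reset by a reboot.
audit_live() {
    [ -d /proc/sys ] || { echo "SKIP: /proc/sys not available"; return 0; }
    live=''
    for pair in $BASELINE; do
        key=${pair%%=*}
        file="/proc/sys/$(printf '%s' "$key" | tr . /)"
        [ -r "$file" ] && live="$live$key=$(cat "$file")$nl"
    done
    audit_conf "$live"
}

# Stand-alone run: audit the constructed sample, then the running kernel.
audit_conf "$SAMPLE_CONF" || echo "sample sysctl.conf needs attention"
audit_live || echo "running kernel needs attention"
```

Point audit_conf at the real file with `audit_conf "$(cat /etc/sysctl.conf)"` and compare its output with audit_live; a key that is OK in the file but WEAK live has not been applied (`sysctl -p`, or `sysctl --system` for /etc/sysctl.d), and one that is OK live but MISSING from the file will not survive a reboot.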