Security aspects of a CentOS 6.5 running a website

Hi Experts

We have configured a VPS (CentOS 6.5) with a public IP, set up a web server and opened port 80 to test it, but we are concerned about security aspects. Could you provide a checklist of what we should take care of?

Thanks.
dimensionav Asked:
Jan Springer Commented:
Restrict sensitive areas by IP address and authentication using either .htaccess or in the httpd.conf.

Install modsecurity and modevasive.

Restrict (where possible) POST and PUT commands.

Disable any status information.

Disable directory listing.

dimensionav Author Commented:
Jan, a couple of questions:

When you say "Restrict (where possible), POST and PUT commands", do you mean that we should do this from the PHP application? And what does "Disable any status information" mean?

Thank you very much!
gheist Commented:
You can read some security guidance here:
https://benchmarks.cisecurity.org/downloads/show-single/?file=apache.330
CentOS:
You did well keeping the firewall.
Normally you leave SELinux at full power and check violations (audit2allow/audit2why/setsebool etc.).
Apache:
And log the Apache error log to a remote syslog server.
Adding a small piece at a time to the default config will keep you safe from the internet and your own mistakes.
You need to upgrade to 6.6 NOW, and adopt the practice of not skipping security patches in future.
Did somebody say backup?
Jan Springer Commented:
Either:
  #ExtendedStatus On (commented out; it's off by default)
  ExtendedStatus Off

And within each web root:

   <Limit PUT OPTIONS>
       Order deny,allow
       Deny from all
   </Limit>

If you don't have an app that needs to POST, include that, as well.

Also, remove any modules that you will not need, and especially remove any proxy modules.
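As an added check for the points raised in this thread (not code from any of the posters), the POSIX shell script below reads an Apache 2.2 httpd.conf in the CentOS 6 layout and reports which items are not yet applied: status information, directory listing, proxy modules, mod_security and mod_evasive, and a <Limit> block denying PUT. The module names security2_module and evasive20_module are the standard LoadModule names for mod_security 2.x and mod_evasive; both sample configs are constructed for the example.

```shell
#!/bin/sh
# Audit an Apache 2.2 httpd.conf against this thread's checklist.
# Commented-out directives are ignored; sample configs are constructed.

audit_httpd_conf() {
    live=$(grep -v '^[[:space:]]*#' "$1" || true)     # drop comment lines
    chk() { printf '%s\n' "$live" | grep -iq "$1"; }   # case-insensitive match
    chk '^[[:space:]]*ExtendedStatus[[:space:]][[:space:]]*On' \
        && echo "FINDING: ExtendedStatus On leaks per-request status"
    chk '^[[:space:]]*Options.*[[:space:]+]Indexes' \
        && echo "FINDING: Options Indexes enables directory listing"
    chk '^[[:space:]]*LoadModule[[:space:]][[:space:]]*proxy' \
        && echo "FINDING: proxy module loaded; remove if unused"
    chk 'LoadModule[[:space:]][[:space:]]*security2_module' \
        || echo "FINDING: mod_security (security2_module) not loaded"
    chk 'LoadModule[[:space:]][[:space:]]*evasive20_module' \
        || echo "FINDING: mod_evasive (evasive20_module) not loaded"
    chk '<Limit[^>]*PUT' \
        || echo "FINDING: no <Limit> block denying PUT"
    return 0
}

# Number of findings for a config file; prints 0 when the file is clean.
count_findings() { audit_httpd_conf "$1" | grep -c '^FINDING:' || true; }

# Constructed samples: a default-style config and one following Jan's advice.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
ExtendedStatus On
Options Indexes FollowSymLinks
EOF
cat >"$HARD" <<'EOF'
LoadModule security2_module modules/mod_security2.so
LoadModule evasive20_module modules/mod_evasive20.so
#ExtendedStatus On
ExtendedStatus Off
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    <Limit PUT OPTIONS>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>
EOF
echo "weak config: $(count_findings "$WEAK") finding(s)"       # prints 6
echo "hardened config: $(count_findings "$HARD") finding(s)"   # prints 0
```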