Create a Linux user account to secure web applications.
Scripts and programs that support a typical Linux web server running Apache, MySQL and PHP can be
made to run as a dedicated Linux user with appropriately restricted file permissions. Set up an
account with limited system-wide access for this purpose: a program or script started by Apache or
PHP inherits its parent's environment, which is confined to this special user. If the web application
is compromised, the attacker holds only that user's privileges and cannot read or write important
system directories; any damage is confined to the files and directories owned by that user, where it
is easier to detect and to restore from backup. In other words, never allow Apache, MySQL, PHP or any
other component of your web server to run with root authority. (The one normal exception is the Apache
parent process, which starts as root to bind port 80 and then spawns the worker processes as the
unprivileged user named by the User and Group directives; the workers and the scripts they run are
what must be unprivileged.) Give the account no login shell, so that it cannot be used interactively
even if its password leaks.
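The commands below are an added example, not part of the original page. They create the dedicated account with no login shell, give it only its own directory tree, and then check a process listing for web-stack processes that run as root when they should not. The account name webapp, the directory /var/www/webapp and the RHEL-style path /sbin/nologin are assumptions.

```shell
#!/bin/bash
# Added example, not from the original page. Creates the dedicated account
# and verifies that the web stack's worker processes actually run as it.
# Assumptions: account name "webapp", document root /var/www/webapp,
# RHEL-style /sbin/nologin. The "apply" step must be run as root.

# Create a system account with no login shell, give it its own tree, and
# keep "other" users on the box out of that tree.
create_web_user() {
    user=$1; home=$2
    getent passwd "$user" >/dev/null 2>&1 ||
        useradd -r -d "$home" -s /sbin/nologin "$user"
    mkdir -p "$home/htdocs" "$home/logs"
    chown -R "$user:$user" "$home"
    find "$home" -type d -exec chmod 750 {} +   # dirs: owner rwx, group rx, other none
    find "$home" -type f -exec chmod 640 {} +   # files: owner rw, group r, other none
}

# Read "ps -eo pid,ppid,user,comm" output (header included) on stdin and
# print the web-stack processes that run as root but should not:
#  - httpd/apache2/php-fpm: the parent that binds the port is legitimately
#    root; a child whose parent is the same daemon is a worker and is not.
#  - mysqld: never root (mysqld_safe, its wrapper script, may be).
find_root_workers() {
    awk 'NR == 1 { next }
         { ppid[$1] = $2; user[$1] = $3; cmd[$1] = $4 }
         END {
             for (p in cmd) {
                 if (user[p] != "root") continue
                 c = cmd[p]
                 if (c == "mysqld")
                     print p, c
                 else if ((c == "httpd" || c == "apache2" || c == "php-fpm") &&
                          (ppid[p] in cmd) && cmd[ppid[p]] == c)
                     print p, c
             }
         }' | sort -n
}

case "${1:-}" in
    apply) create_web_user webapp /var/www/webapp ;;
    check) ps -eo pid,ppid,user,comm | find_root_workers ;;
esac
```

Run it with apply once as root, set User webapp and Group webapp in httpd.conf and user=mysql under [mysqld] in my.cnf, restart the services, and then run it with check: an empty result means no worker is running as root.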
Stop all unused services
To see what services are running and the current firewall setting (the iptables init script reports
its active rules as its status), use the following command.
# service --status-all
If your current shell cannot find the service command, it is probably in /sbin or /usr/sbin, which may
not be in an ordinary user's PATH. The following command reports where it is, but only if that
directory is already in your PATH; otherwise look in /sbin and /usr/sbin and add the directory to
PATH, or log in as root with su - to pick up root's PATH.
# which service
If the result scrolls off the screen of your current shell, the commands more or grep can be used to
filter out what you want to see. For example, the first command below shows only the services that
report themselves as running, and the second pages through the full output.
# service --status-all | grep running
# service --status-all | more
If you need to start or stop a service manually, use the syntax service <name> start|stop|restart.
For example,
# service httpd start
# service httpd stop
# service httpd restart
You might want to automate as much as possible to avoid unnecessary typing and errors. If a service
must be started or disabled at every system reboot, the conventional way on a SysV-style system is
chkconfig <name> on or chkconfig <name> off, which adds the service to or removes it from the boot
runlevels. You can also add extra commands to /etc/rc.local, which runs at the end of the boot
sequence; note, however, that stopping a service from rc.local means it still starts first and is
briefly running during boot, whereas chkconfig off prevents it from starting at all.
Running unnecessary services wastes processor cycles and exposes your server to potential intruders:
every listening daemon is code reachable from the network that must be kept patched.
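As an added example (not from the original page), the functions below audit the boot-time services against a short allowlist and disable anything else both now and for future reboots. They assume a SysV-style system with chkconfig and service, such as RHEL or CentOS; the allowlist in the usage line is an assumption for a LAMP host.

```shell
#!/bin/bash
# Added example, not from the original page: audit which services start at
# boot against an allowlist, then disable the rest now and at every reboot.
# Assumes chkconfig and service (SysV-style RHEL/CentOS); the allowlist
# in the usage comment is an assumption for a LAMP host.

# Read "chkconfig --list" output on stdin and print every service that is
# "on" in runlevel 3 or 5 (the multi-user boot levels) but not in the
# allowlist given as arguments. The xinetd sub-list ("name: on/off") has
# no runlevel columns and is skipped.
unexpected_services() {
    allow=" $* "
    awk -v allow="$allow" '
        /[0-9]:on/ {
            on = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = 1
            if (on && index(allow, " " $1 " ") == 0) print $1
        }' | sort
}

# Remove a service from every boot runlevel and stop it now. Doing both is
# the point: "service x stop" alone comes back at the next reboot, and
# "chkconfig x off" alone leaves it running until then.
disable_service() {
    chkconfig "$1" off
    service "$1" stop
}

# Usage (as root):
#   chkconfig --list | unexpected_services sshd httpd mysqld crond syslog iptables
# then, for each name printed that you really do not need:
#   disable_service cups
```

Review the printed list before disabling anything: a service you do not recognise may still be one the box depends on, so check what it does and whether it listens on the network (netstat -tlnp) first.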
The following commands help to make the administration of your
dedicated server simpler.
When a command is entered, it is executed as a foreground process by default: the shell waits for
it to complete before accepting another command. A background process does not block the shell, so,
within the limit of the available memory, you can start many background commands one after another.
To run a command as a background process, type the command and add a space and an ampersand to the
end of the command. For example:
% cmd1 &
The shell starts the command immediately, prints its job number and process ID, and returns the
prompt (%) without waiting for the command to complete. At this point you can enter another command,
foreground or background. Background jobs do not automatically run at a lower priority; they get the
same scheduling priority as foreground jobs unless you lower it explicitly with nice (the NI column
in the top output below shows the result). The shell reports when a background job has finished and
whether it succeeded or failed (for example Done, or Exit followed by the exit status). The job's own
output still goes to the terminal, so it may appear in the middle of a command you are typing; it does
not interfere with what you typed, but redirecting the job's output to a file (cmd1 > cmd1.log 2>&1 &)
keeps the screen clean and preserves the output for later inspection.
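The function below is an added example, not from the original page: it starts several commands as background jobs at a lowered priority, keeps their output off the terminal, and then collects each job's exit status with wait, which is how a script can act on the result of a background job instead of just reading the shell's Done/Exit message. The commands in the usage line and the log-file location under /tmp are assumptions.

```shell
#!/bin/bash
# Added example, not from the original page: run several commands as
# background jobs, collect their exit statuses, and keep their output off
# the terminal. The commands and the log-file location are assumptions.

# Run each argument as a background job at a lowered priority (nice 10),
# sending its output to its own log file. Wait for all of them and return
# the number that failed. $! is the PID of the most recently started job;
# "wait PID" blocks until that job ends and returns its exit status.
run_parallel() {
    pids=""; n=0; failed=0
    for cmd in "$@"; do
        n=$((n + 1))
        nice -n 10 sh -c "$cmd" >"${TMPDIR:-/tmp}/job.$$.$n.log" 2>&1 &
        pids="$pids $!"
    done
    for pid in $pids; do
        wait "$pid" || failed=$((failed + 1))
    done
    rm -f "${TMPDIR:-/tmp}"/job.$$.*.log
    return "$failed"
}

# Usage: three jobs, one of which fails; the prompt comes back only after
# all three are done, and $? tells you how many failed.
#   run_parallel 'sleep 1' 'gzip -c /var/log/messages >/tmp/m.gz' 'false'; echo "$? failed"
```

While the jobs run, top shows them with NI 10 and a PR value 10 higher than the default, which is what "lower priority" actually looks like on the system.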
To see the priority of the current processes (the PR and NI columns) and which processes keep your
server busy, use the following command. The display is updated periodically; press q to quit.
% top
top - 04:50:18 up 1 day,  4:54,  1 user,  load average: 0.00, 0.00, 0.00
Tasks:  85 total,   1 running,  83 sleeping,   1 stopped,   0 zombie
Cpu(s):  0.2%us,  0.0%sy,  0.0%ni, 99.8%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1026668k total,   159172k used,   867496k free,     9184k buffers
Swap:  2031608k total,        0k used,  2031608k free,   110024k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    1 root      20   0  1948  740  532 S  0.0  0.1   0:00.87 init
    2 root      15  -5     0    0    0 S  0.0  0.0   0:00.00 kthreadd
    3 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 migration/0
    4 root      15  -5     0    0    0 S  0.0  0.0   0:00.03 ksoftirqd/0