Linode Community Forums
Posted: Thu Dec 03, 2009 9:26 pm
Newbie (joined Thu Dec 03, 2009 8:56 pm, 3 posts)
Hi there, I'm new here and I hope you gurus can help me out with some of my queries. I'm planning to run 2-3 WordPress sites for myself and my friends on a 512MB node and I'd like some clarification on setting up the LAMP stack. It's a big jump coming from shared hosting. I'll be grateful if anyone can answer or provide relevant links that I can read up on regarding my queries.

1. Do I need the suPHP module at all? Since I will be managing all 3 sites, would suPHP still benefit me from a security standpoint?

2. With a standard LAMP setup and WordPress installed under virtual domains, is there anything else that I should be doing to secure the sites? I did quite a bit of reading all afternoon and I've read about sites that got hacked on a standard Debian LAMP setup (presumably running just Apache2 + PHP + MySQL), which makes me wonder what other steps are required to keep a simple blog running.

3. Does the Apache2 install enable mpm-prefork by default? If not, would it be better to use a vanilla Apache2, Apache2+prefork, or Apache2+worker+fastcgi? I looked up mpm-prefork and it's not clear why I should use it at all, considering all the efficiency issues that people are talking about.

4. With regards to the /tmp folder, if the permission is set to 777, how exactly does an attacker write files to the folder without getting SSH access?

Many thanks in advance!


Posted: Fri Dec 04, 2009 1:31 pm
Senior Member (joined Fri May 02, 2008 8:44 pm, 1121 posts)
1. Running each site under separate privileges may help prevent someone who hacks one site from hacking all the other sites. But I would much rather run one FastCGI process per site (hint: worker+suexec) than go to all the suPHP hassle.

2. WordPress has had a rather bad track record when it comes to security. Those PHP scripts contain tons of holes through which an attacker could hijack your site. You can try to minimize damages, though, by separating privileges and tightening some php.ini settings (open_basedir, safe_mode, allow_url_fopen, display_errors, etc.).

And don't forget to secure SSH.

3. The php5 package in Debian pulls in prefork by default. If you want FastCGI, you should install php5-cgi instead.

4. PHP has numerous filesystem-related functions as well as a generic exec() tool. So if one of your PHP scripts gets hijacked by a cracker, the script can do pretty much anything a logged-in user would be able to do.

Example PHP code:
Code:
<?php
// Reads any file the web server user can read
file_get_contents('/etc/passwd');
// Runs any command the web server user can run
exec('/nasty/command');


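The php.ini tightening recommended in the reply above, turned into a check a site owner can run before and after editing the file. This is an added example, not code from the thread or from any project: the audited keys (open_basedir, safe_mode, allow_url_fopen, display_errors) are the ones the reply names; disable_functions is an assumed addition covering the exec() the reply mentions; SITE_ROOT, EXEC_FUNCTIONS and the sample ini text are constructed for the example.

```python
"""Audit a php.ini for the settings the reply recommends tightening.

Added example, not from the thread. Keys audited: open_basedir, safe_mode,
allow_url_fopen, display_errors (from the reply) and disable_functions
(assumed, to cover the exec() the reply mentions).
"""
import re
from dataclasses import dataclass

SITE_ROOT = "/var/www"  # assumed document root of the virtual hosts
# Assumed list of command-execution functions to block; exec() is the one
# named in the thread, the others are its siblings in PHP's standard library.
EXEC_FUNCTIONS = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open"}


@dataclass(frozen=True)
class Finding:
    key: str
    current: str
    recommended: str
    why: str


def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections]
    skipped, later duplicates override earlier ones (as PHP itself does)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    """PHP's boolean ini parsing: On/1/True/Yes are true, everything else false."""
    return value.strip().lower() in {"on", "1", "true", "yes"}


def audit_php_ini(text, site_root=SITE_ROOT):
    """Return a list of Findings; an empty list means every checked key is tight.
    A missing key is treated as PHP's built-in default, which is the weak value."""
    s = parse_php_ini(text)
    findings = []
    if is_on(s.get("allow_url_fopen", "On")):
        findings.append(Finding("allow_url_fopen", s.get("allow_url_fopen", "<unset>"), "Off",
                                "include()/fopen() of http:// URLs lets a hijacked script load code from elsewhere"))
    if is_on(s.get("display_errors", "On")):
        findings.append(Finding("display_errors", s.get("display_errors", "<unset>"), "Off",
                                "error output leaks file paths and query fragments to visitors"))
    if not s.get("open_basedir"):
        findings.append(Finding("open_basedir", "<unset>", f"{site_root}:/tmp",
                                "without it a script can read /etc/passwd as in the reply's example"))
    if not is_on(s.get("safe_mode", "Off")):
        findings.append(Finding("safe_mode", s.get("safe_mode", "<unset>"), "On",
                                "advice of the thread's era; safe_mode was deprecated in PHP 5.3 and "
                                "removed in 5.4, so on newer PHP rely on open_basedir and per-site users"))
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    if EXEC_FUNCTIONS - disabled:
        findings.append(Finding("disable_functions", s.get("disable_functions", "<unset>") or "<empty>",
                                ",".join(sorted(EXEC_FUNCTIONS)),
                                "a hijacked script otherwise runs commands as the web server user"))
    return findings


def harden_php_ini(text, findings):
    """Rewrite the ini text with each finding's recommended value: every existing
    line for the key is replaced, and a line is appended if the key was absent."""
    lines = text.splitlines()
    for f in findings:
        value = f'"{f.recommended}"' if f.key == "open_basedir" else f.recommended
        pattern = re.compile(r"^\s*" + re.escape(f.key) + r"\s*=", re.IGNORECASE)
        hits = [i for i, line in enumerate(lines) if pattern.match(line)]
        for i in hits:
            lines[i] = f"{f.key} = {value}"
        if not hits:
            lines.append(f"{f.key} = {value}")
    return "\n".join(lines) + "\n"


# Constructed sample resembling a stock php.ini; not a real file.
WEAK_INI = """\
[PHP]
; constructed sample, weak defaults on purpose
allow_url_fopen = On
display_errors = On
safe_mode = Off
disable_functions =
"""

if __name__ == "__main__":
    found = audit_php_ini(WEAK_INI)
    for f in found:
        print(f"{f.key}: {f.current} -> {f.recommended}  ({f.why})")
    print(harden_php_ini(WEAK_INI, found))
```

Run it against a copy of the live php.ini, review the findings, and apply them by hand; the hardened text is meant to be diffed against the original rather than written over it blindly. Note that open_basedir and disable_functions only constrain PHP itself, so the per-site user separation the reply describes is still what contains a compromised site.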
Posted: Sat Dec 05, 2009 10:47 am
Newbie (joined Thu Dec 03, 2009 8:56 pm, 3 posts)
Thanks hybinet! That was really informative!

I read up on setting up Apache + mpm worker + fastcgi + suexec and it seemed pretty complicated, so I installed lighttpd + fastcgi instead, as the install process and configuring modules made a lot more sense. Seems to be working fine with virtual hosts, though I'm not sure if this setup is as secure as using suexec with Apache.

Checked my logs today and there are already hundreds of failed login attempts via SSH, so I changed the port and the attacks died down somewhat. Will read up on the php.ini configuration next, as neither PHP nor MySQL has been optimized yet. Thanks again for the insight!
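The failed SSH logins the post above mentions are easy to see in auth.log once grouped by source address, which is also what a lockout tool keys on. This is an added example, not code from the thread: the log lines are constructed in the syslog shape OpenSSH's sshd writes, and the threshold of 3 is an assumed value.

```python
"""Group failed SSH password attempts by source address from auth.log lines.

Added example, not from the thread. SAMPLE_AUTH_LOG is constructed; the
flagging threshold is an assumed value.
"""
import re
from collections import defaultdict

# Matches sshd's "Failed password for [invalid user] NAME from IP port N" lines.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample: three failures from one address, one from another,
# and one successful key login that must not be counted.
SAMPLE_AUTH_LOG = """\
Dec  5 03:14:22 li123 sshd[2045]: Failed password for invalid user admin from 203.0.113.7 port 41322 ssh2
Dec  5 03:14:25 li123 sshd[2045]: Failed password for root from 203.0.113.7 port 41322 ssh2
Dec  5 03:14:29 li123 sshd[2045]: Failed password for root from 203.0.113.7 port 41322 ssh2
Dec  5 03:15:01 li123 sshd[2050]: Accepted publickey for deploy from 198.51.100.4 port 50022 ssh2
Dec  5 03:16:10 li123 sshd[2061]: Failed password for invalid user oracle from 192.0.2.9 port 39001 ssh2
"""


def failed_logins_by_source(lines):
    """Return {ip: {"count": n, "users": {names tried}}} for failed password logins."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins, disconnects and other noise are skipped
        entry = stats[m["ip"]]
        entry["count"] += 1
        entry["users"].add(m["user"])
    return dict(stats)


def flag_sources(lines, threshold=3):
    """Addresses with at least `threshold` failures, sorted for stable output."""
    stats = failed_logins_by_source(lines)
    return sorted(ip for ip, e in stats.items() if e["count"] >= threshold)


if __name__ == "__main__":
    for ip, e in failed_logins_by_source(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{ip}: {e['count']} failures, users tried: {sorted(e['users'])}")
    print("over threshold:", flag_sources(SAMPLE_AUTH_LOG.splitlines()))
```

Feed it the real file with `failed_logins_by_source(open("/var/log/auth.log"))` and compare the counts before and after a change. Moving the port thins the scanner noise, as the post observed; the controls that hold up are key-only authentication and a per-source lockout like the one this count drives.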


Posted: Sat Dec 05, 2009 5:42 pm
Senior Member (joined Sun Jan 18, 2009 2:41 pm, 830 posts)
hybinet wrote:
    4. PHP has numerous filesystem-related functions as well as a generic exec() tool. So if one of your PHP scripts gets hijacked by a cracker, the script can do pretty much anything a logged-in user would be able to do.

To learn about some of the possibilities, Mutillidae is a pretty neat illustration of vulnerabilities implemented in PHP. It should go without saying (but I'll do it anyway) that you should not install it on your Linode. :)


Posted: Sun Dec 06, 2009 9:29 pm
Newbie (joined Thu Dec 03, 2009 8:56 pm, 3 posts)
Wow, that's a mighty fine link, gotta love exploits by example. There goes another week of my reading time :lol:

