Securing Linux

As a general rule, WordPress is installed and run on Linux, and that machine may also have many other services installed and running. The Linux machine itself therefore has to be kept secure.

One of the most common information leaks is the web server announcing which software it runs. In Apache HTTPD, for example, we can change some configuration directives to limit this.

ServerTokens Prod
ServerSignature Off
TraceEnable Off

Another common place for information leaks is PHP. In this case we can make some changes in php.ini to prevent possible data leaks.

expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off

This applies not only to these services; others, such as SSH, can also give away certain information. For example, on Debian and Ubuntu we can suppress this data in /etc/ssh/sshd_config.

DebianBanner no

The same leak can occur in mail services such as Postfix, where the banner shown to clients can be changed to a different one in /etc/postfix/main.cf.

# Postfix requires $myhostname at the start of the banner text
smtpd_banner = $myhostname ESMTP

It can even be checked in the BIND DNS server, in the named.conf configuration file.

options {
  version "ninguna";
};

There are many other options to review, but the goal is to check that every service installed on the machine and reachable from outside explicitly hides its version information, to make an attack more difficult.
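To check the settings above on a host, the following added example (not part of the original article) resolves the effective value of each recommended Apache, PHP and sshd directive from a config file's text and reports those that are missing or different. It assumes a flat file with no Include or per-virtual-host overrides, and that Apache and PHP use the last occurrence of a repeated directive while sshd uses the first; the function names and sample files are constructed for illustration.

```python
import re

PHP_OFF = {"off", "0", "false", "no", "none"}  # spellings php.ini reads as false
# Settings recommended in the article. first_wins: how the daemon resolves a
# repeated directive; fold: whether directive names are case-insensitive.
EXPECTED = {
    "apache": dict(first_wins=False, fold=True, want={
        "servertokens": {"prod"}, "serversignature": {"off"},
        "traceenable": {"off"}}),
    "php": dict(first_wins=False, fold=False, want={
        k: PHP_OFF for k in
        ("expose_php", "display_errors", "track_errors", "html_errors")}),
    "sshd": dict(first_wins=True, fold=True, want={"debianbanner": {"no"}}),
}
DIRECTIVE = re.compile(r"^([\w.]+)\s*(?:=\s*|\s+)(.*)$")


def effective(text, first_wins, fold):
    """Resolve a flat config file to the value each directive ends up with."""
    seen = {}
    for raw in text.splitlines():
        # Full-line comments, [sections] and <blocks> do not match the pattern.
        m = DIRECTIVE.match(raw.strip())
        if not m:
            continue
        key = m.group(1).lower() if fold else m.group(1)
        if first_wins and key in seen:
            continue  # sshd keeps the first value it reads
        seen[key] = m.group(2).strip().strip('"').lower()
    return seen


def audit(service, text):
    """Return {directive: found value or None} for settings not set as recommended."""
    spec = EXPECTED[service]
    eff = effective(text, spec["first_wins"], spec["fold"])
    return {k: eff.get(k) for k, ok in spec["want"].items() if eff.get(k) not in ok}


# Constructed sample files, not taken from a real host.
APACHE_CONF = "ServerTokens Full\n# TraceEnable On\nServerTokens Prod\nServerSignature Off\n"
SSHD_CONF = "DebianBanner yes\nPort 22\nDebianBanner no\n"
PHP_INI = "[PHP]\nexpose_php = Off\ndisplay_errors=0\nhtml_errors = On\n"

if __name__ == "__main__":
    for name, conf in (("apache", APACHE_CONF), ("sshd", SSHD_CONF), ("php", PHP_INI)):
        print(name, audit(name, conf) or "ok")
```

A directive reported with the value None is not set explicitly in the file, so the service falls back to its built-in default.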


About this document

This document is licensed under the EUPL v1.2, published on WP SysAdmin and created by Javier Casares. If you use this content on your website, in a presentation or in any material you distribute, please remember to mention this site or its author and to release the material you create under the EUPL license.