How to properly organize the security for a web server on CentOS 7?

Given: VPS, CentOS, Nginx, PHP7 (FPM), MariaDB.
There is a project /var/www/theproject.
Setting aside all sorts of special cases, are there time-tested safe settings for this configuration?
I mean the following:
1. How should the users and groups for nginx, php-fpm and the project be distributed? (i.e., which user each process runs as, and who is included in which group)
2. Where should the project folder be placed, under whose ownership, and what should the permissions for files and folders be?
3. Should I disable SELinux?
4. Or am I doing everything wrong and need to use docker?

2 Answers

1. How should the users and groups for nginx, php-fpm and the project be distributed? (i.e., which user each process runs as, and who is included in which group)
Already properly distributed.

2. Where should the project folder be placed, under whose ownership, and what should the permissions for files and folders be?
Preferably on a separate dedicated partition, so you can set all sorts of mount options such as nosuid, nodev. Although it would be fine as it is. User nginx or whoever else is there.

3. Should I disable SELinux?
Not necessary. If you know how to cook it, then everything else is not necessary.

4. Or am I doing everything wrong and need to use docker?
The isolation that docker provides is not its main function.
by
3. Do I need to disable SELinux?

In general, this is an ill-posed question. It never needs to be switched off unless there are specific prerequisites. In your case, you're using widely known software, which works well with SELinux. You may have to understand the configuration of SELinux. But "need to understand" and "need to turn off" are different things.

4. Or I do everything wrong and need to use docker?

Again - you need to. That way you can get as far as "need to use Debian and not CentOS". It was correctly said above that docker is not designed for security configuration.

The minimum security a VPS needs:
1) access by key, not by password;
2) a firewall that allows only what you need (ssh, http, https).

And google about securing nginx, something like that.

I.e. you need to protect starting from the points that others have access to. And those are the open ports of the services; the others you can close.
by
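
The baseline named in the two answers above (key-only SSH, a firewall limited to ssh/http/https, nosuid/nodev on the project's partition) can be checked with a short script. This is an added example, not part of the original thread: the function names and sample inputs are constructed, and `sshd -T`, `firewall-cmd --list-services` and `findmnt` are the assumed live sources on the CentOS 7 host.

```shell
#!/bin/sh
# Added example. Each check takes text, so it can be fed live command
# output on the server or a saved sample while testing offline.

# Exit 0 only if password logins are off. sshd keeps the first value it
# reads for a keyword and defaults to "yes" when none is set. A raw
# sshd_config is read without evaluating Match blocks; pipe `sshd -T`
# in instead to test the effective value.
ssh_password_auth_disabled() {
    awk 'tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { exit (v == "no") ? 0 : 1 }'
}

# Print firewalld services other than ssh/http/https, one per line.
# Live input: firewall-cmd --list-services
unexpected_services() {
    tr -s '[:space:]' '\n' | awk 'NF && $0 !~ /^(ssh|http|https)$/'
}

# Exit 0 if a comma-separated mount option string has nosuid and nodev.
# Live input: "$(findmnt -no OPTIONS --target /var/www/theproject)"
mount_is_hardened() {
    case ",$1," in *,nosuid,*) ;; *) return 1 ;; esac
    case ",$1," in *,nodev,*) ;; *) return 1 ;; esac
}

# Arguments: sshd config text, service list, mount options.
baseline_report() {
    printf '%s\n' "$1" | ssh_password_auth_disabled \
        && echo "ssh: key-only" || echo "ssh: PASSWORDS ALLOWED"
    extra=$(printf '%s\n' "$2" | unexpected_services | tr '\n' ' ')
    [ -z "$extra" ] && echo "firewall: ok" || echo "firewall: review $extra"
    mount_is_hardened "$3" && echo "mount: ok" \
        || echo "mount: add nosuid,nodev"
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_SSHD='# PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes'
SAMPLE_SERVICES='dhcpv6-client http https ssh'
SAMPLE_OPTS='rw,nosuid,nodev,relatime'

baseline_report "$SAMPLE_SSHD" "$SAMPLE_SERVICES" "$SAMPLE_OPTS"
```

On the constructed samples the report flags only `dhcpv6-client` for review, since the first uncommented `PasswordAuthentication` line is `no` and the mount options already carry both flags.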
