These recommendations are off of the top of my head and not intended to be comprehensive.
Check out Bastille, it's a series of scripts that implements best practices in Linux.
Don't send authentication data over plaintext protocols. For example, disable FTP. If you send authentication data via Apache, use SSL.
Disable and remove any unnecessary software including the GUI interface.
Audit any files with the SUID bit set and remove. (This will severely limit non-root abilities. Understand the implications for each individual change.)
Audit public writable directories and remove the writable bit. (Leave /tmp alone.)
Avoid running any daemon as root.
Research all multi-user software that listens on sockets in detail for security best practices.
Avoiding adding users to the system is one of the best approaches. Multi-user systems require greater attention to detail.
Enforce password standards. For example: minimum 10 characters, non-alphanumeric characters, using letters and numbers. This is to make brute forcing more difficult in case of password file compromise. Enforce this via the system.
Lock out users after 5 failed authentication attempts with a minimum of 10 minute lockout. Maintain a password history so users can't use the past 5 passwords.
If you have a larger environment, using network segregation with multiple subnets to isolate risk is an absolute requirement. If a smaller environment, running a firewall on the local system to limit exposure is recommended. For example, only allowing SSH to your IP. tcpwrappers can be used too for an extra layer. (/etc/hosts.allow, /etc/hosts.deny)
And, of course, keeping all software up to date. Especially public facing daemons.
With SSH:
- Disable SSH protocol 1
- Only allow root authentication
without-password
(only keypair)
With Apache:
- Disable any modules that are not needed
- Disable .htaccess and public directories
- Disable FollowSymlink and any unnecessary options
- Do not install PHP if you don't need it.
With MySQL:
- Disable default users.
- Don't use wildcard hosts.
- Be sure to set unique host for every user.
- Don't listen on tcp unless necessary. (Unusually unavoidable.)
- Limit application user privileges as much as possible. (SELECT,INSERT,UPDATE,DELETE ideal for write and SELECT for read)
I'd recommend researching php.ini tuning for security specifically. It's riskier software by default.
Bastille
You're already running PHP with FastCGI, so I'm not sure what else you can do to slim this down. You're kind of at a crossroad here..
A couple of options:
- Tune everything down to the smallest possible dataset. Replace Apache with nginx (if you can), tune MySQL so that it's not buffering more data than needed and so on
- Throw more RAM at the box
- Separate your tiers into dedicated VM's. One database server, one application server and one front-end. This will make it alot easier to scale.
Edit: You're saying that you have installed lots of caching stuff. Cache = eat more RAM so that the next request(s) will go faster. If you're very low on RAM - caching might not be the best thing in the world..
Best Answer
You can use chattr +i against the deface part but it wont fix the php bugs. The typical php security features will help, in the worst case scenario chroot also possible.
http://php.net/manual/en/security.php
http://www.hardened-php.net/