Update the system

yum update

Remove unneeded software

Minimize the number of software that could possibly be exploited:

yum remove cups cups-libs irda-utils

Disable unnecessary services

This could be done by typing:

for service in \
atd \
anacron \
auditd \
cpuspeed \
kudzu \
mcstrans \
pcscd \
portmap; \
do chkconfig --level 0123456 $service off; done;

As an alternative, you can use the setup tool.

Install LAMP

Use this guide to install Apache, PHP, MySQL and phpMyAdmin

Disable unneded stuff

If you want you can disable IPv6 protocol, by editing file /etc/sysconfig/network and set:

NETWORKING_IPV6=no

After that, add the below code to /etc/modprobe.conf to disable ipv6 kernel module loading:

alias ipv6 off
alias net-pf-10 off

Secure SSH

To secure SSH access to the server follow the guide Secure existing OpenSSH installation

Secure temporary folders

To prevent malicious scripts execution secure temporary folders

Install Firewall

Finally, install ConfigServer security and Firewall

Secure PHP

It is impossible to achieve a high level of security for PHP applications in a production environment. However, with some security tips, you can avoid common mistakes and protect yourself from the most frequent attacks.

When using PHP in a production environment, you should have the following settings in php.ini:

safe_mode = Off
register_globals = Off
expose_php = Off

allow_url_fopen = Off
allow_url_include = Off

log_errors = On
display_errors = Off
error_log = /var/log/phperror.log

memory_limit = 32M
post_max_size = 12M
upload_max_filesize = 8M
max_execution_time = 120
max_input_time = 60

enable_dl = Off
disable_functions="popen,exec,system,passthru,proc_open,shell_exec,show_source,phpinfo,eval"

session.use_only_cookies = 1

All PHP errors will be stored in file /var/log/phperror.log. The following lines creates it and set the permissions:

touch /var/log/phperror.log
chmod 666 /var/log/phperror.log

Below is a description of directives used to secure PHP:

safe_mode
It is primarily intended to provide file access limits to prevent users from accessing files that do no belong to them. This setting will be depreciated and should be avoided.

register_globals
Disables automatic variable creation. This means that all PHP script must use the $_REQUEST, $_GET, or $_POST arrays to retrieve user-provided data. This directive is responsible for many security issues in web applications because it allowed attackers to freely manipulate global variables.

expose_php
Hide PHP Version in Apache from remote users requests. Obviously there is no reason to let end users know about the server's PHP version.

allow_url_fopen
This directive allows to reference remote resources as if they are local files. It is recommended to leave it disabled unless your application requires it.

allow_url_include
This directive allows to include/require remote resources as if they are local files. As above directive, it is recommended to leave it disabled.

log_errors
When enabled, log_errors instructs PHP to log all errors to the file indicated by the error_log directive.

display_errors
PHP error messages display should be disabled on production servers to avoid information leaks about your system environment from badly written scripts.

error_log
All PHP errors will be stored in file /var/log/phperror.log. The two above lines creates that file

memory_limit
To prevent poorly written scripts from consuming all of the available memory, this directive can be used to indicate a maximum amount of memory consumed by a script.

post_max_size
Controls the size of HTTP form submissions. You may tweak the values to suit your needs.

upload_max_filesize
Maximum allowed size for uploaded files

max_execution_time
Maximum execution time of each script. You may tweak the values to suit your need.

max_input_time
Maximum amount of time each script may spend parsing request data.

enable_dl
This directive is used to enable or disable the dl() function that allows runtime loading of PHP extensions. It makes possible to bypass some restrictions, so it is recommended to be disabled unless your application requires it.

disable_functions
Directive allows to disable several security-sensitive functions. Previously, this necessitated hand-editing the C code from which PHP was made. For functions reference you can use this list

session.use_only_cookies
Reduce the risk of session fixation by only allowing session IDs to be passed as cookies. In other words enabling this setting prevents attacks involved passing session ids in URLs.

Basic operations

Inludes install, upgrade, and removal options.

Install

RPM based

rpm -ivh package-name.rpm
yum install package-name
zypper install package-name

DEB based

dpkg -i package-name.deb
apt-get install package-name
aptitude install package-name

Gentoo based

emerge -av ebuild

FreeBSD based

cd /usr/ports/package-name && make install clean
pkg_add -r package-name

Update

RPM based

rpm -Uvh package-name.rpm
yum update package-name
zypper up package-name

DEB based

apt-get install package-name
aptitude install package-name

Gentoo based

emerge -uDv package-name

FreeBSD based

portmanager port-name -l -u -f

Remove

RPM based

rpm -e package-name.rpm
yum remove package-name
zypper remove package-name

DEB based

dpkg -r package-name.deb
apt-get remove package-name
aptitude remove package-name

Gentoo based

emerge -Cav ebuild

FreeBSD based

pkg_delete package-name-version

Search for a package

RPM based

yum search keyword
zypper se keyword

DEB based

apt-cache search keyword
dpkg -C

Gentoo based

emerge -s keyword
emerge -S keyword

FreeBSD based

whereis package-name
cd /usr/ports; make search name=package-name
find /usr/ports -name package-name
pkg_info -W package-name

List contents of package

RPM based

rpm -qvl package-name.rpm

DEB based

dpkg -c package-name.deb

Gentoo based

qlist package-name.deb

FreeBSD based

pkg_info -L package_name

List all installed packages

RPM based

rpm -qvia
yum list available

DEB based

dpkg -l

Gentoo based

qpkg -I

FreeBSD based

pkg_info
pkg_info -a

Print information about a package

RPM based

rpm -qpi package-name.rpm
zypper info package-name

DEB based

dpkg -I package-name.deb
dpkg -p package-name

Gentoo based

emerge -pv ebuild

FreeBSD based

pkg_info | grep package-name

Integrity check

RPM based

rpm -Va
rpm -Vp package-name.rpm

DEB based

debsums -a

Gentoo based

qcheck package_name

Determine to which package a file belongs

RPM based

rpm -qf /path/to/file

DEB based

dpkg -S /path/to/file

Gentoo based

qpkg -f /path/to/file
qfile /path/to/file

FreeBSD based

pkg_info -W /path/to/file

Update packages tree

RPM based

yum check-update

DEB based

apt-get update
aptitude update

Gentoo based

emerge --sync

FreeBSD based

cvsup ports-supfile
portsnap fetch extract

Update all installed packages and userland

RPM based

yum update

DEB based

apt-get update && apt-get upgrade

Gentoo based

emerge -eav world

FreeBSD based

portmaster -ai
portmanager -u
portupgrade -a
freebsd-update upgrade

List outdated packages

RPM based

yum list updates

DEB based

apt-get upgrade --just-print
apt-get upgrade -u
apt-show-versions -u

Gentoo based

emerge -eapv world

FreeBSD based

pkg_version -vIL=

Show package dependencies

RPM based

rpm -qpR package-name.rpm
yum deplist package-name

DEB based

apt-cache depends package-name
apt-rdepends -d package-name

Gentoo based

emerge -tp ebuild
equery depends ebuild

FreeBSD based

pkg_info -L package_name

Show all processes

ps aux

Show all processes including commandline arguments

ps -AFl

Show all processes with threads in tree mode

ps -AlFH

Show processes in a hierarchy

ps -e -o pid,args --forest

Show list of processes owned by a specific user

ps -U user -u user u

Show information for a particular process

ps -p pid
ps uax | grep process_name

Show all threads for a particular process by id

ps -p pid -L -o pid,tid,pcpu,state,comm

Get top 5 processes by CPU usage

ps -e -o pcpu,cpu,nice,state,cputime,args --sort pcpu | sed '/^ 0.0 /d'| tac |head -5
ps auxf | sort -nr -k 3 | head -5

Get top 5 processes by memory usage

ps -e -orss=,args= | sort -b -k1,1n | pr -TW$COLUMNS| tac | head -5
ps auxf | sort -nr -k 4 | head -5

Get security info

ps -eo euser,ruser,suser,fuser,f,comm,label

Use YUM to retrieve and install the Apache HTTP server and additional components. After that, start the web-server and put it on startup:

yum install httpd httpd-devel
service httpd start
chkconfig httpd on

Next step is securing Apache. Edit the config /etc/httpd/conf/httpd.conf and set:

ServerSignature Off
ServerTokens Prod
ErrorDocument 500 "Internal error"
ErrorDocument 404 "Not found"

First line tells Apache to not display the server version on generated pages. The second one makes the web-server to return only "Apache" in the header response.

Now you ready to Install the PHP module for Apache. The following lines download and install the common PHP with some modules:

yum install php-common php-gd php-mcrypt php-pear php-pecl-memcache php-mhash \
php-mysql php-xml

Next step is securing PHP. Open PHP config file /etc/php.ini and follow the guide Secure existing PHP installation
Restart webserver to load PHP module:

service httpd restart

At this point Apache is ready to serve. The PHP could be tested. Create a file named /var/www/html/1.php with the following contents:

<?php
phpinfo();
?>

Then point your browser to http://x.x.x.x/1.php and check the output.

Next, install MySQL with required packages, start it and put the database server to startup:

yum install mysql mysql-server mysql-devel
service mysqld start
chkconfig mysqld on

Once MySQL is installed, invoke it:

mysql

And change MySQL root password:

mysql> USE mysql;
mysql> UPDATE user SET Password=PASSWORD('pa$$w0rd') WHERE user='root';

Next, drop test database:

mysql> drop database test;
mysql> DELETE FROM user WHERE user = '';
mysql> FLUSH PRIVILEGES;

For security reasons it's often a good idea to have in section [mysqld] of MySQL config file /etc/my.cnf the values:

bind-address=127.0.0.1
local-infile=0
skip-bdb

The first line make MySQL to listen for TCP/IP connections only locally on the loop-back interface. Next line prevents against unauthorized reading from local files. The last line disables support for BerkeleyDB as its support will cease soon.

It is time to restart MySQL to make changes to work:

service mysqld restart

Once LAMP is functional, phpMyAdmin can be installed:

yum install phpmyadmin

If you get the error "No package phpmyadmin available" enable EPEL repository
Restart the Apache webserver to be able to acces phpMyAdmin:

service httpd restart

To test phpMyAdmin you should point your browser to http://x.x.x.x/phpmyadmin

Note: If you want to add a virtual host www.domain.tld to the Apache – follow the below steps.

First of all create directories and set correct permissions:

mkdir -p /home/domain.tld/{public_html,logs}
chown -R apache:apache /home/domain.tld

Open Apache config /etc/httpd/conf/httpd.conf and alter NameVirtualHost directive:

NameVirtualHost ip.address:80

After that add the following VirtualHost container and paste it at the end of the config file:

<VirtualHost ip.address:80>
        ServerAdmin webmaster@domain.tld
        ServerName www.domain.tld
        ServerAlias domain.tld

        DocumentRoot /home/domain.tld/public_html

        <Directory />
                Options -Indexes FollowSymLinks
                AllowOverride None

                Order allow,deny
                allow from all
        </Directory>

        ErrorLog /home/domain.tld/logs/domain.tld-error_log
        CustomLog /home/domain.tld/logs/domain.tld-access_log common
</VirtualHost>

Test if the config syntax is OK and restart Apache:

httpd -t
httpd -D DUMP_VHOSTS
service httpd restart