Reputation: 14671
On a fresh CentOS application:
How can I create a separate user other than root, to store the website hosting files?
How can I lock this user down to prevent malicious or bad things from happening?
How can I further protect the php file containing the DB connection strings?
What other security measures shall I take to protect such a server which is only used to serve a web-app? (or two)
What other ways shall I employ for sand-boxing the web-app?
I am running Centos on a VPS and want to use Apache or Lighttpd as the web server.
Thank you.
Upvotes: 0
Views: 1975
Reputation: 6023
One best practice is always to only run services you actually need on a box facing the internet. So if you only need apache and a database, run only apache and the database on that machine. Use long, random passwords for the maintenance user, and do not allow direct root login.
Regarding the user: add a user with useradd and block shell access for that user (usermod -s, set login shell to /sbin/nologin). Usually a service account for running the web server is created after installing the web server. If you restrict permissions for that account to the web server home and logging directories, you should be fine.
Regarding protecting the database: you can create a db user account that doesn't have drop or create privileges, but as your application needs access to the database, someone acting with the privileges of your web server or application will have access to the data in the database as well.
Upvotes: 1