How to Secure Your Development Server
# How to Secure Your Development Server
This article provides a comprehensive guide to securing your MediaWiki development server. A secure development environment is crucial for testing changes and preventing accidental exposure of sensitive information. This guide assumes you have a basic understanding of server administration and are running a standard Linux distribution.
1. Initial Server Hardening
Before installing MediaWiki, several basic server hardening steps should be taken. These steps minimize the attack surface and reduce the risk of compromise.
1.1 Update System Packages
Always start by ensuring your operating system and all installed packages are up-to-date. This includes security patches. Use your distribution's package manager.
1.2 Disable Unnecessary Services
Disable any services you do not need. Common services to consider disabling include:
| Service | Description | Recommendation |
|---|---|---|
| `telnet` | Unencrypted remote access. | Disable. Use SSH instead. |
| `rsh` / `rcmd` | Older, insecure remote shell protocols. | Disable. Use SSH instead. |
| `ftp` | Insecure file transfer protocol. | Disable. Use SFTP or SCP instead. |
| `tftp` | Trivial File Transfer Protocol. | Disable unless absolutely required. |
1.3 Configure a Firewall
A firewall is essential for controlling network access to your server. `ufw` (Uncomplicated Firewall) is a popular choice for Ubuntu/Debian, while `firewalld` is common on CentOS/RHEL. Configure the firewall to only allow necessary traffic, such as SSH (port 22), HTTP (port 80), and HTTPS (port 443). Consider restricting SSH access to specific IP addresses. See Firewall Configuration for more details.
2. MediaWiki Specific Security Considerations
Once MediaWiki is installed, additional security measures are required.
2.1 Secure `LocalSettings.php`
The `LocalSettings.php` file contains sensitive configuration information, including your database credentials.
- **Permissions:** Set restrictive permissions on `LocalSettings.php` (e.g., `chmod 600 LocalSettings.php`). This ensures only the web server user can read and write to the file.
- **Database Credentials:** Use strong, unique passwords for your database user. Avoid using the root user for the MediaWiki database.
- **`$wgSecretKey`:** A strong, randomly generated secret key is crucial for cookie encryption and session management. Update this key regularly. See Setting up LocalSettings.php for details.
- **`$wgUploadDirectory`:** Restrict access to the upload directory to prevent unauthorized file uploads.
- **User Privileges:** Grant the MediaWiki database user only the necessary privileges. Typically, this includes `SELECT`, `INSERT`, `UPDATE`, and `DELETE`. Avoid granting `CREATE` or `DROP` privileges.
- **Remote Access:** Restrict database access to the server running MediaWiki. Avoid allowing remote connections to the database from untrusted networks. See Database Configuration for further information.
- **Strong Passwords:** Enforce strong password policies for all user accounts. Consider using a password complexity extension.
- **Regular Audits:** Regularly review user accounts and permissions. Remove any inactive or unnecessary accounts.
- **Admin Accounts:** Limit the number of administrator accounts. Protect these accounts with two-factor authentication if possible. See User Management for more details.
- **Disable Directory Listing:** Prevent web servers from listing the contents of directories.
- **Hide Server Version:** Hide the web server version number from HTTP response headers.
- **SSL/TLS:** Use HTTPS (SSL/TLS) to encrypt all communication between the server and clients. Obtain a valid SSL certificate from a trusted Certificate Authority. See SSL Configuration for instructions.
- **`.htaccess` (Apache):** If using Apache, carefully review and restrict the use of `.htaccess` files. They can introduce security vulnerabilities if not configured correctly.
- **`php.ini`:** Configure `php.ini` to disable potentially dangerous functions (e.g., `exec`, `system`, `shell_exec`).
- **Error Reporting:** Disable detailed error reporting in production environments. Detailed error messages can reveal sensitive information.
- **File Uploads:** Limit the maximum file upload size and restrict the allowed file types. Scan uploaded files for malware.
- **Session Management:** Configure secure session management settings. Use strong session IDs and set appropriate session timeout values. See PHP Configuration for specifics.
- **Log Analysis:** Regularly review server logs (e.g., Apache/Nginx access and error logs, PHP error logs, system logs) for suspicious activity.
- **Intrusion Detection System (IDS):** Consider installing an IDS to detect and alert you to potential attacks.
- **Regular Backups:** Create regular backups of your entire server, including the database and MediaWiki files. Store backups in a secure location. See Backup and Restore for details.
- **Security Audits:** Periodically conduct security audits to identify and address vulnerabilities.
- MediaWiki Security Recommendations
- Configuring Apache with MediaWiki
- Configuring Nginx with MediaWiki
- Database Server Configuration
- User Rights Management
- Extension Security
- Error Handling
- Telegram: @powervps Servers at a discounted price
2.2 Database Security
2.3 User Account Security
3. Server Software Configuration
The underlying web server and PHP environment also require careful configuration.
3.1 Web Server Configuration (Apache/Nginx)
3.2 PHP Configuration
3.3 PHP Version
Always use a supported PHP version. Older versions often have known security vulnerabilities. Regularly update PHP to the latest stable release.
| PHP Version | Status | Security Support |
|---|---|---|
| 8.1 | Active | Supported until November 26, 2024. |
| 8.2 | Active | Supported until November 26, 2025. |
| 8.3 | Active | Supported until November 26, 2026. |
4. Monitoring and Logging
Regular monitoring and logging are crucial for detecting and responding to security incidents.
5. Useful Links
Category:Server Configurations
Intel-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Core i7-6700K/7700 Server | 64 GB DDR4, NVMe SSD 2 x 512 GB | CPU Benchmark: 8046 |
| Core i7-8700 Server | 64 GB DDR4, NVMe SSD 2x1 TB | CPU Benchmark: 13124 |
| Core i9-9900K Server | 128 GB DDR4, NVMe SSD 2 x 1 TB | CPU Benchmark: 49969 |
| Core i9-13900 Server (64GB) | 64 GB RAM, 2x2 TB NVMe SSD | |
| Core i9-13900 Server (128GB) | 128 GB RAM, 2x2 TB NVMe SSD | |
| Core i5-13500 Server (64GB) | 64 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Server (128GB) | 128 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Workstation | 64 GB DDR5 RAM, 2 NVMe SSD, NVIDIA RTX 4000 |
AMD-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Ryzen 5 3600 Server | 64 GB RAM, 2x480 GB NVMe | CPU Benchmark: 17849 |
| Ryzen 7 7700 Server | 64 GB DDR5 RAM, 2x1 TB NVMe | CPU Benchmark: 35224 |
| Ryzen 9 5950X Server | 128 GB RAM, 2x4 TB NVMe | CPU Benchmark: 46045 |
| Ryzen 9 7950X Server | 128 GB DDR5 ECC, 2x2 TB NVMe | CPU Benchmark: 63561 |
| EPYC 7502P Server (128GB/1TB) | 128 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/2TB) | 128 GB RAM, 2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/4TB) | 128 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/1TB) | 256 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/4TB) | 256 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 9454P Server | 256 GB RAM, 2x2 TB NVMe |
Order Your Dedicated Server
Configure and order your ideal server configurationNeed Assistance?
⚠️ *Note: All benchmark scores are approximate and may vary based on configuration. Server availability subject to stock.* ⚠️