Capstone Project: LAMP Server Secure Design
Georgian College Computer Studies offers several courses that require students to use a hosted LAMP server (Linux, Apache, MySQL, PHP) for their assignments and projects. This hosted LAMP server is located in Computer Studies' own data center and may be deployed as a single VM administered and managed by the Computer Studies Academic Technicians.
End-user Requirements
- End-users (students and instructors) will be working with PHP and web applications, each requiring their own hosted site
- End-users will require FTP access to manage files for their site
- End-users require access to their own MySQL database tables. This access is used to create and deploy PHP applications on end-user sites, or the database may be accessed through client software (such as MySQL Workbench)
Administrative Requirements
- The LAMP server is administered by Computer Studies Academic Technicians
- Administrators are required to manage end-user accounts. Each semester instructors provide the list of students that need access. Typical numbers are around 450 end-users including students and instructors.
- Administrators are given the following information in the list:
- First and Last name, Student ID, Email
- The LAMP server needs to be compliant with CIS Benchmarks
- Server is in an environment where logs and CIS compliance are monitored using the Wazuh Server
Environment and Network Architecture
You are required to deploy the LAMP server in an existing network architecture. The following interfaces and networks are available to your server:
- Public IP address via One-to-one NAT (Public Interface to the Internet)
- An Internal Network for logging, monitoring, and private access to the server via VPN
- The Wazuh server is located on this network. Logging, monitoring, and auditing are done through this network
Please Note: The scope of your responsibilities only includes the secure design of the LAMP server itself, as you do not have access or control over the existing architecture. However, you are welcome to provide recommendations and suggestions to accommodate or further harden the security of your proposed deployment.

Deliverables
Your Responsibilities for This Project
- Design and Implement LAMP Proof of Concept (PoC) server fit for use and utility as per the requirements
- Ubuntu Server (LTS version) with Apache, PHP, MySQL, and an FTP(S) server
- Test your LAMP server in a VM with two network adapters, and with Wazuh, to ensure CIS compliance and to test and validate your design
- Environment is similar to the configuration of our lab system, representing the internet connection and the internal network
- Balance Security and Usability
- Consider the end-users' point of view and how they will access and use the server. Assume users do not have any knowledge of Linux servers (most web developers do not, and use hosted services).
- Consider administration
- Ensure that the server remains compliant and maintains a consistent configuration for the lifetime of the server (many semesters over several years)
Your Submission
Provide a written document explaining your proposals and your secure design. Additionally, provide information or instructions on how end-users and administrators are expected to use and operate the system.
Your written report can include the following:
- Specific security features and designs
- Controls and mitigations for perceived and real risks
- Residual Risks (You may include a Risk Assessment Report for your proposed design in your Appendix)
- Server Administration, Management, and Maintenance, explaining how the system is designed to be used. For example:
- Provide procedures, guidelines or policies for the system administrators
- Include instructions on how to manage end-user accounts and access (how end-user accounts are added or removed, and how credentials are created and managed)
- How account credentials are distributed (for example how usernames and passwords are distributed to end users)
- End-user access to service (how your server is designed to be used)
- How students and teachers are expected to access services provided on this server (provide instructions that can be given to end-users)
- Explanations for any failed CIS benchmark recommendations, and any residual risks
- You may include any configuration snippets, screenshots, or sample scripts in your Appendix
- Your report must demonstrate that all system and user requirements are met and your PoC server is fit for purpose and utility as described.
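One way to turn the account-management requirement (a roster of first name, last name, student ID and email for around 450 end-users each semester) into a repeatable administrator procedure is a script that reads the roster and emits a reviewable provisioning plan: one SFTP-only Linux account, one per-user site and one MySQL database per end-user, with credentials kept separate for out-of-band distribution. The following is an added example written for this page, not code from the assignment or from Georgian College. The paths (`/srv/sites`), the `sftpusers` group, the `lamp.example.edu` domain, the use of mod_php, and MySQL accounts bound to `localhost` are assumptions of this example; the roster rows are constructed.

```python
"""Roster-driven provisioning plan for the LAMP PoC server (added example).

Reads the per-semester roster (first name, last name, student ID, email) and
emits the shell, SQL and Apache fragments that give each end-user one
SFTP-only Linux account, one site and one MySQL database, plus credentials to
hand out. Nothing is executed here: the technician reviews, then applies it.
"""
import csv
import io
import re
import secrets
import string

SITES_ROOT = "/srv/sites"          # assumed: parent of per-user homes
SFTP_GROUP = "sftpusers"           # assumed: group sshd chroots via "Match Group"
SITE_DOMAIN = "lamp.example.edu"   # assumed: one hostname per user site

# Constructed sample roster in the layout administrators receive each semester.
ROSTER_CSV = """first,last,student_id,email
Ada,Lovelace,200123456,alovelace@example.edu
Grace,Hopper,200654321,ghopper@example.edu
"""


def derive_username(student_id: str) -> str:
    """'s' + student ID: unique, stable across semesters, and safe to splice
    into shell and SQL because it contains only letters and digits."""
    if not re.fullmatch(r"\d{6,12}", student_id):
        raise ValueError(f"unexpected student ID: {student_id!r}")
    return f"s{student_id}"


def generate_password(length: int = 16) -> str:
    """CSPRNG password from letters and digits only, so it needs no quoting
    in the SQL below and works in any FTP or MySQL client."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parse_roster(text: str) -> list[dict]:
    """Reject an incomplete row up front rather than half-creating an account."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for line_no, row in enumerate(rows, start=2):
        if not all(row.get(k) for k in ("first", "last", "student_id", "email")):
            raise ValueError(f"roster line {line_no}: incomplete row {row}")
    return rows


def system_account_commands(user: str) -> list[str]:
    """No login shell; home owned by root so sshd accepts it as the SFTP
    chroot; setgid public_html so uploads are readable by Apache (www-data)
    and by nobody else."""
    home = f"{SITES_ROOT}/{user}"
    return [
        f"useradd --create-home --home-dir {home} --shell /usr/sbin/nologin "
        f"--groups {SFTP_GROUP} {user}",
        f"chown root:root {home} && chmod 755 {home}",
        f"install -d -o {user} -g www-data -m 2750 {home}/public_html",
    ]


def mysql_statements(user: str, password: str) -> list[str]:
    """One database per user, rights limited to that database. Host part is
    'localhost' on the assumption that client tools reach MySQL via a tunnel."""
    return [
        f"CREATE DATABASE IF NOT EXISTS `{user}`;",
        f"CREATE USER IF NOT EXISTS '{user}'@'localhost' IDENTIFIED BY '{password}';",
        f"GRANT ALL PRIVILEGES ON `{user}`.* TO '{user}'@'localhost';",
    ]


def apache_vhost(user: str) -> str:
    """Per-user HTTPS virtual host (mod_php assumed). open_basedir confines PHP
    file access to the site; certificate directives are assumed server-wide."""
    docroot = f"{SITES_ROOT}/{user}/public_html"
    return (
        f"<VirtualHost *:443>\n"
        f"    ServerName {user}.{SITE_DOMAIN}\n"
        f"    SSLEngine on\n"
        f"    DocumentRoot {docroot}\n"
        f'    php_admin_value open_basedir "{docroot}:/tmp"\n'
        f"    <Directory {docroot}>\n"
        f"        Options -Indexes -ExecCGI\n"
        f"        AllowOverride None\n"
        f"        Require all granted\n"
        f"    </Directory>\n"
        f"</VirtualHost>\n"
    )


def build_plan(roster_text: str) -> dict:
    """Assemble the plan. 'credentials' is the only place a password sits next
    to its recipient; 'chpasswd' lines go to chpasswd on stdin, never argv."""
    plan = {"shell": [], "chpasswd": [], "sql": [], "vhosts": {}, "credentials": []}
    for row in parse_roster(roster_text):
        user = derive_username(row["student_id"])
        password = generate_password()
        plan["shell"] += system_account_commands(user)
        plan["chpasswd"].append(f"{user}:{password}")
        plan["sql"] += mysql_statements(user, password)
        plan["vhosts"][f"{user}.conf"] = apache_vhost(user)
        plan["credentials"].append(
            {"email": row["email"], "username": user, "password": password})
    return plan
```

Removing a student at semester end is the reverse of the plan: `userdel`, `DROP USER` and `DROP DATABASE`, and deleting the vhost file, driven by the same roster diff. The SQL and chpasswd outputs contain passwords and should be written to root-only files, applied, and then deleted.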
Submission to Blackboard
- One written proposal and appendix in PDF Format
- Wazuh Report of the CIS Compliance from your proof of concept VM, exported in CSV format
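The brief asks for the Wazuh CIS export in CSV and, separately, for an explanation of every failed benchmark item. A small reconciliation step keeps those two deliverables consistent: it lists failed checks that still lack a written justification, and flags justifications whose check no longer fails (which usually means a control changed and the explanation is stale). The following is an added example written for this page, not a Wazuh tool or part of the assignment. The column names `id`, `title` and `result` are assumptions about the export layout, and the sample rows are constructed rather than real benchmark entries.

```python
"""Reconcile the Wazuh CIS export with the written list of explained failures
(added example). Column names are assumed; adjust to the actual export."""
import csv
import io

# Constructed sample rows; IDs and titles are illustrative, not real benchmark items.
WAZUH_CSV = """id,title,result
1.1,Ensure unused filesystems are disabled,passed
2.1,Ensure FTP server is not installed,failed
3.1,Ensure remote root login is disabled,passed
4.1,Ensure no world-writable files exist,failed
"""

# Justifications the report carries for deliberate non-compliance (constructed).
EXPLANATIONS = {
    "2.1": "FTP(S) access is an end-user requirement; TLS-only with per-user chroot.",
}


def failed_checks(csv_text: str) -> list[dict]:
    """Return the export rows whose result is 'failed' (case-insensitive)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["result"].strip().lower() == "failed"]


def reconcile(csv_text: str, explanations: dict) -> dict:
    """Split failures into explained and unexplained, and report explanations
    for checks that no longer fail so the exclusions list stays current."""
    failed = {r["id"]: r["title"] for r in failed_checks(csv_text)}
    return {
        "explained": sorted(i for i in failed if i in explanations),
        "unexplained": sorted(i for i in failed if i not in explanations),
        "stale": sorted(i for i in explanations if i not in failed),
        "titles": failed,
    }


def ready_to_submit(csv_text: str, explanations: dict) -> bool:
    """True only when every failed item has a written explanation."""
    return not reconcile(csv_text, explanations)["unexplained"]
```

Running this against each new export before submission gives the exclusions list the same lifecycle as the configuration itself: a check that starts failing after a change is caught as unexplained rather than silently shipped in the CSV.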
Grading Scheme
Secure Design Features: (/20)
Risk Assessment Results/Residual Risks: (/20)
- Either provide one, or provide enough information so I can do one myself
- Highest risks are addressed or mitigated, Residual Risks are low
Ease of use and instructions:
- Administration (/20)
- Student/Users (/20)
Other issues/problems (Potential Negative Score):
CIS Benchmarks:
- Full CIS Benchmark report is provided in CSV (/10)
- List of Exclusions and failed items explained (/10)