Linux Dash is a lightweight web-based monitoring dashboard for Linux servers. It provides real-time system metrics through a simple web interface. As a monitoring tool with access to system information, Linux Dash requires proper security configuration to prevent unauthorized access and information disclosure. This guide covers security measures for production Linux Dash deployments.
Linux Dash architecture includes these security-sensitive components:
Key security concerns include web interface exposure, command execution security, system information disclosure, and module security.
Configure firewall rules for Linux Dash:
# Linux Dash web interface (default port 80/443)
ufw allow from 10.0.0.0/8 to any port 80 proto tcp
ufw allow from 10.0.0.0/8 to any port 443 proto tcp
# Block external access
ufw deny from any to any port 80 proto tcp
ufw deny from any to any port 443 proto tcp
# SSH tunnel for Linux Dash access
ssh -L 8080:localhost:80 admin@linux-dash-server
# Then access http://localhost:8080
Configure web server binding:
# /etc/apache2/sites-available/linux-dash.conf
<VirtualHost 10.0.1.100:443>
    ServerName linuxdash.company.com
    DocumentRoot /var/www/html/linux-dash
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/linuxdash.crt
    SSLCertificateKeyFile /etc/ssl/private/linuxdash.key
    <Directory /var/www/html/linux-dash>
        Require ip 10.0.0.0/8 192.168.0.0/16
        Options -Indexes
        AllowOverride None
    </Directory>
</VirtualHost>
Configure reverse proxy:
# /etc/nginx/sites-available/linux-dash
server {
    listen 80;
    server_name linuxdash.company.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name linuxdash.company.com;
    ssl_certificate /etc/nginx/certs/linuxdash.crt;
    ssl_certificate_key /etc/nginx/certs/linuxdash.key;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Configure HTTP authentication:
# /etc/apache2/sites-available/linux-dash.conf
<Directory /var/www/html/linux-dash>
    AuthType Basic
    AuthName "Linux Dash Access"
    AuthUserFile /etc/linux-dash/.htpasswd
    # Bare Require lines are OR-ed (implicit RequireAny); RequireAll demands both
    <RequireAll>
        Require valid-user
        Require ip 10.0.0.0/8
    </RequireAll>
</Directory>
Manage users:
# Create admin user
htpasswd -c /etc/linux-dash/.htpasswd admin
# Add additional users
htpasswd /etc/linux-dash/.htpasswd username
If using the Node.js version with built-in auth:
// config.js
module.exports = {
    auth: {
        enabled: true,
        username: 'admin',
        password: '${HASHED_PASSWORD}'
    },
    session: {
        timeout: 3600,
        secure: true
    }
};
Configure user roles (if supported):
Role Permissions:
- admin: Full access including configuration
- operator: Can view all metrics
- viewer: Read-only access to dashboards
Secure API endpoints:
# Nginx configuration
location /server/ {
    auth_basic "API Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:8080;
}
location /modules/ {
    auth_basic "Module Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:8080;
}
Configure HTTPS:
# /etc/apache2/sites-available/linux-dash-ssl.conf
<VirtualHost *:443>
    ServerName linuxdash.company.com
    DocumentRoot /var/www/html/linux-dash
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/linuxdash.crt
    SSLCertificateKeyFile /etc/ssl/private/linuxdash.key
    SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    # Security headers (the Header directive requires mod_headers)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    <Directory /var/www/html/linux-dash>
        Options -Indexes
        AllowOverride None
        # "Require all granted" admits every client; this block on its own
        # applies no IP or authentication restriction
        Require all granted
    </Directory>
</VirtualHost>
Generate and manage certificates:
# Generate self-signed certificate
openssl req -new -x509 -days 365 -nodes \
-out /etc/ssl/certs/linuxdash.crt \
-keyout /etc/ssl/private/linuxdash.key \
-subj "/CN=linuxdash.company.com/O=Company"
# Or use Let's Encrypt
certbot --apache -d linuxdash.company.com
Secure PHP application:
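; /etc/php/8.1/apache2/php.ini
; (php.ini comments start with ";"; "#" comments are not supported since PHP 7.0)
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
; Disable dangerous functions
; (with exec listed here, the allowlisted exec() call in modules/system/details.php cannot run)
disable_functions = exec,passthru,shell_exec,system,proc_open,popen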
Secure shell command execution:
// modules/system/details.php
// Bad - Never execute unsanitized input
// exec($_GET['command']);
// Good - Use predefined commands only
$allowed_commands = [
    'uptime' => 'uptime',
    'memory' => 'free -m',
    'disk' => 'df -h',
];
// The request only selects a key; the parameter name "action" is an assumption
$action = $_GET['action'] ?? '';
if (is_string($action) && isset($allowed_commands[$action])) {
    exec($allowed_commands[$action], $output);
}
Secure module loading:
// index.php
// Whitelist allowed modules
$allowed_modules = [
    'system',
    'memory',
    'cpu',
    'network',
    'disk',
];
// Strict comparison: only an exact string from the list selects a file
$module = $_GET['module'] ?? '';
if (in_array($module, $allowed_modules, true)) {
    include __DIR__ . "/modules/{$module}/index.php";
}
Limit exposed system information:
// config.php
// Disable sensitive modules
$disabled_modules = [
    'users',      // User information
    'processes',  // Process details
    'logs',       // System logs
];
// Limit output detail
$max_output_lines = 100;
Protect Linux Dash configuration:
# Set restrictive permissions
chown root:www-data /var/www/html/linux-dash/config.php
chmod 640 /var/www/html/linux-dash/config.php
# Encrypt sensitive configuration
# (gpg -c writes config.php.gpg beside the original and leaves the plaintext file in place)
gpg -c /var/www/html/linux-dash/config.php
Secure sensitive credentials:
// config.php
// Bad - Never store plaintext credentials
// $api_key = 'SecretKey123';
// Good - Use environment variables
$api_key = getenv('LINUX_DASH_API_KEY');
// Or use external secrets file
if (file_exists('/etc/linux-dash/secrets.php')) {
    include '/etc/linux-dash/secrets.php';
}
Protect secrets file:
# Set restrictive permissions
chown root:www-data /etc/linux-dash/secrets.php
chmod 640 /etc/linux-dash/secrets.php
Secure log files:
# Set restrictive permissions
chown www-data:adm /var/log/linux-dash
chmod 750 /var/log/linux-dash
# Configure log rotation
cat > /etc/logrotate.d/linux-dash << EOF
/var/log/linux-dash/*.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 640 www-data adm
}
EOF
Restrict file access:
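# Deny access to sensitive files
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
# .php is left out of this pattern: denying it would also block index.php
<FilesMatch "\.(inc|sql|log|conf|sh)$">
    Require all denied
</FilesMatch>
# config.php is only ever included by other scripts, never requested directly
<Files "config.php">
    Require all denied
</Files>
<Directory /var/www/html/linux-dash>
    Options -Indexes
</Directory>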
Enable logging:
// config.php
$log_enabled = true;
$log_file = '/var/log/linux-dash/linux-dash.log';
$log_level = 'INFO';
// Audit logging
$audit_enabled = true;
$audit_file = '/var/log/linux-dash/audit.log';
Configure web server access logging:
# /etc/apache2/sites-available/linux-dash.conf
CustomLog /var/log/apache2/linux-dash_access.log combined
ErrorLog /var/log/apache2/linux-dash_error.log
Monitor for security events:
#!/bin/bash
# /usr/local/bin/check-linuxdash-security.sh
LOG=/var/log/apache2/linux-dash_access.log
# Check for failed authentication (status code is field 9 of the combined format)
FAILED_AUTH=$(awk '$9 == 401 { n++ } END { print n + 0 }' "$LOG" 2>/dev/null)
if [ "${FAILED_AUTH:-0}" -gt 10 ]; then
    echo "CRITICAL: Multiple authentication failures"
    exit 2
fi
# Check for command injection attempts in the request target (field 7) only;
# single quotes keep \$ a literal dollar sign instead of an end-of-line anchor
INJECTION=$(awk '{ print $7 }' "$LOG" 2>/dev/null | grep -cE '(\.\./|;|\||\$)')
if [ "${INJECTION:-0}" -gt 5 ]; then
    echo "CRITICAL: Possible command injection attempts"
    exit 2
fi
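The two checks from the monitoring script above, taken further in an added example (not part of Linux Dash or of the original guide): 401 responses are counted per client from the status field, and the metacharacter match is limited to the request target and also covers percent-encoded forms. The log lines are constructed sample data and the thresholds are assumptions.

```bash
#!/bin/bash
# Added example: per-client triage of an Apache "combined" access log.
# Field positions assume the combined format: $1 client, $7 request
# target, $9 status. Every log line below is constructed sample data.

sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /server/?module=cpu HTTP/1.1" 401 381 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /server/?module=cpu HTTP/1.1" 401 381 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "GET /server/?module=cpu HTTP/1.1" 401 381 "-" "curl/8.0"
10.0.1.20 - admin [10/May/2024:10:00:04 +0000] "GET /server/?module=memory HTTP/1.1" 200 401 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/May/2024:10:00:05 +0000] "GET /?module=..%2F..%2Fconfig HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.9 - - [10/May/2024:10:00:06 +0000] "GET /server/?module=disk%3Buptime HTTP/1.1" 401 381 "-" "curl/8.0"
EOF
}

# Print "client count" for each client with more than $1 responses of
# status 401. A byte count of 401 (fourth sample line) is not counted.
auth_failures_by_ip() {
    awk -v max="$1" '
        $9 == 401 { n[$1]++ }
        END { for (ip in n) if (n[ip] > max) print ip, n[ip] }' | sort
}

# Print "client target" for requests whose target holds ../ ; | or $,
# written literally or percent-encoded (%2e%2e%2f, %3b, %7c, %24).
# Only field 7 is inspected, so the ";" in User-Agent strings is ignored.
suspicious_requests() {
    awk '{ t = tolower($7) }
         t ~ /(\.\.|%2e%2e)(\/|%2f)|;|%3b|\||%7c|\$|%24/ { print $1, $7 }'
}

# Thresholds are assumptions; tune them to the deployment.
echo "Clients with more than 2 authentication failures:"
sample_log | auth_failures_by_ip 2
echo "Requests with shell or traversal metacharacters:"
sample_log | suspicious_requests
```

To run it against the real log, replace `sample_log |` with `< /var/log/apache2/linux-dash_access.log` after each function call.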
Forward logs to SIEM:
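# /etc/rsyslog.d/linux-dash.conf
# Apache writes these files itself, so imfile reads them in; Tag and Facility values are examples
module(load="imfile")
input(type="imfile" File="/var/log/apache2/linux-dash_access.log" Tag="linux-dash-access:" Facility="local6")
input(type="imfile" File="/var/log/apache2/linux-dash_error.log" Tag="linux-dash-error:" Facility="local6")
local6.* @siem.company.com:514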