Linode Community Forums
PostPosted: Wed Feb 15, 2012 10:39 am 
Senior Newbie

Joined: Wed Mar 30, 2011 3:26 pm
Posts: 10
I want to know if the distribution in the rebuild page is secured enough for production websites. I'm a Linux noob and I don't know how to set up a secure production web server. Please help me; I'm reading Hardening Linux by James Turnbull but I don't understand most of it because my basics in Linux security are not yet well established.

If you know a tutorial that can detail to me how to secure my production server, how to create users and groups in a secure way, and how to create a proper sudoers file, please tell me.

I'm also very confused about applications that must have their own user. For example, why must the nginx server be installed under the nginx user and group?

Do I need to remove unnecessary packages in the Ubuntu distro for a secure server?


PostPosted: Wed Feb 15, 2012 10:54 am 
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
rymngh wrote:
Hardening Linux by James Turnbull

That book is 7 years out of date, isn't it?

A lot of things differ between Linux distributions, so you should take any tutorial/book that isn't specific to your distribution with a grain of salt. For example, in Ubuntu, nginx is installed with "www-data" user and group by default. You don't need to do anything extra to assign it to its own user and group, because Ubuntu has already done it for you. Similarly, you just need to install the "sudo" package, and a recommended version of the sudoers file will be automatically installed. (Why else do you think people like Ubuntu so much? It makes life easier for sysadmins.)

The Linode Library contains many articles that are tailored for Ubuntu. These will usually work much better than anything generic that you find on Google. For example, here is the nginx guide for Ubuntu 11.10. Skip the section about compiling from source, since it is optional.

Also, OS templates from Linode usually don't include unnecessary packages.


PostPosted: Wed Feb 15, 2012 12:19 pm 
Senior Newbie

Joined: Wed Mar 30, 2011 3:26 pm
Posts: 10
hybinet wrote:
rymngh wrote:
Hardening Linux by James Turnbull

That book is 7 years out of date, isn't it?

A lot of things differ between Linux distributions, so you should take any tutorial/book that isn't specific to your distribution with a grain of salt. For example, in Ubuntu, nginx is installed with "www-data" user and group by default. You don't need to do anything extra to assign it to its own user and group, because Ubuntu has already done it for you. Similarly, you just need to install the "sudo" package, and a recommended version of the sudoers file will be automatically installed. (Why else do you think people like Ubuntu so much? It makes life easier for sysadmins.)

The Linode Library contains many articles that are tailored for Ubuntu. These will usually work much better than anything generic that you find on Google. For example, here is the nginx guide for Ubuntu 11.10. Skip the section about compiling from source, since it is optional.

Also, OS templates from Linode usually don't include unnecessary packages.


Yes, it is indeed out of date. However, I can't find any Linux security book out there with more than 4 stars on Amazon, therefore that was the one I bought.

Thank you for your suggestion.


PostPosted: Wed Feb 15, 2012 1:17 pm 
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
Yeah, it's hard to find physical books on IT-related topics that are well-received by the actual IT community. Besides, those things get outdated so quickly.

Here are the steps that I'd normally take, as far as users and permissions are concerned:

- Create a user that won't be used for any other purpose. (Don't use this user for day-to-day website management, only for server administration. Don't make it own any website files.)
- Change the user's shell to /bin/bash or some other powerful shell, because the default shell sucks.
- Give the user a long and complicated password.
- Create a public-private key pair for the user. Make sure that the passphrase to the private key is different from the user's own password.
- Test to confirm that you can SSH into the machine with the newly generated keys, without having to enter the password.
- Add this user to the sudoers file, just below root.
- Test to confirm that you can run sudo with this user. This time, you will need the user's password.
- Disable root login in /etc/ssh/sshd_config.
- Disable password authentication in /etc/ssh/sshd_config.
- Restart SSH. Test to confirm that your new user can perform all administrative tasks, such as installing and updating packages.
- Do the same for any other user that needs to log in for website management purposes, but don't add them to sudoers.

A few more things:

- Don't install phpmyadmin.
- Don't install FTP. Use SSH/SFTP for uploading files.
- Make your mail server send-only. See Linode Library for howto.
- Reduce Apache MaxClients to 15. (Not security-related, but good to do.)
- Keep your web apps (e.g. Drupal, WordPress) up to date. Don't forget to update all the plugins, too.
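After the two sshd_config changes in the list above, it is worth confirming what sshd will actually apply rather than trusting the edit. The following check is an added example, not from anyone in this thread; it assumes sshd's parsing rules (first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment) and runs with POSIX sh plus awk.

```shell
#!/bin/sh
# Added example, not from the thread: verify the two sshd_config changes in
# the list above (no root login, no password auth) the way a post-change
# check would. Assumes sshd's parsing rules: first occurrence of a keyword
# wins, keywords are case-insensitive, '#' starts a comment.

# Print the effective global value of keyword $2 in config file $1, or nothing
# if it is not set. Stops at the first "Match" block, since values there are
# conditional and do not change the global setting.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Report both settings; return 0 only when both are explicitly "no".
# An unset keyword counts as a finding, because the sshd default then applies
# (for PasswordAuthentication that default is "yes").
check_sshd_hardening() {
    fail=0
    root=$(sshd_effective "$1" PermitRootLogin)
    pass=$(sshd_effective "$1" PasswordAuthentication)
    case "$root" in
        no) echo "ok   PermitRootLogin no" ;;
        *)  echo "FAIL PermitRootLogin is '${root:-unset}'"; fail=1 ;;
    esac
    case "$pass" in
        no) echo "ok   PasswordAuthentication no" ;;
        *)  echo "FAIL PasswordAuthentication is '${pass:-unset}'"; fail=1 ;;
    esac
    return "$fail"
}

# Demo on a constructed file, not a real server's config: the commented-out
# line must be ignored, so the effective PermitRootLogin is "yes".
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
EOF
    check_sshd_hardening "$f"
    rm -f "$f"
}
demo
```

On a live box, run `check_sshd_hardening /etc/ssh/sshd_config` before restarting sshd, and keep the existing session open until the new user has logged in with a key.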


PostPosted: Wed Feb 15, 2012 2:36 pm 
Senior Newbie

Joined: Wed Mar 30, 2011 3:26 pm
Posts: 10
Thank you for your suggestion.

May I ask another question? Why not install phpMyAdmin? The Ubuntu server is for an nginx + WordPress setup. I'm not going to use it for sending mail. Should I bother setting up the mail server for send-only?


PostPosted: Wed Feb 15, 2012 3:06 pm 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
rymngh wrote:
… why not install phpMyAdmin?

It's a security risk, both in terms of unauthorised access to your databases and potential compromise of your system, unless you take careful precautions. Some of our servers run it, but it's only accessible to a few IP addresses and only over SSL/TLS or via a VPN.

_________________
/ Peter


PostPosted: Wed Feb 15, 2012 3:17 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
For most clients I stick munin/monit/phpMyAdmin behind an SSH tunnel. It's dead easy to set up and secure, since you need SSH access to reach them.

The most important point I'd say, beyond the basics of restricting SSH logins etc., is: keep your software up to date! Especially WordPress.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details, i.e. your domain; it just makes things harder
5. Be polite or you'll be eaten by a grue


PostPosted: Wed Feb 15, 2012 4:45 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
All fine advice, but you forgot the most important security advice there is: backup, backup, backup, then back up your backups.

Security is an ongoing process, not a one-shot config. As such, as a noob, it's not unexpected that your site will be compromised, or, just as likely, fubar'd by your own inexperience.

The only thing that will minimize the damage and time required to get back on line is full, complete, and tested backups.

Securing a public facing web site isn't rocket science, but the devil is in the details, and no book will teach you those.


PostPosted: Wed Feb 15, 2012 5:24 pm 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
rymngh wrote:
Should I bother setting up the mail server for send-only?


Yes. Your server likes to be able to e-mail you with the output of cron jobs, etc.

Once you get your system hostname set up properly (and have rebooted), then simply:

'apt-get install mailutils'

and bam, it'll be there.

_________________
Code:
/* TODO: need to add signature to posts */


PostPosted: Wed Feb 15, 2012 5:44 pm 
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
rymngh wrote:
Should I bother setting up the mail server for send-only?

Also, you may want your WordPress site (or any other app) to be able to send registration confirmation and password reminder e-mails.

As for the hostname that hoopycat mentioned, Linode configures the hostname and reverse DNS properly by default. If you didn't change the hostname and reverse DNS, e-mail will probably work fine. If you changed either, now you're in for a lot of headache.


PostPosted: Thu Feb 16, 2012 5:04 am 
Senior Newbie

Joined: Wed Mar 30, 2011 3:26 pm
Posts: 10
hybinet wrote:
rymngh wrote:
Should I bother setting up the mail server for send-only?

Also, you may want your WordPress site (or any other app) to be able to send registration confirmation and password reminder e-mails.

As for the hostname that hoopycat mentioned, Linode configures the hostname and reverse DNS properly by default. If you didn't change the hostname and reverse DNS, e-mail will probably work fine. If you changed either, now you're in for a lot of headache.


Thanks for the heads up. I won't change my hostname.

