I want to know if the distribution in the rebuild page secured enough for production websites. I'm a linux noob and i dont know how to set up a secure production web server.. please help me, i'm reading hardening linux by james turnbull but i don't understand most of it because my basics in linux security is not yet well established.

if you know a tutorial that can detail me how to secure my production server, how to create users, groups in a secure way,how to create a proper sudoer file. please tell me

im also very confused in applications that must have its own user. for example why does nginx server must be installed in the nginx user and group?

do i need to remove unnecessary packages in the ubuntu distro for a secure server?

That book is 7 years out of date, isn't it?

A lot of things differ between Linux distributions, so you should take any tutorial/book that isn't specific to your distribution with a grain of salt. For example, in Ubuntu, nginx is installed with "www-data" user and group by default. You don't need to do anything extra to assign it to its own user and group, because Ubuntu has already done it for you. Similarly, you just need to install the "sudo" package, and a recommended version of the sudoers file will be automatically installed. (Why else do you think people like Ubuntu so much? It makes life easier for sysadmins.)

The Linode Library contains many articles that are tailored for Ubuntu. These will usually work much better than anything generic that you find on Google. For example, here is the nginx guide for Ubuntu 11.10. Skip the section about compiling from source, since it is optional.

Also, OS templates from Linode usually don't include unnecessary packages.

yes. it is indeed out of date. however i can't find any linux security book out there with more than 4 stars in amazon therefore that was the one i bought.

thank you for your suggestion.

Yeah, it's hard to find physical books on IT-related topics that are well-receive by the actual IT community. Besides, those things get outdated so quickly.

Here are the steps that I'd normally take, as far as users and permissions are concerned:

- Create a user that won't be used for any other purpose. (Don't use this user for day-to-day website management, only for server administration. Don't make it own any website files.)
- Change the user's shell to /bin/bash or some other powerful shell, because the default shell sucks.
- Give the user a long and complicated password.
- Create a public-private key pair for the user. Make sure that the passphrase to the private key is different from the user's own password.
- Test to confirm that you can SSH into the machine with the newly generated keys, without having to enter the password.
- Add this user to the sudoers file, just below root.
- Test to confirm that you can run sudo with this user. This time, you will need the user's password.
- Disable root login in /etc/ssh/sshd_config.
- Disable password authentication in /etc/ssh/sshd_config.
- Restart SSH. Test to confirm that your new user can perform all administrative tasks, such as installing and updating packages.
- Do the same for any other user that needs to log in for website management purposes, but don't add them to sudoers.

A few more things:

- Don't install phpmyadmin.
- Don't install FTP. Use SSH/SFTP for uploading files.
- Make your mail server send-only. See Linode Library for howto.
- Reduce Apache MaxClients to 15. (Not security-related, but good to do.)
- Keep your web apps (e.g. Drupal, WordPress) up to date. Don't forget to update all the plugins, too.

thank you for your suggestion.

may i ask another question? why not install phpmyadmin? the ubuntu server is for nginx + wordpress install setup. im not going to use it for sending mails. should i bother setting up the mail server for send-only?

It's a security risk, both in terms of unauthorised access to your databases and potential compromise of your system, unless you take careful precautions. Some of our servers run it, but it's only accessible to a few IP addresses and only over SSL/TLS or via a VPN.

_________________
/ Peter

For most clients I stick munin/monit/phpmyadmin behind a SSH tunnel, it's dead easy to set up and secure since you need SSH access to access them.

The most important point I'd say beyond the basics of restricting ssh logins etc is keep your software up to date! Especially wordpress.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

All fine advice, but you forgot the most important security advice there is - Backup, Backup, Backup - then backup your backups.

Security is an ongoing process, not a one shot config. As such, as a noob, it's not unexpected that your site will be compromised. Or just as likely, fubar'd by your own inexperience.

The only thing that will minimize the damage and time required to get back on line is full, complete, and tested backups.

Securing a public facing web site isn't rocket science, but the devil is in the details, and no book will teach you those.

Yes. Your server likes to be able to e-mail you with the output of cron jobs, etc.

Once you get your system hostname set up properly (and have rebooted), then simply:

'apt-get install mailutils'

and bam, it'll be there

_________________

/* TODO: need to add signature to posts */

Also, you may want your WordPress site (or any other app) to be able to send registration confirmation and password reminder e-mails.

As for the hostname that hoopycat mentioned, Linode configures the hostname and reverse DNS properly by default. If you didn't change the hostname and reverse DNS, e-mail will probably work fine. If you changed either, now you're in for a lot of headache.

thanks for the heads up. i wont change my hostname.