Linux – n00bie Linode VPS – am I reasonably secure? How to audit

Tags: linux, security, ubuntu

Total Linux n00bie – first time VPS setup (Linode.com).

I've spent a month researching and attempting setups. After a few dumps and reinstalls, I finally have a server up and functioning (been up for a few weeks now). I'd love some feedback on my security measures from the experts.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Setup:
typical Ubuntu 10.04 LAMP environment

Console:
webmin (port 10000)

mail:
postfix (port 25)

security measures:

(following http://www.andrewault.net/2010/05/17/securing-an-ubuntu-server/ )

ssh via public/private keys (putty on a win7 machine)

PasswordAuthentication no
PermitRootLogin no

UFW

  • ufw default deny incoming
  • ufw default allow outgoing
  • ufw allow 80/tcp (http)
  • ufw allow 443/tcp (ssl)
  • ufw allow XXX/tcp (ssh custom port)
  • ufw allow 25 (mail server)
  • ufw allow 10000 (webmin)
  • ufw deny 22 (ssh default)
  • ufw deny 3306/tcp (mysql)
  • ufw enable

install fail2ban – disallow bruteforce attacks

disallow source routing of incoming packets

sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

install tiger – security scanner

install psad – intrusion detection

install nmap – port scanning

install chkrootkit – root kit presence

install logwatch

UPKEEP

regular (once or twice weekly)

apt-get update/upgrade
run psad, nmap, chkrootkit, logwatch, tiger

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Okay… so, as I said, I'm a complete newb with linux, but I've been involved in web technologies for many years (including many local WAMP / XAMPP installs and setups). Following Linode's basic cookbook entries, getting a server up and running wasn't too tough, but I did feel pretty over my head when it came to the security aspect of things (which is saying a lot, as I deal in complex tech commonly). Hell – if you are a pro with this stuff – props to you. It's hard.

After I got all the virtual server / dns entries ironed out, I was able to set up a few default site installs (drupal, wordpress), and they have been functioning as expected for several weeks now.

I can clearly see in the psad entries that UFW is doing its job – bouncing thousands of port scans, and I have yet to turn anything serious up with tiger. Though, reading the tiger security report, there are many warnings about system configurations that I'm really not sure if I should take steps to rectify. So there is question #1. For example – I get warnings that my passwords aren't properly hashed. Is this a problem if I have password authentication turned off?

That all being said – How confident can I be in this server setup? Is there a system or service I can use to audit my settings, or to do an automatic system scan? (Something like how you can scan a site for malware with google's web tools.) I'd like to migrate all my sites from shared hosting to this server, but I don't want to do it prematurely…

Any feedback would be most appreciated. I completely realize this question is pretty common, but I feel I've done my due diligence – I'd just like some guidance from the pros on this before I commit.
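An added example (not from the question or any answer on this page): a small POSIX shell audit that re-checks the settings listed in the question against saved copies of the configuration rather than trusting memory. It reads a copy of sshd_config, a dump of `sysctl -a` and a dump of `ufw status verbose`; the three sample files written below are constructed here so the script runs offline, and on a real host you would point it at /etc/ssh/sshd_config and the two dumps instead. The function names are the example's own.

```sh
#!/bin/sh
# Audit the hardening settings from the question against saved config dumps.
# Sample inputs below are constructed for this example, not captured from a host.

# sshd_setting FILE KEY: effective value of KEY in an sshd_config.
# sshd uses the first uncommented occurrence of a keyword, so stop at the first hit.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd FILE: both keys must be explicitly "no" (unset means sshd's default, which is not "no").
check_sshd() {
    ok=0
    for pair in "PasswordAuthentication no" "PermitRootLogin no"; do
        key=${pair% *}; want=${pair#* }
        got=$(sshd_setting "$1" "$key")
        [ "$got" = "$want" ] || { echo "sshd: $key is '${got:-unset}', expected '$want'"; ok=1; }
    done
    return $ok
}

# sysctl_value FILE KEY: value from a "key = value" dump as produced by sysctl -a.
sysctl_value() {
    awk -v key="$2" -F'[[:space:]]*=[[:space:]]*' '$1 == key { print $2; exit }' "$1"
}

# check_source_route FILE: both accept_source_route knobs from the question must be 0.
check_source_route() {
    ok=0
    for key in net.ipv4.conf.all.accept_source_route net.ipv4.conf.default.accept_source_route; do
        got=$(sysctl_value "$1" "$key")
        [ "$got" = "0" ] || { echo "sysctl: $key is '${got:-unset}', expected 0"; ok=1; }
    done
    return $ok
}

# ufw_action FILE PORT: ALLOW or DENY for a "To" column entry in a saved ufw status dump.
ufw_action() {
    awk -v port="$2" '$1 == port && ($2 == "ALLOW" || $2 == "DENY") { print $2; exit }' "$1"
}

# ufw_default_incoming FILE: the default incoming policy from "ufw status verbose".
ufw_default_incoming() {
    sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p' "$1"
}

# check_firewall FILE: default deny incoming plus the explicit rules from the question.
check_firewall() {
    ok=0
    [ "$(ufw_default_incoming "$1")" = "deny" ] || { echo "ufw: default incoming policy is not deny"; ok=1; }
    for pair in "80/tcp ALLOW" "443/tcp ALLOW" "22 DENY" "3306/tcp DENY"; do
        port=${pair% *}; want=${pair#* }
        got=$(ufw_action "$1" "$port")
        [ "$got" = "$want" ] || { echo "ufw: $port is '${got:-absent}', expected $want"; ok=1; }
    done
    return $ok
}

# audit_all DIR: run every check; nonzero if any setting drifted from the intended state.
audit_all() {
    rc=0
    check_sshd "$1/sshd_config" || rc=1
    check_source_route "$1/sysctl.txt" || rc=1
    check_firewall "$1/ufw.txt" || rc=1
    return $rc
}

# --- constructed sample dumps mirroring the settings in the question ---
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/sshd_config" <<'EOF'
# constructed sample sshd_config
PasswordAuthentication no
PermitRootLogin no
EOF
cat > "$SAMPLE/bad_sshd_config" <<'EOF'
# constructed sample where the hardening was left commented out
#PasswordAuthentication no
PermitRootLogin yes
EOF
cat > "$SAMPLE/sysctl.txt" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
EOF
cat > "$SAMPLE/ufw.txt" <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
25                         ALLOW IN    Anywhere
10000                      ALLOW IN    Anywhere
22                         DENY IN     Anywhere
3306/tcp                   DENY IN     Anywhere
EOF

audit_all "$SAMPLE" && echo "all checks passed"
check_sshd "$SAMPLE/bad_sshd_config" || echo "drifted sshd_config detected as expected"
```

On the live server, generate the inputs with `sudo cp /etc/ssh/sshd_config DIR/`, `sudo sysctl -a > DIR/sysctl.txt` and `sudo ufw status verbose > DIR/ufw.txt`, then run `audit_all DIR` from cron alongside logwatch so drift is reported, not just the initial state. Reading the sysctl values from a live dump matters because `sysctl -w` does not survive a reboot; the settings only persist if they are also in /etc/sysctl.conf, and the audit will show the difference the first time the box comes back up without them.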

Best Answer

It sounds like you're on the right track. If you end up getting compromised, it's most likely that it'll happen through vulnerabilities in your application software (you mentioned Wordpress and Drupal). To mitigate these risks, you need to keep abreast of any vulnerability announcements for those products (including any plugins/modules you have installed), and install patches as soon as possible.

Additionally, set up a bullet-proof backup system for the server and do test restores regularly. If you do get compromised, you're going to need to do a complete re-install of your server and data. If you have a good backup system, this process is much less painful.