Ubuntu – How to properly secure Unicorn/RoR server on ubuntu? Or, harden RoR application stack

Tags: apache-2.2, apparmor, ruby-on-rails, ubuntu, unicorn

I have a few Unicorn servers running on Ubuntu 12.04 and I am looking to secure them against exploits which give remote shell.

My main concern is whether it makes sense to deploy ModSecurity.

Another thing is that I have seen Unicorn typically runs from port 8080, and it's forwarded to Apache/Nginx server port 80, which serves as a reverse proxy.

I was thinking that I could employ the following:

  • ModSecurity on Apache
  • Apache as worker (threaded) with mod_qos, to prevent an excessive number of requests from any host
  • Run the Unicorn server as a designated user and isolate it through AppArmor, or SELinux if it's Red Hat/CentOS

I would like to know if there is another hardening framework / patch for RoR like PHP Suhosin.

Best Answer

I would start with the Ruby on Rails Security Guide.

> I am looking to secure them against exploits which give remote shell.

Pay attention to the File Uploads section.

  • Make sure file uploads don't overwrite important files
  • Validate file name
  • Use plugins: attachment_fu or paperclip
  • Never allow users to upload: .php, .cgi,...
  • Set appropriate Content-Type HTTP header
  • Put file uploads outside of /public directory

You can also scan your Rails code for vulnerabilities using Brakeman:

gem list -d brakeman

*** LOCAL GEMS ***

brakeman (1.8.0)
    Author: Justin Collins
    Homepage: http://brakemanscanner.org
    Installed at: /usr/lib/ruby/gems/1.8

    Security vulnerability scanner for Ruby on Rails.
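
The upload checklist from the answer above, sketched in plain Ruby as an added example (it is not part of the original answer and is not attachment_fu or paperclip code). The allowlist contents and the names `sanitize_filename`, `store_upload` and `UploadRejected` are assumptions made for illustration.

```ruby
require "fileutils"
require "securerandom"
require "tmpdir"

# Assumed allowlist: extension => Content-Type to send when the file is served.
ALLOWED_TYPES = {
  ".png" => "image/png",
  ".jpg" => "image/jpeg",
  ".pdf" => "application/pdf"
}.freeze

class UploadRejected < StandardError; end

# Drop any client-supplied directory part (Unix or Windows separators),
# replace everything outside [A-Za-z0-9_.-], and strip leading dots.
def sanitize_filename(raw)
  name = raw.to_s.scrub("_").split(%r{[\\/]}).last.to_s
  name = name.gsub(/[^\w.\-]/, "_").sub(/\A\.+/, "")
  raise UploadRejected, "empty file name" if name.empty?
  name
end

# Write the upload into upload_dir, which the caller places outside /public.
# Returns the stored path and the Content-Type to use when serving it.
def store_upload(upload_dir, client_name, data)
  name = sanitize_filename(client_name)
  ext  = File.extname(name).downcase
  content_type = ALLOWED_TYPES.fetch(ext) do
    raise UploadRejected, "extension #{ext.inspect} is not allowed"
  end

  FileUtils.mkdir_p(upload_dir, mode: 0o700)
  # A random prefix keeps two uploads with the same name from colliding.
  path = File.join(upload_dir, "#{SecureRandom.hex(8)}_#{name}")

  # File::EXCL makes creation fail instead of overwriting an existing file.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(data)
  end
  { path: path, content_type: content_type }
end
```

Send the returned `content_type` when serving the file from a controller, rather than trusting the type the client declared at upload time.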