
I'm not much of a server administrator but I'm maintaining a virtual server with Ubuntu OS where my website is hosted. I often use ssh, ftp and MySQL. As my website gets popular, I want to make sure the data and source code are secure. What are the things I should do?

For example, recently I decided to switch to login using SSH keys only for every user except for the root account. Probably, I should also do something similar for my database. I'm looking for good, easy things to implement.

Bruno Rohée
  • http://hardenubuntu.com/ try this one. As I don't use the Ubuntu/Linux crap I can't tell how up to date it is. – Dirk Apr 22 '15 at 20:57
  • possible duplicate of [Hardening Linux Server](http://security.stackexchange.com/questions/993/hardening-linux-server) – schroeder Apr 22 '15 at 21:00
  • Do you need to make MySQL available remotely? That's a big attack vector. If you can only access MySQL locally it will be more secure. – Neil Smithline Apr 22 '15 at 21:36
  • @NeilSmithline, yes I do connect to MySQL remotely through dbForge. I think I can restrict the range of IP addresses to allow remote connections from. Any other ideas? – Max Koretskyi Apr 23 '15 at 06:54
  • Your architecture doesn't use the standard [three tier architecture](https://en.wikipedia.org/wiki/Multitier_architecture#Three-tier_architecture). That architecture puts DB security in the logic layer so you have to work around that. Two-tier arch can make sense for smaller apps (presumably like yours). Restricting IPs seems a good idea. Changing to non-default port may help. Firewall rules. Strong DB passwords. Restricting DB admins to localhost only. Whatever you can think of. – Neil Smithline Apr 23 '15 at 14:21

1 Answer


You could start by reading about some (Ubuntu-specific) best practices, like:

  1. Closing unnecessary ports.
  2. Removing unnecessary packages.
  3. Setting up some basic iptables rules.
  4. Setting up a Web Application Firewall like mod_security.
  5. Look into DNS solutions like CloudFlare to prevent heavy load on your VPS processes in case of DDoS attacks.
  6. Working with SSH keys and/or setting up a two factor authentication method like Authy-SSH.
  7. Setting up downtime-monitoring like Pingdom or UptimeRobot.
  8. Do some software-specific security hardening, for example for Apache, PHP and MySQL.
  9. Get regularly tested by the use of vulnerability scanners and/or penetration testers.

It's important to regularly update all software packages and the Ubuntu kernel, and you can take a look into full disk encryption with LVM/LUKS.

I also recommend taking a look at http://hardenubuntu.com/ as user PolymathMonkey suggested.

Bob Ortiz
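An added example, not part of the original question or answer: a shell check of the two settings this thread discusses, SSH key-only login with root as the exception and a MySQL server reachable from other hosts. The function names, the sample configs and the pass/fail policy are assumptions of this example.

```bash
# Added example; function names and the pass/fail policy are assumptions.
# Effective GLOBAL value of an sshd_config keyword (config text on stdin).
# sshd keeps the first value it reads; lines after "Match" are conditional.
sshd_value() {
  awk -v key="$1" '
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }'
}
# Match blocks that set KEY, printed as "<criteria> => <value>".
sshd_match_overrides() {
  awk -v key="$1" '
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
    tolower($1) == "match" { $1 = ""; sub(/^ /, ""); crit = $0; next }
    crit != "" && tolower($1) == tolower(key) { print crit " => " tolower($2) }'
}
# bind-address from the [mysqld] section (my.cnf text on stdin); last one wins.
mysql_bind() {
  awk '
    { sub(/[#;].*/, ""); gsub(/[ \t]/, "") }
    /^\[/ { in_sec = (tolower($0) == "[mysqld]"); next }
    in_sec && /^bind[-_]address=/ { sub(/^[^=]*=/, ""); val = $0 }
    END { print (val == "" ? "unset" : val) }'
}
# usage: audit "<sshd_config text>" "<my.cnf text>"; returns 1 on any finding.
audit() {
  rc=0
  v=$(printf '%s\n' "$1" | sshd_value PasswordAuthentication)
  [ "$v" = no ] || { echo "ssh: global PasswordAuthentication=$v"; rc=1; }
  v=$(printf '%s\n' "$1" | sshd_match_overrides PasswordAuthentication | awk '/ => yes$/')
  [ -z "$v" ] || { echo "ssh: passwords re-enabled in Match block: $v"; rc=1; }
  v=$(printf '%s\n' "$1" | sshd_value PermitRootLogin)
  case "$v" in no|prohibit-password|without-password) ;;
    *) echo "ssh: PermitRootLogin=$v"; rc=1 ;; esac
  v=$(printf '%s\n' "$2" | mysql_bind)
  case "$v" in 127.0.0.1|::1|localhost) ;;
    *) echo "mysql: bind-address=$v (not loopback-only; restrict source IPs)"; rc=1 ;; esac
  return $rc
}
# Constructed samples: keys for everyone except root, MySQL on all interfaces.
SSHD_SAMPLE='PermitRootLogin yes
PasswordAuthentication no
Match User root
    PasswordAuthentication yes'
MYCNF_SAMPLE='[mysqld]
#bind-address = 127.0.0.1
bind-address = 0.0.0.0'
audit "$SSHD_SAMPLE" "$MYCNF_SAMPLE" || true
```

On a live host, pass the contents of `/etc/ssh/sshd_config` and the MySQL option file as the two arguments; `Include`d files are not followed. `sshd -T` prints the settings sshd itself resolved.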