
I'm a developer who is looking to put a new service on the Internet. I am new to administering systems and frankly I seem a little lost at where I should start with putting something on the web.

My application works fine on my machine, and I'm sure I can make it work fine on any box I put it on. But the security of that box is pretty important.

What are the things I'm going to need to know to prevent my service from getting hacked to shreds? Links to solid resources are fine by me! I'm okay with a non-specific answer. I would love even just a starting point.

If I sign up for a standard hosting package (let's say from GoDaddy or something) can I simply tell them "make port 12345 open for communication" and let them handle the rest of the security details?

Thanks!

Zoredache
corsiKa
  • I'm actually okay with a non-specific answer. I would love even just a starting point. This is the type of thing I as a developer used to say "well that's a Systems problem" about and they just handled it, except that in a personal venture, there is no Systems team. – corsiKa Mar 15 '11 at 00:02
  • The problem with that is that this is a Q&A site, not a discussion site. In its current form, this is entirely a discussion question. – MDMarra Mar 15 '11 at 00:35
  • @MarkM it's not a discussion at all. It's asking "Where can I find the basics?" From the FAQ: `If your motivation for asking the question is "I would like to participate in a discussion about ______", then you should not be asking here. If your motivation is "I would like others to explain ______ to me", then you are probably OK.` I'm not looking for someone to write a thousand page essay for me. I am looking for a place to start from. Perhaps there's someone who has been in the same boat as I have. – corsiKa Mar 15 '11 at 00:38
  • Zoredache (a mod) has already asked you to narrow down your question. I was just offering some insight into why this type of question is typically poorly received. Everyone here has been in the same boat as you when they were starting out; that's why we know that it's not an issue that can be addressed in the way that you're expecting it to. – MDMarra Mar 15 '11 at 00:51
  • If you're using a standard hosting package then you probably won't (i.e. I've never seen a webhost that does allow it) be able to run something on a port other than 80, or 443 if you have SSL enabled. Your options are a webhost that provides a VPS (virtual private server), dedicated hosting or a "cloud" service like Amazon's AWS or Rackspace. Security will mostly come down to your app, which will be open to the net. A little Googling will go a long way in terms of maintaining your server environment, and because you're already a programmer, you'll probably pick it up quickly. – Registered User Mar 15 '11 at 01:37

1 Answer


I am not sure what most vendors provide; personally I think it would be a good idea for you to verify everything, even if they do some of the work for you. Here is a general answer that you may be able to use as a checklist. It covers most of the major topics of what you'll find in almost every standard security reference.

Also please remember that while securing the OS/platform is important, the majority of security issues actually happen at the application level in the service that you will be exposing. This SANS article suggests that at least 60% of the incidents are the result of an Internet-facing service being compromised. So it is very important for you to make sure your application is not the problem.

Security checklist

Change defaults

  • Change passwords
  • Change ports for any remote administration interfaces
  • Adjust any commonly known usernames on systems that support renaming.

Remove any unneeded services and packages

  • Find out what is running, and disable and/or remove anything you don't need.
    • Some servers will come with web-based admin interfaces enabled. Disable them, or at least make sure that they can only be accessed by you.

Enable a host-based firewall

  • You may be protected by a network firewall as well, but security should be done in layers. Set up a firewall on the host and limit access to only what is required.
  • Use a default-deny rule set. Your firewall should block everything, and permit only the traffic that you explicitly know is good.

Set up any intrusion detection and prevention tools

  • If your system is running SSH, look at setting up something like denyhosts or fail2ban.
  • Set up rate limiting in your firewall so dictionary/brute force attacks are not possible.

Set up a system to monitor your availability

  • You want to be notified when something breaks. Set up a remote monitor or subscribe to a service that will monitor for you.

Set up a system so any logs and errors get to you

  • Ship any syslog or event log data to a remote site, or at least set up something like logcheck so that unusual behavior results in a notification being sent.

Come up with a plan on how you will be updating the system

  • Security is not something that can be done and then forgotten about. You need to be updating things. You probably should have a dev/testing server (VM?) that duplicates your production environment so you can test updates and then plan when/how you will be updating the production box.

Set up a backup system so you can restore when the worst happens

  • Failures and system compromises will happen. Setting up a good backup is what you will use to both detect that you have been compromised and repair the system if you have been.

Check with your ISP to see what will happen if you get hit by a DoS, and what they can do to help in the case the worst happens

  • Not all disruptive behavior results in your box being compromised. Your service can be brought offline remotely. Figure out if your ISP will be able to help you and how you will be able to get help when that happens.

Set up encryption where appropriate

  • Configure SSL/TLS for transmission of any PII.
  • Make sure any applications store any PII securely.
Zoredache
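The "intrusion detection and prevention" and "logs and errors get to you" items in the answer above are the ones most likely to leave a first-time admin wondering what the tool actually does. Below is an added example, not from the original answer or from fail2ban/logcheck, that shows the core of what fail2ban does for sshd: parse syslog-format authentication failures, count them per source address inside a sliding time window, and render the firewall command that would ban the offender. The log lines are constructed for the example; the year (syslog lines carry none), the nftables table `inet filter` and set name `banned` are assumptions, and nothing here touches the system, since the ban commands are returned as strings rather than executed.

```python
"""Minimal fail2ban-style sshd brute-force detector (added example).

Reads syslog-format sshd lines, counts "Failed password" events per source
IPv4 address inside a sliding window, and returns the nft commands that
would add each offender to a blocked set. Constructed input; no side effects.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog timestamps have no year, so one is assumed for parsing.
ASSUMED_YEAR = 2011

# Matches the two shapes of sshd password failures for IPv4 sources:
#   Failed password for root from 198.51.100.7 port 4110 ssh2
#   Failed password for invalid user admin from 198.51.100.7 port 4112 ssh2
# IPv6 sources and other failure messages are left out to keep the example small.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log: one fast brute force, one slow trickle of failures
# from a legitimate host, one successful login, one unrelated cron line.
SAMPLE_LOG = """\
Mar 15 00:01:02 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 4110 ssh2
Mar 15 00:01:04 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 4110 ssh2
Mar 15 00:01:07 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 4112 ssh2
Mar 15 00:01:09 web1 sshd[2105]: Failed password for invalid user oracle from 198.51.100.7 port 4114 ssh2
Mar 15 00:01:11 web1 sshd[2107]: Failed password for invalid user test from 198.51.100.7 port 4116 ssh2
Mar 15 00:02:30 web1 sshd[2110]: Accepted publickey for deploy from 203.0.113.10 port 50022 ssh2
Mar 15 00:05:00 web1 sshd[2112]: Failed password for deploy from 203.0.113.10 port 50030 ssh2
Mar 15 00:20:00 web1 sshd[2120]: Failed password for deploy from 203.0.113.10 port 50031 ssh2
Mar 15 00:35:00 web1 sshd[2130]: Failed password for deploy from 203.0.113.10 port 50032 ssh2
Mar 15 00:50:00 web1 sshd[2140]: Failed password for deploy from 203.0.113.10 port 50033 ssh2
Mar 15 01:05:00 web1 sshd[2150]: Failed password for deploy from 203.0.113.10 port 50034 ssh2
Mar 15 01:06:00 web1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_failure(line):
    """Return (timestamp, source_ip) for an sshd password failure, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def find_offenders(lines, max_failures=5, window_seconds=600):
    """Map each offending IP to the timestamp at which it crossed the threshold.

    An IP is flagged when it accumulates max_failures failures within any
    window_seconds span; older failures fall out of the window, so a slow
    trickle of mistakes from a legitimate host stays under the threshold.
    Each IP is flagged at most once.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins, other daemons, unrelated noise
        ts, ip = parsed
        if ip in flagged:
            continue
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures:
            flagged[ip] = ts
    return flagged


def ban_commands(offenders, set_name="banned"):
    """Render nft commands adding each offender to a set the input chain drops.

    Assumes table 'inet filter' and a named set of type ipv4_addr already
    exist in the ruleset (assumed names; adjust to the real configuration).
    """
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    for cmd in ban_commands(hits):
        print(cmd)
```

With the defaults (5 failures in 10 minutes) only 198.51.100.7 is flagged; the host trickling one failure every 15 minutes never has five inside a window. Widening the window to an hour flags it too, which is the trade-off any such tool forces you to choose: a short window and low threshold catch fast scanners, a long window catches patient ones but also your own fat-fingered logins, so pair the ban with an allowlist for the addresses you administer from.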
  • @Zoredache: The poster stated "standard hosting package" from "let's say GoDaddy or something", so most of what you posted in your answer won't apply, aside from being standard boilerplate that any IT admin, engineer or consultant worth his or her salt would know or anyone else could just Google. I don't see how this helps the poster. – Registered User Mar 15 '11 at 01:19
  • +1 For covering a lot of [good] ground. This answer could be this question's savior. – jscott Mar 15 '11 at 01:40
  • @Zoredache: Yes the question is somewhat vague, but so is your answer. Telling someone who doesn't know about firewalls "Hey, just add some firewall rules" won't help them unless they know how. "Setup a system to monitor your availability", but no suggestions as to how. "Setup any Intrusion detection and prevent tools" but again a vague generality (snort maybe?). "Remove any uneeded services and packages", also vague. Any major server distro won't have unneeded services. I'm running out of space for further comments but this is just info that's easily available with a simple search on the web. – Registered User Mar 15 '11 at 01:56
  • @Zoredache: I won't down vote it because I feel downvoting is reserved for truly negative or completely wrong answers. I just feel that your answer centers on generalities. I know it's difficult to provide answers on such broad topics as server security, but I feel some specific references or links to articles/pages that explain these issues would have been more helpful to the poster, rather than overloading the poster with security generalities. While what you posted is correct in a broad sense, it won't help the uninitiated, which is the purpose of this site. – Registered User Mar 15 '11 at 02:30
  • @Deleted To *"help the uninitiated"* sounds a lot different, to me, than what the [FAQ](http://serverfault.com/faq) states: *"...people who manage or maintain computers in a professional capacity."* I hope SF participants, as professionals, are able to research and distill generalities into useful knowledge for their specific application. – jscott Mar 15 '11 at 17:26
  • @Deleted I actually did find unneeded services running on my CentOS5 box. This answer will be very beneficial to me. Yes it's broad, but what I'm doing is broad. I can use this as a sort of checklist. I'm uninformed, but not hopeless. I can tackle each one of these one at a time, and ask pointed, specific questions if and when they arise. – corsiKa Mar 16 '11 at 02:53
  • @Zoredache I thank you many thanks for your patience with my broad question, and for taking the time to answer something that (even as you admitted) seemed unanswerable. I'm not going to pretend that your 10-point list will cover every possible scenario that will come up, but I will say it is a massive help. Answers like this, in my mind, are what SO and friends are all about. – corsiKa Mar 16 '11 at 02:55