Old 12-08-2003, 01:45 AM   #1
jtaylor75
LQ Newbie
 
Registered: Dec 2003
Posts: 3

Rep: Reputation: 0
Newbie Security Questions


Hi, I recently purchased the following Server from ValueWeb:


AMD Duron 1300
512MB RAM
60 GB IDE Hard Drive
500 GB Data Transfer
Red Hat Linux 7.3
Webppliance Basic

I'm about to launch a Music Loops Website. I am not a web designer. Therefore, I have hired a web designer to set up my corporation's site correctly. I have learned the hard way that web designers do not necessarily know proper security measures. Therefore I would appreciate it if anyone can give me steps to tell my web designer to take in order to secure my website's maximum protection from hackers. How do I set up the server to close the necessary ports? What is the best firewall/router setup? These are the kinds of things I need to know. I'm sorry if any of this is covered elsewhere. Thanks in advance to everyone who can help me. You can either post a response here, PM me or e-mail me if it's a long message.

Thanks!

Jon
 
Old 12-08-2003, 02:44 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
For starters, I would install a new OS. RH 7.3 is rather old and the applications supplied with it have been patched many times since that version came out. Also, Red Hat will no longer be supplying security updates for the Red Hat Linux products, unless you buy a commercial license (probably around $1,500 for what you want to do). One option would be to install Fedora Linux on it, which you can find from the Red Hat site. It's the unofficial RH 10.0, although it's not maintained by RH.

You could also install any number of other Linux distributions, perhaps by buying the "Power Pack" or "Pro" version of distros like Mandrake, or SuSE (they are much cheaper than a license for RH ES/AS). Just make sure that whatever you pick will let you download security updates from them. I know Mandrake does include security updates if you buy it (about $70 US for the Power Pack edition last time I bought it).

Once you have a new OS installed, make sure you download and install any available security updates. There have probably been a few more since the release version was burned to CD.

Next, check out this very informative resource for hundreds of links to security HOW-TOs, FAQs, etc... You'll most likely want to check out the *NIX security checklists and also the netfilter/iptables HOW-TOs.
 
Old 12-08-2003, 03:39 AM   #3
jtaylor75
LQ Newbie
 
Registered: Dec 2003
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks!

chort, thanks for the tips and for that invaluable link. I've got a ton of reading to do. But, thanks for pointing me in the right direction.

Jon
 
Old 12-08-2003, 10:17 AM   #4
ugob
Member
 
Registered: Nov 2003
Distribution: RH, Fedora, Debian, Knoppix
Posts: 436

Rep: Reputation: 31
You bought a hosted server? (500 Gb transfer...)
If it is the case, do you have access to the OS directly?

Your programmer must know the best practices of programming securely. You can't really get that from a how-to. There are many books on Amazon, though.
 
Old 12-08-2003, 10:52 AM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Oh yeah, ugob makes a good point about it being hosted... Since it lists "webappliance" as a feature your hosting provider may treat it as an appliance device and not give you access to the OS. In that case, make sure you get a full report from them on what steps they have taken to secure the OS and update the services, and a full list of what the current version is of every major software package (Apache, PHP/mod_php, OpenSSL/mod_ssl, OpenSSH, etc...)

Otherwise if you own the server and have access to the OS, proceed as described in my first post.
 
Old 12-08-2003, 01:49 PM   #6
jtaylor75
LQ Newbie
 
Registered: Dec 2003
Posts: 3

Original Poster
Rep: Reputation: 0
Sorry, I forgot to mention that it is a dedicated server. But, it is hosted/owned by ValueWeb. I should have access to the OS, I think...I hope.
 
Old 12-08-2003, 04:18 PM   #7
ugob
Member
 
Registered: Nov 2003
Distribution: RH, Fedora, Debian, Knoppix
Posts: 436

Rep: Reputation: 31
I went on the ValueWeb website and they're advertising Red Hat Linux 9 installed. I tried chatting with them, but all their reps were busy. I would be terribly surprised if you have root access on their servers. However, don't consider that a bad thing, because they'll secure it for you. I think it is a lot better like that. They probably know security a whole lot more than you and they have specialists to do it.

What you will probably be able to do is have a regular shell account, a control panel, FTP access, etc. You should have enough options to be able to do what you want.
 
  

