LinuxQuestions.org, Linux - Security forum: VPS securing tasks for admin ? (https://www.linuxquestions.org/questions/linux-security-4/vps-securing-tasks-for-admin-509436/)

tuka 12-11-2006 12:38 PM

VPS securing tasks for admin ?
 
Hi all,

I am looking into getting a VPS to run an online app in Ruby on Rails (ROR).

Beyond ROR, I will be using:

MySQL
Apache
Possibly Mongrel - a Ruby on Rails optimized web server
And a POP and SMTP server for e-mail

Since I do not have experience securing Linux machines and services, and I am looking into getting someone with more experience to do it for me, what tasks should I make sure are done to secure the VPS? This is for my follow-up purposes.

My ultimate goal is to have an e-commerce app with credit card payment capability (using PayPal or a gateway of sorts); by the way, I am not storing any CC numbers on my server or anything like that...

I know most people know little about ROR, but besides that, what would you make sure you secure on the server and for each service?

TIA,
Tuka

hob 12-11-2006 05:35 PM

Perhaps the biggest weaknesses of a Web server are two things that you haven't listed: the SSH service and the Web application itself.

SSH permits remote admin access, so you need to apply as many security measures as you can - automated scanners *will* pick up your server within days and attempt to login with SSH using common usernames and passwords. My own personal Web server gets login attempts every couple of days. Use key-based authentication and disable remote root access at the very least. Configuring your SSH service to use a non-standard port also helps to defeat casual probes.

By definition, your application executes within the Web server, and has write access to the database, so you really need to have confidence in the code. I read a claim that 11% of Web applications are vulnerable to SQL injection attacks, and believe it. Do read up on Web application security, and look at the RoR code that you run on the server.

After having worked with it, I don't recommend the use of MySQL. It has a number of issues in its default configuration that affect the safety and integrity of your data. PostgreSQL has a much better reputation, although I haven't used it enough to have an opinion yet myself.
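
The three SSH measures hob lists above (no remote root login, key-based rather than password authentication, a non-standard port) can be checked against an sshd_config file with a small script. The following is an added example, not code from either poster; the two sample config files it writes are constructed for the demonstration, and the keyword names are the standard OpenSSH sshd_config directives. It also shows a trap worth knowing: sshd takes the first uncommented occurrence of a keyword, so a hardening line appended to the bottom of the file below a weaker setting is silently ignored.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# three measures hob recommends. Sample configs below are constructed.

# Print the effective value of a keyword in an sshd_config file.
# sshd uses the FIRST uncommented occurrence of a keyword, so a hardening
# line appended after a weaker one has no effect. Values inside a Match
# block are conditional, so scanning stops at the first Match line.
sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one finding per line for each recommendation the config misses.
sshd_findings() {
    cfg="$1"
    root=$(sshd_value "$cfg" PermitRootLogin)
    case "$root" in
        no) ;;
        "") echo "PermitRootLogin not set; set it to 'no' explicitly" ;;
        *)  echo "PermitRootLogin is '$root'; set it to 'no'" ;;
    esac
    case "$(sshd_value "$cfg" PasswordAuthentication)" in
        no) ;;
        *)  echo "PasswordAuthentication is not 'no'; use keys only" ;;
    esac
    case "$(sshd_value "$cfg" PubkeyAuthentication)" in
        no) echo "PubkeyAuthentication is 'no'; key login would be impossible" ;;
    esac
    case "$(sshd_value "$cfg" Port)" in
        ""|22) echo "Port is 22 (or unset); a non-standard port cuts casual probes" ;;
    esac
}

# Number of findings; 0 means all three measures are in place.
sshd_finding_count() {
    sshd_findings "$1" | wc -l | tr -d ' '
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed "weak" config: distro-style defaults left in place, plus a
# PermitRootLogin no appended at the bottom that sshd ignores because the
# earlier PermitRootLogin yes already won.
cat > "$work/weak.conf" <<'EOF'
# constructed sample, not a real server's file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

# Constructed config following the post's advice.
cat > "$work/hardened.conf" <<'EOF'
# constructed sample, not a real server's file
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "weak.conf:"
sshd_findings "$work/weak.conf"
echo "hardened.conf findings: $(sshd_finding_count "$work/hardened.conf")"
```

On a live host, `sshd -T` (run as root) prints the values sshd actually resolved after all defaults, includes and Match blocks, and is the authoritative check; the script above is for reviewing a config file before it is deployed. Keep one working session open while applying these changes and test a fresh key-based login from a second terminal before closing it, so a typo cannot lock you out of the VPS.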

