LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-11-2006, 12:38 PM   #1
tuka
Member
 
Registered: Jul 2003
Location: Lisbon, Portugal
Distribution: Red Hat 9.0
Posts: 30

Rep: Reputation: 15
VPS securing tasks for admin ?


Hi all,

I am looking into gettin a VPS to run an online app in Ruby on rails (ROR).

I will be using beyond ROR,

MySQL
Apache
Possibly Mongrel - a Ruby on Rails optimized WebServer
And an pop, smtp server for e-mail

Since I do not have experience securing Linux machines and services, and I am looking into getting someone with mopre experience to do it for me, what tasks should I make sure are done to secure the VPS ? This is fo my follow up purposes.

My ultimate goal is to have an e-commerce app and with credit card payment capability (using Paypal or a gateway of sorts)- by the way I am not storing any CC numbers on my server or anything like that...

I know most people know little abour ROR but besides that, what would you make sure you secure on the server and for each service.

TIA,
Tuka
 
Old 12-11-2006, 05:35 PM   #2
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
Perhaps the biggest weaknesses of a Web server are two things that you haven't listed: the SSH service and the Web application itself.

SSH permits remote admin access, so you need to apply as many security measures as you can - automated scanners *will* pick up your server within days and attempt to login with SSH using common usernames and passwords. My own personal Web server gets login attempts every couple of days. Use key-based authentication and disable remote root access at the very least. Configuring your SSH service to use a non-standard port also helps to defeat casual probes.

By definition, your application executes within the Web server, and has write access to the database, so you really need to have confidence in the code. I read a claim that 11% of Web applications are vulnerable to SQL injection attacks, and beleive it. Do read up on Web application security, and look at the RoR code that you run on the server.

After having worked with it, I don't recommend the use of MySQL. It has a number of issues in it's default configuration that affect the safety and integrity of your data. PostgreSQL has a much better reputation, although I haven't used it enough to have an opinion yet myself.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
2K admin now RHEL4 admin (I have some questions) wilsryan Red Hat 5 01-30-2006 12:18 PM
Where can I download UML VPS or Xen VPS to make a virtual private server? abefroman Linux - Software 3 12-09-2005 10:00 AM
Commonly AIX System Admin Tasks DriveMeCrazy AIX 2 12-07-2005 07:57 PM
No assigned admin roles and tasks in iManager bship SUSE / openSUSE 3 10-14-2005 07:57 AM
User admin and N/w admin on Gnome hangs ssrini *BSD 2 07-28-2005 07:55 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:41 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration