Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am looking into gettin a VPS to run an online app in Ruby on rails (ROR).
I will be using beyond ROR,
MySQL
Apache
Possibly Mongrel - a Ruby on Rails optimized WebServer
And an pop, smtp server for e-mail
Since I do not have experience securing Linux machines and services, and I am looking into getting someone with mopre experience to do it for me, what tasks should I make sure are done to secure the VPS ? This is fo my follow up purposes.
My ultimate goal is to have an e-commerce app and with credit card payment capability (using Paypal or a gateway of sorts)- by the way I am not storing any CC numbers on my server or anything like that...
I know most people know little abour ROR but besides that, what would you make sure you secure on the server and for each service.
Perhaps the biggest weaknesses of a Web server are two things that you haven't listed: the SSH service and the Web application itself.
SSH permits remote admin access, so you need to apply as many security measures as you can - automated scanners *will* pick up your server within days and attempt to login with SSH using common usernames and passwords. My own personal Web server gets login attempts every couple of days. Use key-based authentication and disable remote root access at the very least. Configuring your SSH service to use a non-standard port also helps to defeat casual probes.
By definition, your application executes within the Web server, and has write access to the database, so you really need to have confidence in the code. I read a claim that 11% of Web applications are vulnerable to SQL injection attacks, and beleive it. Do read up on Web application security, and look at the RoR code that you run on the server.
After having worked with it, I don't recommend the use of MySQL. It has a number of issues in it's default configuration that affect the safety and integrity of your data. PostgreSQL has a much better reputation, although I haven't used it enough to have an opinion yet myself.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
