Looking for general web site security advice
I recently hosted a VPS web site on another provider, who shall remain nameless (OK, it was Startlogic :->). I had a phishing site break-in, so I began using longer passwords, and SSH for all my file transfers. But the break-ins continued. Startlogic wasn't able to track down the problem, which is one of the reasons why I switched to Linode.
I installed mod-security on my Apache2 server. What else should I do to improve security? The Linode Wiki lists several security tips at
Specifically, I'm looking for advice about phishing sites, email security, and blog security – and on how best to optimize mod-security.
Thanks for any suggestions!
- Chris M.
3 Replies
Create separate user accounts for almost everything (ref rule 1)
Limit those user accounts, strictly.
Use pubkey auth for all ssh logins, disallow root (ref rule 3), allow logins only from a small range of IPs (try to get a static one from your ISP), only allow your user to login via ssh from your IP address.
Limit your external servers, learn /etc/hosts.allow and /etc/hosts.deny
Learn IPtables, or setup an easy bash interface.
Install one of the hundred brute-force/dictionary attack blockers (fail2ban, denyhosts, etc)
Separate your mysql users and only give them rights enough on their own databases to do just the things they need to do.
Use good and well tested software, bleeding edge isn't always the best choice.
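An added example, not part of the reply or of any Linode material: a small POSIX shell check that audits an sshd_config against the SSH items in the list above (no root login, key-only auth, one user allowed from one address). The user name chris, the documentation address 203.0.113.10 and the two sample configs are all constructed for the example.

```shell
#!/bin/sh
# Audit an sshd_config against the settings recommended in the reply above:
# no root login, key-only auth, and one admin user allowed from one address.
# The sample configs below are constructed for this example; the user name
# and 203.0.113.10 (a documentation address) are placeholders.

# check_sshd_config FILE USER ADDR
# Prints each missing directive; returns 0 only when all four are present.
check_sshd_config() {
    f=$1; user=$2; addr=$3; rc=0
    # Drop comments and normalise whitespace so "PermitRootLogin   no" still matches.
    # Plain-text matching only: Include and Match blocks are not resolved here.
    cfg=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$f")
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "PubkeyAuthentication yes" "AllowUsers $user@$addr"; do
        # sshd keywords are case-insensitive (-i); -x requires a whole-line match
        if ! printf '%s\n' "$cfg" | grep -qixF "$want"; then
            echo "missing: $want"; rc=1
        fi
    done
    return $rc
}

# write_sample FILE hardened|weak : constructed sample configs for the demo
write_sample() {
    if [ "$2" = hardened ]; then
        cat >"$1" <<'EOF'
# constructed sample: the settings the reply asks for
PermitRootLogin no
PasswordAuthentication   no
PubkeyAuthentication yes
AllowUsers chris@203.0.113.10
EOF
    else
        cat >"$1" <<'EOF'
# constructed sample: still allows root and password logins
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    fi
}

# Stand-alone demo: the hardened sample passes, the weak one lists what is missing.
tmp=$(mktemp)
write_sample "$tmp" hardened
check_sshd_config "$tmp" chris 203.0.113.10 && echo "hardened sample: all settings present"
write_sample "$tmp" weak
check_sshd_config "$tmp" chris 203.0.113.10 || echo "weak sample: needs work"
rm -f "$tmp"
```

On a live host, feed it the output of `sshd -T` (written to a file) rather than the raw file, since that resolves Include and Match blocks into the effective settings.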
Anything else to add?
- Chris M.
So far so good then.