Setup and config advice please
My main VPS concerns are a) server security and b) the learning curve
I run LAMP on my Mac and so have some experience with Unix and Apache configuration. I'm also handy with PHP and grew up with MS-DOS so I can handle scripting OK.
I'm writing to ask for any pointers on what I need to know the moment I get my login from Chris and any gotchas that could catch a noob out.
Links to how-to sites or relevant tomes on Amazon would be great.
My number one question is: Do I need to do anything to secure my server from the get go? Say I don't touch it for a week after being granted access, can anything go wrong?
Other than that I'm looking to build a web server initially with
* Ubuntu
* Webmin
* Apache
* PHP
* MySQL
* email (suggestions welcome)
Any pointers on this config would be appreciated.
When I'm up and running and feel brave enough I'll add lighttpd and maybe Ruby on Rails.
6 Replies
@autoreverse:
My number one question is: Do I need to do anything to secure my server from the get go? Say I don't touch it for a week after being granted access, can anything go wrong?
No, because your Linode won't be running. You'll need to set it up first, most likely with the Distro Wizard. You'll notice you won't yet have been asked even for a root password; that's because you set it up when you set up the distro, unlike dedicated servers, where you assign it at sign-up.
As for server security when you start… I don't know much about that, because each distro choice has different software pre-installed. I personally use Debian which starts off pretty minimal, but there are other distros where lots of things are installed off the bat. However, I do trust caker to not create the initial disk images in such a way that they're insecure from the get-go. He knows what he's doing.
I'm sorry this doesn't answer all of your questions, but I figured I'd get that out of the way first.
The Atlanta datacentre filters quite a number of ports, Dallas filters a few and Fremont doesn't filter any. Linode filters at layers 2 and 3 (data link and network) but beyond that, keeping the bad guys out is down to you.
If you don't want someone to connect to a service, don't run it. If you need it (MySQL for example) bind it to localhost.
It's a public server because you want the public to connect (web for example).
@kangaby:
I've never really understood the point of running a firewall on a public server. Your home / company network yes, but a public server no.
For me, it's a peace-of-mind thing. You set your firewall config to allow connections to the ports you need (22, 25, 80, 443, etc.). Then, in the future, if you make a bonehead move and accidentally allow network access to mysql, you're protected. Along with this, you can do nice things like only allow ssh access to your box from a set list of IP addresses.
Another very nice advantage is for auditing purposes. If you don't run iptables, there's really no way of detecting and dealing with remote hosts that are misbehaving. Detect a portscan from a host? Just DROP 'em and you don't need to worry about it.
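A concrete version of the host firewall this reply describes, added here as an example and not code from anyone in the thread: a POSIX sh function that emits an iptables-restore ruleset with a default DROP policy, SSH allowed only from an admin list, the public ports open, and rate-limited logging before the final DROP (so a scan or a stray MySQL bind shows up in the log instead of being reachable). The admin addresses and port list are constructed placeholders; override them via the environment.

```shell
# Added example: generate an iptables-restore file for a public web/mail host.
# SSH_ADMIN_IPS and PUBLIC_TCP_PORTS are assumed/constructed defaults (RFC 5737 addresses).
SSH_ADMIN_IPS="${SSH_ADMIN_IPS:-203.0.113.10 203.0.113.11}"
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-25 80 443}"

gen_rules() {
    # Default-deny inbound; anything not listed below (e.g. 3306) is dropped.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and already-established flows are always fine.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Stay pingable, but rate-limit it.
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # SSH only from the admin list (one rule per address).
    for ip in $SSH_ADMIN_IPS; do
        echo "-A INPUT -p tcp -s $ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Services the public is meant to reach.
    for port in $PUBLIC_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited, so a port scan cannot fill the disk) and then drop the rest.
    echo '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "'
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# Usage (as root): gen_rules > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

Review the generated file before loading it, and keep an out-of-band console handy the first time in case the admin list does not include the address you are connecting from.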
@kangaby:
I've never really understood the point of running a firewall on a public server. Your home / company network yes, but a public server no.
If you don't want someone to connect to a service, don't run it. If you need it (MySQL for example) bind it to localhost.
It's a public server because you want the public to connect (web for example).
Most public servers are owned by either companies or those who have the IT experience and the need to run a public server. IMO, as a security consultant with a HUGE ISP that offers managed security services, EVERY public server either needs a firewall or is put inline with a firewall. From my understanding, not every colo that Linode does business with has a firewall inline with the UML servers.
Many people here on these forums actually serve web pages or FTP or even shell space. Some (I'd like to say most) HAVE to serve to the public. To have a public server deployed without host-based protection is opening yourself up to future compromise, IMO.
Any service that is offered to the public (Apache, for example) presents certain challenges in blocking malicious activity. That shouldn't mean that every bad guy should get into your box just because the term 'public' has different meaning for different people. I certainly firewall anything, even if the service is off. There is such a thing as enumeration and reconnaissance that is usually the initial step toward 'owning' a machine.