LAMP Security and Backup Suggestions / Comments??
I have two Linodes, both Ubuntu 8.10, set up with minimal LAMP installations. I have only installed the applications required to run Drupal and Wordpress. The plan is that one Linode will be hosting Drupal and Wordpress sites, the other will be used primarily for backups. Both Linodes are in the same facility, so transferring data isn't an issue with regards to bandwidth. The primary Linode hosting the Drupal and Wordpress sites, the webserver, will have it's MySQL databases replicated onto the backup Linode, and the backup Linode will have cron run the 'automysqlbackup' backup script dump db backups into a backup directory. The webserver will have cron run scp or rsync (suggestions?) to dump specific files into the Linode backup directory.
I will then create an archive of the backup directory on the backup linode and scp or rsync that to a server in my home which i can then burn copies of on dvds.
With regards to security, if the web server is a bare bones Ubuntu LAMP, with only one user, and it (and its applications) are kept up to date, what further steps should I take to secure it? Do I need to learn about IPTables?? Are there any security tools I should have installed? I have noticed in the access logs some scanners / bots looking for vulnerabilities.
Thanks in advance.
3 Replies
@kpm:
The webserver will have cron run scp or rsync (suggestions?) to dump specific files into the Linode backup directory.
rsync with the -a flag is very much your friend for backups. It'll get you precise replication of metadata, and if you've got a good sized data set, it can be substantially faster even at LAN speeds (saves disk I/O if nothing else).
@kpm:
With regards to security, if the web server is a bare bones Ubuntu LAMP, with only one user, and it (and its applications) are kept up to date, what further steps should I take to secure it? Do I need to learn about IPTables?? Are there any security tools I should have installed? I have noticed in the access logs some scanners / bots looking for vulnerabilities.
Make sure you're not running any daemons you're not using, of course.
Some people move SSH to a port other than 22. If you've got a good password, you probably don't have much to fear, but it'll at least keep down the logspam from the random cracking attempts.
Whether you move SSH or not, fail2ban (google it) is a good idea. It can block IP addresses using iptables after they hit whatever limits on authentication attempts you specify. (It's actually incredibly flexible and can theoretically work with any kind of log from any kind of application, but most people only really need a basic configuration for ssh.)
Make sure the user(s) that Apache and the webapps run as aren't in the wheel group and don't have any sudo privileges.
A basic iptables is always a good idea. Something like this is a good start:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP
This is a basic but fairly strict stateful firewall. Any packets that are related to an already-established connection are allowed in. New connections are only allowed on TCP ports 80 (http) and 22 (ssh). ICMP packets are always accepted[1]. Everything else is silently dropped.
Note that, as-written, this ruleset has no effect on connections you try to make FROM the system. If you're "really" secure, that's not a problem, but it'd be unfortunate if someone managed to get in as a non-root user and start trying to scan/crack other people's systems. Ideally you'd setup some rules on the OUTPUT chain as well, to minimize the risk as best you can.
[1] Note that some poorly-configured (or poorly-designed) firewalls have been known to drop all ICMP packets – this is BAD! The internet depends on ICMP for proper operation. You can filter ICMP somewhat, but you should know what you're doing, first, and there's a very rapid drop-off in bang-for-your-buck on the time spent doing so.
ufw
Fail2ban is nice, but I don't know if it plays well with ufw. You can use denyhosts instead to protect ssh. You should examine the configuration options
Another note - you want to make sure your two Linodes are communicating via their private IP addresses so the traffic doesn't count against your bandwidth limit.