LAMP Security and Backup Suggestions / Comments??

Some incomplete thoughts…

@kpm:

The webserver will have cron run scp or rsync (suggestions?) to dump specific files into the Linode backup directory.

rsync with the -a flag is very much your friend for backups. It'll get you precise replication of metadata, and if you've got a good sized data set, it can be substantially faster even at LAN speeds (saves disk I/O if nothing else).

@kpm:

With regards to security, if the web server is a bare bones Ubuntu LAMP, with only one user, and it (and its applications) are kept up to date, what further steps should I take to secure it? Do I need to learn about IPTables?? Are there any security tools I should have installed? I have noticed in the access logs some scanners / bots looking for vulnerabilities.

Make sure you're not running any daemons you're not using, of course.

Some people move SSH to a port other than 22. If you've got a good password, you probably don't have much to fear, but it'll at least keep down the logspam from the random cracking attempts.

Whether you move SSH or not, fail2ban (google it) is a good idea. It can block IP addresses using iptables after they hit whatever limits on authentication attempts you specify. (It's actually incredibly flexible and can theoretically work with any kind of log from any kind of application, but most people only really need a basic configuration for ssh.)

Make sure the user(s) that Apache and the webapps run as aren't in the wheel group and don't have any sudo privileges.

A basic iptables is always a good idea. Something like this is a good start:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP

This is a basic but fairly strict stateful firewall. Any packets that are related to an already-established connection are allowed in. New connections are only allowed on TCP ports 80 (http) and 22 (ssh). ICMP packets are always accepted[1]. Everything else is silently dropped.

Note that, as-written, this ruleset has no effect on connections you try to make FROM the system. If you're "really" secure, that's not a problem, but it'd be unfortunate if someone managed to get in as a non-root user and start trying to scan/crack other people's systems. Ideally you'd setup some rules on the OUTPUT chain as well, to minimize the risk as best you can.

[1] Note that some poorly-configured (or poorly-designed) firewalls have been known to drop all ICMP packets – this is BAD! The internet depends on ICMP for proper operation. You can filter ICMP somewhat, but you should know what you're doing, first, and there's a very rapid drop-off in bang-for-your-buck on the time spent doing so.

Ubuntu's ufw is a very simple way to set up a firewall.

Fail2ban is nice, but I don't know if it plays well with ufw. You can use denyhosts instead to protect ssh. You should examine the configuration options to set up things appropriate to your situation–it can be easy to lock yourself out! (The Linode web console is handy to save you when this happens.) Also make sure you have "PermitRootLogin no" (or "PermitRootLogin without-password") in your sshd_config.

Another note - you want to make sure your two Linodes are communicating via their private IP addresses so the traffic doesn't count against your bandwidth limit.

I'll crack the manuals for rsync and iptables.