How paranoid I should be regarding security on my linode?

I'm a proud new linode user and I'm very happy with it :P.

I'm a (kind of old) Linux user, but I have always been on "local" machines, so this is the first time that I'm in a server environment, and now I'm more concerned about security.

I don't want to go crazy trying to do everything to get my machine hardened, but I have no idea how paranoid I should be.

To give some context, the plan for my linode (Arch Linux) is to host some websites, an email server and occasionally some Rails or PHP apps.

I've read this post; do you think that's a good and secure start, or is it too much?

To make a list, I believe the "checklist" should be (please feel free to add or remove stuff!):

  • disable root login

  • ssh access only through ssh keys on a non-default ssh port

  • use fail2ban

  • access to database (mysql until now) only through localhost

  • use vsftp to transfer files (I don't know if it's better/more secure to use only "jailed sftp" accounts to give access to other people)

  • firewall (I believe the simpler approach is to deny from all, and give specific access to the ports I'm going to use; in this case, should I use iptables or ufw?)

  • how can I secure the access to phpmyadmin/webmin/postfixadmin? Since I don't use them every day, I imagined a simple approach of just giving access when I need them. Maybe MAC address or IP address restricted access is more secure? (and less tedious, I believe).

All that besides keeping the system up-to-date of course :P.

10 Replies

Nothing is 100% secure - tested backups are your only hope.

phpmyadmin/webmin/postfixadmin - avoid at all cost. Learn to manage your server the right way - via the CLI.

Outsource your email to Google Apps. Saves time, saves your Linode bandwidth, saves way more spam - saves major headaches.

C'mon, using PHPMyAdmin isn't that bad.

Drop vsftpd. Use SFTP jails instead.

If you really want PHPMyAdmin, make it only accessible from localhost. Learn to set up SSH tunnels so you can use these tools securely.

UFW, firehol, etc. are just front-ends to iptables. If you only need simple rules such as "deny all, allow SSH & HTTP", they work pretty well.

Most importantly, keep your web apps up to date. Port 80 is by far the most vulnerable port of a web server, due to outdated and/or poorly written web apps. Go over your PHP settings and make sure you don't have stupid things such as register_globals turned on.

Try mysql workbench instead of phpmyadmin; it allows you to administer mysql over an ssh tunnel from your desktop.

Thanks to all of you for your comments =), I've never used mysql workbench so I'll give it a try.

I'll learn about ssh tunnels (I don't know what they are :P) and I'll use sftp jails instead of vsftp. Anyway, reading the article from the linode library, it doesn't look that terrible! In fact, it looks even simpler than setting up a vsftpd account correctly.

As I said about postfixadmin/webmin, I don't use them every day, so I'm not going to have an example.com/postfixadmin ready to be hacked all the time; I believe I'm going to (de)activate it through some script only sometimes.

Thanks also for the advice about iptables, I was going to go crazy about it. I think I'll take a simpler approach with ufw; closing everything, and open only the needed ports.

Finally, what do you think about denyhosts and fail2ban? They are shown as recommended in the security section of the library.

Anything else you want to add, please be my guest! :D

@pablox:

> Thanks also for the advice about iptables, I was going to go crazy about it. I think I'll take a simpler approach with ufw; closing everything, and open only the needed ports.

This is pretty much what I did on my first Linode. My initial ufw rules were basically deny everything except for a single full allow rule for my personal IP address. This let me feel comfortable that while I was setting things up/testing I wouldn't have random exposures, but at the same time not continuously getting in the way when I wanted to personally test any new service I was setting up. Then, as needed, I could add extra rules for specific services when ready for prime time. Of course, for this approach to be workable you have to trust your personal IP address (mine's a cable connection and has been essentially static for years).

I'll also throw a voice out for firehol as a possible next step up from ufw if things get more complicated. At least for me I found it simpler than the alternatives I checked out (like shorewall), and I like having a simple, readable single-file script for my firewall configuration, where I can use symbolic names for stuff rather than just IP addresses. Note that its site appears dated, but I think that's mostly because it works and is stable. And it is just a layer on top of iptables in the end, but much easier to maintain a configuration.

– David
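The deny-by-default ufw policy David describes, written out as a small script. This is an added example, not code from the thread; the trusted address 203.0.113.10 is a constructed placeholder, and setting UFW=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: the deny-by-default ufw policy David
# describes. Everything inbound is blocked, one trusted admin address gets
# full access, and services are opened individually once ready.
# Set UFW=echo to print the commands instead of applying them.
UFW="${UFW:-ufw}"

# Accept only a plain dotted-quad IPv4 address or CIDR, so that a typo
# cannot silently turn the "trusted address" rule into "allow from anywhere".
valid_ipv4() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    ip="${1%%/*}"; pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32
    { [ "$pfx" -ge 0 ] && [ "$pfx" -le 32 ]; } 2>/dev/null || return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Baseline: deny inbound, allow outbound, full access from the trusted
# address only. Nothing else is reachable until opened explicitly.
ufw_bootstrap() {
    trusted="$1"
    valid_ipv4 "$trusted" || { echo "refusing bad trusted address: $trusted" >&2; return 1; }
    "$UFW" default deny incoming
    "$UFW" default allow outgoing
    "$UFW" allow from "$trusted"
    "$UFW" --force enable
}

# Open one service to the world once it is ready for prime time.
# SSH uses 'limit' so repeated connection attempts are rate-limited.
ufw_open_service() {
    case "$1" in
        ssh)   "$UFW" limit 22/tcp ;;
        http)  "$UFW" allow 80/tcp ;;
        https) "$UFW" allow 443/tcp ;;
        smtp)  "$UFW" allow 25/tcp ;;
        *)     echo "unknown service: $1" >&2; return 1 ;;
    esac
}
```

Run `ufw_bootstrap <your-address>` first, then `ufw_open_service http` and friends as each service goes live.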

ConfigServer Firewall has been a rather reliable firewall for me with its alerts and the like. You might want to check it out at: http://www.configserver.com/cp/csf.html.

  • Drop FTP.

  • Use rssh for SFTP/SCP jails.

  • Don't run unnecessary services.

  • Bind whatever services you can (not your WWW/SSH server) to 127.0.0.1/::1.

  • Disable password logins (* in the 2nd field in their /etc/shadow entry) for non-jailed users at least and use some form of public key authentication instead.

  • If you keep using passwords for some users, enable forced password expiry (man shadow, man chage) for them.

  • Use TLS/SSL for all administrative services and also HTTP authentication (with different credentials) for security holes like PHP{MY,PG,LDAP}admin. Also, learn what TLS SNI is and use it for your administrative services.

  • Don't run all your websites under the same (www-data) UID/GID (this is the default Debian/Ubuntu setup, dunno about other distros), this includes the aforementioned php*admin stuff.

    If you're using Apache, apache2-mpm-itk can help here. If your distro doesn't have it, use FastCGI with manually started PHP/whatever listeners under different UIDs, or even better, get one that does. ;)

  • Use pwgen to generate long (24+ chars) random passwords for database connections or, even better, force them to use UNIX sockets and authenticate on UID - much web software doesn't support this though.

  • Every time you chmod 777 or 666, god kills a kitten.

  • Always use your distro's provided packages, unless you really can't.

  • Subscribe to security announcement mailing lists for your distro and whatever software you installed manually.

  • Rigorously apply security updates as they become available.

  • The list doesn't end really…

NSA has a good guide on securing Linux systems.

Lastly, replace all your snakeoil X.509 certificates with proper ones from www.startssl.com for free, you can thank me later.

Cheers,

Antonio
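A way to check the SSH points from the original checklist (root login disabled, key-only access, non-default port) together with Antonio's rule that non-jailed users should have no usable password. This is an added example, not code from the thread; the file paths are parameters so it can be run against copies of /etc/ssh/sshd_config and /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config and a
# shadow-format file for the checklist items above. Paths are parameters
# so the checks can run against copies of the real files.

# Effective value of one sshd_config keyword. sshd honours the FIRST
# occurrence, so a hardened line added at the bottom is silently ignored.
# Keywords are case-insensitive; comments and blank lines are skipped.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# Print the checklist items that are NOT satisfied (empty output = clean).
# Absent keywords count as failures: sshd's defaults allow password
# authentication and listen on port 22.
sshd_audit() {
    cfg="$1"; issues=""
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] || issues="$issues root-login"
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] || issues="$issues password-auth"
    port="$(sshd_value "$cfg" Port)"
    { [ -n "$port" ] && [ "$port" != "22" ]; } || issues="$issues default-port"
    printf '%s\n' "${issues# }"
}

# Accounts whose shadow entry still holds a usable password hash. Locked
# or disabled entries ("*", "!", "!!" or a "!"-prefixed hash) are skipped;
# the listed users are the ones that should get a key pair and "*" instead.
shadow_password_users() {
    awk -F: '$2 != "" && $2 != "*" && substr($2, 1, 1) != "!" { print $1 }' "$1"
}
```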

@pablox:

> Thanks to all of you for your comments =), I've never used mysql workbench so I'll give it a try.
>
> I'll learn about ssh tunnels (I don't know what they are :P) and I'll use sftp jails instead of vsftp. Anyway, reading the article from the linode library, it doesn't look that terrible! In fact, it looks even simpler than setting up a vsftpd account correctly.
>
> As I said about postfixadmin/webmin, I don't use them every day, so I'm not going to have an example.com/postfixadmin ready to be hacked all the time; I believe I'm going to (de)activate it through some script only sometimes.
>
> Thanks also for the advice about iptables, I was going to go crazy about it. I think I'll take a simpler approach with ufw; closing everything, and open only the needed ports.
>
> Finally, what do you think about denyhosts and fail2ban? They are shown as recommended in the security section of the library.
>
> Anything else you want to add, please be my guest! :D

I am fairly new to tunneling and webmin but you can do the following to keep it more secure;

write down your port number for webmin :)

in the webmin cpanel only allow login for the local machine and

restart webmin and see if the access has gone.

open a term and use the following command

ssh -p <server port> user@yourweb.com -L <local port>:localhost:<webmin port>, for example;

If your server's SSH port is 55555 and you want to connect to webmin on port 22222 and map that to your local machine on localhost:2020:

ssh -p55555 user@yourwebsite.com -L 2020:localhost:22222

Then go to your web browser and type;

http://localhost:2020

I think that should work. I use a tunnel for webmin and have written a short how-to on installing it, well, what I went through to install it for Ubuntu 10.04. tbh their tutorial is good as well. Here is the one I wrote anyhow: http://www.zeropointproductions.co.uk/how-to-install-webmin-ubuntu-apache2/

Hope this helps; hope I do not sound too condescending.
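The tunnel above only helps if Webmin really listens on loopback alone; otherwise the port is still reachable from anywhere. The following added example (not the poster's code) builds the forwarding command with the ports checked, and reads saved `ss -ltn` output to confirm a port is bound only to 127.0.0.1 or [::1]. The host names and ports are the ones from the post.

```shell
#!/bin/sh
# Added example, not the poster's code: build the port-forward command
# correctly and confirm the admin service only listens on loopback, which
# is what makes the tunnel the only way to reach it.

# A TCP port is an integer from 1 to 65535.
valid_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ssh command: local_port on the workstation is forwarded through the
# server's SSH port (ssh_port) to remote_port on the server's own loopback.
# -N opens no remote shell, which is all a tunnel needs.
tunnel_cmd() {
    ssh_port="$1"; target="$2"; local_port="$3"; remote_port="$4"
    for p in "$ssh_port" "$local_port" "$remote_port"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    printf 'ssh -p %s -N -L %s:localhost:%s %s\n' \
        "$ssh_port" "$local_port" "$remote_port" "$target"
}

# From saved `ss -ltn` output (file $2), print every local address that
# port $1 is bound to. The port is the text after the LAST colon, which
# also handles bracketed IPv6 addresses such as [::1]:22222.
bound_addrs() {
    awk -v port="$1" 'NR > 1 {
        n = split($4, a, ":")
        if (a[n] == port) print substr($4, 1, length($4) - length(port) - 1)
    }' "$2"
}

# Succeed only if every binding of the port is 127.0.0.1 or [::1]; any
# other address (0.0.0.0, *, [::]) means it is reachable without the tunnel.
loopback_only() {
    bound_addrs "$1" "$2" | awk 'BEGIN { bad = 0 }
        $0 != "127.0.0.1" && $0 != "[::1]" { bad = 1 }
        END { exit bad }'
}
```

On the server, `ss -ltn > /tmp/listeners.txt` and then `loopback_only 22222 /tmp/listeners.txt` tells you whether the tunnel is really the only way in.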

> Lastly, replace all your snakeoil X.509 certificates with proper ones from www.startssl.com for free, you can thank me later.

> Cheers,
>
> Antonio

Thanking you later :)
