Ask HN: Securing a server - Balance between being paranoid and wasting time?

3 points by mnkypete ↗ HN
So.. I'm currently working in a two person startup and I was lucky to get the sysadmin hat. I set up our linux server about two years ago when I had more time on hands, so I was a little over-thinking the whole stuff.

It runs:

- Apache with phpMyAdmin - MySQL - Glassfish

To secure this stuff, I installed a squid proxy which routes requests from the outside to localhost. In addition, all the services (MySQL, phpMyAdmin, Glassfish admin console) are only bound to localhost, so that you cannot access them from the outside (only throug the password secured squid). The only thing exposed is the application running on the Glassfish.

As we plan to move from dedicated server to Amazon hosting (for scaling etc), I was wondering if that stuff was a good idea in the first place. What are your experiences on this, was I wasting time?

Thanks!

6 comments

[ 2.7 ms ] story [ 36.5 ms ] thread
Greetings,

     Basically I would advise to follow some simple guidelines (back to basics):

 -> Don't run stuff with more permissions than needed (ergo, create a user for the services, lock them down, etc)
 -> Make sure you can check the logs to monitor for weird stuff (really, this is important, if you can react quickly you can mitigate many issues before they become serious)
 -> Don't run unnecessary services (do a cleanup on the host)
 -> As best as possible use repository stuff; much easier to be up-to-date (security patches and so on)
 -> Prepare an "emergency lockdown" script. Imagine something you can run that will lock nearly everything and put a nice page for the users, stating "We are performing some super-duper maintenance, blah, blah", don't scare the hell out of them, but allow yourself to carefully check what is happening without worrying with extra leakage. This can allow you to change passwords, block some suspicious IPs, etc (bonus points if you prepare a script to block IPs)
 -> Encrypt passwords and salt them. Really. This is a must, respect your customers.
 -> Extra bonus for a system that emails you as soon as there is a login in the system.
Just common sense I would say.

Oh, and DO change passwords every 90 days, at least.

PS: There is a script for MySQL that does some security check-ups. Google for mysql_secure_installation

Best regards and best of lucks.

>>"Oh, and DO change passwords every 90 days, at least." eh. That might help, but my thinking is if someone got in they've already done something so they no longer need that account or that password, so changing passwords is probably not going to help things. That being said, as long as you can keep passwords managed (like using LastPass) then it's fine, and could help.

Everything else miaumiua lists is great. I'd throw in a few random things I think of off the top of my head... mod_security, csf, mount tmp as noexec, LYNIS, phpsuexec, linux maldet.

Random addition: disable root SSH login, disallow password-based SSH login (switch to private key), maybe also add two-factor SSH authentication e.g. with a hardware key, or Google Authenticator or whatever.
Thanks to all, I guess I'll stick to these basics first!
The basic idea is good; I'm not convinced Squid buys you any security, though. If everyone can operate that way, consider allowing access via SSH only.

Oh, and don't forget chroot (or something more modern, like jails or even SElinux).

Having said all of the above, for the typical startup, the main threat is not an attack on the server but some shoddy application code committed under yet another tight deadline.

Thanks :) I'll see if the SSH solution is feasible.. The good thing is, that we have very little server code at the moment (as much is done on client-side), I hope we are not that bad at application code right now ;)