Ask HN: Securing a server - Balance between being paranoid and wasting time?
So.. I'm currently working in a two person startup and I was lucky to get the sysadmin hat. I set up our linux server about two years ago when I had more time on hands, so I was a little over-thinking the whole stuff.
It runs:
- Apache with phpMyAdmin - MySQL - Glassfish
To secure this stuff, I installed a squid proxy which routes requests from the outside to localhost. In addition, all the services (MySQL, phpMyAdmin, Glassfish admin console) are only bound to localhost, so that you cannot access them from the outside (only throug the password secured squid). The only thing exposed is the application running on the Glassfish.
As we plan to move from dedicated server to Amazon hosting (for scaling etc), I was wondering if that stuff was a good idea in the first place. What are your experiences on this, was I wasting time?
Thanks!
6 comments
[ 2.7 ms ] story [ 36.5 ms ] threadOh, and DO change passwords every 90 days, at least.
PS: There is a script for MySQL that does some security check-ups. Google for mysql_secure_installation
Best regards and best of lucks.
Everything else miaumiua lists is great. I'd throw in a few random things I think of off the top of my head... mod_security, csf, mount tmp as noexec, LYNIS, phpsuexec, linux maldet.
Oh, and don't forget chroot (or something more modern, like jails or even SElinux).
Having said all of the above, for the typical startup, the main threat is not an attack on the server but some shoddy application code committed under yet another tight deadline.