I've been asked by a friend to set up a server for him. He wants it to be as secure as possible, and that's my goal too. It's a dedicated Linux server with Linode, so it does not come with any third party software (just the OS). The only services that the server will be running are:
SSH
Web Server: Apache + PHP
Database: MySQL
What steps are required to ensure the best possible security? I have the following already done:
OS
- Installed the latest OS updates. These will be updated periodically.
- Disabled any services that are not needed
Services
- Created a new user with a strong password (random gibberish and long), in its own group, that is able to 'su', disabled root SSH logins and only permitted this user to login via SSH.
- Only allowed the new user's group to SSH.
- Changed SSH port to a random number
- Disabled SSH protocol v1 (only v2 enabled)
- Disabled SSH password authentication. Public/Private keys are required.
- Increased the SSH logging levels. I may eventually get things to log externally, because I know attackers like to tamper with that sort of thing.
- chroot has been set up for Apache and MySQL
Security
- Installed and configured Snort ( http://www.snort.org/ )
- Configured iptables to deny everything, except for the required ports (MySQL can only be accessed locally, so it is blocked to the outside world)
- Installed and configured fail2ban ( http://www.fail2ban.org/ )
- Installed and configured knockd ( http://www.zeroflux.org/projects/knock ) for SSH access
- Installed and configured denyhosts ( http://denyhosts.sourceforge.net/ )
- Installed and configured Tripwire ( http://sourceforge.net/projects/tripwire/ )
Rootkits / Vulnerabilities
- Installed and configured Nessus ( http://www.tenable.com/products/nessus )
- Installed and configured Rootkit Hunter ( http://www.rootkit.nl/projects/rootkit_hunter.html )
- Installed and configured Linux Malware Detect ( http://www.rfxn.com/projects/linux-malware-detect/ )
- Installed and configured chkrootkit ( http://en.wikipedia.org/wiki/Chkrootkit )
Other
- Backups occur daily (for now)
- A script is set up to check everything to ensure everything remains up.
- An external script is set up to check uptime, as well as an account with Pingdom to also check for uptime. We will be notified if something does go down.
I realise a lot of this is redundant (e.g. why have fail2ban when SSH password logins are disabled?), but I don't want to take any chances.
I know there can never be a 100% secure server, especially considering that after all of this work it's going to be some PHP script that allows an exploit, but for the sake of argument let's say that the only script that will be running is a "Hello World!" script, thus security is as high as it can be.
What are Reddit's thoughts? Any suggestions on how to tighten this sucker a little more? I would LOVE some assistance from a seasoned professional, especially someone that does this on a daily basis for well known sites (any Reddit server admins around? :))
Also, if there's a better subreddit for this type of thing, please let me know so I can get some more advice.
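As an added example (not code from the post or any commenter), here is a small Python audit of the sshd_config directives behind the SSH steps in the post: root login, password authentication, key-only auth, protocol version, log level, group restriction and a non-default port. The sample config is constructed, and the rule that an unset directive counts as a finding (so the operator sets it explicitly rather than relying on version-dependent defaults) is an assumption.

```python
"""Check an sshd_config against the SSH hardening steps listed in the post."""
import re

# Directive -> accepted values (lower-case). Assumed from the post's checklist.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "protocol": {"2"},
    "loglevel": {"verbose", "debug", "debug1", "debug2", "debug3"},
}
# 'Protocol' was removed from OpenSSH in 7.6 (only v2 remains), so its absence is fine.
OK_IF_ABSENT = {"protocol"}

# Constructed sample config, not taken from any real server.
SAMPLE_SSHD_CONFIG = """\
Port 2222
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
PasswordAuthentication no   # keys only
PubkeyAuthentication yes
AllowGroups sshusers
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return {directive: value} using sshd's first-match rule.
    Directives inside a Match block are conditional and are skipped."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                        # Match runs to end of file
            in_match = True
        if not in_match:
            settings.setdefault(key, value)       # first occurrence wins
    return settings

def audit_sshd(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_sshd_config(text), []
    for key, allowed in EXPECTED.items():
        value = cfg.get(key)
        if value is None and key in OK_IF_ABSENT:
            continue
        if value is None or value.lower() not in allowed:
            findings.append(f"{key}: got {value!r}, want one of {sorted(allowed)}")
    if "allowgroups" not in cfg and "allowusers" not in cfg:
        findings.append("allowgroups/allowusers: not set, any local account may log in")
    if cfg.get("port", "22") == "22":
        findings.append("port: 22 (a non-default port cuts log noise, not attack surface)")
    return findings
```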