
Ask HN: Securing a server - Balance between being paranoid and wasting time? - mnkypete
So.. I'm currently working in a two-person startup and I was lucky to get the sysadmin hat. I set up our Linux server about two years ago when I had more time on my hands, so I was a little over-thinking the whole stuff.

It runs:

- Apache with phpMyAdmin
- MySQL
- Glassfish

To secure this stuff, I installed a Squid proxy which routes requests from the outside to localhost. In addition, all the services (MySQL, phpMyAdmin, Glassfish admin console) are only bound to localhost, so that you cannot access them from the outside (only through the password-secured Squid). The only thing exposed is the application running on the Glassfish.

As we plan to move from a dedicated server to Amazon hosting (for scaling etc.), I was wondering if that stuff was a good idea in the first place. What are your experiences on this, was I wasting time?

Thanks!
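
The "bound to localhost only" setup described above is easy to verify rather than assume. The following is an added example (not code from this thread): it parses the text of `ss -lnt` and reports every listener that is bound to a non-loopback address and is not on an allowlist of ports you intend to expose. The sample output and the allowlist (SSH, the Glassfish application, the password-protected Squid port) are constructed assumptions for the example.

```python
# Added example: audit which listening TCP sockets are reachable from outside.
# Input is the text of `ss -lnt` (or `netstat -lnt`); the sample below is
# constructed for this example and is not taken from the poster's server.

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:4848       0.0.0.0:*
LISTEN  0       128     0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::1]:80             [::]:*
LISTEN  0       128     *:3128               *:*
"""

# Addresses that only processes on the same host can reach.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# Ports the poster intends to expose (assumption for the example):
# SSH, the Glassfish application, and the password-protected Squid proxy.
INTENDED_PUBLIC_PORTS = {22, 8080, 3128}


def parse_listeners(ss_output):
    """Return (host, port) pairs for every LISTEN line in ss -lnt output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or something that is not a listener
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]")  # ss brackets IPv6 addresses: [::1]:80
        listeners.append((host, int(port)))
    return listeners


def find_exposed(ss_output, intended_public_ports):
    """Listeners on a non-loopback address that are not on the allowlist."""
    exposed = []
    for host, port in parse_listeners(ss_output):
        if host in LOOPBACK_HOSTS or port in intended_public_ports:
            continue
        exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    for host, port in find_exposed(SAMPLE_SS_OUTPUT, INTENDED_PUBLIC_PORTS):
        print(f"unexpectedly reachable from outside: {host}:{port}")
```

In the constructed sample, MySQL on port 3306 is bound to 0.0.0.0 and is the one finding; 4848 (the Glassfish admin console) and 80 are loopback-only and pass. Running this after each deployment catches the case where a package upgrade or a new service silently rebinds to all interfaces, which a one-time setup two years ago cannot guarantee.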
======
miaumiau
Greetings,

Basically I would advise to follow some simple guidelines (back to basics):

-> Don't run stuff with more permissions than needed (ergo, create a user for the services, lock them down, etc.)
-> Make sure you can check the logs to monitor for weird stuff (really, this is important; if you can react quickly you can mitigate many issues before they become serious)
-> Don't run unnecessary services (do a cleanup on the host)
-> As best as possible use repository stuff; much easier to be up-to-date (security patches and so on)
-> Prepare an "emergency lockdown" script. Imagine something you can run that will lock nearly everything and put a nice page for the users, stating "We are performing some super-duper maintenance, blah, blah"; don't scare the hell out of them, but allow yourself to carefully check what is happening without worrying about extra leakage. This can allow you to change passwords, block some suspicious IPs, etc. (bonus points if you prepare a script to block IPs)
-> Encrypt passwords and salt them. Really. This is a must, respect your customers.
-> Extra bonus for a system that emails you as soon as there is a login in the system.

Just common sense I would say.

Oh, and _DO_ change passwords every 90 days, at least.

PS: There is a script for MySQL that does some security check-ups. Google for
mysql_secure_installation

Best regards and best of luck.

~~~
blakesterz
>>"Oh, and DO change passwords every 90 days, at least." eh. That _might_
help, but my thinking is if someone got in they've already done something so
they no longer need that account or that password, so changing passwords is
_probably_ not going to help things. That being said, as long as you can keep
passwords managed (like using LastPass) then it's fine, and could help.

Everything else miaumiau lists is great. I'd throw in a few random things I
think of off the top of my head... mod_security, csf, mount tmp as noexec,
LYNIS, phpsuexec, linux maldet.

~~~
mschuster91
Random addition: disable root SSH login, disallow password-based SSH login
(switch to private key), maybe also add two-factor SSH authentication e.g.
with a hardware key, or Google Authenticator or whatever.
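
The first two items in that list (no root login, no password logins) are settings in sshd_config, and it is worth checking the file rather than trusting that an edit took effect. The following is an added example (not code from this thread) that parses the global section of an sshd_config and reports settings that differ from a hardened baseline. The sample file is constructed; the defaults table reflects OpenSSH 7.0 and later, where an absent PermitRootLogin means prohibit-password.

```python
# Added example: audit the global settings in an sshd_config for root login,
# password authentication and public-key authentication. Sample is constructed.

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes

Match User deploy
    PasswordAuthentication no
"""

# Values sshd uses when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# What a hardened host should have.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_global_directives(text):
    """Effective global keyword -> value map.

    sshd uses the FIRST value it sees for a keyword, so a later line cannot
    override an earlier one. Keywords after the first Match line apply only
    to matching connections and are not treated as global here.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().lower()
        if keyword == "match":
            break
        directives.setdefault(keyword, value)  # first value wins
    return directives


def audit_sshd_config(text):
    """Return (keyword, actual, expected) for each global setting that is off."""
    directives = parse_global_directives(text)
    findings = []
    for keyword, expected in EXPECTED.items():
        actual = directives.get(keyword, DEFAULTS[keyword])
        if actual != expected:
            findings.append((keyword, actual, expected))
    return findings


if __name__ == "__main__":
    for keyword, actual, expected in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{keyword}: is '{actual}', should be '{expected}'")
```

Two details the script encodes are the usual sources of surprise: a commented-out `#PasswordAuthentication no` does nothing, and because sshd takes the first value for a keyword, appending `PasswordAuthentication no` at the end of a file that already says `yes` does not disable password logins. The script stops at the first `Match` block; settings inside Match blocks need a separate look, and the two-factor step the poster mentions lives in PAM configuration, not in this file.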

~~~
mnkypete
Thanks to all, I guess I'll stick to these basics first!

------
JoachimSchipper
The basic idea is good; I'm not convinced Squid buys you any security, though.
If everyone can operate that way, consider allowing access via SSH only.

Oh, and don't forget chroot (or something more modern, like jails or even
SElinux).

Having said all of the above, for the typical startup, the main threat is not
an attack on the server but some shoddy application code committed under yet
another tight deadline.

~~~
mnkypete
Thanks :) I'll see if the SSH solution is feasible. The good thing is that
we have very little server code at the moment (as much is done on the
client-side), I hope we are not that bad at application code right now ;)

