Want to open a server to the world; security tips???

RavinDJ (Supreme [H]ardness; joined Apr 9, 2002; 4,448 messages)
I have a SuperMicro 1U server with a P4-3.0GHz and I installed Ubuntu with Apache2/PHP/phpMyAdmin/MySQL... basically, a LAMP server.

I opened port 8000 on my router and forwarded it to my 192.168.1.xx server.

I'd like to make it as secure as possible, obviously. Any tips/recommendations for a n00bie? :D

Thanks, guys!
 
ssh keys. deny password logins.

did you run the mysql secure setup script?

htaccess protect the phpmyadmin directory.
 
@OP

Make sure MySQL only answers queries on localhost and 127.0.0.1 (it treats them separately). Add a firewall so that SSH queries can only come from your workstation (or where ever you admin the server from).

Run the HTTP server as a non-privileged user, same for MySQL.
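An added example, not code posted by anyone in this thread: a POSIX shell audit of three of the settings recommended above (key-only SSH, MySQL bound to loopback, an htaccess-protected phpMyAdmin directory). The sample config files are constructed; the real paths (/etc/ssh/sshd_config, /etc/mysql/my.cnf, the phpmyadmin directory) are assumed.

```sh
#!/bin/sh
# Added example, not code posted in the thread. Audits three settings the replies
# above recommend: key-only SSH, MySQL bound to loopback, and an htaccess-protected
# phpMyAdmin directory. The sample files below are constructed; on a real host point
# the functions at /etc/ssh/sshd_config, /etc/mysql/my.cnf and the phpmyadmin directory.

# sshd honours the first uncommented occurrence of a keyword; print its value lowercased.
ssh_directive() {   # $1 = sshd_config path, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# 0 when password logins are off and root cannot log in with a password.
sshd_keys_only() {
    [ "$(ssh_directive "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(ssh_directive "$1" ChallengeResponseAuthentication)" != "yes" ] &&
    [ "$(ssh_directive "$1" PermitRootLogin)" != "yes" ]
}

# 0 when mysqld listens only on 127.0.0.1 or has TCP networking disabled.
mysql_local_only() {   # $1 = my.cnf path
    grep -Eq '^[[:space:]]*(bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1|skip-networking)' "$1"
}

# 0 when the phpMyAdmin directory has an .htaccess that demands HTTP Basic auth.
pma_protected() {   # $1 = phpMyAdmin directory
    [ -f "$1/.htaccess" ] &&
    grep -Eq '^[[:space:]]*AuthType[[:space:]]+Basic' "$1/.htaccess" &&
    grep -Eq '^[[:space:]]*Require[[:space:]]+valid-user' "$1/.htaccess"
}

report() {   # $1 = label, $2 = check function, $3 = path
    if "$2" "$3"; then echo "OK    $1"; else echo "WEAK  $1 ($3)"; fi
}

# --- constructed samples: a weak and a hardened version of each file ---
SAMPLES=$(mktemp -d)
printf 'PermitRootLogin yes\n#PasswordAuthentication no\n' > "$SAMPLES/sshd_weak"
printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$SAMPLES/sshd_hard"
printf '[mysqld]\nbind-address = 0.0.0.0\n' > "$SAMPLES/my_weak.cnf"
printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$SAMPLES/my_hard.cnf"
mkdir -p "$SAMPLES/pma_weak" "$SAMPLES/pma_hard"
printf 'AuthType Basic\nAuthName "phpMyAdmin"\nAuthUserFile /etc/apache2/pma.passwd\nRequire valid-user\n' \
    > "$SAMPLES/pma_hard/.htaccess"

for v in weak hard; do
    report "sshd password logins disabled" sshd_keys_only "$SAMPLES/sshd_$v"
    report "MySQL bound to loopback"        mysql_local_only "$SAMPLES/my_$v.cnf"
    report "phpMyAdmin htaccess-protected"  pma_protected    "$SAMPLES/pma_$v"
done
```

The bind-address check only covers the listener; the localhost-vs-127.0.0.1 distinction the reply mentions lives in the MySQL grant tables and has to be checked there.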
 
http://configserver.com/cp/csf.html

It seems a little complicated at first, but it is very easy to configure. It's an IPTables wrapper that lets you IP ban on X number of fails (for SSH, FTP, pop/imap, http, etc), ban based on geolocation, ban based on blacklists, etc.
 
I would honestly say run something that you need to configure instead, you'll learn a lot by reading the documentation and doing the practical work.

That said, what do you actually need? Unless you need a very specific functionality provided by Apache you're better off running nginx, which also is much easier to grasp. That said, if you need PHP, at least the Suhosin patch for PHP would be a good start. You probably want MariaDB if you want to run any MySQL/MySQL-derivative at all. PostgreSQL is a more sane choice if you actually want to learn how to use SQL in the long run. You'll probably be better off running SQLite and/or flat files if you're interested in getting things running and don't really care about the programming part.

That said, a firewall is needed etc., so I'd suggest that you have a look at either Debian or FreeBSD. OpenBSD might be an option too but I don't have much experience with it. I personally prefer FBSD, but that's a personal choice; I do like the very good documentation and consistency.

//Danne
 
Good idea to separate web, application, database and users into their own zones so if one gets compromised the intruders don't have automatic access to everything else. You'll need a firewall that supports zones like pfSense or business class.
 
Thanks for the input guys.

I'll keep you posted and I really appreciate the help. Time to spend some time on this...
 