Greetings. Not so long ago I began to use a VPS / VDS server, so the question arose – what should be done to eliminate obvious security holes? What interests me is the server setup, not the security in scripts and program code. The server is running Ubuntu. I would like to hear general recommendations and what you should pay attention to.
If you put it from the official release, all the security is already there.
If you are the only real user in the system, then you do not need to do anything else. It's simple: you don't need to differentiate between rights. The exception is system users (memcache, mysql, www-data), but again, apt-get will do everything for you. System users are numbered up to 1000 (cat /etc/adduser.conf | grep FIRST_GID, cat /etc/passwd). Working as root all the time is not safe anyway.
In the case of such "monopoly" the password for MySQL is not necessary to set, since by default it listens only to localhost. Moreover, MongoDB without a password by default, since they are accessible only from localhost, and the time when a bunch of users (accountants, programmers, etc) worked on one server, who needed to be "filtered" by access, has passed.
root also disabled by default, and web servers run under
fail2ban I would not bet if you have a cryptographically strong password (try the apg command), login is not root and you are not paranoid. You can look at the logs a little later – there will be a brute-force root, and no one knows your username except you. And the server does not report that there is no such user. This is my IMHO.
But the really important things are timely software updates (my first share was broken through a vulnerability in some graphics package). You've probably heard about high-profile vulnerabilities like Heartbleed and Meltdown. Also, do not run dubious scripts downloaded on some forum without analysis.
The second is the correct configuration of the installed software, here, as appropriate, see the documentation.
- decided to make ftp – be prepared for a password leak, since the login-password will be transmitted through several servers in clear text. An alternative is sftp. I also recommend chroot
- let your friend use the server – chroot, MySQL password, shell_exec and other similar functions for PHP (see
Third. Most often they break through vulnerabilities in web scripts. This is a separate big topic. Examples:
- leaked source code and site passwords from the .git repository in the root of web documents. Add blocking via .htaccess (apache) or nginx rule, or create a repository above the web document root.
- allow the web server to write only to a single directory – "uploads" (media/upload/, etc), and forbid the execution of scripts from this directory
- use git, with its help it is possible to understand "what has changed"
- do not use dubious CMS assemblies and update their versions regularly
- if you are a developer, be sure to read about XSS and SQL Injection
If you decide to go even further, then: