On Tue, 29 Nov 2011, Philip Radford wrote:
Hi All. Have re-joined the list after a few months away dabbling with Microsoft Technologies (dare I say it!).
Hope you're on the road to recovery now ;-)
We are starting a new business venture which uses a LAMP framework running on Debian based servers.
Excellent :)
We have funding set aside for mentoring, so we are specifically looking for advice on online security and locking down the servers. Does anyone on this list know of a company or someone in the field within the Devon & Cornwall area who could provide mentoring/advice in this field of expertise?
How "locked-down" are you after?
FWIW: I run hosted Debian based servers including ones that pass PCI compliance testing...
On the firewalling side, I have a basic set of iptables scripts, but realistically (with the exception of my VoIP servers which are somewhat specialised) the easiest way is to simply not run services in the first place - ie. remove inetd from your system and make sure the install doesn't have cruft like nfs or samba installed... I don't think there's anything mainstream that uses inetd these days that doesn't now run as a daemon (e.g. dovecot for pop and imap and so on) and the old services it used to provide really aren't useful enough to provide them anymore. (IMO - things like echo and daytime)
From that point of view, it's fairly trivial to do and I can share my basic iptables script with you if you like.
Then there's security in the form of vetting incoming HTTP (and other) requests - a sort of DPI (or active content filtering) on inbound data heading towards applications... (And in these cases, it might actually be easier to use a separate 'appliance' to front-end the requests)
Deeper, then there's coding in a secure manner - not making cgi scripts vulnerable to attacks such as SQL injection (See: http://xkcd.com/327/ ) and cross-site scripting and so on. Also things like making sure nothing has world-writable permissions and so on - I see people blindly just making everything read/write "because it's easy" then wonder why some script kiddie managed to upload and execute some code that's scribbled all over their own php files...
Other than that, it's basic sysadmin type stuff - file user, owner and group permissions - executable or not, marking partitions as noexecute if possible (which doesn't stop some scripts running), running regular checks for programs that shouldn't be there, regular security updates, and so on.
Drop me an email if you want more info, but I know there are several others on the list who can help too, so there's no shortage of expertise in the south west which I think is quite reassuring.
Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
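
Three of the checks mentioned in the message above (services still enabled in inetd, world-writable files, and partitions mounted without noexec) written as shell functions. This is an added example, not part of the original message or Gordon's own scripts; the function names, the paths and the sample inetd.conf and mounts data are constructed for illustration.

```shell
#!/bin/sh
# Added example: three checks from the advice above. Function names, paths
# and all sample data are constructed for illustration.

# 1. Services still enabled in an inetd.conf-format file read from stdin.
#    Commented-out lines (including Debian's "#<off>#" marker) are skipped.
inetd_enabled() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 "/" $3 }'
}

# 2. World-writable files and directories under a tree (e.g. a web root).
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# 3. Mount points (given as arguments) that lack noexec, from
#    /proc/mounts-format lines on stdin. noexec only blocks direct execution:
#    an interpreter such as php or sh can still run a script stored there.
missing_noexec() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) check[w[i]] = 1 }
        ($2 in check) && ("," $4 ",") !~ /,noexec,/ { print $2 }'
}

# Constructed sample inputs so the checks can be tried offline.
sample_inetd() {
    cat <<'EOF'
#<off># echo    stream  tcp  nowait  root  internal
daytime         stream  tcp  nowait  root  internal
# ftp           stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
EOF
}
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev 0 0
/dev/sda3 /var/www/uploads ext4 rw,noexec,nosuid,nodev 0 0
EOF
}

echo "inetd services still enabled:";   sample_inetd  | inetd_enabled
echo "mounts without noexec:";          sample_mounts | missing_noexec /tmp /var/www/uploads /dev/shm
```

On a live Debian host the same functions can be fed `/etc/inetd.conf` and `/proc/mounts` on stdin, and `world_writable` pointed at the web root.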