Tuesday, January 17, 2006

What to install on a new server for protection?

Today I was asked the following question by a friend of mine.

Q: I am currently working on moving my site to a new server so if anything needs to be installed or modified on the server let me know and I will make sure that it is done on the new server.

A: YES. There are quite a few things that you should do and install on your new server to secure it.

Here are a few recommendations right on top of my head:

1. Stop unneeded services.
2. Install protection against Brute Force SSH attacks (they can be costly) [BFD]
3. Install advanced firewall in addition to the default firewall (iptables). [APF]
4. Completely disable root login and admin login. [Custom Script]. If a user then attempts login as root, kick them off the server and log the attempt. I do it using a dummy shell.
5. Stop normal FTP and only use SFTP.
6. Have your Apache, MySQL, PHP and Kernel upgraded
7. Install mod_security (Depending on your site you may need to tweak the default ruleset)
8. Install something to monitor your applications and restart them if needed. [System Integrity Monitor]
9. Install something to clear Apache semaphores from time to time. [SIM can do this job]
10. In addition to Brute Force SSH attacks, you need something to protect you against other brute force attacks (FTP etc).
11. There may be a few other utilites that would help you greatly (but I'll have to check)

What else am I missing?



Aniket said...

i'm in the process of designing a GPS system and wanted to know that is it possible to keep MySQL and the database on a CDROM and query it from a C IDE(KDevelop)?

expecting help.

thank you.

Frank said...

Hello Aniket,

I have posted an answer here and asked for input from the community as well.