Author Topic: Basic system protection  (Read 3562 times)


Offline kirrus

Basic system protection
« on: October 01, 2010, 11:32:44 pm »
You must have, on any web-server or other service-providing system: A firewall.

You should have, if you can't firewall port 22 (ssh), fail2ban or denyhosts.

If you're running a shared webserver system (providing hosting for 2 or more different websites) you really should be running mod_security.

If you can't put phpMyAdmin behind a firewall or basic auth (customers, *sigh*) then do keep it upgraded. Of course, keeping things upgraded covers any off-the-shelf software; WordPress is just as bad - quite a few of them have got code injection/filesystem manipulation issues.

If you can, and you're running a mod-php system, run the IPX version of Apache, not mpm prefork. It allows you to get Apache to execute customer code as that customer's user, which is a boon to tracking down which muppet didn't upgrade WordPress this time.

Of course, there are a lot of other things you can do as well: FastCGI, nginx, and other more fancy things when you get up to MP's sort of level ;)
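
The fail2ban/denyhosts recommendation above, shown as an added example that is not part of the original post and is not fail2ban's own code: a simplified sketch of the log-watching approach, counting failed SSH logins per source IP inside a sliding window and flagging the addresses that cross a threshold. The log lines are constructed, and the names `ban_candidates`, `max_retry`, `find_time` and `year` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
Oct  1 23:30:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Oct  1 23:30:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Oct  1 23:30:09 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40044 ssh2
Oct  1 23:31:15 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.20 port 51514 ssh2
Oct  1 23:40:00 web1 sshd[2150]: Failed password for bob from 198.51.100.99 port 50000 ssh2
Oct  1 23:59:00 web1 sshd[2190]: Failed password for bob from 198.51.100.99 port 50010 ssh2
Oct  2 00:20:00 web1 sshd[2250]: Failed password for bob from 198.51.100.99 port 50020 ssh2
"""

# Anchored on the sshd prefix; the source address must be a dotted quad so a
# crafted username cannot stand in for the IP field.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def ban_candidates(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2010):
    """Return {ip: time the threshold was crossed} for IPs with at least
    max_retry failed logins inside any find_time window.
    Syslog timestamps carry no year, so one is assumed via `year`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other lines are ignored
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        window = recent[ip]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        if len(window) >= max_retry and ip not in flagged:
            flagged[ip] = when
    return flagged

if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when}")
```

The slow source at 198.51.100.99 never has three failures inside ten minutes, so it is not flagged; a longer window or a lower threshold trades that blind spot against locking out legitimate users who mistype a password.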

 

