Linux Server Security

Posted: Tue Mar 25, 2008 7:56 pm
by Sequalit
I have a Virtual Private Server hosting Ubuntu 7.10

Obviously I can SSH into the server with a root account...

What is the best way to keep my server secure?

1. User accounts? Obviously I do not want to run as root all the time, so what permissions should a general account have? sudo? Or, if I have to do something special, log in as root?
2. Mysql Accounts? should the above user account have access to this?
3. FTP Accounts? and have ftp ability?
4. www folder permissions and what user should own them? and own the www folder?

Or one account for management, and another for mysql/ftp and another to own the www folder?

Where is the best place to store the login information of the database for PHP scripts, in case your www folder gets compromised?

As far as iptables goes, just the basic web ports, right?

I know it's a lot of questions; if you take the time to answer, I thank you in advance :P

Re: Linux Server Security

Posted: Wed Mar 26, 2008 10:05 am
by samb0057
1. Create a user that is allowed to log in via SSH and allowed to use the su command to log in as the root user (two logins, safer than one).
2. MySQL accounts are completely separate.
3. Just create what is needed. Keep permissions to a minimum, as a general rule.
4. Make the owner root or another admin user. Give the web server permission only to read these files, not write them.

I'd say make a management account that owns the www folder, and make separate ftp accounts as needed.
Store only in the www folder the files that the visitor will need to directly access. I keep all of my configuration files, functions, classes for my web sites outside of the www directory, and include them from my index.php in the www directory.

For IPTables you should allow 80 (web), 443 (secure web), 22 (SSH), and 21 (FTP). FTP gets a little complicated when dealing with firewalls, so you may have to do some research there. Just make sure you don't accidentally close SSH, because then you'll be locked out and unable to change it. Also check out SFTP (SSH File Transfer); I find it much easier to use and more secure than FTP.
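Added example, not code from either poster: a small POSIX shell script that turns the advice above into something reviewable. `firewall_rules` prints the iptables commands (allow 22, 80, 443, 21; default DROP on INPUT, with the SSH rule placed before the policy flips so you cannot lock yourself out), and `harden_docroot` gives the www tree to an admin owner with the web server's group limited to read and traverse. The directory path, owner and group are arguments; the names in the usage note (`/var/www`, `admin`, `www-data`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Review the printed rules, then run them as root.

# Print the INPUT chain rules. The conntrack rule lets replies to the server's own
# connections through and, with the nf_conntrack_ftp module loaded, FTP data
# connections as well, which is the part the post calls "complicated".
firewall_rules() {
    cat <<'EOF'
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH is accepted before the policy becomes DROP; reversing these lines locks you out
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -P INPUT DROP
EOF
}

# harden_docroot DIR OWNER GROUP: OWNER (an admin account) owns every file,
# GROUP (the web server) can read and traverse but never write (dirs 750, files 640).
harden_docroot() {
    dir=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 750 {} + || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# Number of entries under DIR writable by group or others; 0 means nothing
# the web server (or anyone else) can modify.
writable_count() {
    find "$1" \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Apply the firewall only when asked explicitly, so plain execution stays a dry run.
if [ "$1" = "--apply-firewall" ]; then
    firewall_rules | sh
fi
```

Typical use as root would be `harden_docroot /var/www admin www-data` followed by `writable_count /var/www` to confirm it prints 0; the database credentials file kept outside the docroot, as samb0057 suggests, gets the same 640 owner:www-data treatment.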