*I've never done linux admin OR: I'm not a hardcore system administrator*
*Now that we've finished securing our slice*
Whoa nelly, you're not *quite* done securing that doggy! I'm not accusing you of being one of them CC-types, you know, "cargo ..." but here are some things you need to do to reasonably secure that thing:
- domain registrar: conceal your home address, email and phone number in _whois_; there's at least one registrar that does this for free
- SSH brute force attacks: set iptables to drop a source that opens more than a few new connections a minute (check with ifconfig that the public NIC really is "eth0")
- update the ruby interpreter from p-111
- DenyHosts: read this guy's account of how many IPs he's blocked; hint: not dozens, no, not hundreds either
- a few people with fixed IP addresses can use TCP wrappers, but a fixed address is a relative rarity, I think, in the age of Comcast (yes, that's what our era is)
- encrypt your home directory; Mr. Kirkland's blog on this is excellent
- strong password, not dictionary crackable: take the first letters of a sentence, mix upper and lowercase letters, append punctuation and numbers; OR do the mixed-case thing on a dictionary word, split it in the middle and insert punctuation and numbers
- login ID not "demo", certainly, and not prone to dictionary attacks. Ideally different user names for mysql and linux/SSH, but capistrano doesn't like this by default.
- which brings us to auditing capistrano, fabric, vlad, or whatever you're using to deploy from SVN/git. Make sure no login IDs and passwords are creeping onto the slice in plaintext (rails' database.yml). You probably want to check for personal info too: name, address, phone, IP addresses, whatever.
- HeidiSQL: this is a common addon
- Slice Manager: this is the big invitation for the crackers: "Hit Me, Kick Me!" I haven't seen any satisfactory answers, but all the more reason your login id and password shouldn't be dictionary-crackable.
- SELinux, AppArmor, grsecurity (don't know how easily the first two go with ubuntu)
- some good books. You need to read something about security. I spent a few hours picking some good ones for you;
- blogs/wikis, too: Mr. Ellis has a good series
(truthfully, it was only a few minutes. OK, 45 seconds)
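The SSH rate limit from the iptables bullet above, written out as an added example (not from the original post): a shell script that generates the rules with the `recent` match so a single source gets only a few new SSH connections per minute, and applies them only when asked, after checking the NIC exists. It assumes iptables with the `conntrack` and `recent` matches and that `eth0` is the public interface.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes iptables with the
# conntrack and recent matches; the NIC defaults to eth0, as the post assumes.

# Print the rules for interface $1 (default eth0), port $2 (default 22),
# allowing at most $3 (default 3) new connections per 60 s from one source.
ssh_ratelimit_rules() {
    nic=${1:-eth0}
    port=${2:-22}
    max=${3:-3}
    # --update counts the current attempt too, so attempt number max+1 is dropped.
    hit=$((max + 1))
    cat <<EOF
iptables -A INPUT -i $nic -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
iptables -A INPUT -i $nic -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount $hit --name SSH --rsource -j DROP
iptables -A INPUT -i $nic -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# The post's "check NIC is eth0" step: refuse to apply rules to a name
# ifconfig (or ip, on newer systems) does not know.
nic_exists() {
    ifconfig "$1" >/dev/null 2>&1 || ip link show "$1" >/dev/null 2>&1
}

# Apply the generated rules (needs root). Each rule is echoed before running
# so the log shows exactly what was inserted.
apply_ssh_ratelimit() {
    nic=${1:-eth0}
    if ! nic_exists "$nic"; then
        echo "interface $nic not found (check ifconfig)" >&2
        return 1
    fi
    ssh_ratelimit_rules "$@" | while IFS= read -r rule; do
        echo "+ $rule"
        eval "$rule" || exit 1
    done
}

# Dry run:        ssh_ratelimit_rules eth0 22 3
# Apply as root:  apply_ssh_ratelimit eth0 22 3
```

Check the live counters afterwards with `iptables -L INPUT -v -n`; a dropped source shows up in the DROP rule's packet count, and `/proc/net/xt_recent/SSH` lists the addresses currently tracked.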