How to be server admin noob and manage security on Linode/SliceHost/Webbynode?
I'm considering moving a Rails app from a shared hosting provider to a dedicated server or a service like Linode, SliceHost, Webbynode, etc. where, if I understand correctly, the security of the server is completely down to you.
With shared hosting I'm used to not having root access and so firewall and most other security concerns tend to be handled by the hosting company.
So my concern is moving to a server where I (a server admin rookie) am taking care of security. I'd love to have an expert Server Admin take care of that however that is not possible.
Does anybody know of an affordable service like SliceHost or Webbynode where security is managed by the provider? I've looked at Heroku but due to an SSL full cert requirement it isn't affordable for me at the moment.
Alternatively, does anybody know if server images are available to use on Linode/SliceHost/Webbynode/other where security is taken care of or made simpler?
(I guess my chief concern is I'm a web app developer who thinks he's going to end up spending more time securing servers than coding. Perhaps I'm getting worried over nothing.)
Someone needs to take care of these things. Either you do it, or you pay someone to do it. You've been paying a hosting company to do it up until now (through the fees on your shared hosting plan). It's not just security you need to be thinking about, though; there's a whole range of things that a good systems administrator will be doing for you, from monitoring, installing and configuring new software as required, troubleshooting all manner of problems, and proactively responding to outages.
Without knowing what "affordable" means to you, I can't give any specific recommendations as to hosting companies who include management in their products. There are a few who provide comprehensive management, and a fair few more who claim to but don't. (I wrote a checklist of what to ask a hosting company as part of a larger answer on choosing a hosting company that should be useful in weeding out the doers from the sayers). The company I work for does it (and does it pretty well, I feel), but if Heroku isn't in your budget, I doubt we are either.
As far as finding a VM image where "security is made simpler", that just doesn't exist (except in the simplest case where you use an image that doesn't boot -- those tend to be fairly secure). Computer security isn't like a bolt-on spoiler, it's an on-going process of analysing your changing requirements, making the necessary configuration adjustments, sometimes saying "no, you can't do that, you'll get pwned" and working out some other solution to your problem. No VM image can do that for you; someone with a brain and working fingers needs to take care of it on an on-going basis.
The two most important aspects to worry about are SSH security and the firewall. I would recommend that you disable root logins, create a second user, use sudo and use public-key authentication. It's common for script-kiddies to try and brute-force logins. Fail2ban will help with that (to detect brute-forcing and add firewall rules to ban the IPs)
For the firewall, you can use a very easy to configure front-end for iptables called Firehol. Firehol lets you write rules such as:
interface eth0
server http accept
For what it's worth, you need to be paranoid. Only allow what is necessary (i.e you might only need ports 80, 443 and 22.) Don't forget application-level security.