my first "production" debian server configuration
Solution 1:
Updates, updates, updates.
- Are you running Debian stable or testing? Sometimes keeping testing up to date is a bit more complicated than stable.
- Are you running everything as Debian packages?
Make sure you are not running extraneous services. Run netstat -nap and check all processes that are listening on ports, make sure there's nothing there which is not strictly needed. Things that can listen just on loopback should do that.
All publicly accessible non-public stuff should be protected by strong passwords or stronger measures (ssh keys, etc.).
If you can, some measure against DoS would be nice. Throttling evil requests could be handy.
Solution 2:
There are a number of things I have installed on my debian production servers:
- logwatch (apt-get install logwatch) - sends you an e-mail each day summarising the logs your server generated yesterday. A good way to spot potential problems coming up
- apticron (apt-get install apticron) - e-mails you when there are newer versions of installed packages available, e.g. to fix security holes
Given the sensitivity of the data passing through the server, I would restrict SSH logins to key-based only (no passwords) as it makes it much more difficult to crack accounts at random. Whether you do that or not, root SSH is bad, dangerous and wrong and should be disabled or limited to a handful of trusted IP addresses
Make sure you're subscribed to [email protected]
Consider running rootkithunter, chkrootkit and integrit, all available via apt-get install, to check that nothing nasty has found its way onto your server.
Make sure the sensitive parts of your website (anything accepting credit card numbers, passwords, etc. especially the django admin interface) are accessible over HTTPS (SSL) connections only, not plain HTTP.
If you're properly paranoid/serious about security, get the hosting provider to read the SSH key fingerprints of the server out to you over the phone or send them in an encrypted e-mail to you so you can verify when you first connect to the machine that you're not being man-in-the-middle attacked (or log into it for the first time when physically sitting in front of it, if that's possible).