my first "production" debian server configuration

Solution 1:

Updates, updates, updates.

  • Are you running Debian stable or testing? Sometimes keeping testing up to date is a bit more complicated than stable.
  • Are you running everything as Debian packages?

Make sure you are not running extraneous services. Run netstat -nap and check all processes that are listening on ports, make sure there's nothing there which is not strictly needed. Things that can listen just on loopback should do that.

All publicly accessible non-public stuff should be protected by strong passwords or stronger measures (ssh keys, etc.).

If you can, some measure against DoS would be nice. Throttling evil requests could be handy.
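To make the "check all processes that are listening on ports" step repeatable, here is an added example (not part of the answer above) that filters netstat-style output down to sockets bound to something other than loopback and compares them against a list of ports you expect to be public. The sample rows are constructed to look like `netstat -nap` LISTEN lines; the allow-list "22 80" is an assumption for the sake of the example.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -nap` TCP LISTEN rows (not captured from a real host).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/apache2
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      1333/memcached
tcp6       0      0 :::5432                 :::*                    LISTEN      1410/postgres
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1502/exim4'

# Read netstat-style rows on stdin; print "PORT PROGRAM" for every LISTEN socket
# whose local address is not loopback (127.0.0.1 or ::1).
exposed_listeners() {
  awk '$6 == "LISTEN" {
    n = split($4, a, ":");                       # local address is field 4; port follows the last colon
    port = a[n];
    addr = substr($4, 1, length($4) - length(port) - 1);
    if (addr != "127.0.0.1" && addr != "::1") {
      prog = $7; sub(/^[0-9]+\//, "", prog);     # strip the PID from "PID/program"
      print port, prog;
    }
  }'
}

# Read netstat-style rows on stdin; print exposed listeners whose port is not in the
# space-separated allow-list given as $1. Anything printed needs a justification or a bind to loopback.
unexpected_listeners() {
  allowed=" $1 "
  exposed_listeners | while read -r port prog; do
    case "$allowed" in
      *" $port "*) ;;                            # expected public service
      *) echo "$port $prog" ;;
    esac
  done
}

# Run the audit over the constructed sample with sshd and the web server as the only expected public ports.
run_check() {
  printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80"
}

run_check
```

On a live host you would feed `netstat -nap` (or `ss -ltnp` on newer systems) into `unexpected_listeners` instead of the sample; in this example the memcached and PostgreSQL sockets are reported because they accept connections on every interface while only loopback clients need them.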

Solution 2:

There are a number of things I have installed on my Debian production servers:

  • logwatch (apt-get install logwatch) - sends you an e-mail each day summarising the logs your server generated yesterday. A good way to spot potential problems coming up.
  • apticron (apt-get install apticron) - e-mails you when there are newer versions of installed packages available, e.g. to fix security holes

Given the sensitivity of the data passing through the server, I would restrict SSH logins to key-based only (no passwords) as it makes it much more difficult to crack accounts at random. Whether you do that or not, root SSH is bad, dangerous and wrong and should be disabled or limited to a handful of trusted IP addresses.

Make sure you're subscribed to [email protected]

Consider running rootkithunter, chkrootkit and integrit, all available via apt-get install, to check that nothing nasty has found its way onto your server.

Make sure the sensitive parts of your website (anything accepting credit card numbers, passwords, etc., especially the Django admin interface) are accessible over HTTPS (SSL) connections only, not plain HTTP.

If you're properly paranoid/serious about security, get the hosting provider to read the SSH key fingerprints of the server out to you over the phone or send them in an encrypted e-mail to you so you can verify when you first connect to the machine that you're not being man-in-the-middle attacked (or log into it for the first time when physically sitting in front of it, if that's possible).
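The key-only and no-root-SSH advice above is easy to get subtly wrong in sshd_config, because sshd takes the first occurrence of a directive and a commented-out line means the built-in default applies. The following is an added example (not code from the answer) that reads a config, resolves each directive the way sshd does, and reports the settings the answer warns about. Both config fragments are constructed; the default of "yes" assumed for PermitRootLogin matches OpenSSH releases before 7.0 (later releases default to prohibit-password), and "yes" is OpenSSH's documented default for PasswordAuthentication and PubkeyAuthentication.

```shell
#!/bin/sh
# Constructed sshd_config fragments for the example (not copied from a real server).
# The weak one leaves PasswordAuthentication commented out, so the default (yes) applies.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers deploy'

# Effective value of directive $1 from a config read on stdin, falling back to default $2.
# Mirrors sshd's rules: first occurrence wins, keywords are case-insensitive, comments and
# blank lines are ignored, and "Key=value" is accepted as well as "Key value".
sshd_value() {
  awk -v key="$1" -v def="$2" '
    /^[ \t]*(#|$)/ { next }
    { gsub(/=/, " ") }
    tolower($1) == tolower(key) { print $2; found = 1; exit }
    END { if (!found) print def }'
}

# Print one finding per line for a config read on stdin; prints nothing when the config is clean.
sshd_findings() {
  cfg=$(cat)
  # Assumed default "yes" (pre-7.0 OpenSSH); the answer wants root SSH disabled outright.
  if [ "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin yes | tr A-Z a-z)" != "no" ]; then
    echo "PermitRootLogin is not 'no': root can log in over SSH"
  fi
  # OpenSSH default is yes, so a commented-out line still permits password logins.
  if [ "$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication yes | tr A-Z a-z)" = "yes" ]; then
    echo "PasswordAuthentication is yes: accounts can be brute-forced; use keys only"
  fi
  # Key-only login is impossible if public-key auth itself has been switched off.
  if [ "$(printf '%s\n' "$cfg" | sshd_value PubkeyAuthentication yes | tr A-Z a-z)" != "yes" ]; then
    echo "PubkeyAuthentication is not yes: key-based login cannot work"
  fi
}

echo "weak config:";     printf '%s\n' "$WEAK_SSHD_CONFIG" | sshd_findings
echo "hardened config:"; printf '%s\n' "$HARDENED_SSHD_CONFIG" | sshd_findings
```

Against a real server, pipe `/etc/ssh/sshd_config` into `sshd_findings`; `sshd -T` prints the fully resolved configuration and is a good cross-check that the resolution logic here agrees with what the daemon actually loaded.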