Any security tips for my first server? (complete beginner) [closed]

I'm paying for a VPS and hoping to launch my first website on it in the next few days.

I'm worried there might be some glaringly obvious security holes in the standard setup, so I'm keen to get some tips. About the only thing I know is to turn off error reporting in PHP and create users/privileges for MySQL. Any more stuff along those lines?

I'm using:

  • cPanel and WHM
  • CentOS 5
  • PHP
  • MySQL
  • Google Apps as mail server (so maybe I should disable the built-in mail server somehow?!)

There are a few security principles/tips you need to keep in mind:

  • Shut down the services you don't need

    If you don't need a specific service, shut it down. One thing less to worry about, especially regarding security.

  • Follow the least privilege principle

    If a service does not need to have super privileges, just give it the privileges it needs. For instance, if your web application doesn't need to drop tables, there's no need to enable the drop privilege in MySQL.

  • Keep your services up to date with security updates

    This is very important! From time to time, security holes are discovered. It's very important to have your applications updated when it comes to security issues.

  • Don't use default credentials

    Just don't use them. They're evil :) For instance, MySQL's root user doesn't have a password. Create one.

  • Backup everything that's important

    Backup everything you need to rebuild your server, and I mean everything. Also, test your backups on a regular basis. This is valid not only for security reasons, but also for business continuity reasons. One never knows when a backup might be needed.

Hope this helps!
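The two MySQL points above (least privilege for the application account, and getting rid of the stock passwordless/anonymous accounts) as a script. This is an added example, not part of the answer; the names webapp and webapp_db and the passwords passed to the functions are placeholders, and the sample mysql.user rows are constructed to look like a fresh install.

```shell
#!/bin/sh
# Added example: least-privilege grants for a web application account and a
# check for accounts that still have no password. Account, database and
# password values are placeholders.

# Emit the statements for an application account that only needs to read
# and write rows. CREATE, DROP, ALTER, FILE and SUPER are deliberately
# left out, and the account may only connect from localhost.
least_privilege_grant() {
    db="$1"; user="$2"; pass="$3"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'localhost';\n" "$db" "$user"
    printf "FLUSH PRIVILEGES;\n"
}

# Statements that fix the stock-install defaults: root with an empty
# password, and the anonymous '' accounts that let anyone log in.
fix_default_accounts_sql() {
    printf "UPDATE mysql.user SET Password = PASSWORD('%s') WHERE User = 'root';\n" "$1"
    printf "DELETE FROM mysql.user WHERE User = '';\n"
    printf "FLUSH PRIVILEGES;\n"
}

# Read the tab-separated output of
#   mysql -e "SELECT User, Host, Password FROM mysql.user"
# on stdin (Password is the column name in MySQL 5.0/5.1, as shipped with
# CentOS 5) and print user@host for every row whose password is empty.
passwordless_accounts() {
    awk -F'\t' 'NR > 1 && $3 == "" { print $1 "@" $2 }'
}

# Constructed sample of that query's output: root without a password on
# two hosts, one properly set up app account, and an anonymous account.
sample_user_table() {
    printf 'User\tHost\tPassword\n'
    printf 'root\tlocalhost\t\n'
    printf 'root\tvps.example\t\n'
    printf 'webapp\tlocalhost\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19\n'
    printf '\tlocalhost\t\n'
}

# How many accounts the sample flags (root@localhost, root@vps.example
# and the anonymous @localhost).
count_sample_passwordless() {
    sample_user_table | passwordless_accounts | wc -l | tr -d ' '
}

main() {
    echo '-- accounts with no password in the sample:'
    sample_user_table | passwordless_accounts
    echo '-- statements to fix them (password is a placeholder):'
    fix_default_accounts_sql 'change-me'
    echo '-- grants for the web application account:'
    least_privilege_grant webapp_db webapp 'change-me-too'
}
main "$@"
```

On the real server, pipe the actual query output into passwordless_accounts (`mysql -e "SELECT User, Host, Password FROM mysql.user" | passwordless_accounts`) and feed the generated statements to `mysql -u root -p`; re-run the check afterwards to confirm nothing is left.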


Also, try to force MySQL to listen on localhost only, if that is acceptable for you (Listen directive), or even better, if possible, remove network support for MySQL.
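An added example (not from the answer above) of making that change to my.cnf. In the [mysqld] section the option that restricts the listening address is `bind-address`, and `skip-networking` removes TCP listening altogether, leaving only the Unix socket. The sample my.cnf is constructed; on CentOS 5 the real file is /etc/my.cnf and the change takes effect after `service mysqld restart`.

```shell
#!/bin/sh
# Added example: audit and fix the listening mode of a my.cnf. The sample
# config written by write_sample_cnf is constructed for this demo.

# Report how mysqld would listen according to the file: "none" when
# skip-networking is set, otherwise the bind-address value, or "all" when
# neither option is present (the stock default: every interface).
mysql_listen_mode() {
    cnf="$1"
    if grep -Eq '^[[:space:]]*skip-networking' "$cnf"; then
        echo none
        return
    fi
    addr=$(sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*//p' "$cnf" | tail -n 1)
    [ -n "$addr" ] && echo "$addr" || echo all
}

# Drop any existing bind-address line and add bind-address=127.0.0.1
# directly under the [mysqld] header, so it cannot land in another section.
bind_mysql_to_localhost() {
    cnf="$1"
    sed -e '/^[[:space:]]*bind-address/d' \
        -e '/^\[mysqld\]/a\
bind-address=127.0.0.1' "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
}

# The stricter option: no TCP socket at all. PHP on the same box still
# connects through the Unix socket (socket= below), so the site keeps working.
disable_mysql_networking() {
    cnf="$1"
    sed -e '/^[[:space:]]*skip-networking/d' \
        -e '/^\[mysqld\]/a\
skip-networking' "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
}

# Constructed sample: a my.cnf that explicitly listens on every interface.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
bind-address=0.0.0.0
user=mysql

[mysqld_safe]
log-error=/var/log/mysqld.log
EOF
}

main() {
    cnf=$(mktemp)
    write_sample_cnf "$cnf"
    echo "before:             mysqld listens on $(mysql_listen_mode "$cnf")"
    bind_mysql_to_localhost "$cnf"
    echo "after bind-address: mysqld listens on $(mysql_listen_mode "$cnf")"
    disable_mysql_networking "$cnf"
    echo "after skip-networking: mysqld listens on $(mysql_listen_mode "$cnf")"
    rm -f "$cnf"
}
main
```

After the restart, `netstat -tlnp | grep mysqld` should show either 127.0.0.1:3306 or nothing at all; if port 3306 still shows 0.0.0.0, the option ended up in the wrong section of the file.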


See also: my first "production" Debian server configuration

Always, always, always use the built-in package manager to install software - in CentOS's case, that means Yum - http://wiki.centos.org/PackageManagement/Yum. This ensures that there's one central way to track and install security updates. Installing software from source on production servers is a security nightmare because you have to track and manually install security updates for all of it by hand.

Make sure you have a firewall in place, which only allows the services you need inbound - you could start with http://www.larted.org.uk/~dom/computing/code/iptfirewall

PHP should be hardened by disabling as many of the following functions as you can do without: http://www.eukhost.com/forums/f42/disabling-dangerous-php-functions-6020/

Also make sure PHP is set to log errors, not display them.
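The firewall and php.ini points from the answer above as runnable functions. This is an added example and not the answer's own code: the sample php.ini is constructed, the paths and port list are placeholders (on CentOS 5 the real file is /etc/php.ini and a ruleset is persisted with `service iptables save`), and the example goes slightly beyond the answer by also turning off expose_php.

```shell
#!/bin/sh
# Added example: harden a php.ini (log errors instead of displaying them,
# disable functions the application does not need) and print a default-deny
# iptables ruleset. Paths and ports are placeholders.

# Functions a typical PHP site never calls but a dropped web shell depends
# on: everything that spawns a process. Trim the list if your application
# legitimately needs one of them.
PHP_DISABLE='exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,show_source'

# Set a php.ini directive, replacing an existing (even commented-out)
# definition, or appending it if the file has none.
php_ini_set() {
    ini="$1"; key="$2"; val="$3"
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=" "$ini"; then
        sed "s|^[[:space:]]*;\{0,1\}[[:space:]]*$key[[:space:]]*=.*|$key = $val|" "$ini" \
            > "$ini.tmp" && mv "$ini.tmp" "$ini"
    else
        printf '%s = %s\n' "$key" "$val" >> "$ini"
    fi
}

# Read the last uncommented value of a directive.
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

php_ini_harden() {
    php_ini_set "$1" display_errors Off
    php_ini_set "$1" display_startup_errors Off
    php_ini_set "$1" log_errors On
    php_ini_set "$1" error_log /var/log/php_errors.log
    php_ini_set "$1" expose_php Off
    php_ini_set "$1" disable_functions "$PHP_DISABLE"
}

# Print a default-deny ruleset that accepts inbound only the given TCP
# ports, loopback, ping, and replies to connections the server opened.
# MySQL (3306) is deliberately absent: it should not be reachable at all.
firewall_rules() {
    echo 'iptables -F INPUT'
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT ACCEPT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Constructed php.ini with the development-style defaults the answer warns about.
write_sample_php_ini() {
    cat > "$1" <<'EOF'
[PHP]
display_errors = On
log_errors = Off
;error_log = syslog
expose_php = On
disable_functions =
EOF
}

main() {
    ini=$(mktemp)
    write_sample_php_ini "$ini"
    php_ini_harden "$ini"
    echo '# hardened php.ini:'; cat "$ini"; rm -f "$ini"
    echo '# firewall: ssh, http, https and WHM over https (2087) only'
    firewall_rules 22 80 443 2087
}
main
```

Apply the firewall output from a console session, or at least with SSH's port in the list, since the DROP policy takes effect before the ACCEPT rules for your ports are added. After changing php.ini, restart Apache and confirm with `php -i | grep -E 'display_errors|disable_functions'` that the new values are the ones in effect.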