VPS Administration for the Absolute Beginner

I have a new site that I want to build, something that I as a programmer wish existed. While there is no way this site would ever reach StackOverflow levels of success, I do hope that it will have a broad appeal and become decently successful - I'm optimistic, anyway.

I'm going to start with a shared host, possibly sticking with the company which hosts my blog since I know them well enough, but I don't think shared hosting is a good long term solution.

As such, I've been checking out various VPS providers, mainly Slicehost and Linode so far, for their potential as a "next-stage" provider. The problem is that I feel I would be completely out of my element with a VPS. I only have limited experience with Linux (I've tried it a few times on my laptop, but always ran into issues that made me give up on it - usually wireless issues), and while I'm pretty sure I could get the basics setup, I worry that I'd leave things horribly insecure or that I just couldn't handle maintenance issues.

Obviously, my idea may flop entirely, but I'd rather not get caught with my pants down if I ever got to the stage where a VPS becomes a necessity.

So, are there any good tutorials / (e-)books / articles describing how to get to know your VPS, or any other issues I should be concerned with. The site would most likely be a "classic" LAMP stack, though I may decide to swap things out later on as the need (or want, really) arises.

My absolute top priority in this is security, hence this post. I have very little doubt, given the resources online - most notably Slicehost and Linodes tutorials sections, that I could hack together a workable solution, but I need to know that I'm not leaving critical vulnerabilities open by doing this.

An ounce of prevention, etc.

Thanks!


Edit:

I've also asked this question at Hacker News and Reddit over the past couple of days, so perhaps the links to those discussions might be useful:

  • Hacker News
  • Reddit

Solution 1:

If your Unix sysadmin skills are ... well, zero, then my advice is: Don't do it! Don't try to hack together a secure server configuration from a few tutorials and newbie guides.

Reasons:

  1. You won't succeed. The net is overflowing with turorials with poor or factually wrong content. You won't know which threats are likely for your setup and which are not, and you'll make bad judgments about which security measures to implement. The end result won't be a secure server.
  2. It's not an efficient use of your time. Spend your time on your key differentiators, that is your understanding of the market need and your programming skills.

You can find managed solutions very easily. Either:

  1. Go to Webhostingtalk.com's forums, and read reviews of managed VPS providers, and pick a good one (ServInt, Wiredtree and others). The service provider handles basic OS patching etc, you're responsible for your own application.

    OR

  2. Set up an unmanaged VPS with a good provider (Linode) and hire one of the many "outsourced sysadmin" type of companies to secure and administrate it. Again you can do comparison shopping for the "outsourced sysadmin" provider at Webhostingtalk.

Solution 2:

While the Slicehost/Linode wikis are a great resource, it's worth noting that when it comes to "securing" a VPS, not all VPS's are created equal.

Both Slicehost & Linode offer Xen-based VPS's exclusively and this has quite a few implications when it come to security. For example:

  1. A typical recommendation for securing the /tmp directory is to mount it on a separate partition and mark it as "noexec,nosuid". The guide might suggest using the command "mount -o loop,noexec,nosuid". If you are running an OpenVZ VPS, this command will fail - even as root, you do not have adequate rights on the loopback device.
  2. If you would like to install a iptables-based firewall on your VPS, an OpenVZ VPS would require your provider to make some changes at the "Host Node" level. This is because in an OpenVZ VPS you share the kernel with other instances.
  3. It's always good to keep your VPS up-to-date with the latest patches. Except if you are running an CentOS VPS on OpenVZ, a blind "yum update" will reliably result in a broken VPS. Kernel,dev and other such updates are verboten in this environment.

I guess what I'm trying to point out is that there really isn't one "true" guide or book for securing a VPS. It depends on the specific environment & OS you are running on, plus what level of paranoia is sufficient for you. In the end, I rely on a set of server build notes and config files that I created through trial & error and maintain in a private git repo - that way, bringing up a new server just requires lots of copying & pasting.

For general reference, the "Security" section of HowToForge and this article with some relatively obscure "security through obscurity" tips might be useful.

Solution 3:

I'm also thinking of getting a VPS. Looking at Gandi and it's looking pretty good.

Saw on your HackerNews-thread that someone talked about the Ubuntu Server Book. I haven't read it, but I found the Ubuntu Server Guide. There's a security chapter, but only read part of it yet so don't know if it's any good. But saw that they cover how to get automatic security updates. Think it could be a great source.