Locking down a box on the Internet [closed]

I'm a developer who is looking to put a new service on the Internet. I am new to administering systems and frankly I seem a little lost as to where I should start with putting something on the web.

My application works fine on my machine, and I'm sure I can make it work fine on any box I put it on. But the security of that box is pretty important.

What are the things I'm going to need to know to prevent my service from getting hacked to shreds? Links to solid resources fine by me! I'm okay with a non-specific answer. I would love even just a starting point.

If I sign up for a standard hosting package (let's say from GoDaddy or something) can I simply tell them "make port 12345 open for communication" and let them handle the rest of the security details?

Thanks!


Solution 1:

I am not sure what most vendors provide; personally, I think it would be a good idea for you to verify everything, even if they do some of the work for you. Here is a general answer that you may be able to use as a checklist. It covers most of the major topics of what you'll find in almost every standard security reference.

Also please remember that while securing the OS/platform is important the majority of security issues actually happen at the application level in the service that you will be exposing. This SANS article suggests that at least 60% of the incidents are the result of an Internet facing service being compromised. So it is very important for you to make sure your application is not the problem.

Security checklist

Change defaults

  • Change passwords
  • Change ports for any remote administration interfaces
  • Adjust any commonly known usernames on systems that support renaming.

Remove any unneeded services and packages

  • Find out what is running, and disable and/or remove anything you don't need.
    • Some servers will come with web-based admin interfaces enabled. Disable them, or at least make sure that they can only be accessed by you.

Enable a host-based firewall

  • You may be protected by a network firewall as well, but security should be done in layers. Set up a firewall on the host and limit access to only what is required.
  • Use a default-deny rule set. Your firewall should block everything, and permit only the traffic that you explicitly know is good.

Set up any intrusion detection and prevention tools

  • If your system is running SSH look at setting up something like denyhosts or fail2ban.
  • Set up rate-limiting in your firewall so dictionary/brute force attacks are not possible.

Set up a system to monitor your availability

  • You want to be notified when something breaks. Set up a remote monitor or subscribe to a service that will monitor for you.

Set up a system so any logs and errors get to you

  • Ship any syslog or event log data to a remote site. Or at least set up something like logcheck so that unusual behavior results in a notification being sent.

Come up with a plan on how you will be updating the system

  • Security is not something that can be done and then forgotten about. You need to be updating things. You probably should have a dev/testing server (VM?) that duplicates your production environment so you can test updates and then plan on when/how you will be updating the production box.

Set up a backup system so you can restore when the worst happens

  • Failures and system compromises will happen. Setting up a good backup is what you will use to both detect that you have been compromised and repair the system if you have been.

Check with your ISP to see what will happen if you get hit by a DoS, and what they can do to help in the case the worst happens

  • Not all disruptive behavior results in your box being compromised. Your service can be brought offline remotely. Figure out if your ISP will be able to help you and how you will be able to get help when that happens.

Set up encryption where appropriate

  • Configure SSL/TLS for transmission of any PII.
  • Make sure any applications store any PII securely.
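The "intrusion detection" and "logs get to you" items in the checklist above (fail2ban/denyhosts, logcheck) both reduce to the same mechanism: read the authentication log, count failures per source address inside a time window, and feed the offenders to the default-deny firewall. The following is an added example written for this page, not code from the answer author or from fail2ban itself, showing that mechanism end to end in Python. The sshd log lines are constructed for the example (RFC 5737 documentation addresses, invented hostname and PIDs), the threshold and window values are assumptions that mirror fail2ban's maxretry and findtime defaults, and the generated block commands assume iptables and are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in syslog format; invented for this
# example, not taken from any real host. Three sources appear:
#   203.0.113.7   - five failures in eight seconds (a dictionary attack)
#   198.51.100.20 - one typo after a successful key login (legitimate admin)
#   192.0.2.99    - five failures spread over twenty minutes (low and slow)
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:04 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:06 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:00:07 web1 sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51270 ssh2
Mar  3 10:00:09 web1 sshd[2240]: Accepted publickey for deploy from 198.51.100.20 port 40222 ssh2
Mar  3 10:01:30 web1 sshd[2250]: Failed password for deploy from 198.51.100.20 port 40230 ssh2
Mar  3 10:20:00 web1 sshd[2300]: Failed password for invalid user oracle from 192.0.2.99 port 60000 ssh2
Mar  3 10:25:00 web1 sshd[2301]: Failed password for invalid user oracle from 192.0.2.99 port 60001 ssh2
Mar  3 10:30:00 web1 sshd[2302]: Failed password for invalid user oracle from 192.0.2.99 port 60002 ssh2
Mar  3 10:35:00 web1 sshd[2303]: Failed password for invalid user oracle from 192.0.2.99 port 60003 ssh2
Mar  3 10:40:00 web1 sshd[2304]: Failed password for invalid user oracle from 192.0.2.99 port 60004 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return a time-sorted list of (timestamp, ip, user) for failed logins.

    Syslog timestamps carry no year, so strptime defaults to 1900; only the
    spacing between events matters for windowing, not the absolute date.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated daemons are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    events.sort(key=lambda e: e[0])  # tolerate slightly out-of-order lines
    return events


def find_brute_forcers(log_text, threshold=5, window_seconds=600,
                       allowlist=frozenset()):
    """Return {ip: peak failures seen inside one window} for offending IPs.

    A sliding window is used: an IP is flagged only when `threshold` failures
    fall inside some span of `window_seconds` (fail2ban's maxretry/findtime).
    Addresses in `allowlist` (your own admin hosts) are never flagged, so a
    mistyped password cannot lock the operator out of the box.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in allowlist:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


def block_commands(ips):
    """Build the iptables commands that would drop traffic from each IP.

    The commands are returned as strings, never executed, so the result can
    be reviewed (and this script run without root) before the firewall is
    touched. Assumes iptables; adapt for nftables or a provider firewall.
    """
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    offenders = find_brute_forcers(SAMPLE_LOG)
    for ip, count in offenders.items():
        print(f"{ip}: {count} failures inside the window")
    for cmd in block_commands(offenders):
        print(cmd)
```

Run against the sample, only 203.0.113.7 is flagged: the admin's single typo is below the threshold, and the low-and-slow source never accumulates five failures inside ten minutes, which is exactly the gap that the checklist's other items (key-only SSH, a non-default port, remote log review) are there to cover.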