Please read part 1 first.
Securing the beast
Now I’m getting close to wanting to move the box to a server room. That means that it’ll be directly connected to the internet, with no router and no NATing. It will be attacked. A lot. If there’s any obvious hole in its defences, it will get owned.
I’m not a security expert, but I do know that there’s no such thing as absolute security. You just secure the box as well as possible, with the resources you are willing to use. It’s a compromise between usability, resources and security.
I see security as a triangle between keeping the machine up to date, making sure that the installed programs are set up as securely as possible, and keeping an eye on the box for strange behaviour (did somebody get through?).
When you look at the security page at debian.org, all it tells you is to keep the packages up to date. I’ll start by looking at that.
These are my own personal notes on how I set up my new server box. They started out as my notes on how to turn a Debian 3.1 Sarge installation into a LAMP box. At the moment it’s a rather detailed dummy’s and/or beginner’s step-by-step guide to making a LAMP box.
More on what LAMP is at Wikipedia.
Now Sarge 3.1 is a bit old at this time, and a new version is just around the corner, but then I’ll learn how to upgrade a Debian box when that happens.
I’ll try to be as detailed as possible. I really hate those how-tos that go “then you press Y, then N, and then… [do something that might as well be magic, unless you are a guru]”. I’ll try to link to the place where I picked up a bit of knowledge or the idea for doing something.
I’m not a Linux wizard. I’ve been running FreeBSD for a long time as my webserver, but I can barely keep that alive and malware free. I’ll be trying to set up this box so that it keeps itself up to date and as secure as possible.
Now be aware that this is not the most clever, fast or secure way of doing this – this is just the way that I did it, using the bits of information that I could find on how to do what I wanted. Some of the stuff that I do is redundant and is redone later. Sometimes several times.
If somebody feels like adding comments that tell how things can be done faster, better or more securely, I’ll appreciate it and probably incorporate it into the doc.
(Feel free to make comments on grammar and spelling – I’ll fix it and then delete your comment. I do appreciate it, it’s just kind of off-topic for the blog.)