Hi Gordon. Thanks for your quick reply. Your comments are exactly the areas we need advice on. I realised I should have been more descriptive but was racking my brain as to the best places to seek advice.

It would be the following issues, some of which you have already mentioned:

1. Pass PCI compliance for potentially capturing credit-card data (for use with payment gateways such as SagePay Direct).

2. IP firewall (blocking requests from non-standard ports and country blocking - only allowing from the UK and Ireland and some European countries (France/Germany/Spain) - if possible!?!).

3. Security for the Apache/MySQL daemons (running in jails) or running as something other than www-data. We have had bad experiences in the past with WordPress installations and dodgy plugins overwriting all of our PHP files. This would also include the right permissions for files.

The coding side (touch wood!) should be OK as we are using a well-known and supported PHP framework which has full support for SQL injection / cross-site forgery attacks etc., and we have coded with this in mind. Although nothing is 100% perfect in this world.

The main trouble is we are PHP/MySQL developers and do not consider ourselves to be Linux administration experts, only as far as getting the initial server up and running and basically installing Debian packages. We are very concerned that it is very easy to overlook these things and come unstuck.

We are more than willing to pay for your time as a mentor and can explain this in more detail over the phone or by email.

Thanks.

Philip

-----Original Message-----
From: list-bounces@xxxxxxxxxxxxx [mailto:list-bounces@xxxxxxxxxxxxx] On Behalf Of Gordon Henderson
Sent: 29 November 2011 12:50
To: list@xxxxxxxxxxxxx
Subject: Re: [LUG] Linux Security Mentoring

On Tue, 29 Nov 2011, Philip Radford wrote:

> Hi All.
>
> Have re-joined the list after a few months away dabbling with
> Microsoft Technologies (dare I say it!).
Hope you're on the road to recovery now ;-)

> We are starting a new business venture which uses a LAMP framework
> running on Debian based servers.

Excellent :)

> We have funding set aside for mentoring, so we are specifically
> looking for advice on online security and locking down the servers.
> Does anyone on this list know of a company or someone in the field
> within the Devon & Cornwall area who could provide mentoring/advice in this field of expertise?

How "locked-down" are you after?

FWIW: I run hosted Debian based servers including ones that pass PCI compliance testing...

On the firewalling side, I have a basic set of iptables scripts, but realistically (with the exception of my VoIP servers which are somewhat specialised) the easiest way is to simply not run services in the first place - ie. remove inetd from your system and make sure the install doesn't have cruft like nfs or samba installed... I don't think there's anything mainstream that uses inetd these days that doesn't now run as a daemon (e.g. dovecot for pop and imap and so on) and the old services it used to provide really aren't useful enough to provide them anymore. (IMO - things like echo and daytime)

From that point of view, it's fairly trivial to do and I can share my basic iptables script with you if you like.

Then there's security in the form of vetting incoming HTTP (and other) requests - a sort of DPI (or active content filtering) on inbound data heading towards applications... (And in these cases, it might actually be easier to use a separate 'appliance' to front-end the requests)

Deeper, then there's coding in a secure manner - not making cgi scripts vulnerable to attacks such as SQL injection (See: http://xkcd.com/327/ ) and cross-site scripting and so on.
Also things like making sure nothing has world-writable permissions and so on - I see people blindly just making everything read/write "because it's easy" then wonder why some script kiddie managed to upload and execute some code that's scribbled all over their own php files...

Other than that, it's basic sysadmin type stuff - file user, owner and group permissions - executable or not, marking partitions as noexecute if possible (which doesn't stop some scripts running), running regular checks for programs that shouldn't be there, regular security updates, and so on.

Drop me an email if you want more info, but I know there are several others on the list who can help too, so there's no shortage of expertise in the south west which I think is quite reassuring.

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
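Gordon offers his basic iptables script, and Philip's second point asks for a firewall that drops requests to non-standard ports and, if possible, limits access by country. The following is an added example (not Gordon's script and not part of the thread) of the shape such a script takes: a POSIX shell function that emits a default-deny ruleset in iptables-restore format for a LAMP host that only needs SSH, HTTP and HTTPS, with a small check that the generated policy really is default-deny. It assumes that, if country restriction is wanted, an ipset (the hypothetical name `allowed_countries` is used below) has already been created and filled with the permitted address ranges from a GeoIP list; the ruleset only references it.

```shell
#!/bin/sh
# Added example, not Gordon's script and not from the thread.
# Generates a default-deny iptables-restore ruleset for a LAMP host that
# only needs SSH, HTTP and HTTPS. Nothing is applied here: review the
# output, then load it with `iptables-restore < rules.v4` (and test from
# a second session before closing the one you are logged in on).
# Assumption: an optional ipset named via "set:NAME" (e.g. a hypothetical
# "allowed_countries" set) already exists and holds the permitted ranges.

# gen_rules [set:NAME] PORT...
gen_rules() {
    set_name=""
    case "$1" in
        set:*) set_name="${1#set:}"; shift ;;
    esac
    [ $# -gt 0 ] || { echo "gen_rules: no ports given" >&2; return 1; }
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    echo '*filter'
    # Default policy: drop anything inbound that no rule below accepts.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Return traffic for connections this host started, and existing sessions.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # Only new connections to the listed ports get in; every other port
    # (the "non-standard ports" case) falls through to the DROP policy.
    for port in "$@"; do
        if [ -n "$set_name" ]; then
            echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m set --match-set $set_name src -j ACCEPT"
        else
            echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
    # Log a rate-limited sample of what gets dropped so mistakes show up.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    echo 'COMMIT'
}

# is_default_deny < RULES: succeed only if INPUT and FORWARD policies are DROP
is_default_deny() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' &&
        printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'
}

# count_accept_ports RULES: how many per-port ACCEPT rules a ruleset has
count_accept_ports() {
    printf '%s\n' "$1" | grep -c -- '--dport .* -j ACCEPT'
}

# Example run: SSH, HTTP and HTTPS, no country restriction.
gen_rules 22 80 443
```

Two caveats a practitioner should keep in mind: the ipset must exist before the rules are loaded or iptables-restore will refuse the whole file, and country ranges change, so whatever populates the set needs refreshing on a schedule. Restricting SSH by country in particular is only safe if every administrator's connection really does originate there; a VPN or a fixed management address is the usual fallback.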
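Philip's third point (a plugin overwriting all of their PHP files) and Gordon's remark about nothing being world-writable come down to the same thing: the account Apache runs as must be able to read the application but not write to it, except in the one directory uploads go to. As an added example, not from the thread, here is a POSIX shell script that applies that layout and then audits a tree for entries that break it. It assumes hypothetical names: the code is owned by a separate deploy user, Apache runs as www-data with `www-data` as its group, and the only area the application must write is an uploads directory.

```shell
#!/bin/sh
# Added example, not from the thread. Locks down a PHP webroot so the
# account Apache runs as can read the code but not rewrite it (the
# "plugin scribbled over our PHP files" case), and audits a tree for
# permissions that would let that happen.
# Assumptions (hypothetical names): code is owned by a deploy user, Apache
# runs as www-data whose group is the WEBGROUP passed in, and the only
# place the application must write is an uploads directory.

# harden_webroot ROOT OWNER WEBGROUP [WRITABLE_DIR...]
#   Directories 0750, files 0640, owner OWNER:WEBGROUP: www-data (in
#   WEBGROUP) can read, only OWNER can write, "other" sees nothing.
#   Each WRITABLE_DIR becomes 0770 so uploads keep working without any
#   world access.
harden_webroot() {
    [ $# -ge 3 ] || { echo "usage: harden_webroot ROOT OWNER GROUP [DIR...]" >&2; return 1; }
    root=$1; owner=$2; group=$3; shift 3
    [ -d "$root" ] || { echo "harden_webroot: no such directory: $root" >&2; return 1; }
    chown -R "$owner:$group" "$root" || return 1
    find "$root" -type d -exec chmod 0750 {} +
    find "$root" -type f -exec chmod 0640 {} +
    for d in "$@"; do
        [ -d "$d" ] || { echo "harden_webroot: writable dir missing: $d" >&2; return 1; }
        chmod 0770 "$d"
    done
}

# audit_world_writable ROOT: list anything world-writable under ROOT,
# ignoring sticky directories (a deliberate /tmp-style drop box).
audit_world_writable() {
    find "$1" -perm -0002 ! \( -type d -perm -1000 \) -print | sort
}

# audit_group_writable ROOT GROUP: list what members of GROUP (i.e. the
# web server) can write. After hardening this should be only the
# directories passed as writable; anything ending in .php here is a bug.
audit_group_writable() {
    find "$1" -group "$2" -perm -0020 -print | sort
}
```

On a real host this runs as root, e.g. `harden_webroot /var/www/app deploy www-data /var/www/app/uploads` (paths and users are the assumed ones above), and the two audit functions are the kind of regular check Gordon mentions, cheap enough to run from cron and diff against the expected list. The upload directory is still the place an attacker will try to drop a script, which is why it should sit on a noexec mount and have PHP execution disabled for it in the Apache configuration as well; Gordon's caveat that noexec does not stop every script applies, so both controls together are the minimum.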