Rootconf is HasGeek’s first annual conference for sysadmins and devops to share experience and knowledge, to teach and learn, and to meet colleagues and friends.
More information at rootconf.in. Tickets are available from rootconf.doattend.com.
AM
Akash Mahajan
@makash
Securing a Linux Web Server in 10 Steps or Less
Submitted May 9, 2012
Section: Security
Technical level: Beginner
Session type: Tutorial
Learn the basic approaches to securing linux based web servers without getting too technical. This talk will be useful for anyone running a linux server with full root access.
You don’t need to be an experienced system administrator to understand and use the content of this talk. But if you are a full time system admin you will get to know a structured way of looking at server security.
The following types of servers running Linux
Virtual Private Server/Dedicated Server/Rackspace Cloud Instance/Amazon EC2
Not going to help if you have your website on Shared servers like
Dreamhost/Go Daddy/Host Gator
Outline
You will learn the holistic way of securing a linux server which can serve web sites. The 80/20 rule about hardening your linux web server with minimal effort.
*In Brief This is what we will cover *
- Reducing the attack surface.
- Patching and Updates
- Securing Secure Shell Access
- Securing Apache
- Securing MySQL
- Logging and Monitoring
- Setting up a basic firewall
Not going to be covered ( Mostly because of lack of time and ROI )
- Securing Email Servers
- Setting up VPNs
- Protecting Against Denial of Service Attacks
- Setting up SELinux, GRSec, Custom Kernels
- Chroot Jails
- DNS Server
Not Going to Discuss
- Why Ubuntu and why not <INSERT FAV. DISTRO>
- Why Not BSD
- Why Apache and why not <INSERT FAV. WEB SERVER>
Requirements
Mandatory
An open mind, a sense of humour.
Good To Have
- Bring a laptop running Ubuntu Server 10.04 LTS if you want to try out things.
- Refresh your understanding of the TCP/IP Stack
- Get a notebook to take notes
- You should have some idea what the following words mean
SSH, Apache, Web Server, Database Server, MySQL, BASH, Command Line
Speaker bio
I freelance as a Web Security Consultant. I help companies become secure by helping them understand approaches to security for servers, web applications, user data and sometimes their network.
Among other things I am the co-founder+Community Manager for “null - The Open Security Community” and OWASP Bangalore
- Website | @makash | Linkedin | Slideshare
Links
- Checklist/Workbook you can use.
- http://www.slideshare.net/akashm/checklistforsecuringlinuxwebserverin10stepsorless
- Download PDF from
- http://dp7937fi8z10f.cloudfront.net/Securing-Linux-Web-Server-in-10-Steps-or-Less.pdf
- https://help.ubuntu.com/community/Security
- https://help.ubuntu.com/10.04/serverguide/security.html
- http://www.yolinux.com/TUTORIALS/LinuxTutorialInternetSecurity.html
- https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_HTTP_Server_Benchmark_v3.0.0.pdf
- http://akashm.com
- http://linkd.in/webappsecguy
Slides
http://www.slideshare.net/akashm/securing-a-linux-web-server-in-10-steps-or-less
{{ gettext('Login to leave a comment') }}
{{ gettext('Post a comment…') }}{{ errorMsg }}
{{ gettext('No comments posted yet') }}