Learn the basic approaches to securing linux based web servers without getting too technical. This talk will be useful for anyone running a linux server with full root access.

You don’t need to be an experienced system administrator to understand and use the content of this talk. But if you are a full time system admin you will get to know a structured way of looking at server security.

The following types of servers running Linux
Virtual Private Server/Dedicated Server/Rackspace Cloud Instance/Amazon EC2

Not going to help if you have your website on Shared servers like
Dreamhost/Go Daddy/Host Gator

Outline

You will learn the holistic way of securing a linux server which can serve web sites. The 80/20 rule about hardening your linux web server with minimal effort.

*In Brief This is what we will cover *

• Reducing the attack surface.
• Patching and Updates
• Securing Secure Shell Access
• Securing Apache
• Securing MySQL
• Logging and Monitoring
• Setting up a basic firewall

Not going to be covered ( Mostly because of lack of time and ROI )

• Securing Email Servers
• Setting up VPNs
• Protecting Against Denial of Service Attacks
• Setting up SELinux, GRSec, Custom Kernels
• Chroot Jails
• DNS Server

Not Going to Discuss

• Why Ubuntu and why not <INSERT FAV. DISTRO>
• Why Not BSD
• Why Apache and why not <INSERT FAV. WEB SERVER>

Requirements

Mandatory

An open mind, a sense of humour.

Good To Have

• Bring a laptop running Ubuntu Server 10.04 LTS if you want to try out things.
• Refresh your understanding of the TCP/IP Stack
• Get a notebook to take notes
• You should have some idea what the following words mean
  SSH, Apache, Web Server, Database Server, MySQL, BASH, Command Line

Speaker bio

I freelance as a Web Security Consultant. I help companies become secure by helping them understand approaches to security for servers, web applications, user data and sometimes their network.

Among other things I am the co-founder+Community Manager for “null - The Open Security Community” and OWASP Bangalore

• Website | @makash | Linkedin | Slideshare

Links

• Checklist/Workbook you can use.
• http://www.slideshare.net/akashm/checklistforsecuringlinuxwebserverin10stepsorless
• Download PDF from
• http://dp7937fi8z10f.cloudfront.net/Securing-Linux-Web-Server-in-10-Steps-or-Less.pdf
• https://help.ubuntu.com/community/Security
• https://help.ubuntu.com/10.04/serverguide/security.html
• http://www.yolinux.com/TUTORIALS/LinuxTutorialInternetSecurity.html
• https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_HTTP_Server_Benchmark_v3.0.0.pdf
• http://akashm.com
• http://linkd.in/webappsecguy

Slides

http://www.slideshare.net/akashm/securing-a-linux-web-server-in-10-steps-or-less