AM
Akash Mahajan
@makash
Securing a Linux Web Server in 10 Steps or Less
Submitted May 9, 2012
Section: Security
Technical level: Beginner
Session type: Tutorial
Learn the basic approaches to securing linux based web servers without getting too technical. This talk will be useful for anyone running a linux server with full root access.
You don’t need to be an experienced system administrator to understand and use the content of this talk. But if you are a full time system admin you will get to know a structured way of looking at server security.
The following types of servers running Linux
Virtual Private Server/Dedicated Server/Rackspace Cloud Instance/Amazon EC2
Not going to help if you have your website on Shared servers like
Dreamhost/Go Daddy/Host Gator
Outline
You will learn the holistic way of securing a linux server which can serve web sites. The 80/20 rule about hardening your linux web server with minimal effort.
*In Brief This is what we will cover *
- Reducing the attack surface.
- Patching and Updates
- Securing Secure Shell Access
- Securing Apache
- Securing MySQL
- Logging and Monitoring
- Setting up a basic firewall
Not going to be covered ( Mostly because of lack of time and ROI )
- Securing Email Servers
- Setting up VPNs
- Protecting Against Denial of Service Attacks
- Setting up SELinux, GRSec, Custom Kernels
- Chroot Jails
- DNS Server
Not Going to Discuss
- Why Ubuntu and why not <INSERT FAV. DISTRO>
- Why Not BSD
- Why Apache and why not <INSERT FAV. WEB SERVER>
Requirements
Mandatory
An open mind, a sense of humour.
Good To Have
- Bring a laptop running Ubuntu Server 10.04 LTS if you want to try out things.
- Refresh your understanding of the TCP/IP Stack
- Get a notebook to take notes
- You should have some idea what the following words mean
SSH, Apache, Web Server, Database Server, MySQL, BASH, Command Line
Speaker bio
I freelance as a Web Security Consultant. I help companies become secure by helping them understand approaches to security for servers, web applications, user data and sometimes their network.
Among other things I am the co-founder+Community Manager for “null - The Open Security Community” and OWASP Bangalore
- Website | @makash | Linkedin | Slideshare
Links
- Checklist/Workbook you can use.
- http://www.slideshare.net/akashm/checklistforsecuringlinuxwebserverin10stepsorless
- Download PDF from
- http://dp7937fi8z10f.cloudfront.net/Securing-Linux-Web-Server-in-10-Steps-or-Less.pdf
- https://help.ubuntu.com/community/Security
- https://help.ubuntu.com/10.04/serverguide/security.html
- http://www.yolinux.com/TUTORIALS/LinuxTutorialInternetSecurity.html
- https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_HTTP_Server_Benchmark_v3.0.0.pdf
- http://akashm.com
- http://linkd.in/webappsecguy
Slides
http://www.slideshare.net/akashm/securing-a-linux-web-server-in-10-steps-or-less
{{ gettext('Login to leave a comment') }}
{{ gettext('Post a comment…') }}{{ errorMsg }}
{{ gettext('No comments posted yet') }}