How to nail down security? (One for the proper techies)
mrscruffy
Posts: 221 Forumite
in Techie Stuff
Hi all, I hope you can help.
I plan to install a flavour of Linux on a desktop machine and run a number of services such as a web-server, database, tomcat, ssh and ftp for both intranet and Internet applications.
I also want to run a cron job to back up data regularly.
As I plan to make the machine publicly available I need to plan for someone hacking my machine.
So in order to nail down security (first off assuming all the individual apps are correctly installed, updated and set up) are there additional steps I can take and how effective will they be in either resisting attack or restoring:
1) run the publicly available apps on a separate partition(s)?
2) save the backups to a separate partition?
3) save the backups to a separate physical drive (internal/external)?
4) or should I really be using two separate machines?
5) any others?
Thanks for any advice
0
Comments
-
Keep EVERYTHING publicly available on a separate system and put it within a DMZ of a firewall.
0
-
Keep EVERYTHING publicly available on a separate system and put it within a DMZ of a firewall.
??? A DMZ sits outside of a firewall doesn't it? It's the least secure place to put something.
Ideally you'd just use it as a web server, and set up a separate machine for your database. On the web server the only thing you expose would be the web service itself (i.e. port 80 and 433), and it would connect internally to your database. And then you'd use another machine for ftp, services like that, etc.
However, not everyone has that much hardware.
As far as data and backups are concerned, I'd run a separate drive for any data. Keep it completely separate from the OS. You need not worry about backups (as that's something you should do internally before the data is pushed live). Have a look at using Subversion for version control and continuous integration.
But when taking backups, have it in layers.
So maybe an hourly (or every few hours) incremental backup (where it only looks for changes). And maybe a daily backup of the whole lot. And then every couple of days, make a full backup and keep it off-site, or upload it somewhere secure.
For stuff like ftp, make sure it goes through SSH. Also use non-standard ports. A secure VPN may be a better idea for ftp, and remoting on to the server.
You could put everything on the one machine. I've hosted stuff on the one machine before. It's not ideal though, but if set up correctly you should be ok.
"Boonowa tweepi, ha, ha."
0
-
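Added example, not part of the thread: the layered backup scheme described in the post above (frequent incrementals, a daily full, and a full copy taken off-site), sketched as a cron-driven shell script. The paths, file names and crontab times are assumptions.

```shell
#!/bin/sh
# Added example: layered backups for cron. Paths are assumptions; use absolute ones.
DATA_DIR="${DATA_DIR:-/srv/data}"        # data kept on its own drive (assumed mount)
BACKUP_DIR="${BACKUP_DIR:-/mnt/backup}"  # separate physical drive (assumed mount)

# Daily layer: archive everything and reset the reference timestamp.
backup_full() {
    mkdir -p "$BACKUP_DIR" || return 1
    # Stamp is taken before reading, so files changed mid-run are picked up next time.
    touch "$BACKUP_DIR/.stamp.new" || return 1
    out="$BACKUP_DIR/full-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$out" -C "$DATA_DIR" . || return 1
    mv "$BACKUP_DIR/.stamp.new" "$BACKUP_DIR/.stamp" || return 1
    echo "$out"
}

# Hourly layer: archive only files modified since the previous backup of either kind.
# Deletions are not recorded, and file names containing newlines are not supported.
backup_incremental() {
    [ -f "$BACKUP_DIR/.stamp" ] || { backup_full; return; }
    touch "$BACKUP_DIR/.stamp.new" || return 1
    list="$BACKUP_DIR/.changed"
    (cd "$DATA_DIR" && find . -type f -newer "$BACKUP_DIR/.stamp") > "$list" || return 1
    if [ -s "$list" ]; then
        out="$BACKUP_DIR/incr-$(date +%Y%m%d-%H%M%S).tar.gz"
        tar -czf "$out" -C "$DATA_DIR" -T "$list" || return 1
        echo "$out"
    fi
    mv "$BACKUP_DIR/.stamp.new" "$BACKUP_DIR/.stamp"
}

# Off-site layer: path of the newest full archive, for copying to another location.
latest_full() {
    ls -1 "$BACKUP_DIR"/full-*.tar.gz 2>/dev/null | sort | tail -n 1
}

# Constructed crontab, assuming this file is installed as /usr/local/bin/backup.sh:
#   0 * * * *   /usr/local/bin/backup.sh incremental
#   30 2 * * *  /usr/local/bin/backup.sh full
case "${1:-}" in
    full)        backup_full ;;
    incremental) backup_incremental ;;
    latest)      latest_full ;;
esac
```

Restoring means unpacking the most recent full archive and then every incremental taken after it, in order.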
??? A DMZ sits outside of a firewall doesn't it? It's the least secure place to put something.
A DMZ isn't outside the firewall.
By opening ports through to your internal network, you're opening the gates to problems.
A DMZ will allow you to control the access to public facing and internal systems differently.
However, if all you have is this system and nothing else to worry about, then crack on as wolfman says.
0
-
A DMZ isn't outside the firewall.
By opening ports through to your internal network, you're opening the gates to problems.
A DMZ will allow you to control the access to public facing and internal systems differently.
Ah yeah my mistake. Just been reading up. I was confusing it with a typical home router's DMZ, which itself isn't a proper DMZ in the true terms of things. With home routers, if you put a PC in the DMZ it's fully exposed (like with my Draytek).
"Boonowa tweepi, ha, ha."
0
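Added example, not part of the thread: the DMZ arrangement discussed in the comments above, where public-facing and internal systems get different access rules, written as an nftables ruleset printed by a shell function. It assumes a Linux firewall host with three interfaces routing between the Internet, the DMZ and the internal network (no NAT); the interface names, table name, database address and port are assumptions.

```shell
#!/bin/sh
# Added example: forwarding policy for a three-legged firewall (Internet / DMZ / LAN).
# All names and addresses below are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"             # Internet side
DMZ_IF="${DMZ_IF:-eth1}"             # public-facing servers
LAN_IF="${LAN_IF:-eth2}"             # internal network
DB_HOST="${DB_HOST:-192.168.10.20}"  # internal database server (constructed address)
DB_PORT="${DB_PORT:-5432}"           # database port (assumed)

# Prints the ruleset; on the firewall host load it as root with:
#   dmz_ruleset | nft -f -
# Only forwarded traffic is covered; the firewall host's own input chain is separate.
dmz_ruleset() {
cat <<EOF
table inet dmz_fw
delete table inet dmz_fw
table inet dmz_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept

    # Internet -> DMZ: the web service only (HTTP and HTTPS)
    iifname "$WAN_IF" oifname "$DMZ_IF" tcp dport { 80, 443 } accept

    # DMZ -> LAN: only the web server's connection to the database
    iifname "$DMZ_IF" oifname "$LAN_IF" ip daddr $DB_HOST tcp dport $DB_PORT accept

    # LAN -> DMZ: administration over SSH
    iifname "$LAN_IF" oifname "$DMZ_IF" tcp dport 22 accept

    # LAN -> Internet: outbound traffic from internal machines
    iifname "$LAN_IF" oifname "$WAN_IF" accept

    # Internet -> LAN and DMZ -> Internet have no accept rule, so policy drop applies.
  }
}
EOF
}
```

A compromised DMZ host can then reach one port on one internal machine and nothing else, which is the difference from forwarding ports straight into the internal network.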