[CentOS] Please I'd like to install 2 websites on my un managed VPS on CentOS6

Thu Feb 23 19:52:52 UTC 2012
m.roth at 5-cent.us <m.roth at 5-cent.us>

John R Pierce wrote:
> On 02/23/12 11:05 AM, Wuxi Ixuw wrote:
>> Please suggest one, as I keep googling and all the results bring up
>> books dealing with Linux as a real server and not a VPS.
>
> you could do worse than starting here...
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/
>
> VPS and real hardware work exactly the same once the software is
> installed.
>
> my base level suggestions:
>
>   * start with a *minimal* install of the latest release (currently 6.2)
>   * create your user account, give both user and root account different
>     secure passwords

I was assuming his provider gave him a working system, not virtual bare
metal.

>   * secure the SSH server (no root, key instead of password
>     authentication, only allow ssh from your home/office networks or a
>     few secure 'bastion' hosts, etc)
>   * yum update right after install and reboot

Yup.

>   * install *just* the services you need, only from trustworthy yum
>     repositories

YES! For about 10 years, I ran an old rh (NOT RHEL) system as a
firewall/router for my home network. I ran Bastille Linux over it - which
is *not* a distro, but a set of hardening scripts. Great stuff, and NIST
recommendations these days refer to it, last time I looked.

After running Bastille, *then* I got paranoid: I never installed X
(security holes), or *any* compiler, or language I didn't absolutely need
(no gcc, yes to perl). No nuttin'... and to the best of my knowledge,
though I did see scans, I never had an intrusion, partly due to firewall
rules of DROP, and partly because they had nothing to use to run their
nasties.

If it got installed, and you don't need it, don't just turn it off, yum
remove it. At work, and home, I certainly don't need either bluetooth or
avahi running, on wired boxen.

>   * secure the services you install as appropriate
>   * document your configuration, including what packages you needed to
>     install

YES. You do *not* want to be trying to figure out what you'd done, a year
from now, at 17:00 on a Friday, or 02:00 some morning.

>   * script a secure backup of your configuration specific conf and data
>     files to reliable offsite storage.

Yup. Or have the full website, and all configuration files for the system,
on your machine at home or work, so you can just upload the whole thing.

>   * plan on regular yum updates, and staying up on security alerts, such
>     as CERT
<snip>
RH, and this offshoot I know of, called CentOS, are pretty good at
announcing security fixes in a timely manner.... (take a bow, Johnny).

        mark
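An audit of the SSH items on John's list, as an added example that is not part of this thread: it reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins), flags a root login or password login left enabled and a missing AllowUsers/AllowGroups restriction, and runs against two constructed sample files; the user name and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: check an sshd_config against the
# SSH items on John's list (no root login, keys instead of passwords, login
# only from a few known accounts/hosts). Sample files below are constructed.

# Effective value of a keyword. sshd honours the FIRST uncommented
# occurrence, so a hardened line appended at the end of the file is ignored
# if a weaker one sits above it. Keywords are case-insensitive.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one line per weak setting; exit status is the number of findings
# (0 means every check passed). Defaults are those of OpenSSH on CentOS 6.
audit_sshd() {
    cfg=$1; n=0
    v=$(sshd_value "$cfg" PermitRootLogin)
    [ "${v:-yes}" = "no" ] || { echo "PermitRootLogin=${v:-yes} (default): set it to no, use sudo/su from your user"; n=$((n + 1)); }
    v=$(sshd_value "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || { echo "PasswordAuthentication=${v:-yes} (default): install a key first, then set it to no"; n=$((n + 1)); }
    v=$(sshd_value "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" != "no" ] || { echo "PubkeyAuthentication=no: key login would fail"; n=$((n + 1)); }
    [ -n "$(sshd_value "$cfg" AllowUsers)$(sshd_value "$cfg" AllowGroups)" ] \
        || { echo "no AllowUsers/AllowGroups: any account, from anywhere, may try to log in"; n=$((n + 1)); }
    return $n
}

# Constructed samples: a stock-looking file and a hardened one.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# constructed weak config: root login left at its default, passwords allowed
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
# constructed hardened config: placeholder user and documentation addresses
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers wuxi@192.0.2.* wuxi@bastion.example.net
EOF

report() { if audit_sshd "$2"; then echo "$1: ok"; else echo "$1: $? finding(s)"; fi; }
report weak "$WEAK"
report hardened "$HARD"
```

Run it against /etc/ssh/sshd_config instead of the samples to check a live box; it only reads the file, it changes nothing.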