3

I'm considering moving a Rails app from a shared hosting provider to a dedicated server or a service like Linode, SliceHost, Webbynode, etc. where, if I understand correctly, the security of the server is completely down to you.

With shared hosting I'm used to not having root access and so firewall and most other security concerns tend to be handled by the hosting company.

So my concern is moving to a server where I (a server admin rookie) am taking care of security. I'd love to have an expert Server Admin take care of that however that is not possible.

Does anybody know of an affordable service like SliceHost or Webbynode where security is managed by the provider? I've looked at Heroku but due to an SSL full cert requirement it isn't affordable for me at the moment.

Alternatively, does anybody know if server images are available to use on Linode/SliceHost/Webbynode/other where security is taken care of or made simpler?

(I guess my chief concern is I'm a web app developer who thinks he's going to end up spending more time securing servers than coding. Perhaps I'm getting worried over nothing.)

womble
  • 96,255
  • 29
  • 175
  • 230
Eliot Sykes
  • 153
  • 4
  • I don't have an official answer, so I'll just leave this as a comment -- I've used slicehost numerous times for different projects and rarely do too much but make sure everything is updated and only services I need running are running. I've never had an issue with security. Not that that means anything, but maybe my anecdote can provide some comfort. – scraft3613 Jan 09 '10 at 19:00
  • Define "affordable". That can range from tens of thousands of dollars a month to "I'd like something a bit cheaper than the $0.89/decade discount deal". – womble Jan 09 '10 at 21:15
  • 1
    Ok - so just to be clear - what are you looking for in a dedicated host that you want to move away from the shared one? If you don't want to be an admin, but need some serious processing power or process freedom, google for "managed hosting" - that's what you're after. – viraptor Jan 09 '10 at 21:39
  • Thank you for all the helpful answers and comments, they've given me a lot to think about. I'll research "managed hosting", thx viraptor. Sorry I wasn't clear on pricing, something in the $20 to $80 per month range. I realise this is still pretty broad. – Eliot Sykes Jan 11 '10 at 11:50

2 Answers2

1

The two most important aspects to worry about are SSH security and the firewall. I would recommend that you disable root logins, create a second user, use sudo and use public-key authentication. It's common for script-kiddies to try and brute-force logins. Fail2ban will help with that (to detect brute-forcing and add firewall rules to ban the IPs)

For the firewall, you can use a very easy to configure front-end for iptables called Firehol. Firehol lets you write rules such as:

interface eth0
   server http accept

For what it's worth, you need to be paranoid. Only allow what is necessary (i.e you might only need ports 80, 443 and 22.) Don't forget application-level security.

Andrew
  • 616
  • 5
  • 11
1

Someone needs to take care of these things. Either you do it, or you pay someone to do it. You've been paying a hosting company to do it up until now (through the fees on your shared hosting plan). It's not just security you need to be thinking about, though; there's a whole range of things that a good systems administrator will be doing for you, from monitoring, installing and configuring new software as required, troubleshooting all manner of problems, and proactively responding to outages.

Without knowing what "affordable" means to you, I can't give any specific recommendations as to hosting companies who include management in their products. There are a few who provide comprehensive management, and a fair few more who claim to but don't. (I wrote a checklist of what to ask a hosting company as part of a larger answer on choosing a hosting company that should be useful in weeding out the doers from the sayers). The company I work for does it (and does it pretty well, I feel), but if Heroku isn't in your budget, I doubt we are either.

As far as finding a VM image where "security is made simpler", that just doesn't exist (except in the simplest case where you use an image that doesn't boot -- those tend to be fairly secure). Computer security isn't like a bolt-on spoiler, it's an on-going process of analysing your changing requirements, making the necessary configuration adjustments, sometimes saying "no, you can't do that, you'll get pwned" and working out some other solution to your problem. No VM image can do that for you; someone with a brain and working fingers needs to take care of it on an on-going basis.

Community
  • 1
womble
  • 96,255
  • 29
  • 175
  • 230