
I have been using Debian for a year, mostly as the distro for my internal company server. Now I am making a public e-commerce website and I am planning to use a dedicated Debian server at a datacenter for this purpose. I will be accepting credit cards for payment and transmitting them directly to the bank gateway without storing any CC information.

I will be using Django 1.1.1, mod_wsgi, Apache2 for running django and nginx for serving static media.

  • Do you think this is a good setup?
  • What security measures would you suggest in the name of server configuration? Any suggestions, links to best practices and tutorials will be appreciated :)

2 Answers


Updates, updates, updates.

  • Are you running Debian stable or testing? Sometimes keeping testing up to date is a bit more complicated than stable.
  • Are you running everything as Debian packages?

Make sure you are not running extraneous services. Run netstat -nap and check all processes that are listening on ports, make sure there's nothing there which is not strictly needed. Things that can listen just on loopback should do that.

All publicly accessible non-public stuff should be protected by strong passwords or stronger measures (ssh keys, etc.).

If you can, some measure against DoS would be nice. Throttling evil requests could be handy.

alex
  • Agreed, and for emphasis: stay away from compiling source wherever possible. If you need a piece compiled with options not in the standard package then look for a .deb or build a .deb. – CarpeNoctem Feb 28 '10 at 13:27
  • +1. Note that if the packaged versions of e.g. Django in debian lenny are too old, you can get newer packages by hooking up to http://www.backports.org – David North Feb 28 '10 at 13:29
  • CarpeNoctem. I would disagree on staying away from compiling from source. This is because Debian is notorious for having older versions of packages. Just because they are in Debian stable doesn't mean they are bug free. The mod_wsgi package is a good case, where they have tended to have an old version which is known to have issues. You thus need to do a little bit of research and apply some judgement over what you may have to compile from source code and not just blindly accept what Debian gives. The same applies to configurations like that for Apache. The defaults aren't good for Python. – Graham Dumpleton Feb 28 '10 at 22:16

There are a number of things I have installed on my debian production servers:

  • logwatch (apt-get install logwatch) - sends you an e-mail each day summarising the logs your server generated yesterday. A good way to spot potential problems coming up.
  • apticron (apt-get install apticron) - e-mails you when there are newer versions of installed packages available, e.g. to fix security holes

Given the sensitivity of the data passing through the server, I would restrict SSH logins to key-based only (no passwords) as it makes it much more difficult to crack accounts at random. Whether you do that or not, root SSH is bad, dangerous and wrong and should be disabled or limited to a handful of trusted IP addresses.

Make sure you're subscribed to debian-security-announce@lists.debian.org

Consider running rootkithunter, chkrootkit and integrit, all available via apt-get install, to check that nothing nasty has found its way onto your server.

Make sure the sensitive parts of your website (anything accepting credit card numbers, passwords, etc. especially the django admin interface) are accessible over HTTPS (SSL) connections only, not plain HTTP.

If you're properly paranoid/serious about security, get the hosting provider to read the SSH key fingerprints of the server out to you over the phone or send them in an encrypted e-mail to you so you can verify when you first connect to the machine that you're not being man-in-the-middle attacked (or log into it for the first time when physically sitting in front of it, if that's possible).

David North
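Two of the checks recommended above, the listening-services review from the first answer (netstat -nap, loopback-only where possible) and the key-only, no-root SSH policy from the second, as an added audit script that is not part of either answer. The sshd_config and netstat samples are constructed; the allow-list of ports and the sample process names are assumptions.

```shell
#!/bin/sh
# Added example, not from either answer: audit the two hardening points the
# answers raise, (a) sshd permits keys only and no root login, (b) only an
# allow-list of ports listens on non-loopback addresses. Samples below are
# constructed; on a real Debian host feed /etc/ssh/sshd_config and `netstat -nap`.

# First uncommented occurrence of a keyword wins in sshd_config (Match blocks
# are not handled). Config on stdin, effective value printed lowercased.
sshd_setting() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }'
}

# 0 when password logins are off and root login is disabled. An absent
# directive counts as a failure: state both explicitly instead of relying on defaults.
check_sshd() {
    pa=$(printf '%s\n' "$1" | sshd_setting PasswordAuthentication)
    prl=$(printf '%s\n' "$1" | sshd_setting PermitRootLogin)
    [ "$pa" = "no" ] && [ "$prl" = "no" ]
}

# TCP LISTEN sockets bound outside loopback whose port is not in the
# space-separated allow-list; prints "port pid/program" per offender.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next
            if (index(allow, " " port " ")) next
            print port, $7
        }'
}
SSHD_GOOD='# constructed sshd_config: keys only, no root
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no'
SSHD_BAD='# constructed sshd_config with password and root login still on
PasswordAuthentication yes
PermitRootLogin yes'
NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2345/nginx
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 3456/apache2
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 4567/mysqld
tcp6 0 0 :::22 :::* LISTEN 1234/sshd'

check_sshd "$SSHD_GOOD" && echo "sshd: key-only, no root login"   # good sample passes
check_sshd "$SSHD_BAD"  || echo "sshd: password or root login still enabled"
exposed_listeners "$NETSTAT" "22 80 443"                           # prints: 3306 4567/mysqld
```

The backend on 127.0.0.1:8080 is accepted because it is loopback-only, which is the pattern the first answer asks for; the database bound to all interfaces is the kind of finding that should be rebound to loopback or firewalled.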