2

So I need a server that will host only 1 website. I will install Debian as the O.S.

I want to know: do I need to set up a user to do my stuff or, considering I will be the only user of the server, can I use the root user to log in via SSH and do all my stuff?

Thanks for any suggestions, I am pretty new to this world.

dynamic

4 Answers

4

Duncmc is exactly right. "It's good practice to disable root login via SSH. Set yourself up with a user account which you use to SSH in and then use sudo for any administration tasks."

I would go farther and say best practice.

Next, Apache should have its own user and group. In your httpd.conf there are several configuration options you should change:

  • ServerSignature Off
  • ServerTokens Prod
  • LimitRequestBody (1.5x the size of your biggest possible page)
  • Remove Aliases for icons, documents and error.

Here is a decent starting point. http://www.hermann-uwe.de/security/articles/securing-apache-checklist

user67823
  • "Next apache should have its own user and group" what do you mean by that? www-data after installing it with apt-get isn't sufficient? – dynamic Jan 23 '11 at 15:28
2

You can do whatever you want as root, but apps such as Apache shall have their own account, because if someone gets in through it, they won't have root rights.

Ency
  • hmm ok. So when I install Apache, MySQL and PHP with apt-get, is it better that I am logged in as the secondary user? – dynamic Jan 23 '11 at 12:06
  • You install apps as root, but applications run under another account, e.g. Apache has www-data by default. Basically if you install through apt-get/aptitude you don't need to take care of it, it happens automatically. But sometimes you want to run some apps with a non-root account; then you need to do it manually. – Ency Jan 23 '11 at 12:09
  • Hmm ok.. Do I have to create this user www-data on Debian or is there no need? – dynamic Jan 23 '11 at 12:15
  • The user is created during installation via apt-get; if you install by compiling, you should follow the installation manual, there will be a section about the user account. – Ency Jan 23 '11 at 12:22
1

You are probably better off with "log in as a normal user, use su or sudo to gain root privileges" and "any external-facing service runs as its own user" (ssh will, by necessity, need to be running as root).

The main reason is that "log on as non-root, elevate privileges" allows you to block remote root login and log any escalation (ideally to a remote log server), and by running services segregated in "privilege space", the chances of one service causing an exploitable hole in another are minimized (and any penetration has a bigger chance of being contained).

Vatine
1

It's good practice to disable root login via SSH. Set yourself up with a user account which you use to SSH in and then use sudo for any administration tasks.

duncmc
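Both duncmc's advice (disable root login over SSH) and user67823's Apache settings (ServerSignature Off, ServerTokens Prod) come down to setting one "Key value" directive in a config file. As an added example, not code from any of the answerers, here is a POSIX sh helper that does this idempotently and reads the result back; set_directive, get_directive and demo are assumed names, and the file contents in demo are constructed samples rather than a real server's files.

```shell
#!/bin/sh
# Added example: set a "Key value" directive with exactly one active occurrence
# and read it back. Names and sample file contents are assumptions/constructed.

# set_directive FILE KEY VALUE
# Drops every line that sets KEY, whether active or commented out with the
# packaged default (e.g. "#PermitRootLogin prohibit-password"), then writes
# "KEY VALUE" at the top. One active line sidesteps sshd's first-match versus
# Apache's last-match rule, and a prepended line cannot land inside a trailing
# Match block of sshd_config (review any Match block by hand).
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        grep -Ev "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" || true
    } > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_directive FILE KEY: print the active value, or "(unset)" if none.
# Comment lines never match because their first field starts with "#".
get_directive() {
    awk -v k="$2" '$1 == k { print $2; f = 1 } END { if (!f) print "(unset)" }' "$1"
}

# demo: exercise both functions on constructed copies of Debian-style files.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# Authentication:' '#PermitRootLogin prohibit-password' \
        'UsePAM yes' > "$dir/sshd_config"
    printf '%s\n' 'ServerSignature On' 'ServerTokens OS' > "$dir/security.conf"
    set_directive "$dir/sshd_config" PermitRootLogin no
    set_directive "$dir/security.conf" ServerSignature Off
    set_directive "$dir/security.conf" ServerTokens Prod
    for pair in "sshd_config PermitRootLogin" "sshd_config UsePAM" \
                "security.conf ServerSignature" "security.conf ServerTokens"; do
        set -- $pair
        printf '%s: %s = %s\n' "$1" "$2" "$(get_directive "$dir/$1" "$2")"
    done
    rm -rf "$dir"
}
# On a real Debian host: back up /etc/ssh/sshd_config, keep the current session
# open, confirm "sudo -v" works for the new user, then restart sshd and verify
# with "sshd -T | grep -i permitrootlogin" (also check any
# /etc/ssh/sshd_config.d/*.conf drop-ins pulled in by an Include line).
demo
```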