Need help Running/Managing Server

In my typical Debbie-way, I have another “meaning of life” question!! :smiley:

So as my website gets more and more sophisticated - slight embellishment - and there is the risk that more than 5 people will actually ever visit my website, I am trying to become more knowledgeable about what it takes to maintain a SECURE SERVER…

Currently I have “Virtual Server” account with GoDaddy. I suppose it is what you call “unmanaged”. I have a Plesk panel - which is all but useless - and know nothing about SSH or Server Administration.

GoDaddy has a “Managed Virtual Server” option, but I am skeptical that they really do much more than I have now, and going from $40/month to $200-$300/month is not something I will be quick to do.

As I do things like storing all of my content in MySQL and having User Accounts in MySQL, I suppose security needs to be a greater priority for me.

Sure, I could hire some expert and pay them $100,000/year to be my personal System Administrator, but let’s be realistic here?! :rolleyes:

So, since I am on a budget and “don’t know what I don’t know”, what is a Top-10 List of Server Adminstration DO’s and DONT’s??

I don’t profess that I will ever become a Server guru, but I do believe that I can learn enough about Secure Server management to do a fair amount myself, and sub the rest out to someone who is an “expert”.

But in order to do either, FIRST I need to learn what I don’t know which includes the most common “gotchas” that are most likely to put me, my server, and my customers at risk.

Here is hoping you guys can enlighten me with the same success I have found in the CSS and PHP forums…

Thanks,

Debbie

#1 do and probably the main thing you need to make sure you are doing is make sure you are taking backups, and then make sure you are taking backups of those backups and also make sure you can successfully restore from your backups.

Everything else is gravy.

Backups don’t do a hell of a lot when my website and/or database gets hacked…

Debbie

Of course they do!!

If the hacker has done irepairable damage then you’ll need to restore the last backup before your site was hacked unless you want to do a complete re-install and lose all your data. If your data is really critcal then you should be monitoring your website every day, doing nightly incremental backups and periodic (weekly, monthly or whatever) full backups.

With a robust backup system you should not lose any, or at the most minimal, data if your site is hacked or damaged in any way.

Sure they do – you can repave and start afresh at absolute worst. You have a fighting chance of reconstructing things from before the attack. If you’ve got no backup then you’ve got an impossible problem to solve. Not having a backup is the single problem you can’t fix.

Having a Data Breach and losing millions of Customer Records, or having a virus where Malware is being installed on your Customers’ computers is much more damaging than not having a recent backup. (Which is what I was getting at in my OP.)

Debbie

There are no 100% guarantees against being hacked or your data breached in some way. Therefore you need to have a robust backup process in case your primary defences fail for some reason. If your data is breached in some way, often it can be a lot quicker and easier to just restore the last backup prior to the breach than go through manually repairing data.

In your op you said

I am trying to become more knowledgeable about what it takes to maintain a SECURE SERVER…

I agree with wwb_99 in that backups should be your #1 item on your to-do list.

#1 do and probably the main thing you need to make sure you are doing is make sure you are taking backups, and then make sure you are taking backups of those backups and also make sure you can successfully restore from your backups.

Everything else is gravy.

I like this, can I borrow your wording for some of my clients? :slight_smile:

For the OP spend some time learning what different kind of attacks happen and from where they can originate, then you can start learning how to prevent them. Lots of web servers are hacked via ftp or other non-http holes.

I was hoping you could give me a “Top 10 List” with maybe even some quick How-To-Prevent suggestions?

Securing a Server is a GIGANTIC TOPIC, and I could use some guidance. (Of course to some, “All you need is a backup and you are golden!”) :rolleyes:

Debbie

I never said that at all and I doubt wwb_99 was saying that as well. What we were saying is that a backup system is something you must have and not the only thing you must have :). I was getting the impression you were under the misunderstanding that backups are of no value at all. A robust backup system should enable you to get up and running as quickly as possible while losing none, or very little, data. Once you have your database and website restored then you can go plug your security hole before going back online to users.

Exactly. Backups aren’t the only thing, but they are the one thing that can act as a magic eraser for any other mistake you might make. The most awesome thing in the world about working in software is it is so easy to wipe the table and restore a previous version when things happen. Moreover, a pretty good general policy for dealing with security incidents is to take the gotterdamung approach and rebuild the boxes should something look hinky – you can’t ever prove they didn’t leave a rootkit behind.

Security is pretty nebulous. Specifics really depend on who you are, what you are running, who doesn’t like you and what you’ve got worth stealing. Beyond the obvious stuff like the law of least permissions and using reasonably difficult to guess passwords the one thing I’d really stress is that the best way to avoid having problems is to avoid having things people want. For example, don’t host your own authentication database but rather use OpenID, let the engineers at facebook and twitter worry about password security. Don’t host your own payment processing but rather outsource that to a 3rd party so you aren’t holding CC numbers.

I agree that primary consideration should be a backup strategy, and you should be clear that the backups will work and can be reinstalled by yourself.

A secondary consideration is off server personal data security. There’s a post in the web security forum right now which is the perfect example - somebody has had their email ‘hacked’ (in all likelihood a straightforward password guessed, or easy password reminder) which has allowed someone to access all their server and domain facilities via details stored in emails. Also, an insecure personal computer can fall prey to trojans that can expose access details.

If you use any third party CMS /control panels/scripts it’s worth subscribing to any security announcement /exploit databases available to be aware rapidly of any new exploits and of course keeping software up to date.

Another consideration is hardening of server access to facilities like ssh against brute forcing, e.g firewalling, removing root login, changing default port, using keys instead of passwords, port knocking