
How to set up a safe and secure Web server

345 points by chinmoy over 12 years ago

24 comments

jiggy2011 over 12 years ago
It's also a good idea to install (and configure) at least some basic IDS like tripwire. You should probably have it do checks on a cron job as well as doing chkrootkit.

Also a good idea to have your log files backed up somewhere else where your server does not have sufficient access to delete (or modify) them.

Also if you have multiple web apps running, chroot them if at all possible so that if something does break out it can't (so easily) wreak havoc over your entire filesystem.

If you are using PHP also bear in mind that a common default is for all sessions to be written to /tmp which is world readable and writeable. So if others have access to your server they can steal or destroy sessions easily.

I also didn't see mention of an update strategy for security updates. You can use apticron to email you with which updates are available and which are important for security.

You can set updates to go automatically (I recommend security only) but if you are more cautious you might want to test on a VM first. But keep an eye on them! This is very important, especially if you are managing WordPress etc. through apt.

And so many other things that I have probably forgotten.

Having some form of audit (that tripwire can provide) is vital in those "oh fuck" moments where something doesn't seem quite right and you start wondering if you have been pwned but have no real way of actually knowing.

JoeCortopassi over 12 years ago
For anyone that wants more resources like this, I've found articles in Linode's library to be very helpful: http://library.linode.com/lamp-guides

barefoot over 12 years ago
"...being locked to IIS as a Web server (or dependent on crippled Windows ports of better Web servers) means you'll be playing in the bush leagues. IIS is found running many huge and powerful websites in the world, but it's rarely selected in a vacuum..."

I sense a little bit of bias.

As a multiplatform developer I can think of a number of reasons why someone might opt to go the Windows Server route. ASP.NET MVC 4 is a first class framework and many prefer it over other popular alternatives on other platforms such as Django, Rails, and Cake. In addition, Visual Studio is arguably the best IDE available and publishing to an IIS server is dead simple.

As for cost, full versions of Visual Studio and Windows Server can both be obtained for free through the DreamSpark program for college students and through the similar BizSpark program for startups and small businesses.

rlpb over 12 years ago
If you want a safe and secure Web server, use what your distribution gives you. Don't add third party sources if you can avoid it, i.e. don't need features < 1 year old. It's hardly safe and secure if it's not had long enough for people to find problems with it anyway.

Instead, go with what your distribution gives you. The people who put your favourite distribution together work on making the system safe and secure as a whole. People who don't think it is safe and secure file bugs and they get fixed. And you have one place to get all your updates in case fixes are needed.

If you start adding third party sources, you're on your own as to managing any implications of the way you've put it together. Just because each individual component is safe and secure doesn't mean that it is as a whole. For example, Ubuntu add hardening (AppArmor) for various server daemons which you won't get if you just download apache from the project website.

If you need a guide on putting a system together yourself, then you aren't someone who can manage these implications yourself, and you're trusting the guide author in not having made any mistakes. Are you really in a position to judge his competence?

Just use your distribution's standard web server and you'll get your safe and secure Web server in one command.

buster over 12 years ago
Ah well, it's rather a "how I set up a small web server for fiddling around with stuff", not so much a professional article about security. Sorry, but the first page is like "mhh, yeah, geeks hate MS, let's use the other choices" under the hood. Why? Because it doesn't really mention a technical choice against MS. Don't get me wrong, I would never ever use Windows Server, but when I'd write such an article I'd have to find at least a few technical pros and cons for the choices I present. "Uhhh, the internet is more like a unixy thing" doesn't cut it.

This goes on with the choice for Ubuntu Server. Why? Is it an article about "safe and secure web server" or about "how does my grandma set up a server"? There are many more choices in terms of reliability and proven track record like FreeBSD, OpenBSD, Debian, RHEL/CentOS. The choice was made because it's easier to set up and apparently the author is too lazy to _really_ do his homework.

In the end, I'd say if the article's title were "beginner's guide to setting up a server" I wouldn't complain.

zdw over 12 years ago
Better hardware would be an HP Microserver (which should win the contest for "worst URL ever"):

http://h10010.www1.hp.com/wwpc/us/en/sm/WF05a/15351-15351-4237916-4237918-4237917-4248009.html?dnr=1

Has ECC RAM support. Takes 4 3.5" hard disks, and runs very quiet and cool.

quandrum over 12 years ago
I think it's time articles like these start suggesting an infrastructure as code product, like Chef or Puppet, to do the heavy lifting.

I feel like doing this stuff by hand should be considered insecure and outdated.

dschiptsov over 12 years ago
Virtualization is not for production. Why have this useless layer, which messes up your CPU caches even more, interferes with your I/O and complicates the memory model? What for?

Virtualization was built for server providers to make easy money, not for server owners to gain performance advantages.

Virtualization is not for production. Production servers need *less* code, not more.

It is the same kind of mistake as the JVM: we need less code, integrated with the OS, not more "isolated" crapware which needs networking, AIO and really quick access to the code from shared libraries.

And, of course, a setup without middleware (python-wsgi, etc.) and several storage back-ends (redis, postgres) is meaningless.

Update:

Well, production is not about having a big server which is almost always 100% idle, and can be partitioned (with KVM, not a third-party product) to make a few semi-independent virtual servers 99% idle. This is a virtual, imaginary advantage.

On the other side, your network card and your storage system cannot be partitioned efficiently, despite all they say in commercials. And that VM migration is also nonsense. You are running, say, a MySQL instance. Can you migrate it without a shutdown and then taking a snapshot of an FS? No. So, what migration are you talking about? It is all about your data, not about having a copy of a disk image.

It is OK to partition development, or 100% idle machines, like almost all those Linode instances, which have a couple of page requests a day; this is what it was made for, same as old plain Apache virtual hosting. But as long as one needs performance and low latency, all the middlemen must go away.

edtechdev over 12 years ago
This guide doesn't cover important things like the firewall and blocking attackers (shorewall, fail2ban) and properly configuring mysql, php, etc.

If you have a small server, I'd really recommend checking out these scripts that assist with configuring and setting up a server very quickly: http://lowendscripts.com/wiki/shell_scripts

I personally used a fork of lowendscript last year to set up some servers, but if I had to set up a new server today, I'd check out some of the other options at that link, like Minstall: https://github.com/maxexcloo/Minstall But this Xeoncross lowendscript fork is still very active: https://github.com/Xeoncross/lowendscript

leadholder over 12 years ago
I recently worked on a site run on such a server. I've set up my own servers before, and I think it can be fun, but this time it was the other guy's. I have to say it was pretty annoying because the little things that were not set up properly added up to a website that wouldn't deliver email, a shell environment with awful defaults... yuck. There was a lot of maintenance that was ignored because the guy just didn't have the time. Well, that's what commercial web hosts are for. It's amusing to think that some overburdened IT guys believe they're doing their clients a huge favor by running a vanilla web server in their network closet.

hardik988 over 12 years ago
Pardon my stupidity, but how would one go about getting an IP address for a server installed at home? Is it a static IP address provided by my ISP, or something else?

Charlesmigli over 12 years ago
Article covers main parts of the webserver setup and gathers very interesting information scattered all over the Internet. All the nginx setup and config things are REALLY useful, all the more regarding the poor quantity/quality of resources one can find out there. Really useful to me. I wish I had one guide like this when I set up my own webserver. I made a tl;dr version but the main interesting parts stay all the nginx tricks for me: http://tldr.io/tldrs/50b5ccb711c0ea5051000f29

hakaaak over 12 years ago
http://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site

Can't believe that hasn't been on HN before, so added it: http://news.ycombinator.com/item?id=4841329

patrickg over 12 years ago
What kind of 'top' program is this, shown on page 3 (direct link to the image: http://cdn.arstechnica.net/wp-content/uploads/2012/11/webserver-workerprocesses.jpg)?

leeoniya over 12 years ago
knockd + fail2ban + iptables

http://howto.biapy.com/en/debian-gnu-linux/system/security/harden-the-ssh-access-security-on-debian

also, chrooted sftp-only accounts

http://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP#Chrooted_SFTP-only_Accounts

mrcrassic over 12 years ago
Personally, I'd just pay $10/month or whatever and spin up a cheap VM on Rackspace, EC2 or similar with 256MB of RAM and a few gigs of disk storage. A simple web server really doesn't need a full-on server (or desktop, even).

It's a bit different if you're expecting said site to get 100K+ views per day or if it's going to host some big database, but even then I'd probably run it in the cloud to save on bandwidth costs.

antihero over 12 years ago
Is there really any benefit to using nginx over Apache 2.4 (Event MPM)?
jkuria over 12 years ago
Frankly, articles like these are a deterrent to all but the most techie of people. Why go through all this and shell out $270 when you can get an Amazon EC2 instance free for a year!

babarock over 12 years ago
Am I the only one who thinks that SSDs are useless since most of the time the processing will be bottlenecked by the network overhead?

tzaman over 12 years ago
This article would make a really nice screencast that would be much more useful to newbie sysadmins.
0ren over 12 years ago
Nitpick:

> Temporary files usually start with a dot or a dollar-sign.. to make sure that Nginx never serves any files starting with either of those characters...

> location ~ ~$ { access_log off; log_not_found off; deny all; }

Wouldn't that regex match temporary files *ending with ~* (as it should)?

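To check the regex point above concretely, here is an added example (not from the article or the commenter) that runs request paths through grep -E as a stand-in for nginx's PCRE matching; `location_denies` and `DOTFILE_RE` are my own names, and `DOTFILE_RE` is a suggested pattern for the dot/dollar-prefix intent the quoted text describes, not something the article provides.

```shell
#!/bin/sh
# Added example: which request URIs would a "location ~ <regex>" block deny?
# Assumption: for these simple patterns, grep -E and nginx's PCRE agree.

# The regex quoted in the comment. It anchors a literal "~" at the END of the
# URI, so it catches editor backup files such as /index.html~ and nothing else.
BACKUP_RE='~$'

# Suggested pattern for the stated intent: deny any path segment whose name
# starts with "." or "$" (inside [...] the "$" is a literal, not an anchor).
DOTFILE_RE='/[.$]'

location_denies() {
    # $1 = regex from the location directive, $2 = request URI.
    # Returns 0 when the location would match (and therefore deny) the URI.
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

denied_by_either() {
    # Returns 0 if at least one of the two patterns would deny URI $1.
    location_denies "$BACKUP_RE" "$1" || location_denies "$DOTFILE_RE" "$1"
}
```

Running both patterns over `/index.html~`, `/.htpasswd` and `/static/.git/config` shows that neither pattern covers the other's case, so a server that wants both protections needs both location blocks.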
jimfuller over 12 years ago
Nice introduction article (mostly on how to set up nginx); the title should reflect this instead of focusing on 'safe and secure' ... if one was to store something valuable (let's say CC info) you would want to go far beyond what this article covers. #justsayin

madaxe over 12 years ago
The only way to make a server 100% secure is to grind it into dust and fire it into a black hole.
Jailout2000 over 12 years ago
What a bias. Using Debian and not even mentioning forks like Red Hat. Downvoted, never recommend.