Monday, August 31, 2009

Linode VPS Update

I've finally finished configuring and hardening our new Linode. Actually, "decided to stop" would be more accurate than "finished" because there is always more that could be done to improve a server's security. The law of diminishing returns definitely applies, though, so you'll have to balance your level of paranoia with the amount of time you can dedicate to the task.

As I mentioned in my previous post, installing a LAMP stack on a Linode is quick and easy. The hardening process is where the fun begins, especially if your sysadmin skills are a bit rusty (or non-existent). The biggest problem is finding information that is current, correct, and applicable to your individual needs. The official documentation for each of the LAMP components is mostly current and correct; however, reading through hundreds of pages to find the parts that are applicable to your situation is definitely time-consuming—even for Evelyn Wood graduates. At the other extreme, there are thousands of Web sites that offer applicable configuration advice, but finding ones that are both current and correct is a real challenge. In most cases, my solution was an amalgamation of various approaches drawn from individuals' documented experiences, which I checked against official references and corrected or improved where necessary.

For me, the hardening process followed the Pareto Principle: I completed about 80 percent of the process in about 20 percent of the time. Completing the final 20 percent was often tedious, occasionally frustrating, and dragged on and on. Nevertheless, I am glad I stuck with it. The time invested now will hopefully save us much more time in the long run.

Being in charge of your own security is one of the drawbacks of using a VPS or dedicated server because of the extra work required; however, it is also a benefit because you can go far beyond the security offered in most other types of hosting services, which must accommodate a wide range of applications and configurations. It's a trade-off that depends on many variables, so you'll have to evaluate your own situation carefully. Just don't fool yourself about how secure your server really is.