This topic serves as a checklist for addressing security concerns with your machines. The way you secure your machine can vary widely depending on how you plan to use it.
These are general guidelines for ensuring machine security.
Scan all ports on your public-facing server with a tool like Nmap or Snoop. This gives you a list of all open ports.
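As an added example (not code from the original page), the following Python script turns the scan into a repeatable check: it parses Nmap's grepable output (`-oG`) and reports every open port that is not on a per-host allowlist, so an unexpected listener shows up without anyone having to read the scan by eye. The sample scan output, the host address and the allowlist are constructed for the example; run the scan from a vantage point outside the server's own network so that the result reflects what the Internet actually sees.

```python
# Added example: compare nmap -oG output against an allowlist of expected ports.
# The scan output below is a constructed sample, not a real scan result.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Constructed policy: the (protocol, port) pairs each host is supposed to expose.
ALLOWED = {"192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)}}


def parse_gnmap(text):
    """Return {host: {(proto, port, state), ...}} from nmap grepable output.

    Each 'Host:' line carrying a 'Ports:' field lists entries of the form
    port/state/proto/owner/service/rpc/version separated by ', '; the fields
    are tab-separated, so the ports field ends at the next tab."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            port, state, proto = int(fields[0]), fields[1], fields[2]
            results.setdefault(host, set()).add((proto, port, state))
    return results


def unexpected_open_ports(results, allowed):
    """List (host, proto, port) for open ports missing from the allowlist.

    Filtered or closed ports are ignored; a host with no policy entry has
    every open port reported, which is the safe default for a new machine."""
    findings = []
    for host, entries in results.items():
        for proto, port, state in sorted(entries):
            if state == "open" and (proto, port) not in allowed.get(host, set()):
                findings.append((host, proto, port))
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, proto, port in unexpected_open_ports(scan, ALLOWED):
        print("unexpected open port: %s %s/%d" % (host, proto, port))
```

In the sample, the MySQL listener on 3306/tcp is the only finding; the filtered 8080/tcp is not reported because nothing answered there. Keeping the allowlist in version control alongside the script makes a change to the server's exposed surface a reviewable diff.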
Have all servers send logs to a central server.
You should limit the number of IP addresses that are public and accessible from the Internet. Setting up a bastion host provides control over entry points to your systems.
By default, the SSH server is very secure. You can further secure it by editing the /etc/ssh/sshd_config file to:
- Specify only version 2 of the SSH protocol.
- Allow authentication only through SSH public keys and disable password authentication.
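As an added example (not code from the original page), the following Python script audits an sshd_config against the two rules above. It reproduces two details of how sshd reads the file that a naive grep misses: the first occurrence of a keyword wins, so a `PasswordAuthentication no` added at the bottom of the file does nothing if a `yes` appears above it, and everything after a `Match` line is conditional. It also checks `ChallengeResponseAuthentication`, because leaving it at its default of `yes` can still let sshd prompt for a password through keyboard-interactive authentication even with `PasswordAuthentication no`. The configuration samples are constructed; the compiled-in defaults assumed for absent keywords are those of modern OpenSSH, and recent releases have removed protocol 1 entirely, so `Protocol` matters mainly on older servers.

```python
import re

# Constructed sample of a stock sshd_config (not from the page).
SAMPLE_SSHD_CONFIG = """\
#Protocol 2,1
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
"""

# The same file after applying the rules above, plus keyboard-interactive
# authentication disabled so that no password prompt remains.
HARDENED_SSHD_CONFIG = """\
Protocol 2
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Required values, keyed by lower-cased keyword (sshd keywords are case-insensitive).
REQUIRED = {
    "protocol": "2",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}
# Assumed compiled-in defaults (modern OpenSSH) used when a keyword is absent.
DEFAULTS = {
    "protocol": "2",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
# OpenSSH 8.7 renamed the keyword; treat both spellings as the same setting.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Two sshd rules are reproduced: the FIRST occurrence of a keyword is the
    one that takes effect, and keywords after a Match line only apply
    conditionally, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return {keyword: (effective_value, required_value)} for unmet requirements."""
    settings = parse_sshd_config(text)
    problems = {}
    for key, want in REQUIRED.items():
        got = settings.get(key, DEFAULTS[key])
        if key == "protocol":
            # "2,1" still offers protocol 1; only an exact "2" passes.
            ok = set(got.replace(" ", "").split(",")) == {"2"}
        else:
            ok = got.lower() == want
        if not ok:
            problems[key] = (got, want)
    return problems


if __name__ == "__main__":
    for name, cfg in (("stock", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

After editing the real file, run `sshd -t` to have sshd validate the syntax before restarting the service, and keep an existing session open until a fresh key-based login has been confirmed to work.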
Monitoring is vital to the security of your machines. You can set up monitoring and configure security thresholds that alert you when a threshold is reached.
Note: Joyent partners with New Relic and Nodefly to provide Joyent customers with free performance monitoring.
Role-Based Access Control (RBAC) is a powerful but lesser-known feature of Solaris. You can find information on how to set up RBAC on a machine here.
These security guidelines apply specifically to machine users who plan to set up a WordPress blog. When installing a WordPress blog on a machine, you need to ensure that you protect it from malicious attacks.
Managing your blog through source control software, such as Subversion or Perforce, is good practice regardless of security concerns, and it also lets you manage your blog content diligently: you can track modifications to content, compare differences between revisions, and always keep a preserved copy of your blog at each stage of its development.
You should modify the write permissions of the Uploads directory for your blog so that only your web server can write to it. This may mean modifying permissions for other directories and services as well. Run this command on the Uploads directory for your blog.
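As an added example (not code from the original page), the following Python script checks that an uploads tree actually satisfies the rule above and tightens the permission bits where it does not: every entry must be owned by the web server user, must not be world-writable, and may be group-writable only for the web server's group; symlinks are reported because they can point the web server at files outside the tree. Ownership is reported but not changed, since that needs chown as root. The demo tree is constructed in a temporary directory, and the web server user and group are assumed to be the user running the script.

```python
import os
import stat
import tempfile


def _entries(root):
    """Yield the root and every entry below it exactly once, without
    following symlinks (symlinked directories are yielded, not entered)."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def audit_uploads(root, web_uid, web_gid):
    """Return sorted (path, reason) pairs for entries violating the policy:
    owned by web_uid, never world-writable, group-writable only for web_gid."""
    findings = []
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink inside uploads"))
            continue
        if st.st_uid != web_uid:
            findings.append((path, "owner uid %d, expected %d" % (st.st_uid, web_uid)))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != web_gid:
            findings.append((path, "writable by group %d" % st.st_gid))
    return sorted(findings)


def tighten_uploads(root):
    """Strip write access from group and other on every entry (ownership
    is left alone; fix that with chown as root). Returns entries changed."""
    changed = 0
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        new_mode = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
        if new_mode != mode:
            os.chmod(path, new_mode)
            changed += 1
    return changed


def build_demo_tree():
    """Constructed uploads tree: one correct file and one world-writable file."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    month = os.path.join(root, "2024", "01")
    os.makedirs(month)
    for d in (root, os.path.join(root, "2024"), month):
        os.chmod(d, 0o755)  # explicit, so the demo does not depend on umask
    good = os.path.join(month, "photo.jpg")
    loose = os.path.join(month, "loose.txt")
    for path in (good, loose):
        with open(path, "wb") as fh:
            fh.write(b"demo")
    os.chmod(good, 0o644)
    os.chmod(loose, 0o666)  # the mistake the audit should catch
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path, reason in audit_uploads(root, os.getuid(), os.getgid()):
        print(reason, path)
    print("tightened %d entries" % tighten_uploads(root))
    print("after:", audit_uploads(root, os.getuid(), os.getgid()) or "clean")
```

Run the audit as a scheduled job and alert on any finding; a permission that drifts back to world-writable is usually a sign that a plugin, a deployment script or an editor has been writing to the tree as the wrong user.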
A best practice is to put this in your Apache configuration file rather than in .htaccess, so that it cannot be deleted by someone if permissions are set incorrectly.
Note: <Location></Location> blocks are not supported from within .htaccess files, so with the .htaccess approach you will instead have a .htaccess file under the /wp-admin/ directory.
If you use LDAP, limiting it to your webdev group is useful:
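As an added example (not the configuration from the original page), here is what a `<Location>` block protecting /wp-admin/ looks like in the Apache 2.4 server configuration, in the password-file form and in the LDAP form that limits access to a webdev group. The hostnames, file paths, LDAP DNs and the network range are assumptions to be replaced with your own values; the admin-ajax.php exemption at the end is included because many themes and plugins call that file from the public front end, and a blanket lock on /wp-admin/ breaks them.

```apache
# Added example for the Apache 2.4 server configuration (httpd.conf or a
# vhost file), not for .htaccess. All names below are assumed values.
<Location "/wp-admin/">
    AuthType Basic
    AuthName "WordPress administration"
    AuthBasicProvider file
    # Password file created with htpasswd(1); keep it outside the web root.
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"
    <RequireAll>
        Require valid-user
        # Assumed office/VPN range; drop this line if admins work from anywhere.
        Require ip 203.0.113.0/24
    </RequireAll>
</Location>

# LDAP variant (mod_authnz_ldap): same block, but the provider is ldap and
# only members of the webdev group are accepted. Use one variant, not both.
# <Location "/wp-admin/">
#     AuthType Basic
#     AuthName "WordPress administration"
#     AuthBasicProvider ldap
#     AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
#     Require ldap-group cn=webdev,ou=groups,dc=example,dc=com
# </Location>

# A later <Location> overrides an earlier one for the paths it matches, so
# the front-end AJAX endpoint is exempted here rather than inside the block.
<Location "/wp-admin/admin-ajax.php">
    AuthType None
    Require all granted
</Location>
```

Check the result with `apachectl configtest` before reloading. Note that wp-login.php lives outside /wp-admin/ and is not covered by this block, so it still needs its own protection, and that HTTP Basic credentials travel in the clear unless the admin area is served only over HTTPS.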
Make sure you keep your WordPress software up to date. You should also sign up for release notifications.