This topic serves as a checklist for addressing security concerns with your machines. The way you secure your machine can vary widely depending on how you plan to use it.
At a Glance
This topic is a checklist for ensuring your machine is secure.
General Security Guidelines
These are general guidelines for ensuring machine security.
Scan public systems for open ports
Scan all ports on your public-facing server with a tool like Nmap or Snoop. This will give you a list of all open ports.
Central logging server
Have all servers send logs to a central server.
Setting up a Bastion Host with VPN
You should limit the number of IP addresses that are public and accessible from the Internet. Setting up a bastion host provides control over entry points to your systems.
Securing your SSH server
By default, the SSH server is very secure. You can further secure your SSH server by editing the /etc/ssh/sshd_config file to:
- Allow only version 2 of the SSH protocol.
- Allow authentication only through SSH public keys, and disable password authentication.
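An added example (not from this page or from Joyent) that audits the global settings of an sshd_config for the two items above. It assumes a POSIX shell with awk and mktemp; the two sample config files are constructed inline, not taken from a real host.

```shell
#!/bin/sh
# Added example: audit the global settings of an sshd_config against the two
# items in the checklist above (Protocol 2 only, no password authentication).
# Assumes the usual "Keyword value" layout; options inside a Match block are
# ignored because they apply only to matching connections, not globally.

# sshd_opt FILE KEYWORD DEFAULT -> effective global value of KEYWORD.
# Keywords are case-insensitive and the first occurrence wins, as in sshd(8).
sshd_opt() {
    val=$(awk -v k="$2" '
        tolower($1) == "match" { exit }          # stop at the first Match block
        tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# check_sshd_config FILE -> 0 when the file meets the checklist, 1 otherwise.
# Defaults mirror OpenSSH: Protocol "2,1" on old releases, password auth on.
check_sshd_config() {
    f=$1; rc=0
    proto=$(sshd_opt "$f" Protocol "2,1")
    [ "$proto" = "2" ] || { echo "FAIL $f: Protocol is '$proto', want 2"; rc=1; }
    pw=$(sshd_opt "$f" PasswordAuthentication yes)
    [ "$pw" = "no" ] || { echo "FAIL $f: PasswordAuthentication is '$pw', want no"; rc=1; }
    pk=$(sshd_opt "$f" PubkeyAuthentication yes)
    [ "$pk" = "yes" ] || { echo "FAIL $f: PubkeyAuthentication is '$pk', want yes"; rc=1; }
    return $rc
}

# Two constructed sample files (not from a real host): a stock-style config
# and one edited as the checklist recommends.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
#Protocol 2,1
PermitRootLogin no
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

check_sshd_config "$WEAK" || echo "-> $WEAK needs hardening"
check_sshd_config "$HARD" && echo "-> $HARD passes"
```

The Match block in the hardened sample re-enables password logins for one user only; the audit deliberately ignores it because it does not change the global policy.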
Enable Monitoring and Set Alerts
Monitoring is vital to ensuring the security of your machines. You can set up monitoring and configure security thresholds that alert you when a threshold is reached.
Joyent partners with New Relic and Nodefly to provide Joyent customers with free performance monitoring.
Enable Role Based Access Control (RBAC)
Role Based Access Control is a powerful but lesser-known feature of Solaris. You can find information on how to set up RBAC on a machine here.
Security Guidelines for working with WordPress
These security guidelines apply specifically to machine users who plan to set up a WordPress blog. When installing a WordPress blog on a machine, you need to ensure that you protect it from malicious attacks.
Manage your Blog through Source Control Software
Managing your blog through source control software, such as Subversion or Perforce, is a good practice to follow regardless of security concerns. It also lets you manage your blog content diligently: you can use source control tools to track modifications to content and compare differences between revisions, and you always have a preserved copy of your blog at various stages of development.
Configure Your Uploads Directory as Writable by the Web Server
You should modify the write permissions of the Uploads directory for your blog so that only your web server can write to it. This may mean you will have to modify permissions for other directories and services as well. Run this command on the Uploads directory for your blog.
Use HTTP Authentication to Access /wp-admin/ through a Browser
A best practice is to put this in your Apache configuration file rather than in .htaccess, so that it cannot be deleted if file permissions are set incorrectly.
<Location></Location> blocks are not supported from within .htaccess files, so if you use .htaccess you will have a .htaccess file under the /wp-admin/ directory.
If you use LDAP, limiting it to your webdev group is useful:
Update your software
Make sure you keep your WordPress software up to date. You should also sign up for release notifications.