PHP DevOps Tutorial: Things You Need to Take Care of When Setting Up a New Server
Codementor PHP expert mentor Chris Fidao is a PHP developer who runs Servers for Hackers, the newsletter about servers, for programmers. Chris recently sat down with us during Codementor’s Office hours and answered some of our viewers’ questions about servers. Here is one of the questions he answered:
The text below is a summary done by the Codementor team and may vary from the original video and if you see any issues, please let us know!
What are some things you need to care of while setting up a new server?
I prefer Ubuntu over CentOS because Ubuntu’s server edition is really solid and easy. I’m in a situation where I can often get the latest software and afford to run into issues. I don’t typically use some more advanced security things like SELinux, or Security Enhanced Linux, which usually comes as the default in CentOS or Red Hat. SELinux is a good option for production systems, and you often see it used by enterprises, but I don’t use it for my personal stuff because it’s complicated. The minimum things I do take care of are:
- creating new users
- making sure root user can’t log in to the server with SSH
- using SSH keys instead of password-based authentication
- user permissions (user access and management)
- making sure users can’t abuse the use of sudo (e.g. who can use it and who can’t) network-based stuff.
- set up a firewall and locking down as much as you can without sacrificing functionality fail to ban
I’ll open up other ports and other network interfaces as needed. If I had a server set up with mySQL being on a different server, or if my servers needed to communicate with each other but not with a client, I can open up a private network to communicate with each other instead of having everything blocked with the firewall. I also turn on automatic security updates in Ubuntu, and this is different depending on your server type, so I guess it’s a little more different on Debian servers, but it’s almost the same. However, if you use CentOS or Red Hat, it’s a little more complicated because you can turn on updates but there is no easy way to specifically turn on security updates.
Going beyond this would be the look into SELinux, and that can really help you out locking down users from taking advantage of having sudo access or more access than you want them to have (e.g. editing certain files, using certain binaries like delete, move, etc.) Fail to ban is also important, as it will monitor logs for certain processes like Nginx or access logs for SSH. This is all configurable, but if it finds too many failed logins from a certain host or a certain IP address, it can ban them for a set period of time. It logs all that, so you can check your log file to see if there are any intrusion attempts.
Other posts in this series with Chris Fidao:
- PHP Office Hours: How to Use Nginx With Your Web Application
- Nginx & Node.js vs Apache
- Nginx Tutorial: Serving Static Content Without Using a Directory