Server Security
If you're introducing public facing web servers into your organization, you'll need to keep on top of
your security – we've seen a lot of large scale, public hacking scandals recently (Sony, Playstation
Network, Xbox Live and plenty more).
There are plenty of individuals out there that would love to mess up your website or application –
it's a challenge for them to do so and they get a sense of satisfaction from stealing your data,
whether it's useful to them or not.
If I am honest, I don't believe that it is possible to defend from all the possible attacks that could
come your way, but I do believe that the steps outlined below will help to defend against the less
sophisticated hackers out there.
User Management
Using the root user of your Ubuntu server is never recommended. If you and several other users
are managing a server as root, you'll have no record of who did what, and everyone will have
access to do everything.
This probably isn't a huge issue in the early phases of your application / website deployment, but
imagine you've grown, your website is making a significant amount of money daily and you've
started to hire new system administrators.
They all have root access to your servers, and one of them decides to make a change. That change
brings the system crashing down, your website / application goes offline and you have no idea
who was responsible.
These issues happen, for the most part, not because of malicious intent by your employee, but
rather because they have access to commands and functionality that they do not know or
understand.
As mentioned above, working as root is never the best idea. The safer option is to make use of a
function called sudo (super user do), which enables a user to temporarily increase their privileges
on the system using their own password rather than root's. This enables you to control which
server commands each user can carry out, and it also means you can track what actions each user
is taking.
You can disable the root password (sudo passwd -l root) and even disable the root account
altogether (sudo usermod --expiredate 1 root); all of these commands can be read about further in
their manual pages by typing man passwd, man usermod and man sudo into your terminal.
User management on Ubuntu is very straightforward. To add a user, use the sudo functionality
(outlined above) and type sudo adduser username; this will then prompt you to enter information
about that user, such as name, phone number etc.
Deleting a user is just as simple (dangerously simple). Again, using the sudo command, you can
type sudo deluser username.
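Once the steps above have been applied, it is worth checking that they actually took effect. The script below is an added example, not code from the original article: it reads the /etc/shadow and /etc/group formats from text passed in as arguments, so it runs against the constructed sample data embedded here without root privileges, and it can be pointed at the real files (via sudo) to audit a live server. The sample hashes and user names are constructed placeholders.

```shell
#!/bin/sh
# Audit helpers for the user-management steps in the article (added example).
# Each function takes file contents as text, so it can be tested offline on
# the constructed samples below, or fed the real files on a live host:
#   root_password_locked "$(sudo cat /etc/shadow)"

# Constructed /etc/shadow sample: root after "sudo passwd -l root" (the "!"
# prefix marks a locked password) and "sudo usermod --expiredate 1 root"
# (field 8 = 1, i.e. expired on day 1 of the epoch); alice is a normal user.
SAMPLE_SHADOW='root:!$6$abc$placeholderhash:19000:0:99999:7::1:
alice:$6$def$placeholderhash:19000:0:99999:7:::
bob:!:19000:0:99999:7:::'

# Constructed /etc/group sample: only alice is in the sudo group.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
www-data:x:33:'

# root_password_locked SHADOW_TEXT: prints "locked" and returns 0 when root's
# password field starts with "!" or "*", otherwise prints "UNLOCKED", returns 1.
root_password_locked() {
    field=$(printf '%s\n' "$1" | awk -F: '$1 == "root" { print $2 }')
    case "$field" in
        '!'*|'*'*) echo locked; return 0 ;;
        *)         echo UNLOCKED; return 1 ;;
    esac
}

# account_expired SHADOW_TEXT USER: returns 0 when the account's expiry day
# (field 8, days since the epoch) is set and is today or earlier.
account_expired() {
    today=$(( $(date +%s) / 86400 ))
    exp=$(printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $8 }')
    [ -n "$exp" ] && [ "$exp" -le "$today" ]
}

# sudo_members GROUP_TEXT: prints each member of the sudo group on its own
# line, so you can see exactly who is able to escalate privileges.
sudo_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "sudo" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Run against the constructed samples.
root_password_locked "$SAMPLE_SHADOW"
account_expired "$SAMPLE_SHADOW" root && echo "root account expired"
sudo_members "$SAMPLE_GROUP"
```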
Deleting the user is not the same as deleting all the related data for that user. For example,
www.netshock.co.uk