Your Server

How hard is it to run a secure Linux server, with Apache, PHP, MySQL, and mail services?

I will be getting my own dedicated server soon and while I have a functional knowledge of the concepts of Linux, I don't know everything. Will my server be reasonably secure if I am sure to keep everything updated and patched (assume there are no PHP scripts vulnerable to SQL injection etc.)?

Public Comments

  1. Make sure you have strong passwords for everything. This includes your database. Use SSH to connect, scp or some other secure program to transfer files (not vanilla FTP, since it transmits passwords in the clear). If your database doesn't need to talk to other hosts, configure it so it only listens on the loopback interface. Be careful when configuring your mail server, so it isn't an open relay. Get a cert for the web server, so you can use SSL to protect information that gets sent over the net. The biggest potential source of vulnerabilities will be from whatever web apps you install. Subscribe to the announcement/security mailing list(s) for those apps (and for the Linux distro you use), so you don't get blindsided. Before you install something, you might want to check out a security site (like Secunia) and search to see what advisories have been issued for that software within the recent past. This will give you an idea about just how worried you should be about potential issues down the road (and what current issues there are that haven't been fixed yet). If you're rolling your own web apps, there are a whole bunch of things to watch out for, especially if you're doing things with user data (file uploads, SQL searches, form processing, etc).
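
A quick way to check several points from the answer above on a running host, as an added example that is not part of the original post: the function reads `ss -tln` output and flags a MySQL listener off loopback, a plaintext FTP listener, an exposed SMTP port, and HTTP without HTTPS. It assumes the services use their default ports (3306, 21, 25, 80, 443), and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against the advice above.
# Assumes default ports. Reads `ss -tln` output on stdin, one finding per line.
audit_listeners() {
    awk '
    $1 != "LISTEN" { next }          # skip the header and non-listening rows
    {
        ep = $4                      # local endpoint, e.g. 0.0.0.0:3306 or [::]:80
        n = split(ep, parts, ":")
        port = parts[n]              # text after the last colon
        addr = substr(ep, 1, length(ep) - length(port) - 1)
        loopback = (addr ~ /^127\./ || addr == "[::1]")
        if (port == "80")  http = 1
        if (port == "443") https = 1
        if (port == "3306" && !loopback)
            print "WARN mysql reachable on " addr ": set bind-address = 127.0.0.1"
        else if (port == "21")
            print "WARN ftp listening on " addr ": passwords sent in the clear, use scp/sftp"
        else if (port == "25" && !loopback)
            print "INFO smtp exposed on " addr ": confirm it refuses to relay for outsiders"
    }
    END {
        if (http && !https)
            print "INFO http without https listener: install a certificate"
    }'
}

# Constructed sample of `ss -tln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      32     *:21               *:*
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      511    [::]:80            [::]:*
EOF
}

# Demo on the sample; on a live host run: ss -tln | audit_listeners
sample_ss_output | audit_listeners
```

A listening port 25 is normal on a mail server, so that line is informational: the socket table cannot show whether relaying is restricted, only that the port is reachable.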
Powered by Yahoo! Answers