With all the talk about security recently I thought I would add a quick post on some precautions to take when setting up a VPS. Most servers (Windows and Linux) I work on are behind a hardware firewall, but a few of my smaller VPSs don't have that luxury and are totally open when you are first given access. I'm not going to go into detail on configuring the correct directory permissions, the users that services run as, or best practice for file uploading, but simply mention one of the first things you should do on your shiny new Linux VPS (Windows as well of course, but not covered here), and that is setting up iptables.
First I need to think about what I want to expose to the net: port 80 (web), 443 (SSL) and 22 (SSH). This server also has MySQL (port 3306), but I'm happy to leave that closed and use an SSH tunnel when I need to use an admin tool from my local PC.
My server for this setup is Debian (5.0 - Lenny), but these instructions should be almost the same on any distribution and exactly the same on Ubuntu. Jamie Krug has an excellent set of instructions on setting up Railo on Ubuntu, and while my setup differs (I use Resin rather than Tomcat), his iptables rule list is extremely handy and an excellent place to start.
One thing to note is that applying the rules manually, without loading them at boot time, means that if you accidentally lock yourself out you can use your control panel to simply reboot the server and the rules will be unloaded. Handy while you're just starting out.
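As an added example (not from the post or from Jamie Krug's list), here is a minimal ruleset for exactly the setup above: loopback and established traffic in, new connections only to 22, 80 and 443, everything else (including MySQL on 3306) logged and dropped. The rules are emitted as text so you can read them before piping them to a shell; assumes root and the iptables binary, and nothing is persisted, so a reboot clears it.

```shell
#!/bin/sh
# Constructed example: a first iptables INPUT policy for a fresh VPS.
# Only the ports listed here accept new inbound TCP connections.
TCP_PORTS="22 80 443"

# Print the rules rather than running them, so they can be reviewed first.
rules() {
    # Set the policy to ACCEPT before flushing so an old DROP policy
    # cannot cut off the SSH session that is applying the new rules.
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Allow ping, log whatever falls through, then close the door.
    cat <<EOF
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
iptables -P INPUT DROP
EOF
}

# Apply in the running kernel only; nothing is written to disk, so a
# reboot from the control panel removes the rules if you lock yourself out.
apply_rules() {
    rules | sh
}

# Returns 0 when the given TCP port has no ACCEPT rule (e.g. 3306 for MySQL).
port_closed() {
    ! rules | grep -q -- "--dport $1 "
}
```

Run `sh firewall.sh` after adding `apply_rules` at the bottom, then check with `iptables -L INPUT -n -v` that the counters on the DROP policy line grow as unwanted traffic arrives.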
Also note that every website running under Railo gets its own administrator, so adding rewrite rules to "hide" the admin pages is worthwhile to try to avoid brute-force password attempts (you could also restrict this to a specific IP).
(Apache mod_rewrite, or Helicon ISAPI_Rewrite for Windows, will accomplish this.)
Nothing I have mentioned is specifically applicable to Railo or ColdFusion; I protect my non-CFML machines in the same way, and with the price of unmanaged VPSs coming down greatly recently I thought this was worth a mention.
If anyone has any other improvements or suggestions, let me know.