Tuesday, October 30, 2012

Re: Help me choose OS for django server

+1 for fail2ban

It's surprising that a 3-year attack eventually succeeded if you
had fail2ban installed, which should have blocked the attack after
just a couple of tries.  Or had you not yet learned about fail2ban?
I got hacked once too, before I learned about fail2ban.  Never
since.

--Fred
Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.

On 10/30/12 7:09 PM, Trevor Joynson wrote:

I highly recommend fail2ban.

And definitely use SSH key only auth (PasswordAuthentication no).

I've had a box with a 32 char random password get brute forced. Took three years to do, but it happened.

On Oct 30, 2012 4:08 PM, "Nikolas Stevenson-Molnar" <nik.molnar@consbio.org> wrote:

> First, is this a good idea?  Do you think I can do this securely using
> the django, apache, and lighttpd docs? or am I asking for trouble?
> What are the major security issues I need to be aware of when
> administering a server?
This depends on your specific security requirements. If you're mainly
concerned with protecting your server and website from unwanted
tampering, then the important things are 1) only allow connections to
ports you're using (HTTP) and restrict access via SSH to your IP or a
local network; 2) make sure the software you're using is secure (the
ones you mention are good; though I think Apache is vulnerable to a type
of DDoS attack: http://en.wikipedia.org/wiki/Slowloris); 3) check your
own code; Django is good about security but that doesn't mean you can't
build an insecure application with it; 4) choose good passwords, etc.
and if you're particularly concerned, consider using keys for your SSH
connection.

> Also, if I go this route, I'll need to choose an OS.  I'm running a
> production server (just Apache + mod_wsgi) using my Arch Linux box,
> but I don't think arch is the best idea.  I'm sorta trying to decide
> between CentOS and Ubuntu.  Leaning toward CentOS, but just a little
> worried it might be missing some of the packages I need.  I've never
> used CentOS before.  Any advice?
I've used both and haven't noticed much difference for the things I do.
I would recommend nginx in place of lighttpd (better maintained), and if
you're using either of those, Apache isn't necessary (though you will
need a WSGI server, such as Gunicorn).

_Nik
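The thread's advice to use keys for SSH comes down to one sshd_config setting, but it is easy to get wrong: for global keywords, sshd uses the first value it encounters, so a `PasswordAuthentication no` appended below an earlier `yes` changes nothing, and a `Match` block can quietly re-enable passwords for some clients. The following checker is an added example, not code from the thread or from OpenSSH; the target policy in `WANTED`, the `DEFAULTS` table, the 2012-era assumption about `PermitRootLogin`'s default and the three sample configs are all constructed for the demo.

```python
"""Check whether an sshd_config actually enforces key-only logins.

Added example, not code from the thread or from OpenSSH. It models the
OpenSSH rule that, for global keywords, the FIRST value encountered wins,
so a "PasswordAuthentication no" appended below an earlier "yes" changes
nothing. Settings inside a "Match" block are conditional and are reported
separately. The sample configs below are constructed.
"""

# What a key-only server should resolve to (assumed target policy).
WANTED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    # PAM keyboard-interactive can still accept a password; newer OpenSSH
    # releases call this keyword KbdInteractiveAuthentication.
    "challengeresponseauthentication": "no",
    "permitrootlogin": "no",
}

# Value sshd uses when the keyword is absent. PermitRootLogin's default
# changed to prohibit-password in OpenSSH 7.0; "yes" here is the
# conservative, pre-7.0 assumption for a 2012-era server.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: keyword -> first value seen outside any Match block.
    match_blocks: list of (criteria, {keyword: value}) in file order.
    """
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                # drop comments and padding
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key val" or "Key=val"
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}                                   # lines below are conditional
            match_blocks.append((value, current))
        elif current is not None:
            current.setdefault(keyword, value)
        else:
            global_settings.setdefault(keyword, value)     # first occurrence wins
    return global_settings, match_blocks


def audit(text):
    """Return [(what, effective_value)] for every deviation from WANTED."""
    settings, match_blocks = parse_sshd_config(text)
    findings = []
    for keyword, wanted in WANTED.items():
        effective = settings.get(keyword, DEFAULTS[keyword])
        if effective != wanted:
            findings.append((keyword, effective))
    for criteria, block in match_blocks:
        if block.get("passwordauthentication") == "yes":
            findings.append(("match " + criteria, "passwordauthentication yes"))
    return findings


# Constructed: the operator appended "no", but the earlier "yes" still wins.
WEAK = """
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
"""

# Constructed: what the thread's advice resolves to.
HARDENED = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""

# Constructed: hardened globally, but a Match block reopens passwords on a LAN.
LAN_EXCEPTION = HARDENED + """
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("lan", LAN_EXCEPTION)):
        print(name, audit(cfg) or "ok")
```

Running the script reports three findings for `WEAK` (passwords still on, keyboard-interactive left at its default, root login allowed), nothing for `HARDENED`, and the Match block for `LAN_EXCEPTION`. On a real host, `sshd -T` prints the effective values after all of this resolution and is the simpler check; the parser is here to show why a naive `grep PasswordAuthentication` is not enough.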

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
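Fred and Trevor both recommend fail2ban, and Fred asks how a three-year brute force could succeed with it installed. The example below, added here and not fail2ban's own code, reproduces the core of what fail2ban does for the sshd jail: parse failure lines out of the auth log, keep a per-IP window of recent failures, and ban once `maxretry` failures land inside `findtime`. The option names follow fail2ban's jail settings, but the values, the host name `web1`, the IP addresses and every log line are constructed. The second, slower source in the sample never fills the window, which is the gap Trevor's `PasswordAuthentication no` closes: fail2ban rate-limits guessing, key-only auth ends it.

```python
"""Sliding-window ban logic of the kind fail2ban applies to sshd logs.

Added example, not fail2ban's own code. maxretry, findtime and bantime
follow fail2ban's jail option names; their values, the host name and the
log lines below are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Two sshd failure forms in syslog layout: "Mon DD HH:MM:SS host sshd[pid]: ...".
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failure(line, year=2012):
    """Return (timestamp, ip) for a failed-login line, else None.

    Syslog timestamps carry no year; 2012 (the thread's date) is assumed.
    """
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


class Jail:
    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.attempts = defaultdict(deque)   # ip -> failure times still inside findtime
        self.banned_until = {}               # ip -> expiry of the ban
        self.bans = []                       # (ip, "Mon DD HH:MM:SS") in the order issued

    def observe(self, ts, ip):
        """Record one failure; return True if it triggers a ban."""
        if ts < self.banned_until.get(ip, ts):
            return False                     # still banned: the firewall rule holds
        window = self.attempts[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # expire attempts older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + timedelta(seconds=self.bantime)
            self.bans.append((ip, ts.strftime("%b %d %H:%M:%S")))
            window.clear()
            return True
        return False


def process(lines, **jail_opts):
    """Run every log line through a jail and return the jail for inspection."""
    jail = Jail(**jail_opts)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            jail.observe(*parsed)
    return jail


# Constructed auth log: one fast guesser, one legitimate key login, one slow guesser.
SAMPLE_LOG = """\
Oct 30 19:00:01 web1 sshd[2011]: Failed password for root from 198.51.100.7 port 51122 ssh2
Oct 30 19:00:03 web1 sshd[2013]: Failed password for invalid user admin from 198.51.100.7 port 51123 ssh2
Oct 30 19:00:05 web1 sshd[2015]: Invalid user oracle from 198.51.100.7
Oct 30 19:00:07 web1 sshd[2017]: Failed password for invalid user oracle from 198.51.100.7 port 51125 ssh2
Oct 30 19:00:09 web1 sshd[2019]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Oct 30 19:00:11 web1 sshd[2021]: Failed password for root from 198.51.100.7 port 51127 ssh2
Oct 30 19:00:13 web1 sshd[2023]: Failed password for root from 198.51.100.7 port 51128 ssh2
Oct 30 19:05:00 web1 sshd[2100]: Failed password for root from 203.0.113.9 port 60001 ssh2
Oct 30 19:09:00 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 60002 ssh2
Oct 30 19:13:00 web1 sshd[2102]: Failed password for root from 203.0.113.9 port 60003 ssh2
Oct 30 19:17:00 web1 sshd[2103]: Failed password for root from 203.0.113.9 port 60004 ssh2
Oct 30 19:21:00 web1 sshd[2104]: Failed password for root from 203.0.113.9 port 60005 ssh2
"""

if __name__ == "__main__":
    jail = process(SAMPLE_LOG.splitlines())
    print("bans issued:", jail.bans)
    for ip, window in jail.attempts.items():
        print(ip, "failures still in window:", len(window))
```

With the defaults above, 198.51.100.7 is banned on its fifth failure at 19:00:11 and its sixth attempt is ignored as already banned. 203.0.113.9 spaces its failures four minutes apart, so at most three ever sit inside the 600-second window and it is never banned; that source would only be stopped by the window being wider, by a longer-term rule (fail2ban's recidive jail), or by passwords not being accepted at all.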

