It’s important to keep computer systems updated and this process should be as simple as possible to stay safe and secure. A server that runs web applications should be simple to build, easy to patch, update and upgrade, and it should have a great manual. Then being able to monitor problems remotely and be alerted to issues helps the website operator ensure that everything is running correctly. E-commerce systems require high security and are subject to PCI-DSS Compliance since they process financial transactions and should be audited periodically including self-audits by the operator to ensure there is no data or financial leakage.
We’ll take a freshly installed FreeBSD operating system (versions 9 and 10 were used with this article) and build a jail system where we’ll install a secure, fully functional server capable of processing credit card transactions online quickly and simply, keeping hackers out at the same time.
With the popularity of complex web-based applications, a common problem for administrators is how to keep web servers secure without limiting the many types of web applications and scripts that can be installed. Too often, software is installed by users will contains security vulnerabilities that will be found today or in the future, vulnerabilities that can and will allow someone to compromise a system. It’s not a matter of if, it’s just a questions of when will your server be exploited? Administrators require layered security to severely limit the breach and have notification systems that monitor for any unexpected activity on the server. There are thousands of automated scripts out there written by hackers who search the Internet for vulnerable software that is easy to exploit. A good administrator needs to minimize this risk and the risk that all web applications provide once they are installed, and use planning, architecture, secure builds and operational tools that run, secure, monitor and report on the state of a web server.
It is not very difficult to get a basic FreeBSD system running. On modern hardware, a default install from removable media can take as little as five or ten minutes. But a base system is not a adequate or secure enough for today’s business and e-commerce needs. In this article, we’ll take the most common web server configuration, Apache/PHP/MySQL, and put it in a CHROOT/jail virtualization environment, add strong firewall, a web application firewall, a file integrity monitor to notify us of any changes to the system, and we’ll strong public-key authentication for remote access.