OS hardening for API / DB server

[graphiclunarkid]

We need to review and improve security on the dev-censor-1 server in at least the following areas:

• Firewall configuration
• MySQL
• Apache
• PHP
• Modx
• SSH
• Shut down and disable unused services

[dantheta]

Are you happy for participants with sudo access to make changes, or should we run suggestions by You or Lee first?

[graphiclunarkid]

I think it's fine if you just go ahead and change things but we should try to document the configuration somehow.

Ansible? Text file in /root?

[dantheta]

Firewall tightened, MySQL user config updated. Notes in /root/mysql.txt. Denyhosts previously installed.

[dantheta]

I've added some ansible config, but it needs testing.

[graphiclunarkid]

If you can provide some brief instructions I'm happy to test. Do we need to stand up a VM in which to do this? I'm a bit constrained by data-transfer limits here but I can arrange to visit a friendly neighbourhood cafe-avec-wifi if a big download will be involved...

[dantheta]

That's cool - all it really needs is a clean CentOS 6 VM to test. I'm about to do that here, so don't worry too much about eating all of the local bandwidth. I'll post the result (and the ansible recipes to the config repo) and possibly close the ticket when it's working.

[dantheta]

I was thinking that we could do with some monitoring for the server as well, before/during live day. I'm a fairly dab hand with Nagios, if that's any help.

[graphiclunarkid]

Monitoring would be a great idea. The only problem I foresee is that we don't have anywhere to host it that isn't also serving production code (and is therefore something we want to monitor) :neutral_face: I don't know whether @gwire has nagios set up on another server already that we can use?

[dantheta]

If it helps, I have nagios running on a VPS monitoring my server estate. I'm happy to temporarily add the A&A VMs and the blocked.org.uk api server and queues for live day.

[graphiclunarkid]

Might be a good idea if you have time and don't mind. Feel free to add my org.org email address to the list receiving alerts. We should still aim to move it over to whatever ORG uses for monitoring ASAP though (there might be something monitoring the existing blocked.org.uk site, but if there is, it will probably need checking and updating at least).

[dantheta]

Nagios is monitoring the API server, the queues and the A&A VMs. A complete ansible playbook for the API server has been checked in to the config VM. I think we can call this one closed.