TL;DR
This is the next post in the series about Ruby on Rails security. In the previous post I explained how to harden the other servers. This time I will explain the daily security check for CentOS servers.
After you have securely set up your Ruby on Rails servers, you need to take care of their security on a daily basis, because time is the ultimate attack vector for all web applications.
Monitor Common Vulnerabilities and Exposures (CVE)
You need to create a collection of web pages that announce CVE advisories for the components of your web application. Here is one typical Ruby on Rails application stack.
Next, check the security logs that you set up during the hardening phase.
Logwatch
logwatch | less
Fail2ban
fail2ban-client status
SELinux
grep AVC /var/log/audit/audit.log | less
Nginx log
log/nginx.access.log-YYYYMMDD*
This is where your application knowledge is important. In that file, I look for attacker patterns. First, I filter out the regular application URL paths, so what is left is requests from bot scripts that are probing for known security issues in various applications.
For example:
zless /home/deploy/apps/betterdoc/current/log/nginx.access.log-YYYYMMDD* | egrep -v 'assets|images|favicon.ico|robots.txt|fonts'
Note that I use zless, which is less for compressed files.
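As an added example that is not part of the original post, here is a small POSIX shell script that wraps the filter above into a daily check: it drops the regular application paths and summarises what remains per client IP and path. The paths in APP_PATHS and the sample log lines are constructed for a hypothetical Rails app; extend APP_PATHS with your own routes.

```shell
#!/bin/sh
# Added example (not from the original post): daily review of an nginx
# access log for probe traffic. Assumes the default "combined" log format
# and a hypothetical Rails app whose regular paths are listed in APP_PATHS.

# Regular application paths, anchored so "/assets" does not also hide a
# request such as "/foo/assets.php". Extend with your own routes.
APP_PATHS='^/$|^/assets/|^/images/|^/fonts/|^/favicon[.]ico$|^/robots[.]txt$|^/users/'

# Read a live log or a rotated .gz log (what zless/zcat do for you).
read_log() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Full log lines whose request path ($7 in the combined format) is not a
# known application path: what is left is mostly scanner/bot traffic.
probe_requests() {
    read_log "$1" | awk -v re="$APP_PATHS" '$7 !~ re'
}

# Per client IP and path, noisiest first: "count ip path".
probe_summary() {
    probe_requests "$1" | awk '{print $1, $7}' | sort | uniq -c | sort -rn
}

# Number of probe requests in the log (handy for a daily threshold alert).
probe_count() {
    probe_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample log for trying the functions offline.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:00:00:02 +0000] "GET /assets/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:00:01:10 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.0"
198.51.100.7 - - [01/Jan/2024:00:01:11 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 162 "-" "python-requests/2.0"
198.51.100.7 - - [01/Jan/2024:00:01:12 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.0"
192.0.2.33 - - [01/Jan/2024:00:02:00 +0000] "GET /users/sign_in HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:00:03:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.0"
EOF
}

# Usage: sh daily_nginx_check.sh /path/to/nginx.access.log-YYYYMMDD.gz
if [ "$#" -gt 0 ]; then
    probe_summary "$1"
fi
```

Run it against each rotated file from the day before; the summary makes it easy to spot one IP hammering many unknown paths, which is the pattern worth feeding to fail2ban.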
Do I need to restart servers?
There is a myth that you do not need to restart Linux servers after an application update. Linux will not force you to do that, because a running application happily keeps running with the previous version of a library that is still mapped in its memory, which is bad if the previous version has a security issue. Remember, you set up automatic daily updates for all server components. With the command:
lsof -n | grep DEL | less
you get a list of processes that still use in-memory libraries that have been deleted from the disk. If that command returns any lines (marked DEL), you need to restart the whole server (easier) or just the application that is listed.
In the next post, I will describe a security audit of Ruby on Rails application code.