In previous post I described how to do security hardening for your Ruby on Rails web server. In this post I will talk about other servers: database, openvpn, cache and job.
Database server holds web application data so hacker will definitely try to get direct access to it.
You first need to do basic server hardening explained in my previous post. After that you need to be sure:
- that other servers port is not publically available
- access to other server is properly securely configured
One is resolved by putting your servers behind firewall. Second depends which server do you use. Here is example for postgres database server. Here is you strategy. When you know you database server, Google for its security settings and apply official guidelines that you will found.
How to securely connect directly to your servers? You can publically expose ssh port, but this is not good strategy. You need to use vpn connection.
Simply explained, openvpn is ssh that uses certificate (public/private) authentication. It will make hacker job much harder. You need one dedicate box with openvpn server. Also, you will need openvpn client. So after VPN is set up, here is how you connect to your servers:
- establish open vpn connection
- connect using ssh to your servers that now have ip address from VPN network range
In next post I will explain how to do daily security check for servers and their software components.