DrupalCon Portland 2013: LINUX SYSTEM SECURITY TUNABLES
While regular web hosting best practices should always be in place to defend your site against attack, there is more you can do to improve your host's "post intrusion" stance. A layered set of security precautions can discourage an attacker's attempts at privilege escalation.
The first line of defense is privilege separation. Beyond keeping a system's administrative users separate from web server users, it's important to maintain strict control of any SSH keys or similar cross-host access mechanisms. Two-factor authentication is surprisingly easy to implement. And in cases where there are clear lines between sites or services, adding mandatory access controls can help strengthen the existing boundaries.
To frustrate an attacker's information gathering and potential vulnerability exploitation, there are many system tunables that can be trivially enabled. These span the network, filesystem, virtual memory, and debugging facilities of the kernel. Additionally, more can be done to protect the kernel from userspace. While it may look pointless to keep root user access separate from kernel-level access, it can play a significant role in hardening a system, especially one with an external kernel, as seen with some VPS providers.
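The paragraph above names the areas these tunables cover but lists no specific settings. As an added example (not from the talk), this shell function audits a host against a small baseline; the sysctl names are real Linux tunables, but the selection and the minimum values are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit kernel hardening sysctls by area.
# Assumption: this baseline (which keys, which minimums) is illustrative only.
# Columns: area  sysctl-key  minimum-acceptable-value
TUNABLES='
network    net.ipv4.tcp_syncookies               1
network    net.ipv4.icmp_echo_ignore_broadcasts  1
filesystem fs.protected_symlinks                 1
filesystem fs.protected_hardlinks                1
vm         vm.mmap_min_addr                      65536
vm         kernel.randomize_va_space             2
debug      kernel.dmesg_restrict                 1
debug      kernel.kptr_restrict                  1
debug      kernel.yama.ptrace_scope              1
kernel     kernel.modules_disabled               1
kernel     kernel.kexec_load_disabled            1
'

# audit_sysctls [ROOT]
# Reads each key under ROOT (default /proc/sys), prints one status line per
# key, and returns 0 only if every key is present and meets its minimum.
# Usage on a live host: audit_sysctls
audit_sysctls() {
    root=${1:-/proc/sys}
    rc=0
    while read -r area key want; do
        [ -n "$area" ] || continue            # skip blank lines in the table
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            status=MISSING have=-             # feature not built in or hidden
        else
            have=$(cat "$path")
            case $have in
                ''|*[!0-9]*) status=WEAK ;;   # unexpected non-numeric value
                *) if [ "$have" -ge "$want" ]; then status=OK; else status=WEAK; fi ;;
            esac
        fi
        [ "$status" = OK ] || rc=1
        printf '%-7s %-10s %-38s have=%s want>=%s\n' \
            "$status" "$area" "$key" "$have" "$want"
    done <<EOF
$TUNABLES
EOF
    return $rc
}
```

`kernel.modules_disabled` and `kernel.kexec_load_disabled` cannot be turned back off without a reboot, so a WEAK result for them on a running host is expected until boot-time configuration sets them.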