R – Securing a linux webserver for public access


I'd like to set up a cheap Linux box as a web server to host a variety of web technologies (PHP & Java EE come to mind, but I'd like to experiment with Ruby or Python in the future as well).

I'm fairly versed in setting up Tomcat to run on Linux for serving up Java EE applications, but I'd like to be able to open this server up, even just so I can create some tools I can use while I am working in the office. All the experience I've had with configuring Java EE sites has all been for intranet applications where we were told not to focus on securing the pages for external users.

What is your advice on setting up a personal Linux web server in a secure enough way to open it up for external traffic?

Best Solution

This article has some of the best ways to lock things down:


Some highlights:

  • Make sure no one can browse the directories
  • Make sure only root has write privileges to everything, and only root has read privileges to certain config files
  • Run mod_security

The article also takes some pointers from this book:

Apache Securiy (O'Reilly Press)

As far as distros, I've run Debain and Ubuntu, but it just depends on how much you want to do. I ran Debian with no X and just ssh'd into it whenever i needed anything. That is a simple way to keep overhead down. Or Ubuntu has some nice GUI things that make it easy to control Apache/MySQL/PHP.