I'm looking into moving our staging/testing server hosted on a little box locally to being hosted remotely so that it can be accessed from anywhere over the internet. This server hosts things like version control, bug tracking, a web server for staging/testing, and NTP, among other things. (It would also expose services like samba and ssh for developers to access it.)
How would I ensure the security of that server? I ask because we will be accessing important things remotely over the internet that we were previously accessing over a local network.
Even if I were to use iptables, I wouldn't be able to set proper rules only allowing access from our developers' workstations because they could be working from anywhere at any time. And dynamic DNS sometimes takes a while to update, so there could be times when they're left without access to this all-important server.
So conceptually what would be the proper way to configure iptables, and what other elements of security should I think about? I should mention that there's only a few people who would be using the services offered on that machine.
Is an option in this case a 'VPN'? How, if at all, would that help me here - I've read a bit about VPNs but don't know a lot about them, and am not sure whether it would be useful in this case. If it's useful here, is it something that would be implemented on our developers' workstations, on the new server, or both?
It's risky to expose the information on that server over the internet, but it's something it just makes sense to do based on the need for working from anywhere, and I just want to make sure I understand about this move from a security standpoint. Have any of you done something similar? Any tips or advice as I plan this out?
If security is of the upmost importance then I'd recommend going with a VPN setup as you mentioned.
But, normally for this type of thing I would ensure everything is as secure as possible (secure passwords, latest versions of software etc.) and allow access from all locations. That would be the easiest way for your developers to access the server, without having to deal with VPN and the issues that can sometimes occur with them.
█ Accelerated Hosting - From Constant Internet
█ Automatically serving your website from the nearest server
█ Get hosted on our global network! America / Europe / Asia
You could use CSF (www.configserver.com) and turn on port knocking to enable access from remote locations.
You'd definitely need a VPN for Samba, but if you run SSH over a non-standard port you're going to be pretty safe. I wouldn't run an FTP service at all, use SFTP which is both faster and far more secure. (FTP can send passwords in clear text, so simply don't allow it)
I'd also force the use of ssl/HTTPS with bug tracker app, and any part of your infrastructure that could send passwords (so there are no clear-text passwords).
Re the port knocking, you can enable known fixed sites and those with known dynamic DNS entries, and add port knocking for SSH access.
Also do the usual stuff like disabling root login over ssh, using sudo for root access, possibly logging reasons for root access, etc etc.
With your dev sites, you can use basic auth, or just put them under a subdirectory or something similar so someone can't stumble across them by accessing the domain (and use privacy on the domain registration if you don't want others finding it). Also make sure you block robots with robots.txt so it can't be accidentally indexed. (we've had this happen!!)
Oh - and probably worth saying - if there's risk involved, hire a known sysadmin to harden the server and to lock it down for you. Locking down a server is non-trivial, and you don't want to see it hacked, or worse, client information lost at a much later stage. A few hundred in setup could end up saving you thousands down the track, and it will certainly give you confidence.
Also talk to the sysadmin you use about how to securely setup multiple accounts, and the issues involved (eg staging through dev/alpha/beta/production, separation of users/accounts, how developers can work etc).
Oh - I'd also use RAID-1 or similar, and have a third separate backup disk. You could become very reliant on this machine over time.