Results 1 to 5 of 5
  1. #1
    Join Date
    Feb 2005
    Posts
    127

    How to secure a hosted staging/testing server

    I'm looking into moving our staging/testing server hosted on a little box locally to being hosted remotely so that it can be accessed from anywhere over the internet. This server hosts things like version control, bug tracking, a web server for staging/testing, and NTP, among other things. (It would also expose services like samba and ssh for developers to access it.)

    How would I ensure the security of that server? I ask because we will be accessing important things remotely over the internet that we were previously accessing over a local network.

    Even if I were to use iptables, I wouldn't be able to set proper rules only allowing access from our developers' workstations because they could be working from anywhere at any time. And dynamic DNS sometimes takes a while to update, so there could be times when they're left without access to this all-important server.

    So conceptually what would be the proper way to configure iptables, and what other elements of security should I think about? I should mention that there's only a few people who would be using the services offered on that machine.

    Is an option in this case a 'VPN'? How, if at all, would that help me here - I've read a bit about VPNs but don't know a lot about them, and am not sure whether it would be useful in this case. If it's useful here, is it something that would be implemented on our developers' workstations, on the new server, or both?

    It's risky to expose the information on that server over the internet, but it's something it just makes sense to do based on the need for working from anywhere, and I just want to make sure I understand about this move from a security standpoint. Have any of you done something similar? Any tips or advice as I plan this out?

    Thanks.

  2. #2
    If security is of the upmost importance then I'd recommend going with a VPN setup as you mentioned.

    But, normally for this type of thing I would ensure everything is as secure as possible (secure passwords, latest versions of software etc.) and allow access from all locations. That would be the easiest way for your developers to access the server, without having to deal with VPN and the issues that can sometimes occur with them.
    Accelerated Hosting - From Constant Internet
    Automatically serving your website from the nearest server
    Get hosted on our global network! America / Europe / Asia

  3. #3
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    I would suggest a vpn, something like openvpn would work. You would have to install openvpn on the server and clients. Make sure all of the services are bound to the vpn IP and not the public IP.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  4. #4
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    You could use CSF (www.configserver.com) and turn on port knocking to enable access from remote locations.

    You'd definitely need a VPN for Samba, but if you run SSH over a non-standard port you're going to be pretty safe. I wouldn't run an FTP service at all, use SFTP which is both faster and far more secure. (FTP can send passwords in clear text, so simply don't allow it)

    I'd also force the use of ssl/HTTPS with bug tracker app, and any part of your infrastructure that could send passwords (so there are no clear-text passwords).

    Re the port knocking, you can enable known fixed sites and those with known dynamic DNS entries, and add port knocking for SSH access.

    Also do the usual stuff like disabling root login over ssh, using sudo for root access, possibly logging reasons for root access, etc etc.

    With your dev sites, you can use basic auth, or just put them under a subdirectory or something similar so someone can't stumble across them by accessing the domain (and use privacy on the domain registration if you don't want others finding it). Also make sure you block robots with robots.txt so it can't be accidentally indexed. (we've had this happen!!)

  5. #5
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    Oh - and probably worth saying - if there's risk involved, hire a known sysadmin to harden the server and to lock it down for you. Locking down a server is non-trivial, and you don't want to see it hacked, or worse, client information lost at a much later stage. A few hundred in setup could end up saving you thousands down the track, and it will certainly give you confidence.

    Also talk to the sysadmin you use about how to securely setup multiple accounts, and the issues involved (eg staging through dev/alpha/beta/production, separation of users/accounts, how developers can work etc).

    Oh - I'd also use RAID-1 or similar, and have a third separate backup disk. You could become very reliant on this machine over time.

Similar Threads

  1. Info on Staging Server & Production Server
    By verbality in forum Dedicated Server
    Replies: 5
    Last Post: 01-19-2011, 10:05 PM
  2. Staging Server / Customer Screening Process idea?
    By MjrGaelic in forum Running a Web Hosting Business
    Replies: 3
    Last Post: 06-20-2009, 02:20 PM
  3. How do I browse a website on a staging server?
    By jayman369 in forum Programming Discussion
    Replies: 8
    Last Post: 03-06-2007, 07:44 PM
  4. Hosted load testing services?
    By bryonhost1 in forum Hosting Security and Technology
    Replies: 2
    Last Post: 02-01-2007, 04:04 PM
  5. PHP Testing/Staging on XP
    By jimtomas in forum Web Design and Content
    Replies: 2
    Last Post: 10-04-2003, 09:57 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •