David Hall's picture

The Story

The other day I was showing off my wordpress virtual appliance to a friend.  I thought it was so cool how within a few minutes of download I had a fully function WP blog with cool plugins and a great theme running.  I told him I wanted to load it up on EC2 or some VPS hosting service.  He is an experienced web/sys admin and like most was scinical of things that are too easy. 

He did a quick look around and saw iptables was wide open and wrinkled his nose....   Is that a talent all sysadmins go to a special school to learn?

The Question

As these virtual appliances are most likely going to be running in an untrusted or hostile environment, what steps are done to harden the appliance?

I found what I think is an excellent article on hardening Linux boxes

Is some level of hardening intrinsic to TKL appliances? or is that up to the user?

Liraz Siri's picture

Good feedback. First note that all appliances ship with an Iptables firewall policy. You just have to log into Webmin and activate it.

In general, your sysadmin friend is right. If you don't need a service, it's best to shut it down. One of the security advantages of using TurnKey is that each appliance only includes what you need to run the application, plus a few additional services for convenience. That reduces the attack footprint. Also, TurnKey appliances auto-install security updates daily, no other distribution I know of does that out of the box. You could call that hardened but the focus is usability. Ideally security shouldn't be something you have to think about too much. If the box just updates itself, you can sleep a little better at night.

Incidentally, we came into IT from a military security background. The biggest lesson we've learned is that security is always secondary to functionality. If something doesn't work it's useless. Nobody will use it regardless of how "secure" it is. On the flip side, once something is working you can always tighten the screws by shutting down services you don't use (e.g., webmin, shellinabox, phpmyadmin), putting the machine behind a firewall, etc. The only limit in how far you go is your level of paranoia...

But there's a rub: beyond a certain point have to give something up for better security (e.g., convenience, functionality, complexity, etc.). It's not free.

When there's a choice to be made, our philosophy is to let end-users decide where they want to draw the line while providing the most usable, reasonable defaults.

Add new comment