The bad news is that WordPress is notorious for allowing bad guys in via plugins. Since anyone can write a plugin for wordpress, many times the coding standards are not very high. I’ve been bitten by a bad plugin before. It took me a while to figure out what was happening to my server. As soon as I rebuilt it, the hacker would break in… I finally narrowed it down to a plugin. Unfortunately it was days of downtime beck then because I was on a dedicated server. With cloud server, it sucks, but at least you can be back up in a couple hours.

With that being said, WordPress also gets falsely blamed for a lot of websites getting hacked, but in reality, the user probably had a bad, easy to crack password.

Let’s get started

When you first start a cloud webserver, the only open port  is 22 (ssh). You never want to shut this port down, because it is your lifeline to manage a server if all hell breaks loose. When I first start a server, I flush the firewall, just so I can get moving quickly.

iptables -F

I then go and do my business of installing LAMP and webmin.

After LAMP is working properly, it’s time to secure the server. Remember, at this point it is all wide open

My first warning is to remember that iptables work in order, so if you first directive is to drop all, you are going to get locked out immediately… You will probably have to reboot the cloud server, and hopefully it will use the old configuration with port 22 open. So you want to create all your allowed ports first, then shut the door on the rest.

Allow port 22, 80 and 10000. This is ssh, web, and webmin

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

That allows access on our three main ports.

Now I need want to allow ICMP’s – The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to send error messages—indicating, for instance, that a requested service is not available or that a host or router could not be reached.

iptables -A INPUT -p icmp -j ACCEPT

I also want to allow traffic on the loopback adapter

iptables -A INPUT -i lo -j ACCEPT

Next, we will want to use some standard rules for general network traffic. This goes a bit beyond the basic stuff, however iptables can determine the ‘state’ that a packet is in. This has to do with standard TCP communication. For example, the 3 way handshake between two hosts when transmitting data. Source: Howto Basic Ip Tables

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Now let’s shut out everything else, save the config and then restart ip tables

iptables -A INPUT -i eth0 -j DROP
service iptables save
/etc/init.d/iptables restart

Below is a screenshot of the Linux firewall in Webmin one you are done

Doing the research for this setup, I found many different ways that people secure their servers. I think this is a very solid solution for a typical cloud webserver.

References used for this blog post:

Advanced firewall techniques, including solutions to brute force attacks

5dollarwhitebox.org - Easy to follow firewall example solution

We already know that Google’s intentions aren’t to limit the Android platform to mobile phones. With the right hardware and expectations that these devices can truly be portable thin clients, an Android netbook might not be so far-fetched after all.

The problem with Google making an OS isn’t the fact that they are notorious for announcing products that turn out to be nothing more then feeble attempt to gain media exposure when a competitor is about to release a product or service. Google buys a ton of start-ups and Mark Cuban has an explaination why. Case in point, Opensocial. Opensocial was announce way too early because of the release of the Facebook platform, AKA Facebook apps. I was really excited about Opensocial and followed for about a year, learning how to implement it because all the major communities were jumping on like Linkedin, Myspace, Orkut (for you Brazilians), but it turned out to be absolutely useless. The concept behind Opensocial was to run common function across many website enabling personal data to exchange between communities.

Why did they release so early? Simple to create buzz. how cares what happens 2 years down the road. How many people will remember the service when it fades away? They got the press they wanted in 2007, they did their job.  Google needs to take notes from Apple about how to squash a release. Apple owned the Palm Pre on the release date.

So, why did Google announce the ChromeOS now? it’s still 2 years from release date?

1. Both Microsoft and Apple have new OS’s this year. Windows 7 is basically a service patch for Vista, or Mojave, or Longhorn, whatever MS calls it now… Hell MS just wishes Vista would go away too…
2. The New smartphone OS’s will run on netbooks. – Imagine the iPhone OS on an 8 inch netbook… To me that sounds awesome. Other OS’s include the android OS and the Palm OS, which is HTML based… All these have app markets which fits in nicely to the lightweight netbook market.
3. There is another OS out their called Linux, you might have heard about it from your grandma. It’s open source which is great, but also allows for many, many distributions. Will this happen to ChromeOS? too many choices makes people choose Apple or MS.
4. If you really think about it, ChromeOS, runs on the Linux kernel? so doesn’t that just make it another distribution? I would assume that Google’s not going to hide the terminal?
5. Linux already has an app market called Synaptic. Of course everything is free on synaptic and it’s not really an app market, it’s a GUI to apt-get, but can easily accommodate a marketplace. I even think Steam can be a full blown app market.

We all now Google is gunning for MS, and we all now Google has the power to make an OS… I’m just wondering why they are talking about it now.