Additional important steps:
- Firewall everything. Only expose the SSH port, HTTP and HTTPS (+ any other application-specific ports)
- Make sure MySQL is binding to localhost only, run the secure setup (be careful with PW length, it only supports 32 chars)
- Install and configure Fail2Ban to dynamically block any suspicious requests
- Remove/disable any unused Apache modules
- Make sure your least privilege access controls are set up properly, e.g. individual keys, easy way to revoke access, full logging of all commands and terminal history
- If possible implement IP whitelisting for SSH access
Desired steps:
- Use a CI solution for the actual code deploys; this adds a layer of governance and control to the source code appearing on the server
- Lock down the public-facing side with IP whitelisting/basic auth, no sense in it getting crawled and bombarded when it is in development
- Make sure your Apache and MySQL logs are set up properly with the correct log level and permissions (Apache logs are owned by root so be careful if making any changes here)
- Move SSH off port 22. No doubt someone will moan about this, yes it is security through obscurity but coupled with Fail2Ban the advantage here is less bot traffic on port 22.
You have not mentioned any of the services or languages used; if you are using PHP etc. there is a whole host of other measures to take as well.
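
A way to check the exposure items in the list above (only SSH, HTTP and HTTPS reachable, MySQL bound to localhost, SSH moved off port 22), as an added example that is not part of the original answer. The function names, the SSH port 2222 and the sample socket listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against the checklist above.
# stdin: output of `ss -H -tln`
# $1:    space-separated ports allowed to listen on non-loopback addresses
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        addr = $4                                  # Local Address:Port column
        port = addr; sub(/.*:/, "", port)          # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)      # text before the last colon
        if (host ~ /^127\./ || host == "[::1]") next   # loopback-only is fine
        if (port == "3306")       print "FAIL mysql-exposed " addr
        else if (!(port in ok))   print "FAIL unexpected-listener " addr
        else if (port == "22")    print "WARN ssh-default-port " addr
    }'
}

# Constructed sample of `ss -H -tln` output (not taken from a real host).
# Assumes SSH was moved to 2222; 6379 stands in for a forgotten service.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:2222     0.0.0.0:*
LISTEN 0 511  0.0.0.0:80       0.0.0.0:*
LISTEN 0 511  *:443            *:*
LISTEN 0 151  127.0.0.1:3306   0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128  0.0.0.0:6379     0.0.0.0:*
EOF
}

# Prints one line per finding; silent when the host matches the checklist.
sample_ss_output | audit_listeners "2222 80 443"
```

On a real host, pipe `ss -H -tln` into `audit_listeners` instead of the sample. It reports what is bound to a non-loopback address, so a listener that the firewall already blocks is still flagged and should be either bound to localhost or stopped.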