In one of my last posts, I mentioned I was going to write a post on securing SSH. As it turns out, I really like most of this advice, so rather than recreate it, I'm just going to comment on and expand on it. Go read that article, then the rest of this will make sense.
Non-standard ports?
Item #5 in that list, about running on non-standard ports, is one I'm not that fond of. As we saw in an earlier blog post, it is trivial to port scan and find out where stuff is running, so …
My last two blog entries have talked about ways of locking down services to specific ports and IPs. In this entry, I want to show you two tools for inspecting your running server so you can see the result of your hard work, and identify other things that might need to be locked down.
Knowing What Your Server is Running
The first tool we are going to look at is netstat. Log into your Linux server, and type this: sudo netstat -lnpt
You'll see some output that looks like this (server …
…you're logging model/table changes on a per user basis. There are many hacks to accomplish this, but David Bock has a gem called SentientUser which does this a little cleaner.
Once your website goes big and you start to worry about malicious user attacks, you may want to take a look at Arto Bendiken and Brendon Murphy's Rack::Throttle Middleware. Throttle does just what you think it does, allowing you to limit the number of requests a user can ping your …
Much like my last entry on memcache, I'm not trying to write the ultimate security guide for securing a MySQL server... I'm just outlining the kinds of steps you should take to have a level of security on par with the locks on your car... Enough to encourage the average plunderer to move along to another target.
Listen Only Where You Want to Hear
Just like memcache, the default MySQL install is listening patiently on all your server's ethernet devices for someone to …
A couple of weeks ago I was setting up a few servers for a new client. Part of that setup was an instance of memcache, and I took a few minutes to show a colleague the 'how and why' of a secure memcache install. She said "You should blog that". It made it to my 'to do' list, but I hadn't gotten around to it until now.
was an inspiration to me. I can't believe the high-profile websites that had security problems with their memcache instances; clearly …
I have been blogging a lot this week about my thoughts behind a methodology for agile assessments. While I have implied it, I haven't specifically answered the question "Who would run the agile assessment process?"
The Team
As I discussed in this post, an agile assessment should first be useful as a retrospective tool, performed by the team itself, with no external agents needed. I could see an assessment format based on a series of questions used to lead a discussion, …
In my earlier blog post on assessing agility, I asked three questions. This is my answer to "Who is the 'audience' for the assessment of an agile team?".
If we are going to 'assess' our software development teams, who is going to be the audience for the information collected? I think there are several:
The software development team itself. As I described in the last entry, this is in some ways an extension of the 'retrospective' concept. …
In my earlier blog post on assessing agility, I asked three questions. This is my answer to "Why would a successful agile team want an 'assessment'?".
Every successful agile team I have been on performs periodic 'retrospectives'. Every iteration, they ask questions like "What did we do well? What didn't we do well? What should we change?". Periodically, they do larger retrospectives, following ideas from books like Esther Derby's Agile Retrospectives.
In my last blog post on assessing agility, I asked three questions. This is my answer to "how an assessment is different from a certification".
First, I'd like to give a historical perspective for my answer. For several years, I worked for a company that was infatuated with the CMM / CMMi model for process improvement (I was *not* one of the infatuated, which I think gave me a healthy perspective for its strengths and weaknesses). I originally heard …
Several years ago, I was working on a death march Rails project with a small team. I needed some support from Capistrano to prevent us from making some bone-headed mistakes, like having two people trying to deploy the app into production at the same time (fielding calls from anxious clients). Dunce-cap was born.
Dunce-cap is a plugin (I'll gemify it someday) that adds a few new capabilities to your Capistrano deploy. Install it with:
./script/plugin install git://github.com/bokmann/dunce-cap.git