Building Your Startup: Security Basics

Final product image
What You'll Be Creating

This tutorial is part of the Building Your Startup With PHP series on Envato Tuts+. In this series, I'm guiding you through launching a startup from concept to reality using my Meeting Planner app as a real-life example. Every step along the way, I'll release the Meeting Planner code as open-source examples you can learn from. I'll also address startup-related business issues as they arise.

The production server for Meeting Planner currently runs at Digital Ocean (see other tutorials about them at Envato Tuts+.) In today's episode, we'll dive into the basics of web server security. I'll cover securing the Linux VPS running Meeting Planner and some basic Yii security. In the next episode, I'll dive more into programmatic Yii application security.

I do participate in the comment threads below, so please share your feedback. Please let me know if there are security topics you feel that I missed. I'm also open to new feature ideas and topic suggestions for future tutorials.

As a reminder, all of the code for Meeting Planner is written in the Yii2 Framework for PHP. If you'd like to learn more about Yii2, check out our parallel series Programming With Yii2.

If you haven't yet, try out Meeting Planner right now by scheduling your first meeting. Feel free to post feedback about your experience in the comments below. 

Hosting and VPS Security

Common Resources

If you're running a generic Linux VPS, you may want to review my earlier Envato Tuts+ tutorial, Securing Your Server Login. It covers a number of steps which we'll revisit today, including SSH security and firewalls.

Digital Ocean is also a great resource for security practices. An Introduction to Securing your Linux VPS is one of the best overviews that they offer. Plus, they have cool graphics.

Startup Series - 7 Security Measures via Digital Ocean - graphic of Hun-like invaders
via Digital Ocean's 7 Security Measures to Protect Your Servers

Here are three other articles they offer which I utilized for the background in this tutorial:

Keeping the Server Updated

Firstly, it's vital that you keep your server up to date with regular updates and upgrades. This integrates security patches from software (and open source) providers that you're using.

Here are the basic steps—you'll likely be familiar with them:

Dist-upgrade uses some intelligence to manage the interdependencies of updated packages:

To ensure that it takes full effect, you may need to reboot on occasion. I always stop my database and then restart:

When Meeting Planner has more users, more elaborate restart mechanisms may be needed.

Configuring SSH Login

Startup Series - SSH Key Authentication
Image via Digital Ocean's 7 Security Measures to Protect Your Servers

You have the option of using your private key when creating a Digital Ocean droplet. When I set up Meeting Planner, I repeated the steps I outlined here: Securing Your Server Login.

I also moved SSH login to a custom port, not the commonly used (and attacked) port 22.

Setting Up a Firewall

Startup Series - Firewall Request Filtering
Image via Digital Ocean's 7 Security Measures to Protect Your Servers

Next, I installed UFW, the uncomplicated firewall:

However, I did not say yes to that request. The warning reminded me to double-check all of my SSH requirements.

For example, I turned off the default SSH port and turned on the one that I am using:

Then, I set a sudo request for the future to disable UFW in case my settings weren't correct:

Then, I enabled UFW and ran through my remaining settings:

Here are the results:

Note: Because my database is currently running on the same server as Meeting Planner's web services, I can block port 3306. However, as usage for the site scales to multiple servers, changes will be needed.

I also edited the UFW configuration to enable the firewall when the server restarts:

Because of the delayed disable command, I had to enable UFW again after five minutes.

In addition to my Securing Your Server Login, the Digital Ocean guides UFW Essentials: Common Firewall Rules and Commands and How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server are helpful when configuring UFW.

Setting Up SSL

Startup Series - Lets Encrypt New Certificate Authority Free Automated and Open

For the security of people using Meeting Planner, I also set up SSL as described in Using Let's Encrypt SSL With Your WordPress Project.

And, you may notice, I allowed https access on port 443 when setting up the firewall above. Requests to http://meetingplanner.io automatically redirect to https://meetingplanner.io.

Getting Started With Yii2 Application Security

Beyond the Linux security foundation, we also need to be thoughtful about securing the Yii Framework on top of PHP. You may wish to read Programming With Yii2: Security, most of which we'll review in the next episode.

However, today, we'll implement some basic access control features for Meeting Planner.

Access Control

One of the initial benefits of using a PHP MVC framework is that all requests for pages are routed through a single index.php file. As I described in Programming With Yii2: Routing and URL Creation, Yii carefully manages incoming requests for pages and directs them to the appropriate controllers and action methods.

In addition, it's our job to secure controller requests when they come into the application. Primarily, who is this person and do they have the right to access this page?

As discussed in the Yii2 Security tutorial, Yii has a variety of options for managing access. Meeting Planner primarily uses the Access Control capability.

Securing Front-End Application Requests

Here's an example of traffic coming into the Meeting Controller which users commonly access:

The access behavior safeguards all the methods mentioned in 'only'. The actions listed with roles '@' require authenticated users—in other words, only users that have logged in can see these pages. Users that aren't logged in are redirected to the default home page. However, pages with roles '?' are open to the public.

So, for example, only an authenticated user can create a meeting, but anyone can enter the application through the meeting/command URL. That's because we use the command URL widely in emails, and it has another layer of authentication, described in the Delivering Invitations tutorial

The command URL allows users that aren't logged in (and even meeting participants that have never been to the site before) to securely access specific pages.

Securing Back-End Application Requests

For the back-end system of Meeting Planner, only administrators can access these pages. Because administrators are denoted in our User table in a custom, application-specific way, I had to build a custom Access rule to verify them. Yii's basic roles only support authenticated @ and unauthenticated ?.

Let's look at the back-end MessageController for sending site-wide email updates to our users:

The custom rule ensures that the user is not a guest and passes isAdmin() before forwarding them to the proper action. Other users are redirected to the back-end login page.

We've accomplished a lot today, but there's still a lot to do.

Looking Ahead

If you run a server, you've probably appreciated today's review of basic Linux and hosting security. In the next episode, we'll explore security steps related more closely to the Yii Framework and the Meeting Planner application.

Watch for upcoming tutorials in the Building Your Startup With PHP series. There are a few more big features coming up.

Related Links

Tags:

Comments

Related Articles