Simplest Security Best Practices (for servers hosting Ruby on Rails apps)


Marcin Stecki

Updated Aug 3, 2023 • 3 min read

A few simple practices you can apply that will take your software towards the goal of bulletproof security.

The subject of security will be everlasting, as long as the internet and people exist. Security is never finished; after all, it is a learning, changing, fluid process. There are, however, a few simple practices you can apply that will take you towards the goal of bulletproof security. This is not a complete list, but it is something to get you started.

Servers hosting Ruby on Rails applications:

  • keep encrypted backups of every database on an external service (e.g. Tarsnap)
  • host your user-generated content in the cloud (e.g. Amazon S3)
  • use unattended upgrades - wiki.debian.org/UnattendedUpgrades (or a similar tool for your system)
  • lock down all traffic with iptables and whitelist only the ports you want to expose (e.g. just 22, 80 and 443)
  • whitelist the IPs that can log in over SSH
  • use SSH with RSA keys (no passwords!)
  • disable root login
  • whitelist the IPs that can connect to your database (on a single-instance server, listen only on 127.0.0.1)
  • always serve the website over SSL only
  • use fail2ban (or a similar tool) to fend off DDoS attacks at a basic level
  • use monit to check disk, CPU and memory usage
  • monitor your app's uptime with a service like Pingdom
  • use a tool like PagerDuty together with monit and Pingdom for automated event escalation
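To make the firewall and SSH items above concrete, here is an added example (not from the original post) in POSIX shell. It does two things: prints the iptables commands for a default-deny input chain that exposes only 80 and 443 publicly, limits SSH (22) and the database port (5432, assuming PostgreSQL) to whitelisted addresses, and audits an sshd_config for `PasswordAuthentication no` and `PermitRootLogin no`. All IP addresses are constructed TEST-NET values, and the port and file names are assumptions for the demo; the script prints the rules rather than applying them so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Constructed values: TEST-NET-3 addresses, PostgreSQL on 5432 (assumptions).
ADMIN_IPS="203.0.113.10 203.0.113.11"   # hosts allowed to reach SSH
DB_CLIENT_IPS=""                        # empty: database reachable via loopback only
PUBLIC_PORTS="80 443"

# Print the iptables commands for a whitelist-style INPUT chain.
# ACCEPT rules are emitted first and the DROP policy last, so that applying
# the output top to bottom never cuts off the admin's own SSH session.
gen_iptables_rules() {
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for ip in $ADMIN_IPS; do
    echo "iptables -A INPUT -p tcp --dport 22 -s $ip -m conntrack --ctstate NEW -j ACCEPT"
  done
  for ip in $DB_CLIENT_IPS; do
    echo "iptables -A INPUT -p tcp --dport 5432 -s $ip -m conntrack --ctstate NEW -j ACCEPT"
  done
  for port in $PUBLIC_PORTS; do
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -P INPUT DROP"
}

# Read the effective value of one sshd_config keyword. sshd honours the
# FIRST occurrence of a keyword, so a later "no" does not override an
# earlier "yes"; comment lines are ignored by the anchored pattern.
sshd_value() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# Audit an sshd_config: return 0 only if password logins and root login are
# both explicitly disabled; an unset keyword counts as a failure because the
# compiled-in default may allow what the checklist forbids.
check_sshd_config() {
  file="$1"
  status=0
  pw=$(sshd_value "$file" PasswordAuthentication)
  root=$(sshd_value "$file" PermitRootLogin)
  [ "$pw" = "no" ]   || { echo "PasswordAuthentication should be 'no' (found '${pw:-unset}')"; status=1; }
  [ "$root" = "no" ] || { echo "PermitRootLogin should be 'no' (found '${root:-unset}')"; status=1; }
  return $status
}

# Demo run on a constructed, deliberately weak config (not a real file).
gen_iptables_rules
cfg=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$cfg"
check_sshd_config "$cfg" || echo "sshd_config needs fixing"
rm -f "$cfg"
```

Pipe the generated rules into `sh` only after reviewing them on a console you cannot lock yourself out of, and persist them with your distribution's iptables-save mechanism so they survive a reboot; run the audit against `/etc/ssh/sshd_config` and restart sshd after any change.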

Other best practices for reference: www.cyberciti.biz/tips/linux-security.

App codebase:

  • use automatic security issue detection (static code analysis, e.g. CodeClimate)
  • have developers not involved in the project review the code regularly (a third-person perspective)
  • upgrade libraries regularly (run bundle update every now and then; CodeClimate also watches your Gemfile for vulnerable gems!)
  • commission pen tests every few months (preferably from an external company)

In reality, this list should be 3 times longer and include multiple solutions. Those are, however, the simplest things we chose to get you going. Let us know in comments if you think this basic list is missing something!
