Vengala Vinay

Having 9+ Years of Experience in Software Development

Home » An Auditor’s Checklist for Securing Shopify Backends on Linode

An Auditor’s Checklist for Securing Shopify Backends on Linode

SSH Hardening and Access Control

Securing SSH access to your Linode instance hosting the Shopify backend is paramount. This involves disabling password authentication, enforcing key-based authentication, and restricting root login. We’ll also implement a firewall to limit access to only necessary ports.

SSH Configuration (`sshd_config`)

Edit the SSH daemon configuration file. The exact path may vary slightly depending on your distribution, but it’s typically /etc/ssh/sshd_config.

Ensure the following directives are set:

  • PermitRootLogin no: Disables direct root login via SSH. All administrative tasks should be performed by a non-privileged user who then uses sudo.
  • PasswordAuthentication no: Disables password-based authentication, forcing the use of SSH keys.
  • PubkeyAuthentication yes: Ensures public key authentication is enabled.
  • AllowUsers your_admin_user another_user: Explicitly lists the users permitted to log in via SSH. Replace your_admin_user and another_user with actual usernames.

After making these changes, restart the SSH service:

sudo systemctl restart sshd

Firewall Configuration (UFW Example)

We’ll use UFW (Uncomplicated Firewall) for simplicity. Ensure it’s installed and enabled.

sudo apt update
sudo apt install ufw -y
sudo ufw enable

Allow SSH (port 22) and any other ports your Shopify backend requires (e.g., HTTP/HTTPS for reverse proxy, database ports if not on a separate network). For this example, we’ll assume only SSH and HTTP/HTTPS are needed.

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw status verbose

The ufw status verbose command will show the current rules. Ensure only the intended ports are open.

Database Security (MySQL/PostgreSQL)

The database is a critical component. Secure it by restricting network access, enforcing strong credentials, and regularly auditing access.

Network Access Control

If your database is hosted on the same Linode instance as your web server, bind it to the loopback interface (127.0.0.1) to prevent external access. If it’s on a separate Linode or a managed database service, configure firewall rules on both the database server and the application server to allow connections only from the application’s IP address.

For MySQL, edit my.cnf (often found at /etc/mysql/my.cnf or /etc/my.cnf) and set:

[mysqld]
bind-address = 127.0.0.1

Restart the MySQL service:

sudo systemctl restart mysql

For PostgreSQL, edit postgresql.conf (path varies, e.g., /etc/postgresql/X.Y/main/postgresql.conf) and set:

listen_addresses = 'localhost'

And in pg_hba.conf (same directory), ensure only trusted hosts can connect. For local connections:

local   all             all                                     trust

If connecting from another host (e.g., a web server on a different IP), replace trust with appropriate authentication methods (e.g., md5 or scram-sha-256) and specify the IP address:

host    all             all             192.168.1.10/32         md5

Restart PostgreSQL:

sudo systemctl restart postgresql

User Management and Permissions

Create dedicated database users for your Shopify application. Avoid using the database’s root user for application connections. Grant only the necessary privileges.

For MySQL:

CREATE USER 'shopify_app'@'localhost' IDENTIFIED BY 'your_strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shopify_database.* TO 'shopify_app'@'localhost';
FLUSH PRIVILEGES;

For PostgreSQL:

CREATE USER shopify_app WITH PASSWORD 'your_strong_password';
GRANT CONNECT ON DATABASE shopify_database TO shopify_app;
GRANT USAGE ON SCHEMA public TO shopify_app;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO shopify_app;
-- For sequences if applicable
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO shopify_app;

Store database credentials securely. Do not hardcode them directly in your application code. Use environment variables or a secrets management system.

Web Server Configuration (Nginx Example)

If Nginx is used as a reverse proxy or web server, it needs to be configured securely. This includes enforcing HTTPS, setting appropriate headers, and limiting request sizes.

Enforcing HTTPS

Ensure all HTTP traffic is redirected to HTTPS. This is typically done in your Nginx server block configuration.

server {
    listen 80;
    server_name your-shopify-domain.com;
    return 301 https://$host$request_uri;
}

The main server block for HTTPS should include SSL/TLS configuration:

server {
    listen 443 ssl http2;
    server_name your-shopify-domain.com;

    ssl_certificate /etc/letsencrypt/live/your-shopify-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-shopify-domain.com/privkey.pem;

    # Recommended SSL settings for security and performance
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s; # Use your preferred DNS resolvers
    resolver_timeout 5s;

    # HSTS Header (optional but recommended)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # ... rest of your proxy_pass or root configuration
}

Security Headers and Request Limits

Implement security headers to protect against common web vulnerabilities. Also, limit request body size to prevent certain types of denial-of-service attacks.

server {
    # ... (previous SSL configuration)

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none';" always; # CSP is highly site-specific, configure with care

    client_max_body_size 10m; # Adjust as needed, but keep reasonably small

    # ... (proxy_pass or root configuration)
}

After modifying Nginx configuration, test and reload the service:

sudo nginx -t
sudo systemctl reload nginx

Application-Level Security

While Linode provides the infrastructure, the Shopify application itself must be secured. This section focuses on common practices relevant to a backend application.

Dependency Management and Updates

Regularly scan and update all application dependencies (e.g., PHP libraries via Composer, Python packages via pip). Vulnerabilities in third-party code are a common attack vector.

For Composer (PHP):

composer outdated
composer update --no-dev # In production, remove dev dependencies

For pip (Python):

pip list --outdated
pip install --upgrade -r requirements.txt

Input Validation and Output Encoding

This is primarily an application code concern, but crucial for backend security. All user-supplied input (from API requests, forms, etc.) must be rigorously validated against expected formats and types. All data outputted to be rendered in a browser or sent in an API response must be properly encoded to prevent cross-site scripting (XSS) and other injection attacks.

Example (PHP – conceptual, actual implementation depends on framework):

<?php
// Assume $userInput is data from an API request parameter

// Validation example
if (!filter_var($userInput, FILTER_VALIDATE_EMAIL)) {
    // Handle invalid email format
    die("Invalid email provided.");
}

// Output encoding example (for HTML context)
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
?>

Secure API Endpoints

If your Shopify backend exposes API endpoints, ensure they are protected. This includes:

  • Authentication and Authorization: Implement robust authentication (e.g., API keys, OAuth, JWT) and ensure users/clients only have access to resources they are authorized for.
  • Rate Limiting: Protect against brute-force attacks and abuse by limiting the number of requests a client can make within a given time frame. This can be implemented at the Nginx level or within the application.
  • Input Sanitization: As mentioned above, all API inputs must be sanitized.
  • HTTPS: All API traffic must be over HTTPS.

Logging and Monitoring

Comprehensive logging and active monitoring are essential for detecting and responding to security incidents.

System and Application Logs

Ensure that system logs (e.g., /var/log/auth.log for SSH activity, /var/log/nginx/access.log and /var/log/nginx/error.log for web server activity) and application logs are being generated and stored securely. Consider centralizing logs to a dedicated logging server or a cloud-based service for better analysis and retention.

Configure log rotation to prevent disk space exhaustion.

# Example: Check logrotate configuration for nginx
sudo ls -l /etc/logrotate.d/nginx

Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS)

Consider deploying host-based IDS/IPS solutions like Fail2ban to automatically block IPs that exhibit malicious behavior (e.g., repeated failed SSH logins, web server attack patterns).

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure /etc/fail2ban/jail.local to enable specific jails (e.g., for SSH, Nginx) and set ban times and thresholds.

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s

[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_error_log)s

Restart Fail2ban after configuration changes:

sudo systemctl restart fail2ban

Regular Auditing and Vulnerability Scanning

Security is an ongoing process. Regular audits and scans are crucial.

Configuration Audits

Periodically review all configuration files mentioned above (sshd_config, Nginx configs, database configs, firewall rules) to ensure they align with security best practices and your organization’s policies.

Vulnerability Scanning

Utilize vulnerability scanning tools to identify known weaknesses in your system and application stack. Linode offers a vulnerability scanner, and third-party tools like Nessus, OpenVAS, or commercial SaaS solutions can also be employed.

Patch Management

Maintain a rigorous patch management process for the operating system and all installed software. Automate security updates where feasible, but always test updates in a staging environment before deploying to production.

# Example for Ubuntu/Debian:
sudo apt update
sudo apt upgrade -y # Consider unattended-upgrades for automated security patches