The problem of server security is becoming more and more severe
every day, and without special attention from all people involved in server
management a security breach is inevitable. Globaltap has an exemplary
connectivity to the Internet backbone, which makes any server at Globaltap a
prime target for crackers, much more so then at any lesser connected place.
The following is a collection of advice to help you keep your
server more secure. By no means this is a complete security manual, this page is
only meant to give an overview of important security point and is mainly aimed
at Linux/Unix server security, although some advice is applicable to all
platforms. This list might seem excessive at first, but today's network reality
is that this is a bare minimum needed to avoid downtime and lots of clean-up
General security hygiene:
Regular backups are very important for many
reasons. They are important to be able to recover from a devastating
security compromise. Sometimes restoring the server from a backup is the
only way to recover from a break-in. We recommend that you perform
backups on a regular schedule, preferably every night.
Good passwords are important to keep hackers away
from your accounts and ultimately from the server. Pick passwords which
are hard to guess, and change them regularly. This document
goes into details of how to pick good password.
Unencrypted protocols are bad because they expose
passwords to the network. Do not expose your passwords out in the open
because crackers use password sniffing as one of the primary tools for
gaining unauthorized entry. Any unencrypted protocol should not be used
to pass passwords over the network .If you have to use an insecure
protocol, such as ftp or FrontPage extensions, make sure it has a
separate and different password from any user account on the system. If
possible, enable insecure protocol only for a short period of time when
it is required. Try to switch to encrypted protocol: anything that can
be done via ftp can also be done via ssh.
Regular software upgrades are essential to
keep your server secure. If you are running Redhat type system, use yum
upgrade on a regular basis. Upgrading your server on a regular basis is
not a guarantee that it will not be broken into, but ignoring regular
upgrades is a sure way to get your server compromised. We recommend you
upgrade your software at least once a week.
Minimalize. Turn off the daemons you do not need.
Erase the software you do not use. Close the user account right away
when they are no longer needed. Check your /etc/passwd for accounts that
have real shell which do not need it. Check your /etc/shadow for
accounts that have a password which do not need it. A program or an
account cannot be used for a compromise if it does not exist on the
server. The more programs are installed and the more accounts you have
enabled the more possibilities exist for compromise.
Improving security by restricting access:
Secure your ssh daemon. Make sure you do not
allow root logins via ssh because there is a known way to compromise a
server via ssh opening from another compromised server. There is an
option in sshd_config to turn off root logins via ssh - use it. You can
always use "su" to go into root account once you have logged into a
regular user account. Restrict the accounts which can be logged into via
ssh, and restrict which IP's can login via ssh, see this link for a
ssh has become a target for brute force password guessing. It is common
to see thousands of messages per day in syslog for failed ssh logins.
One way to reduce these attacks is to run ssh daemon on a non-standard
port. Another way is to restrict which IPs can use ssh either via pam
rules (as in above link or using firewall).
Use firewall rules to restrict access to your
server. Any modern Linux distribution includes iptables firewall. Use it
to only allow access which is needed. For example, you can use iptables
to only allow certain IP's to login via ssh. If for some reason you
cannot use firewall on your server, open a ticket with our helpdesk:
Globaltap does have a central firewall and we do offer free filtering to
our customers (setup fees may apply).
Security tools. There are many good tools for many different
purposes, and we cannot cover them all here. See, for example, this
http://www.ciac.org/ciac/SecurityTools.html However, we do want to
mention a few tools which we find to be very beneficial:
Intrusion detection tools we recommend for Linux are
or tripwire (http://www.tripwire.org/).
There are a number of other ones, see
Network intrusion detection tool snort:
System log summarizer comes with many Linux
distribution: logwatch (http://www.logwatch.org/)
Review logwatch output every day.