Ask YC: Securing your servers?
What techniques do you use to secure your servers? I've had a lot of good luck with things like SuSE and AppArmor for my servers, but I'm curious if there are other Linux flavors (or other OSs) that have some solid security tools for surviving wild on the internet.
What do you use? What wouldn't you ever use again? Any absolute rules that you force yourself to follow before even bringing your server online?
Thanks!
24 comments
[ 6.1 ms ] story [ 61.2 ms ] threadIn /etc/ssh/sshd_config, disable root logins:
PermitRootLogin no
Even if you think your password ist strong. This will stop a majority of the brute-force password-guessing attacks. For extra credit, install denyhosts as well. It has stopped a _lot_ of bad guys trying to brute-force my servers.
AllowUsers user1 user2...
And it's probably best to disable password logins and use keys instead (http://www.google.com./search?hl=en&q=ssh+authorized_key...).
2. Lock them down as much as possible in configuration and access (for example: use iptables to restrict acces to only your home/office where possible).
3. Apply vendor security updates as quickly as possible (subscribe to mailing lists).
4. Remotely backup your data.
5. Hope for the best.
Perform a minimal install of your operating system then source compilation of latest services, with minimal features enabled. It is possible to compromise this configuration but it harder because there are less dormant features to exploit and it doesn't utilise widely used binaries.
1. Disable root logins via ssh (as noted above by bbb).
2. Move ssh port from port 22 to something nonstandard. According to my logs, the number of idiots who try brute-force attacks on my machines dropped from 4/day to 0.
3. Put an iptables script into /etc/init.d and make sure it runs on startup at the normal multiuser run levels (on Debian, the command is something like /sbin/update-rc.d, but I don't remember exactly). I looked into more sophisticated firewall packages which generate iptables rules, but found them rather complicated, and probably overkill (YMMV). I essentially blocked all incoming traffic except on the nonstandard ssh port and ports 80 and 443.
Services which use ports other than 80, 443, and ssh should run on a privately routed network, or, at minimum, on a separate network interface with draconian access rules. iptables is pretty easy to use once for this stuff you get the hang of it.
4. Disable password authentication for SSH and use a public/private key. Of course, use a good password on the private key.
5. (bonus) keep the installed software to the bare minimum. Less software, less bugs.
6. (extra bonus) look apache's mod_security, it's an application level firewall (filters requests to the application, so, for example, you can filter SQL injections or invalid characters before they reach your app).
2) Only run the minimum amount of services.
3) Don't give anyone else access to the system. (root exploits) Also be cautious if you are running some freely available software (such as phpbb). When a security hole is found, an attacker could deploy code on your machine resulting in a denial of service attack against other internet users, or in worst case, compromising your machine with a root exploit.
4) If a security exploit is found , update! If your server got compromised, make a fresh install.
I like the Slicehost guides to getting a server up and running relatively safely. The link has some good basic server hardening tips to start you off.
FreeBSD comes pretty locked down but OpenBSD is locked down as tight as a gnats arse. It's pretty safe to say that if your OpenBSD server is compromised it's something _you_ have done rather then something _you_ have NOT done. It's a good starting point.
2)Get a proper /etc/sudoers
3)Use IP tables to limit SSH connections to trusted IP's/networks. Setup a port knock if you roam around a lot.
4)Read your daily logwatch
5)Turn off ports/services that are not in use (this is somewhat less necessary with a halfway decent iptables setup)
6)Use SSH keys instead of passwords!
7)Log to a syslog server that is highly secured as well
8)Run a nessus scan on your box regularly
9)Minimize how much specific information about your underlying OS various services display
Software like Fanstasico can keep your software automatically updated across user accounts.
#1: Keep your system up-to-date. Your most likely entry vector is a perfectly legitimate service like Apache or OpenSSH (or even worse, some PHP application) being cracked 'cause you never installed a critical security patch.
#2: Run different services as different users. There's no reason for your Mongrel listeners, cron jobs, reverse proxy, and god knows what else to run as the same user. Basic uid/gid partitioning is at the core of good POSIX security.
#3: Never, ever trust a public web application or server with total access to your data. Use your database server's access controls to limit admin-level access, and consider running your load balancer, public applications, and admin tools on separate hosts.
#4: Find ways to prevent password storage, entry, and checking on your application servers. Read up on and understand Kerberos, even if you aren't going to use it: it's the industry standard for an authentication system that doesn't require clients to expose their password to servers.