7 Step Guide to a Secure Server

Postby apex » Mon Feb 09, 2009 12:29 am

*REPOSTED* Feb, 2009. Original post from 2005.

Know Your Attacker

If you operate any server that's connected to the internet there will be dozens to hundreds of break-in attempts every single day. There's no way to avoid this if your server is available to the public. The more software on your server the more chance one of the attempts will be successful.

Scores of crackers are running automated programs scanning millions of servers every day checking for a certain version of a certain software program which they know to be vulnerable. When they find a server that matches their criteria it's kept in a list for later use or an immediate attempt is made to gain access to the server.

Why is someone trying to get into your server?

There are a multitude of reasons, some are destructive while others are benign. They probably don't know you, or have anything against you. Your server and hundreds of others are simply tools for their purposes. Your server has resources: bandwidth, disk space, CPU power, and information. These are what the crackers are looking for. They can use your CPU power to break encrypted passwords to other accounts. They can use your disk space and bandwidth to store and share pirated music, movies, and software. They can turn your webserver into a tool for hosting their advertisements or redirecting traffic to their websites. One of the most destructive uses is DDOS (Distributed Denial Of Service) attacks. They can turn your server into part of a vast network of compromised servers that, when combined, act like one enormously powerful server with resources that can be directed at other servers or networks to completely shut them off from the internet. The most common reason to do this is to take over chat channels on Internet Relay Chat (IRC). These are loosely controlled places where egos are high and the person or group with the most compromised servers is king. They can use your server to protect their channels by acting as a barrier which will hold up only until your bandwidth and CPU power is exhausted, or until a competing group breaks into your server to gain access to the other group's network. They may use your server to attack others. Either case can leave you without access to your server, with your sites offline, a high bandwidth bill, and possibly cut off from the network by your ISP. It's a game to them and your server will be used up and tossed away without a second thought.

If your server has a fast internet connection, lots of disk space, and an admin who's not paying attention they will store pirated software and movies on it and give them away for free to thousands of people using up the bandwidth that you're paying for, costing you in overage fees, lost customers due to your sites being slow or unavailable, lost data, time, and money in repairing and securing your server again.

Your information is what makes your business unique. It's worth more than your hardware, it's often irreplaceable. Your customers trust you with their personal information and expect you to keep it safe. You must reciprocate that trust by taking measures to protect it. If you fail in this, you lose their trust and their business and your reputation can be damaged forever. Your reputation and the trust of your customers is worth much more than the cost of security. You are accountable if their websites are ruined, their identities stolen, their work lost.

The people who are going to break into your server are young and smart and if you haven't secured your server, it's there for the taking. There's little to no action you can take to retrieve lost revenues. There's little to no chance of ever finding the responsible party, and if you did they won't have any assets to compensate you for your losses.

Preventative measures are simple; they will save you time and money, and give you peace of mind.

1) Keep software up to date

This is the simplest and most effective way to keep your server secure. Crackers scan servers for known flaws in certain versions of software. These flaws take time to come to light, time for someone to write software to take advantage of the flaw, and time for crackers to locate your server and exploit the flaw. Software developers are constantly fixing bugs and security flaws. If you check for new versions often, and install them, it is far less likely that your server will be compromised.

2) Monitor server activity

When there are attempts to break into your server, or when it does get cracked, there will be evidence of it. Your server has logging facilities built-in and there are many pieces of software which will sort through these logs and warn you of suspicious activity. When you notice an attempt on your server you can use that information to defend against that type of attack before it's successful. For example, if you see hundreds of failed login attempts to the root user, you can block that address from your network. Doing this will make your server more and more secure against the types of attacks that are actually happening.
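The failed-root-login check described above, as an added example that is not part of the original post: it parses constructed sshd-style auth log lines, counts failed password attempts per source address, and lists the addresses that reach a threshold (the threshold of 3 and the sample addresses are assumptions for the demo; the post talks of hundreds).

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth-log lines in the sshd format (not taken from the post).
SAMPLE_LOG = """\
Feb  9 00:01:12 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 40122 ssh2
Feb  9 00:01:14 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 40123 ssh2
Feb  9 00:01:15 web1 sshd[2013]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Feb  9 00:01:17 web1 sshd[2015]: Failed password for root from 203.0.113.7 port 40125 ssh2
Feb  9 00:02:03 web1 sshd[2020]: Accepted publickey for deploy from 198.51.100.4 port 51002 ssh2
Feb  9 00:02:40 web1 sshd[2022]: Failed password for root from 198.51.100.9 port 33010 ssh2
Feb  9 00:03:01 web1 sshd[2023]: Accepted password for deploy from 198.51.100.9 port 33011 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return {ip: Counter({user: failures})} built from every failed-password line."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")][m.group("user")] += 1
    return failures


def offenders(log_text, threshold=3):
    """Source addresses whose failed logins reach the threshold, worst first."""
    totals = {ip: sum(c.values()) for ip, c in count_failures(log_text).items()}
    return sorted(((ip, n) for ip, n in totals.items() if n >= threshold),
                  key=lambda t: -t[1])


def block_commands(ips):
    """Render one iptables DROP rule per address so an admin can review it before applying."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip, n in hits:
        print("%s: %d failed logins" % (ip, n))
    print("\n".join(block_commands(ip for ip, _ in hits)))
```

Running it against the sample flags 203.0.113.7 (4 failures) and leaves 198.51.100.9 alone, since a single failure followed by a successful login is ordinary user behaviour.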

3) Use secure passwords

Secure passwords are random and long. Anything else is easily cracked by computer programs. You can audit your server by using the same password cracking programs they use to test your security. Don't use important passwords in more than one location. If one location is compromised, every place you used that password is now wide open to the attacker. Change your password often. If someone does break your password and you don't notice, you may lock them out again the next time you change your password.

4) Use encryption

Telnet, FTP, HTTP, POP3. Checking your mail, logging into your admin web site, uploading and downloading to your server, managing your server. What do these protocols have in common? Your username and password are sent over the internet clear as day. A dozen or more computers between your home computer and your server will see your username and password. If any of them are compromised, you and your server are now compromised. You can't secure every server that your data flows through, but if you encrypt your data it's safe to transmit over the internet. There are encrypted versions of software for each protocol: FTP, telnet, HTTP, and POP3 (SFTP, SSH, HTTPS, POP3S). The "S" in each of these stands for Secure. Each secure protocol is transparent in usage, although it will take some effort to install and configure. If you don't encrypt every protocol that you use it's almost the same as encrypting none of them, because it only takes one lapse in security to give your password away and for them to gain access to your server.

5) Disable unneeded services

Every service running on your server provides an opportunity for an attacker to break in. If you don't need it, shut it off. Scan your server with a tool like 'strobe'. It will list every service on your server with an open connection to the internet and you can disable any that you don't need.

6) Separate services into internal and external networks

If you have a web server that needs access to a database, place them on two different servers. Only allow access to the database server from the web server. This will protect the database server from outside attacks. This applies to any service or data that doesn't need to be directly accessible on the internet. Your public network should contain only that which absolutely has to be public. Your private network should contain everything else and be locked down tightly. Even if one server is compromised, your others will still be safe. If everything is on a single server, any small hole will lead to complete compromise.

7) If your server is compromised, rebuild it from scratch

You can't know exactly what has been done to your system. A cracker's first priority after getting into your system is to stay in. A cracked system is valuable to the cracker and they will try to protect it. They will install backdoors to let them back in even if you've patched the hole they exploited in the first place. They can hide programs, modify log files, erase their tracks and their actions. They can change modification dates and attach their own code to any program on your server. You'll have to back up your data, erase your hard drive, and install everything again from sources that are known to be secure.

You're starting at a disadvantage: the person who breaks into your server has done it before, probably hundreds of times. They know exactly what they're doing. This may be the first time you've been compromised, or the second, hopefully not the third. Either way, they have more experience breaking in than you do, so don't underestimate them. If they aren't smart they will be using programs written by other crackers that can be smart for them (such as rootkits).

The good news is you don't have to spend an inordinate amount of time and money securing your server to an extreme degree. If you take these precautions your servers will be far more secure than most, and your attacker is aiming for the least secure servers. They don't target you and then attempt to break in; they break into the server they've already found to be vulnerable.


John The Ripper Password Cracker
A Guide to Better Password Practices
Strobe TCP port surveyor
Locally check for signs of a rootkit with Chkrootkit
Know Your Enemy Articles