10 Security Guidelines to protect your server box in Internet

June 9, 2006 @ 2:47 | In Internet, Linux

I’m not an expert system administrator, but it is one of my hobbies. This is a checklist of things I have learned while playing with my Linux box (the one that hosts this blog) over the last few years. Although the guidelines apply to any operating system, the examples given are specific to Gentoo Linux. I hope it helps anyone configuring a secure server.

1. Master the Operating System you use

Stay away from the Windows vs. Linux wars. Choose the OS you like and learn it well. Most security breaches are due to administration errors: not staying up to date, running services that are not needed, weak password policies…

Using Linux is itself no guarantee of security. You have to manage it properly.

Personally I am in love with Gentoo Linux: a Linux distribution from programmers for programmers.

2. Have your system updated (automatically if possible)

Security bugs are discovered every day (see the Bugtraq list), so you should update your system every day, as automatically as possible. On Windows, Windows Update handles the operating system; software that is not part of the operating system has to be updated separately.

On Gentoo you can check the whole system for updates easily:

emerge --sync
emerge --update --newuse --deep world --pretend

These two lines only synchronize the package tree and show what would be updated. Run the update itself manually so you can detect potential issues.

You can check for known security vulnerabilities in Gentoo Linux using the Gentoo Linux Security Announcements (GLSA) (currently a service in beta):

glsa-check -l

At the moment glsa-check is an experimental tool.

3. Run the minimum number of services

Do not run services you do not need. Every installed service is a potential new security hole on your computer. Some Linux distributions ship a generic configuration with a lot of default services you won’t need. Disable all of them and enable only the ones you need; that is exactly what you get when you install Gentoo from scratch.

4. Firewall your system

Install a robust firewall (highly configurable, with decent support for logging and alerts) on your server and configure it properly.

Linux firewalls are based on iptables. This is a great tutorial on iptables. Ulogd is a daemon for iptables that is very useful for keeping an independent log file for your firewall.

5. Use encryption when connecting with your server

Do not use telnet, rlogin or ftp: those protocols cross the Internet unencrypted. On Windows, if you use Terminal Services, enable encryption. On Linux, OpenSSH is the right tool.

OpenSSH encrypts all traffic and can tunnel the rest of your ports. Use OpenSSH with RSA/DSA public-key authentication; I always carry my private key with me on a USB removable device. If you examine your logs you will see dozens of attempts per day to log into your machine, so if your server is online 24 hours a day this port must be well secured: disable direct root login and move sshd to a non-standard high port. OpenSSH also offers sftp, the encrypted replacement for ftp.
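To check an sshd_config against the settings just described, here is an added example (not code from the original post); sshd_get, sshd_audit and the two sample configs are constructed for it:

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the settings
# recommended above (no direct root login, key-based authentication only, a
# non-default port). sshd_get, sshd_audit and the sample configs are constructed here.

# First uncommented value of a directive. OpenSSH uses the first value it reads,
# so later duplicates (including Match-block overrides) are ignored here as well.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one line per weak setting and return 1 if any was found; a directive that
# is absent is judged at its OpenSSH default.
sshd_audit() {
    cfg=$1; bad=0
    root=$(sshd_get "$cfg" PermitRootLogin)
    [ "${root:-yes}" = no ] || { echo "PermitRootLogin ${root:-yes}: set it to no"; bad=1; }
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    [ "${pw:-yes}" = no ] || { echo "PasswordAuthentication ${pw:-yes}: set it to no and use keys"; bad=1; }
    pub=$(sshd_get "$cfg" PubkeyAuthentication)
    [ "${pub:-yes}" = yes ] || { echo "PubkeyAuthentication $pub: set it to yes"; bad=1; }
    port=$(sshd_get "$cfg" Port)
    [ "${port:-22}" != 22 ] || { echo "Port 22: move sshd to a non-standard high port"; bad=1; }
    return "$bad"
}

# Constructed sample configs: a stock-looking weak one and a hardened one.
SSHD_SAMPLES=$(mktemp -d)
cat > "$SSHD_SAMPLES/weak" <<'EOF'
#PermitRootLogin no
Port 22
PasswordAuthentication yes
EOF
cat > "$SSHD_SAMPLES/hard" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

for f in weak hard; do
    echo "== $f =="
    sshd_audit "$SSHD_SAMPLES/$f" && echo "no weak settings found"
done
```

Run it from cron against /etc/ssh/sshd_config and any output means a setting drifted from the hardened state.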

6. Detect changes to important system files

You want to know about every change made to your system files, at least the critical ones. AIDE is your friend here: it computes cryptographic hashes of the files to be checked. Store those hashes on a safe device, a read-only one for example.

7. Check against rootkits

You don’t want rootkits on your computer, so you should check for them continuously. I recommend running both Rootkit Hunter and chkrootkit every day.

8. Scan all your logs to detect suspicious activity

You should watch all your logs every day. Doing this by hand is error-prone, so have a daemon do it for you and email you when it finds something suspicious. Logwatch is a useful tool for this: it sends you an email every day with an automatically generated report.

9. Continuously monitor your system

It is vitally important that you continuously monitor the health of your system to detect anomalies: CPU usage, network traffic, memory usage, system temperature, hard disk status, etc. Cacti (a front-end for RRDtool) is ideal for this.

10. Automate as much as possible

Minimize the things you do manually. Windows has the Task Scheduler and Linux has cron jobs. For example, these are some of the tasks I have automated on my server:

Synchronize to the latest stable packages.

#!/bin/sh
# Fetch the latest portage tree quietly, then only list what would be updated.

emerge --sync > /dev/null 2>&1
emerge --update --newuse --deep --nocolor world --pretend

Check for known vulnerabilities in the system.

#!/bin/sh
# List GLSAs without colour and keep only the ones marked [N] (not yet applied).

/usr/bin/glsa-check -l -n 2> /dev/null | grep '[[:digit:]]\{6\}.*\[N\]'

Run AIDE to detect changes in system files.

#!/bin/sh
# Check the filesystem against the AIDE database (-u also writes a new one),
# save the report and show how it differs from the last approved report.

/usr/bin/aide -u -V1 > /root/safestatus/aide.last && diff /root/safestatus/aide /root/safestatus/aide.last

Look for rootkits with chkrootkit.

#!/bin/sh
# Quiet chkrootkit run (-q prints only findings); diff against the approved output.

/usr/sbin/chkrootkit -q > /root/safestatus/chkrootkit.last && diff /root/safestatus/chkrootkit /root/safestatus/chkrootkit.last

Look for rootkits with rkhunter.

#!/bin/sh
# Refresh the rkhunter data files, run an unattended check, drop the varying
# "Scanning took" line and diff the report against the approved one.

/usr/bin/rkhunter --update > /dev/null 2>&1 && /usr/bin/rkhunter -c --cronjob --skip-keypress --report-mode | grep -v "Scanning took" > /root/safestatus/rkhunter.last && diff /root/safestatus/rkhunter /root/safestatus/rkhunter.last

Generate reports from system logs.

#!/bin/sh
# Run Logwatch if it is installed. The redirection order is deliberate: stderr
# goes to cron's mail, stdout is discarded (Logwatch mails its own report).

if [ -x /usr/sbin/logwatch.pl ] ; then
    exec /usr/sbin/logwatch.pl 2>&1 > /dev/null
fi

Check for new network ports opened.

#!/bin/sh
# Snapshot the TCP listeners (numeric, with owning PID/program) and diff
# against the approved list.

/bin/netstat -tlpn > /root/safestatus/netstat.last && diff /root/safestatus/netstat /root/safestatus/netstat.last
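All of the scripts above repeat the same snapshot-and-diff step. Here it is as one reusable function, as an added example that is not part of the original post; safestatus_check and the fake_netstat stand-in are constructed for it, and it also handles the first run (no baseline yet) and a failing command, which the one-liners above do not:

```shell
#!/bin/sh
# Added example, not from the original post: the snapshot-and-diff step that the
# cron scripts above repeat, as one reusable function. safestatus_check and the
# fake_netstat stand-in are constructed for this example.

SAFESTATUS=${SAFESTATUS:-/root/safestatus}   # the post's status directory

# safestatus_check <name> <command...>
# Runs <command>, saves its output as $SAFESTATUS/<name>.last and compares it with
# the approved baseline $SAFESTATUS/<name>. Returns 0 if nothing changed, 1 (with
# the diff printed, so cron mails it) if something did. On the first run the
# snapshot becomes the baseline. If the command itself fails, the previous
# snapshot is kept and 2 is returned, so a broken tool never reads as "no changes".
safestatus_check() {
    name=$1; shift
    base="$SAFESTATUS/$name"; last="$base.last"; tmp="$base.tmp"
    mkdir -p "$SAFESTATUS"
    if ! "$@" > "$tmp" 2>&1; then
        echo "$name: command failed, keeping previous snapshot"
        rm -f "$tmp"
        return 2
    fi
    mv "$tmp" "$last"
    if [ ! -f "$base" ]; then
        cp "$last" "$base"
        echo "$name: no baseline yet, recorded the current state"
        return 0
    fi
    diff "$base" "$last" && return 0
    echo "$name: changed since baseline (review it, then: cp $last $base)"
    return 1
}

# Constructed stand-in for 'netstat -tlpn' so the example runs offline.
fake_netstat() {
    echo 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd'
    [ -z "$EXTRA_PORT" ] || echo "$EXTRA_PORT"
}

SAFESTATUS=$(mktemp -d)
EXTRA_PORT=''
safestatus_check netstat fake_netstat || echo "exit $?"   # first run: baseline written
safestatus_check netstat fake_netstat || echo "exit $?"   # unchanged: silent, exit 0
EXTRA_PORT='tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 4321/unknown'
safestatus_check netstat fake_netstat || echo "exit $?"   # new listener: diff, exit 1
```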

And that makes ten guidelines. I know I have left out a lot of topics (nessus, snort, etc.), but they will have to wait for other posts. I hope you have enjoyed these recommendations. Do not hesitate to leave comments here.
