Six Steps to a More Secure Linux Server

I’ve worked as a remote Linux System Administrator for quite a while, and one thing that I’ve noticed is that many “administrators” out there don’t know how to configure or secure a server properly. This article is a quick reference to some of the more important (and easy) security and configuration tweaks that any administrator should make on their server. These six steps can dramatically increase the security and stability of any Linux server. The best part about these tips is that they are all quick and easy to do, with each step taking less than 15 minutes!
1.) Security Updates Not Installed
Nearly every server that I work on is not running the latest (and most secure) software. Yes, Linux is a great operating system, but all software has security problems. Enabling automatic installation of updates via a cron script or similar is the easiest and most foolproof way to ensure that your server isn’t compromised through a flaw that has already been patched. There really isn’t any excuse not to install the latest security updates: older packages are saved in the package archives in case there is a stability or compatibility issue, and the updated packages are logged as they are updated.
2.) Disable root login via SSH, and password authentication
Admittedly, I’ve been guilty of this myself sometimes. Let’s face it, everyone likes being able to quickly and easily log into their servers and change settings. However, if you’re using password authentication, what’s to keep someone else from logging into your server? Disable root login over SSH, and do not use password authentication on your Linux server at all. Instead, enable RSA key-based authentication (authorized keys). This is more secure, since an attacker will not be able to guess or brute force a login session with your server.
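
One way to check a server for the two settings above, as an added example (not part of the original article). The function names and both sample files are constructed for illustration; the parsing covers only global `Keyword value` lines.

```shell
#!/bin/sh
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" apply only conditionally,
# so this looks at global lines before the first Match block.
sshd_effective() {   # usage: sshd_effective KEYWORD FILE
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        { sub(/#.*/, "") }                       # drop comments
        tolower($1) == "match" { exit }          # conditional section starts
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

check_no() {         # usage: check_no KEYWORD FILE; returns 1 unless value is "no"
    val=$(sshd_effective "$1" "$2")
    # An unset keyword falls back to the built-in default of sshd, so it is
    # reported as a finding rather than assumed to be safe.
    if [ "$val" = no ]; then
        echo "ok    $1 no"
    else
        echo "WEAK  $1 ${val:-unset} (want: no)"; return 1
    fi
}

audit_sshd() {       # usage: audit_sshd FILE; returns 1 if either check fails
    rc=0
    check_no PermitRootLogin "$1" || rc=1
    check_no PasswordAuthentication "$1" || rc=1
    return $rc
}

# Constructed samples (not from a real host). In "weak", the later
# "PermitRootLogin no" never takes effect because the first value wins.
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' \
    'PermitRootLogin no' 'Match User deploy' \
    '    PasswordAuthentication no' > "$tmp/weak"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$tmp/hardened"

audit_sshd "$tmp/weak" || true
audit_sshd "$tmp/hardened"
# On a live host, `sshd -T` prints the effective configuration.
```

Confirm that key-based login works in a second session before reloading sshd with password authentication turned off.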
3.) Disable or filter extra services
This is the second biggest issue that I see when working with new clients’ servers. Often, the system administrator who set up their Linux server did not perform a necessary final step: filtering incoming connections that aren’t necessary. I’ve seen everything from the daytime service running, to MySQL listening for connections on a remote IP. If a Linux administrator is not familiar with iptables, there are several tutorials out there that show how to create a basic firewall ruleset. In addition, disabling unnecessary services is a basic step in server optimization as well. Why run extra services that tie up resources if they aren’t needed?
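
A quick way to find services that need disabling or filtering, as an added example (not part of the original article): list TCP listeners that are reachable from other hosts and are not on an allowlist. The function names, the allowlist and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# exposed_listeners "ALLOWED PORTS" < output of `ss -Htln`
# Prints "PORT ADDRESS" for every TCP listener that is not bound to
# loopback and whose port is not in the allowlist.
exposed_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            if (!(port in ok)) print port, addr
        }
    ' | sort -n
}

# Constructed sample in `ss -Htln` layout: the daytime service (13) and
# MySQL (3306) are listening on all interfaces, CUPS (631) only on loopback.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 80   0.0.0.0:3306   0.0.0.0:*
LISTEN 0 128  127.0.0.1:631  0.0.0.0:*
LISTEN 0 128  [::]:13        [::]:*
LISTEN 0 128  [::]:22        [::]:*
LISTEN 0 511  *:80           *:*
EOF
}

sample_listeners | exposed_listeners "22 80"
# Live use: ss -Htln | exposed_listeners "22 80 443"
```

Each line of output is a service to stop, rebind to loopback, or filter in the firewall.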
4.) Test accounts or guest accounts still active
Another glaring security issue (and an often exploited one) is that a client will still have test user accounts active (often with extremely easy passwords, such as test) once a software solution is deployed to a production server. I don’t need to go into the security ramifications of this one. Make sure that you get rid of those guest or test accounts!
5.) Advertising banners left on
We all love advertising, don’t we? However, advertising to the world that the version of Apache or Sendmail that you run on your Linux server is 3 years old is not the type of attention that you want. Simply disabling the server banners will help hide your server from the basic script-dependent attackers. Besides, why help the bad guys determine what software your server is running?
6.) PHP errors or application errors
I’m pretty confident that we have all seen an error or two displayed on a website. Some errors that are displayed are not a security issue at all, for instance JavaScript errors. However, some errors are security issues (PHP is particularly bad with this), because they disclose sensitive information. The easiest way around this is to disable displaying errors in PHP (or your web applications). Otherwise, an attacker may be given information about your website’s database details or file locations.
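
To verify steps 5 and 6 on your own server, the following added example (not part of the original article) scans a raw HTTP response for version banners and PHP error text. The function names and both sample responses, including version numbers and paths, are constructed; the hardened sample assumes Apache's `ServerTokens Prod` and PHP's `expose_php = Off` and `display_errors = Off`.

```shell
#!/bin/sh
# leak_check < raw HTTP response (status line, headers, blank line, body)
leak_check() {
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF line ends
        !body && $0 == "" { body = 1; next }        # blank line ends the headers
        !body && tolower($1) == "server:" && $0 ~ /[0-9]+\.[0-9]+/ {
            print "banner: " $0                     # version number in Server
        }
        !body && tolower($1) == "x-powered-by:" { print "banner: " $0 }
        body && /(Warning|Notice|Fatal error|Parse error)(<\/b>)?: .* in .* on line / {
            print "php-error: " $0                  # message reveals a file path
        }
    '
}

leaky_response() {      # constructed sample: banners on, display_errors on
    cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4
X-Powered-By: PHP/5.2.4
Content-Type: text/html

<b>Warning</b>:  mysql_connect(): Access denied for user 'shop'@'localhost' in <b>/var/www/shop/db.php</b> on line <b>12</b><br />
EOF
}

hardened_response() {   # constructed sample: banners and error display off
    cat <<'EOF'
HTTP/1.1 500 Internal Server Error
Server: Apache
Content-Type: text/html

<h1>Something went wrong</h1>
EOF
}

leaky_response | leak_check
hardened_response | leak_check
# Live use against your own server: curl -si http://localhost/ | leak_check
```

With error display off, keep `log_errors = On` so the same messages still reach the server log.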
These issues are the top 6 security issues that I see on a daily basis in my work. You can all check your server or servers for these quick issues (these tips take almost no time at all), and dramatically increase the security of your server. However, if you have any problems implementing these security steps, please feel free to contact me.

on August 6, 2008 at 5:33 pm
It depends entirely on what the server is expected to do.
If you are looking for a stable and secure platform for services that are to be exposed to the internet you may choose one platform, if you are looking for something that easily integrates with a windows environment and has lots of pretty widgets for administration you may choose another.
A great deal of it comes down to the personal taste of the administrator, what type of package management system (RPM, Deb, Pkg, etc) he prefers, and what type of start up scripts/directory structures he's comfortable with.
Ultimately most of the major linux distributions have something unique and desirable to offer (otherwise they wouldn't be around for too long).
One other thing that may influence the decision is the need for commercial applications, you are more likely to use one of the "big box" flavors if you need Oracle or other business software support.
Finally, it depends on the size of the support staff at the company in question and how heavily they will need to lean on the support (or lack thereof) provided by the software distributor.
on August 6, 2008 at 5:49 pm
Can you install other window managers such as Enlightenment, IceWM, or Fluxbox (lighter than Xfce, KDE, or Gnome IMO) in this Ubuntu server?
on August 6, 2008 at 6:06 pm
Crap comment, no more of this shit please.
on August 6, 2008 at 6:48 pm
Best thing about Linux is that you can practically run it on anything. To comfortably fetch up websites and files using say Ubuntu linux, you should probably look for something equivalent to a later model Intel P3 or AMD Athlon (hopefully in the 1GHz range), 512MB or more RAM (you can comfortably run Ubuntu with 256MB, but for web server usage, you'll probably want more than that), and a good deal of hard disk space. A gigabit ethernet NIC is recommended, but you can do fine with a standard 10/100 NIC.
I'd suggest going on eBay or browsing through your local classified adverts, finding a used computer, and then simply installing some extra hard drives into it. I reckon you can build a very speedy and reliable server for less than $250 total!
on August 8, 2008 at 7:49 pm
I doubt you have any good reason to switch (i.e. someone said you should but you don't understand why). I doubt you know what would happen if you switched. I also doubt you asked godaddy how to do it.
on August 9, 2008 at 12:04 pm
crap video, no more of this shit please