Posts Tagged 'Firewalls'

April 23, 2014

Security: 10 Tips for Hardening a Linux Server

In light of all the complex and specialized attacks on Internet-facing servers, it’s very important to protect your cloud assets from malicious assailants whose sole purpose is to leech, alter, expose, or siphon sensitive data, or even to shut you down. As someone who does a lot of Linux deployments, I like to have handy a Linux template with some extra security policies configured.

Securing your environment starts during the ordering process when you are deploying server resources. Sometimes you want to deploy a quick server without putting it behind an extra hardware firewall layer or deploying it with an APF (Advanced Policy Firewall). Here are some security hardening tips I have set on my Linux template to give a solid base level of security whenever I deploy a Linux system.

Note: The following instructions assume that you are using CentOS or Red Hat Enterprise Linux.

1. Change the Root Password
Log in to your server and change the root password if you didn’t use an SSH key to gain access to your Linux system.

  • passwd - Make sure it’s strong.
  • Don't plan on using root.

2. Create a New User
The root user is the only user created on a new Linux install. You should add a new user for your own access and use of the server.

  • useradd <username>
  • passwd <username> (Make sure this is a strong password that’s different from your root password.)

3. Change the Password Age Requirements
Change the password age so you’ll be forced to change your password in a given period of time:

  • chage -M 60 -m 7 -w 7 <username>
    • -M: Maximum number of days the password is valid
    • -m: Minimum number of days required between password changes
    • -w: Number of days before expiration that the user is warned

4. Disable Root Login
As Lee suggested in the last blog, you should Stop Using Root!

  • When you need super-user permissions, use sudo instead of su. Sudo is more secure than su: when a user runs root-level commands through sudo, every command is logged by default in /var/log/secure. Furthermore, users have to authenticate themselves to run sudo commands, and that authentication is only cached for a short period of time.

5. Use Secure Shell (SSH)
The rlogin and telnet protocols don’t use encryption; everything is sent in plain text. I recommend using the SSH protocol for remote login and file transfers. SSH encrypts the communication with your server. SSH is still open to many different types of attacks, though, so I suggest the following to lock it down a little bit more:

  • Remove the ability to SSH as root:
    1. Run vi /etc/ssh/sshd_config.
    2. Find #PermitRootLogin yes and change it to PermitRootLogin no.
    3. Run service sshd restart.
  • Change the default SSH port (22). You can also use RSA keys instead of passwords for extra protection.
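Steps 1 through 5 gathered into one script, as an added example that is not code from the original post. The sshd_config edits are written as functions that take the file path as a parameter, so they can be rehearsed on a copy before touching /etc/ssh/sshd_config; the user-provisioning function needs root and interactive password prompts, so it is defined but never run automatically. Assumptions: port 2222 is just an illustrative non-default port, and the wheel group is enabled in /etc/sudoers (check with visudo).

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-5 of the checklist as
# reusable functions. Config edits take the file as a parameter so they can
# be rehearsed on a copy of /etc/ssh/sshd_config before the real one.

# Set KEY to VALUE in an sshd_config: replace an existing (possibly
# commented-out) line, or append the directive if it is not there at all.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Effective value of a directive: sshd uses the first active occurrence.
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Step 5: no root over SSH, a non-default port, keys instead of passwords.
# harden_sshd_config FILE [PORT]   (PORT defaults to 2222, an arbitrary choice)
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" Port "${2:-2222}"
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
}

# Steps 1-4: new root password, admin user with aging policy and sudo rights.
# Requires root and interactive prompts, so it is never invoked here.
# Assumes "%wheel ALL=(ALL) ALL" is enabled in /etc/sudoers (verify with visudo).
provision_admin_user() {
    user=$1
    passwd root                            # step 1: strong, unique root password
    useradd -m "$user" && passwd "$user"   # step 2: own account, different password
    chage -M 60 -m 7 -w 7 "$user"          # step 3: valid 60 days, min 7 between changes, warn 7
    usermod -aG wheel "$user"              # step 4: sudo via the wheel group instead of su
}

# Rehearsal on a constructed sshd_config in a temp dir: sh harden.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '#PermitRootLogin yes\n#Port 22\nPasswordAuthentication yes\n' > "$d/sshd_config"
    harden_sshd_config "$d/sshd_config" 2222
    cat "$d/sshd_config"
    echo "PermitRootLogin is now: $(sshd_option "$d/sshd_config" PermitRootLogin)"
    rm -rf "$d"
fi
```

When applying this to the real file, run sshd -t to validate the configuration, then service sshd restart, and keep your existing session open until a fresh login on the new port with your key succeeds; otherwise a typo in the port or key setup locks you out of the box.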

6. Update Kernel and Software
Ensure your kernel and software patches are up to date. I like to make sure my Linux kernel and software are always current because patches with fixes for security flaws and exploits are released constantly. Remember that you have access to SoftLayer’s private network for updates and patches, so you don’t have to expose your server to the public network to get them. On Red Hat or CentOS, run this with sudo to get updates: yum update.

7. Strip Your System
Clean your system of unwanted packages. I strip my system of unnecessary software to avoid the vulnerabilities that come with it. This is called “reducing the attack surface.” Packages like NFS, Samba, and even the X Window desktops (e.g., GNOME or KDE) contain vulnerabilities. Here’s how to reduce the attack surface:

  • List what is installed: yum list installed
  • Check a specific package: yum list <package-name>
  • Remove the package: yum remove <package-name>

8. Use Security Extensions
Use a security extension such as SELinux on RHEL or CentOS when you’re able. SELinux provides flexible Mandatory Access Control (MAC); running a MAC-enforcing kernel protects the system from malicious or flawed applications that could damage or destroy it. You’ll have to explore the official Red Hat documentation, which explains SELinux configuration. To check whether SELinux is running, run sestatus.

9. Add a Welcome/Warning
Add a welcome or warning display for when users remote into your system. The message can be created using the MOTD (message of the day). The MOTD’s sole purpose is to display messages on console or SSH session logins. I like my MOTDs to read “Welcome to <hostname>. All connections are being monitored and recorded.”

  • I recommend editing it with vi /etc/motd

10. Monitor Your Logs
Monitor logs whenever you can. Some example logs that you can audit:

  • System boot log: /var/log/boot.log
  • Authentication log: /var/log/secure
  • Login records: /var/log/utmp or /var/log/wtmp
  • General system messages and current activity: /var/log/messages
  • Authentication logs: /var/log/auth.log
  • Kernel logs: /var/log/kern.log
  • Crond logs (cron jobs): /var/log/cron.log
  • Mail server logs: /var/log/maillog

You can even ship these logs to a separate bare metal server to prevent intruders from easily modifying them.
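An added example (not from the original post) of what “monitor your logs” looks like in practice: a few shell functions that run over lines in the format sshd and sudo write to /var/log/secure on CentOS, counting failed SSH password attempts per source address, flagging sources over a threshold, and listing the sudo invocations that step 4 relies on. The log lines are constructed for the example, with documentation address ranges and made-up hostnames and users.

```shell
#!/bin/sh
# Added example, not from the original post. Audits /var/log/secure-style
# lines: failed SSH logins per source address and sudo usage (step 4).
# Usage: failed_ssh_by_ip /var/log/secure ; sudo_commands /var/log/secure

# Constructed sample in the format sshd/sudo write on CentOS (addresses from
# documentation ranges; hostname and user names are made up for the example).
sample_secure_log() {
    cat <<'EOF'
Apr 23 10:01:02 web01 sshd[2301]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr 23 10:01:05 web01 sshd[2301]: Failed password for root from 203.0.113.5 port 40123 ssh2
Apr 23 10:01:09 web01 sshd[2305]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Apr 23 10:02:11 web01 sshd[2310]: Accepted publickey for dhaswell from 10.20.30.40 port 51000 ssh2
Apr 23 10:03:40 web01 sshd[2320]: Failed password for invalid user test from 198.51.100.77 port 2200 ssh2
Apr 23 10:04:00 web01 sudo: dhaswell : TTY=pts/0 ; PWD=/home/dhaswell ; USER=root ; COMMAND=/bin/yum update
EOF
}

# Failed SSH password attempts per source address, most frequent first.
# Output lines: "<count> <ip>".
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
        }
        END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Source addresses at or above THRESHOLD failures (default 3): candidates
# for a firewall block or closer investigation.
ssh_brute_force_sources() {
    failed_ssh_by_ip "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# Every command run through sudo, one per line (sudo logs these by default).
sudo_commands() {
    awk -F'COMMAND=' '/ sudo: / { print $2 }' "$1"
}

# Demo on the constructed sample: sh audit.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp); sample_secure_log > "$f"
    echo "Failed SSH attempts by source:"; failed_ssh_by_ip "$f"
    echo "Sources over threshold:";      ssh_brute_force_sources "$f" 3
    echo "sudo commands:";               sudo_commands "$f"
    rm -f "$f"
fi
```

Run against the real file as root (the log is not world-readable) or from a cron job that mails the output; a source that shows up with dozens of failures against accounts you never created is the signature of a password-guessing run, which is also the argument for the key-only SSH setup in step 5.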

This is just the tip of the iceberg when securing your Linux server. While not the most secure configuration, it gives you breathing room if you have to deploy quick servers for short-duration tests, and so on. You can build more security into your server later for longer-lived, more permanent servers.

- Darrel Haswell

Darrel Haswell is an advisory SoftLayer Business Partner Solution Architect.

May 26, 2009

Be Prepared

The biggest headache in owning an IT company is security. It’s also one of those things, especially for a smaller company, that you don’t think you need until something happens. This always reminds me of when I was in the Boy Scouts: “Be Prepared.”

IT security is a big business, but there are a lot of things we can do to prepare ourselves so we don’t have to spend hundreds or even thousands of dollars. Everyone in the IT world has to spend money on this one way or another, whether it is your own time securing your services or paying someone to do it for you. If you don’t do either, you’re going to end up losing money when you do get attacked or hacked.

The key is to be proactive, not reactive. If you are always running after something, it’s harder to catch than if you’re in front of it, ready for it to come. So what we need is a plan, or maybe two. One plan is needed to set up security, and a second should be used to keep an eye on what is going on so things don’t get out of hand.

Some may not know where to start when it comes to securing a server. You are in luck: I am going to go over the simplest and most important steps to securing your server.

HOST ACCESS

This is the most important step in security. You don’t want people to be able to gain access to your system. There are some very simple steps to prevent this.

1. Remote Console

The first thing you should do when setting up your server is to restrict remote access to it.

1 = Change the access port (you can change the access port of both sshd and Remote Desktop)

2 = Use a secure password (SoftLayer has tools in the portal just to help you make a secure password)

3 = Only allow remote access connections from trusted networks (this can be done with a firewall solution)

SoftLayer provides one solution that makes this really easy: our internal network and VPN. You can just set up your software to allow connections from the 10.0.0.0/8 network and you are now protected!

2. Firewalls

This is a must have, and the good thing is that software firewalls are FREE. Both Windows and Linux come with firewalls; now we just have to set them up. Setting up firewalls can sometimes be hard, but most people don’t need anything fancy: accept the services you use, and deny everything else. Also remember that if you do want remote access available via your public IPs, you really should restrict those ports via a firewall to make sure only your networks can reach them.
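The “accept what you use, deny everything else, and keep remote access to your own networks” rule, written out as a ruleset generator. This is an added example and not code from the original post: it emits an IPv4 ruleset in iptables-restore format for a CentOS/RHEL box, with SSH accepted only from the trusted network (the demo uses the 10.0.0.0/8 private network mentioned above and port 2222, both just illustrative) and the listed public services accepted from anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: a default-deny IPv4 ruleset in
# iptables-restore format. Remote administration (SSH) is only accepted from
# the trusted network, public services from anywhere, everything else dropped.
# Assumes CentOS/RHEL with the iptables service; CIDR and ports are parameters.

# build_firewall_rules TRUSTED_CIDR SSH_PORT [PUBLIC_TCP_PORT ...]
build_firewall_rules() {
    trusted=$1; ssh_port=$2; shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s $trusted -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
EOF
    # Public services: one unrestricted accept rule per port.
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Self-check on a ruleset read from stdin: is there an accept rule for PORT
# with no source restriction? Returns 0 (true) if the port is open to the world.
port_open_to_world() {  # port_open_to_world PORT < ruleset
    grep -Eq -- "^-A INPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT$"
}

# Install the rules atomically and persist them across reboots (root only,
# CentOS 6-style iptables service). Not invoked here.
apply_firewall_rules() {
    build_firewall_rules "$@" | iptables-restore && service iptables save
}

# Demo: SSH on 2222 only from 10.0.0.0/8, HTTP and HTTPS public.
if [ "${1:-}" = demo ]; then
    build_firewall_rules 10.0.0.0/8 2222 80 443
fi
```

Apply it from the private network or a console session and keep that session open: with the INPUT policy at DROP, a wrong CIDR or port in the SSH rule locks you out. The generated text is exactly what /etc/sysconfig/iptables holds on a CentOS 6 box, so it can also be reviewed and saved there by hand.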

AUDITING

This is the next most important step in being proactive. The great thing is that, yet again, SoftLayer provides you with the tools for FREE!

1. IDS (Intrusion Detection System)

This technology works by looking at all the little packets coming in and deciding whether each is bad traffic or good traffic. The hardware and software for this can be very hard to set up and/or very expensive. But you don’t have to worry about this: SoftLayer has farms of IDS hardware there for you, FOR FREE!

2. Scanning

1 = Virus

You will always want to make sure your data is clean, and the best way to do that is a weekly virus scan of your machine. The great thing is we also provide you with the software to do this for FREE!

2 = Network

One of the best ways to look for security problems is to have someone run a network scan on your system. These tools let you find all the holes that you may need to patch so that your system is secure. Yet again, SoftLayer provides you this tool for FREE!

So there you have it: a short list of things to do that will help you keep your data safe and out of the hands of hackers. Security is very important to you as an owner, and for your customers. Just remember, if you are proactive, you can cut out a lot of the headaches later on. The other thing to keep in mind when doing this stuff for the first time is to document your steps. Now that you have done all the leg work once, you have a checklist on how to do it every time your business expands and you order a new server.

May 6, 2009

Always Use Protection

When it comes to managing a server, remember you can never be too careful. In this day and age we face a lot of things that can damage a server or even bring it to its knees. Here are a few things for everyone to consider.

Anti-virus:

This is a must on systems open to the net nowadays. There are always nasty little things floating around looking to take your server apart from the OS out. For Windows servers there are a multitude of choices, and I’ll just mention a few that can help protect your goods. You can use programs such as avast (which offers a free edition), ClamWin (open source), Kaspersky, and Panda, just to name a few. I would suggest that before installing any of these you check links such as http://en.wikipedia.org/wiki/List_of_antivirus_software, to name one, which provides a list of several choices and their compatibility. You may also want to read reviews that compare the available options and give you an idea of what to expect from them. This will allow you to make an informed choice on which one works best for you. With Linux there are also several options for this, including the well known ClamAV, which from personal experience works really well and can be installed on a variety of Linux distros (distributions). It’s very simple to use and may prevent a headache later on down the road.

Firewalls:

Firewalls are a double-edged sword but are most definitely needed. A firewall can save you quite a bit of headache; however, if it is set up too strictly it can block legitimate traffic and even keep you from reaching your own server. In the long run it is a definite way to help protect your server from unwanted visitors. A lot of firewalls also have modules and add-ons that further assist in protecting you and securing your server. If in doubt, it’s always a good idea to have a security company do an audit and even a security hardening session with your server to make sure you are protected in the best way possible.

Passwords:

This is probably one of the most important things you can do to secure your server. Use strong passwords (no, “password” or “jello” is not a secure password even if it is in all caps), and if you are worried about not being able to come up with a secure one, there are several password generators on the web that can come up with secure ones to assist. Passwords should contain capital letters, numbers, and symbols, and should be at minimum 8 to 10 characters (the more the better). It’s the easy-to-remember and easy-to-read passwords that get you into trouble.

Armed with this information, and so much more on security that can be found on the web using the great and all-powerful Google, you should have a good start on making sure you don’t have to worry about data loss and system hacks. Also remember, no matter how secure you think you are, make regular backups of all your important data, as if your server could crash at any time.
