Saturday, September 19, 2009

Top Tips for Protecting Your Linux Servers

Unless you have been living on a strange planet somewhere outside our universe, you will have noticed that more and more companies are moving from Microsoft Windows based servers to Unix/Linux platforms, for reasons ranging from cost to security concerns.

If you or your company are part of that trend, the question is how to ensure that your setup is as secure and robust as possible. It's one thing to move to a more trusted and secure platform; it's another to keep a tight lid on it so that you do not leave your system open to unauthorised access from just about anyone.

In this post, I will try and list a few of the vital steps you should take to ensure that your system is not porous.
  • Make sure no one can browse the directories
  • Make sure only root has write privileges to everything, and only root has read privileges to certain config files
  • Run mod_security

One of the most important things you should decide on is which ports should be open to the outside world. For most people, the only port necessary is the default HTTP port 80. Only root should have write access to the system. It is almost impossible to find a company without a database of some sort these days, so if you have one, make sure that the root account details are changed.

If you must connect remotely to your server, make sure you open SSH port 22 and disable your root account on your server. Create a user on your MySQL database with limited privileges, and review those privileges to remove any that are not required.
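
The tips above can be checked with a short script. This is an added example, not code from the original post: the function names are made up for illustration, the configuration files are passed in as arguments, and the `ss -ltn` listing is constructed sample data.

```shell
#!/bin/sh
# Added example: audit helpers for the tips above. File paths are arguments;
# the port allow-list (80, 22) follows the post.

# Succeeds only if sshd_config explicitly sets "PermitRootLogin no".
# sshd uses the first value it finds for a keyword, so only that one is read.
# Assumption: no Match blocks or Include files override it.
root_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Succeeds if no active Apache "Options" line enables directory browsing
# (Indexes, +Indexes or All).
dir_listing_disabled() {
    ! awk 'tolower($1) == "options" {
               for (i = 2; i <= NF; i++)
                   if (tolower($i) ~ /^[+]?(indexes|all)$/) found = 1
           }
           END { exit !found }' "$1"
}

# Prints files and directories under $1 that group or other may write to.
loosely_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Reads `ss -ltn` output on stdin; prints non-loopback listening ports that
# are not in the allow-list passed as arguments.
unexpected_ports() {
    allowed=" $* "
    awk 'NR > 1 && $4 !~ /^(127\.|\[::1\]:)/ { n = split($4, a, ":"); print a[n] }' |
    sort -un |
    while read -r port; do
        case "$allowed" in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# Constructed `ss -ltn` output (not captured from a real host).
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511                *:80              *:*
LISTEN 0      151          0.0.0.0:3306      0.0.0.0:*
EOF
}
sample_ss | unexpected_ports 80 22   # prints 3306: MySQL exposed on all interfaces
```

On a real host, pipe the output of `ss -ltn` into `unexpected_ports` and point the other functions at your own sshd and Apache configuration files and web root.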

As crazy as it may sound, you should not announce to the world that you run your own server on your home or office connection. You never know who might come after your setup - that's another reason why you should not run your apps under the root account. It also helps if you have a dynamic IP - this way you can't be hammered endlessly. A simple restart gets you a new IP.

Finally, bear in mind that you're opening up a can of worms as soon as you start opening anything up to external traffic. Remember that what you consider an experimental server, almost like a sacrificial lamb, is also easy pickings for people looking to do bad things with your network and resources.
