How to secure a server
A locked gate is an obstacle, but a skilled attacker can easily defeat it. Now, what if this gate has 10 different kinds of locks, is rigged with an alarm, and leads to a mine field? Yeah, that would dissuade a vast majority of attackers. This approach to security is called Defense in depth. Server security experts use a similar approach called Layered security to keep out attackers.
From hiding critical information, to IP based access restrictions, there are a wide array of defenses that can be deployed on a server. So, even if an attacker manages to bypass one layer, there’ll always be another defensive layer to take its place.
Today, let’s take a look at how to secure a server using Layered security.
1. Protect and update system software
Vulnerable software is perhaps the most popular way for hackers to gain access to a server. Software vulnerability results from using outdated or non-authentic software. Here are the various ways in which you can ensure your software packages are secure:
- Update software packages periodically – Configure the package management software (such as Yum) to send you notification when an update is available.
- Delete unwanted packages – Default OS installs contain packages you may not need. For eg. a database server need not have web server components.
- Apply security updates ASAP – Auto updates can be configured for security updates. For eg., in Redhat compatible systems yum-security plugin can be used for this purpose.
- Use only verified, authentic repositories – Get application repos only from official repositories cross verified using PGP signature.
- Protect your base repos from being overwritten – If you use multiple sources for your software, protect your core system libraries from accidental deletion. For eg., in RedHat compatible systems, you can use “yum-protectbase” for this purpose.
2. Enforce strong user account security
Why break down the door, if you have the key? Valid login details are the equivalent to getting a key to a well secured door. It is the path of least resistance and often over-looked by server administrators. Attackers use phishing, brute forcing, or social engineering to steal login details. Here are a few tips to secure user accounts:
- Prevent account setup with empty passwords – Configure the account setup policies and/or scripts so that a password is mandatory to setup an account.
- Enforce use of strong passwords – Users tend to set easy to remember, short passwords, but it is often vulnerable to dictionary attacks. Enforce use of long passwords.
- Setup password expiry – The longer a password remains unchanged, the more time an attacker has to guess the right login combination. Force periodic password resets.
- Prevent use of old passwords – Some attackers keep pilfering sensitive information using stolen passwords. Changing passwords periodically can block this, but it won’t work if the user sets the old password. So, prevent re-use of passwords.
- Lock account after login failures – Hackers use automated tools that push in hundreds of passwords per minute to get a working combination. You can prevent it by setting the account to lock after a few login failures.
- Use IP restriction where possible – For sensitive users such as administrators, limit logins to a pre-approved set of IPs.
- Restrict permissions of user accounts – Build a security policy that prevents users from listing other system users, or navigating out of their home directories.
- Setup centralized authentication to avoid exploits via unused accounts – Old accounts or test accounts are a favorite loophole for attackers. Centralized user management systems such as LDAP can help you easily audit and remove old accounts.
- Configure secure authentication systems to block password snooping on the network – Attackers can sniff our username/password pairs sent across networks. Use of secure authentication systems like Kerberos avoid sending passwords across the network, thereby foiling sniffing attacks.
- Consider using 2 factor authentication – For critical accounts, such as administrative accounts, setup 2 step authentication.
- Educate users on good security practices – Publish a page on your website explaining how Phishing, Social Engineering, Trojans or other malware can be used to steal login details.
3. Lock down public facing services
Much like how open windows are access points to a house, open ports are access points to a server. Unsecured ports and services are easy entry points for attackers. Here’s how you can lock down public facing ports:
- Disable un-used services from auto-start – In a default OS installation, many services are set to auto-start. This will open ports to the public, which may not be secure. So, disable all services you do not need.
- Enable SSL in all services – Many services such as Web, Mail, FTP, etc. require end-users to authenticate to access services. Attackers can steal these login details by listening to the traffic. To prevent this, enable encryption for all services.
- Monitor open ports and sockets – Many kinds of malware (such as RATs or Bots) open a communication link to their malicious handlers using non-standard ports. So, it is important to monitor if any new ports or sockets were opened without your knowledge.
- Monitor for malware taking over standard service ports – Some malware are known to kill standard services such as FTP or POP3, and occupy their ports. A service listing will show nothing out of ordinary, nor will a firewall block such a port. Use specialized tools to monitor such “port hijacking”.