Linux Server Setup: Part 3 - Basic Security

Updated: August 12, 2010

Preventative Measures

A preventative measure is a tool or component set in place to deter hackers or bots from attacking a server and to forcibly stop them if they still try. These tools range from physical safety devices to software programs designed to detect exploits or viruses.

Firewall

Some believe that security begins and ends with the firewall. If that were the case, most sites would be hacked on a regular basis. A firewall is a network application that prevents unauthorized use of network ports and protocols. Since it still allows authorized use, an attacker can still easily attack the server using an authorized method, such as accessing a website. Nevertheless, a firewall is necessary and can lessen the number of possible attacks and their effects.

For a dedicated server, you will normally have two firewalls. The first line of defense will be the router firewall. In a data center, a server may be connected to a router with several other servers. The router's firmware should have firewall software built into it.

The second line of defense is a software firewall installed on the server. Linux has built-in kernel firewall support, and system administrators can access it through software called iptables. Some Linux distributions have frontends for iptables, and you can also install additional software, such as APF (Advanced Policy Firewall), for easier firewall configuration.

OS Security

Linux is regarded to be one of the most secure operating systems, but keeping it secure still requires effort. Whenever Linux developers find a vulnerability in the kernel, they will create a patch to fix it. These patches are usually applied to new security release versions that Linux distributions will pick up and push out to their users. For that reason, you need to perform regular updates of your server's operating system.

Other OS security to consider:

  • Rotate passwords, and make sure they are strong
  • Keep file permissions as strict as possible
  • Move user /home directories, and the /tmp directory onto separate partitions with limited permissions
  • Chroot users within virtual file systems, especially if you are using virtual private servers (VPS)

Software Security

Any Linux software that interacts with the network needs to be secured. Some of the most important software applications to secure are (examples in parentheses):

1. Web Server (Apache)

With web servers like Apache, security is always going to be a concern. That is because it is the most exposed piece of software on the server. Anyone with a web browser can access it through your websites.

Because HTML is designed to be a one-way presentation, static sites are usually secure, but most modern sites have dynamic components, such as server-side scripting languages (PHP, ASP.Net, Python, etc.). By creating dynamic web applications, you also make your website more vulnerable, since attackers can search for vulnerabilities in the code and formulate URLs to exploit them.

The first method of preventing exploits is to test your code for cross-site-scripting (XSS) weaknesses and other vulnerabilities. You should also keep any content management systems or other third-party web applications updated.

The second prevention method is to use an application firewall, such as ModSecurity. Rather than blocking attackers from unauthorized ports, ModSecurity takes care of the most vulnerable authorized one, which is the web server's port. It does this by limiting what Apache can do with various scripting languages, effectively preventing web applications from unintentionally allowing someone to take over a portion of the server. It also allows for tweaking and customization to suit your specific security needs.

2. Mail Server (Postfix)

Mail servers can be hot spots for security breaches and unwanted solicitation. To prevent your mail server from being exploited, consider the following:

  • Test your mail server for an open relay. If it is open, close it.
  • If you are not using your mail server at all, disable it and close all email ports (25, 110, etc.).
  • Require authorization for sending and receiving mail.
  • Use SSL encryption for mail transactions.
  • Use an automated mail scanning tool, such as MailScanner.
  • Use spam-catching software, such as SpamAssassin.
  • Use anti-virus software, such as ClamAV.
  • Limit the number and frequency of open connections.

3. Shell access and file transfer (SSH and FTP)

  • Disable Telnet completely. Do not use it.
  • Disable SSH for all but the necessary users.
  • Do not allow direct root user login.
  • Require regular changing of user passwords.
  • Prefer SFTP and other secure transfer methods over plain FTP.
  • Chroot users to their home directories in FTP.
  • Limit the number of possible connections.

Defensive Measures

To defend a server under attack, the first thing to do is find out what exactly is happening. An attack could come from a vulnerable script run by the web server. If so, patching the script will usually stop the attack. On the other hand, an attack on the mail server through repeated requests can be stopped by limiting the number and frequency of requests. Often times, a defensive measure will require the implementation of a preventative measure that should prevent future attacks.

You can also use software and a variety of free and paid services to scan your server for exploits and offer solutions to fix them. These include rootkit scanners, virus scanners, server monitoring systems, and website vulnerability tests. Find the cause of the problem and fix it as soon as possible.

In rare instances, the attack on your server may be due to an exploit in actual system software. In those cases, you may have to temporarily disable the software and upgrade to a newer, more secure version. If there is no newer version, you may need to report the exploit to the software developers, who will then release a fix as soon as possible. You may find that they are already aware of the problem and offer a temporary workaround.

Featured Research