Server Security Basics
From SuperbHosting Support Wiki
The Basics of Dedicated Server Security
Having a Security Policy
A good security policy can help you keep organized and learn from any mistakes or oversights encountered while administrating your server. A good security policy is designed to provide balance between usability and security of any server or service. Ultimately if you want your server to be secure from hackers on the Internet you should disconnect it from the Internet and turn it off. This is 100% secure but 0% usable. A balance needs to be found somewhere in between.
You must decide beforehand who will have access to what services and information on the server. Should the public be able to access the database service on your server (like MySQL or MSSQL) or is this something you only want the scripts on the server to be able to access? Do you want all of your users to be able to connect to the server with SSH or only the administration staff? These are just two of the many considerations you should weigh when defining your security policy. A firewall is a very useful tool for enforcing these types of security policies. File permissions and file ownership on the server will help enforce other policies, such as user "A" cannot read or write files owned by user "B".
Passwords
Ensure that *all* passwords used on your server are complex and protected. The minimum requirements for a password should be:
- At least five characters
- No dictionary words
- Mixed Case
- Contain at least one number
- A mix between numbers and letters
Attackers use lists of commonly used passwords and even known username:password pairs that have been used in the past. An example of a commonly used username/password pair would be a person's first name as the user name and that person's last name as the password. A list of commonly used passwords (that attackers might try) can be found at http://www.openwall.com/passwords/wordlists/password.lst.
Even if a password is not on the list above but is not sufficiently complex
A good password generator can be found at https://www.pctools.com/guides/password/.
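As an added illustration (not part of the wiki page), the POSIX shell function below checks a candidate password against the minimum rules listed above; the embedded wordlist is a constructed stand-in for the openwall list the page links to, and the substring check treats any listed word inside the password as a "dictionary word".

```sh
#!/bin/sh
# Constructed stand-in for the common-password list linked above (a handful of entries).
WORDLIST="password
letmein
qwerty
monkey
dragon
summer"

# check_password PASSWORD
# Prints the first rule the password fails and returns 1, or prints "ok" and returns 0.
check_password() {
    pw=$1
    # Rule: at least five characters
    if [ "${#pw}" -lt 5 ]; then
        echo "too short (${#pw} characters, minimum 5)"; return 1
    fi
    # Rule: no dictionary words (case-insensitive, anywhere inside the password)
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for w in $WORDLIST; do
        case $lower in
            *"$w"*) echo "contains the common word '$w'"; return 1 ;;
        esac
    done
    # Rule: mixed case
    if ! printf '%s' "$pw" | grep -q '[[:upper:]]' || \
       ! printf '%s' "$pw" | grep -q '[[:lower:]]'; then
        echo "needs both upper- and lower-case letters"; return 1
    fi
    # Rule: at least one number, mixed with letters (mixed case already guarantees letters)
    if ! printf '%s' "$pw" | grep -q '[[:digit:]]'; then
        echo "needs at least one digit"; return 1
    fi
    echo "ok"
    return 0
}

# Usage: check_password 'Tr0ub4dour' prints "ok"; check_password 'Dragon42' is rejected
# because it contains a listed word even though it satisfies the other rules.
```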
Remote Access
Remote access via most protocols should be limited to the bare minimum that the person who has been granted access _needs_ to perform their tasks. One should not be afraid to give minimum access and ask that person to request special operations to be performed by someone with more access. Examples of remote access protocols are SSH, Terminal Services (RDP), FTP, VNC etc.
Some of the most common issues around remote access are:
- Too many people having root access to the server and therefore no one is accountable for its security
- Not enough levels of remote access security and therefore someone can login to the server directly as root via SSH. This requires cracking only one password, versus logging in as a regular user with access to use "su" or "sudo" and providing an additional password to execute processes as root.
- Not limiting connectivity to the remote access service with a firewall rule or the use of a service's ability to deny connections except those from certain IP addresses.
- Anonymous FTP should be AVOIDED at all costs unless absolutely necessary and special provisions have been made to avoid abuse by third parties who want to use your disk space and monthly traffic to trade pirated works.
Firewalling Techniques
Firewalls can not only be used to keep traffic from reaching your server, they can also provide protection by filtering what traffic can leave your server destined for other remote hosts. This filtering of inbound and outbound traffic is known respectively as ingress and egress filtering.
A common example of an attack on many web servers is to execute an arbitrary command on the server through the web browser to fetch a malicious script from a server somewhere else in the world and then execute it. If a server administrator were to limit a server's ability to make outgoing connections to port 80 (http), it would not be possible for the miscreant to fetch the file from an external location and they would give up and move on to the next potential victim on their list.
All Except...
You may want to allow everything in and out of your server except for a few protocols you know are unwelcome or restricted to the public. An example of this would be one rule that blocked incoming SSH or RDP connections that did not originate from a specific IP address followed by another rule that allowed everything else. This is the simplest and most ineffective way to firewall a server. If you choose this method of filtering you should still consider filtering the egress traffic as well as the ingress traffic.
Nothing But...
This is a more complex method of filtering unwanted traffic to and from your server but is far more effective. It effectively gives you the ability to know exactly what your server can and will be used for by others, which in turn makes it easier for you to focus proactively on the security of specific services.
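As an added example (not from the wiki), the shell function below prints an iptables-restore ruleset in the "Nothing But..." style: every chain defaults to DROP, SSH is accepted only from the administrator's address (the firewall rule suggested in the Remote Access section), and egress is limited to DNS and HTTPS, so the outbound port-80 fetch described above is logged and dropped. It assumes a Linux web server with the conntrack and multiport match modules; the admin and resolver addresses are passed in by the caller (the ones in the usage line are constructed).

```sh
#!/bin/sh
# make_ruleset ADMIN_IP RESOLVER_IP
# Prints a ruleset for iptables-restore. Nothing is applied; review it, then load it with
#   make_ruleset 203.0.113.10 192.0.2.53 | iptables-restore
make_ruleset() {
    admin_ip=$1      # the only address allowed to reach SSH
    resolver=$2      # the only host the server may send DNS queries to
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies belonging to connections already accepted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ingress: public web service; SSH only from the administrator's address, other
# SSH attempts are logged before they hit the DROP policy
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin_ip -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "ssh-denied: "
# egress: DNS to one resolver and HTTPS for package updates; any other new outbound
# connection (including a fetch over port 80) is logged, then dropped by the policy
-A OUTPUT -p udp --dport 53 -d $resolver -j ACCEPT
-A OUTPUT -p tcp --dport 53 -d $resolver -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "egress-denied: "
COMMIT
EOF
}
```

The LOG lines are what make the policy observable: a burst of "egress-denied" entries from the web server's own process is the symptom of the fetch-and-execute attack described above, even when the rule stopped it.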
Types of Attacks/Hacks
Password Cracking
The two major types of password cracking methods are brute force attacks and decryption. Brute force attacks can be performed by repeatedly trying username and password pairs on your server until a working combination is found, or your shadow or SAM file can be downloaded and brute forced in an offline fashion. Scripts perform the first brute force method while programs like John the Ripper could perform the other.
Decryption is almost always performed offline - the cracker will have obtained your shadow or SAM file and attempt to use a program like l0phtcrack (now called LC5) on it.
We recommend trying these programs out yourself *on your own server* to see if you can crack any passwords you or your users are using.
Misconfiguration Exploits
An example of this would be allowing a miscreant to FTP a malicious file to a server and then utilize a poorly written php script to execute that script. FrontPage extensions are associated with this type of attack as well since under certain conditions they may allow for third parties to write to a site's HTML directories.
Web Application or Service Security Exploits
Web based applications or services (e.g. Webmin) are the most popular reason why most servers are exploited. The common usage of the http and https protocols on the Internet makes it difficult to detect attacks because of the sheer volume of traffic. Differentiating between regular web traffic and miscreant activity is difficult, and false positives are extremely common when attempts are made to do so.
Most of the tools used to perform these exploits are automated and scan large areas of the Internet within hours. Once some level of access is gained by a successful exploit a poorly written web application (even one .ASP or .php script) can provide an attacker with an avenue to:
- obtain sensitive files from the server (like the shadow or SAM file),
- instruct the server to download files from another server somewhere and execute them,
- use carefully crafted URLs to fool a web based application to include a configuration file from another web server that contains malicious instructions instead of configuration values,
- execute very serious exploits that give an elevated access level such as root to install other services or modified binaries that root kits contain and/or
- get their foot in the server's door just enough to utilize it as a jump-point to find more exploitable servers.
Denial of Service (DoS and DDoS)
This can be a very basic and usually targeted attack on a specific server or website that affects the performance or availability of a service on a server. This can also be a very elaborately planned attack designed to take out an entire network.
See Denial of Service Attack for more information.
