Web Hosting Talk

Best Security Measures


gagsplus
10-17-2001, 11:49 AM
What are the best security measures you can do to prevent unauthorized attacks on your server? Like I have a Red Hat 7 server. I know of some of the basic security features like a hosts.allow for IP address access.

Anything else you would suggest, maybe a website/guide. I also need to install Mod_gzip on the server to help compress the bandwidth.

Any suggestions would be helpful?

Shawn

allera
10-17-2001, 01:11 PM
Kill any services that you aren't using and kill telnet (use SSH instead). Use an up to date FTP server (ProFTPd 1.2.2 is a popular choice). Those are just the basics. Go to RH's site and look for security patches they have released for your version and apply them per their instructions. That'll secure up a lot of known holes. Also, use a firewall. :) Keep everything out unless you need it (port 80, 53, 25, etc). Take a look at Portsentry and Tripwire for added security.

As for mod_gzip, grab the .c file from their website and compile it using apxs. Using the -i option with apxs also installs it for you, ready to use. Then just edit your httpd.conf file to use mod_gzip and you should be set to go (check out their site for mod_gzip configuration in httpd.conf).

Hope that helps. :)

cperciva
10-17-2001, 01:16 PM
Originally posted by gagsplus
What are the best security measures you can do to prevent unauthorized attacks on your server. Like I have a Red Hat 7 server

The best security measure you could take would be to stop using Red Hat.

mkaufman
10-17-2001, 03:42 PM
Originally posted by cperciva


The best security measure you could take would be to stop using Red Hat.

Maybe Windows instead?? lol :D

The Prohacker
10-17-2001, 04:27 PM
What are the best security measures you can do to prevent unauthorized attacks on your server.


1. Don't hook it up to the internet....
2. Don't turn it on.....

Alan - Vox
10-17-2001, 04:51 PM
3) Cover in 6ft of concrete

gagsplus
10-17-2001, 09:14 PM
Thanks for being so professional guys, I really appreciate all your help. Makes me glad that you did not send me offers to host with you for those of you who are hosting.

I think security is a very important feature with the internet. I just love to read these hosts who fail their customers with not having any backups for like 3 weeks or whatever. Perhaps some hosts should not worry about having someone represent them on this board and working on having their own security.

All your responses have almost driven me away from this forum. I realize you're trying to be funny, but you could have at least given some real suggestions.

cperciva
10-17-2001, 09:22 PM
I think your problem is that you asked a very broad question -- one which cannot be usefully answered in less than a few thousand words. It's as if you asked "how can I best protect myself from being the victim of a terrorist attack?"... there are as many different methods of terrorism as there are terrorists in the world, and asking for the "best methods" is asking for the impossible.

MaB
10-17-2001, 09:25 PM
If you are running a DNS server: ours were hacked because of BIND, and when we ran BIND in a chroot it stopped the hackers (even though people can break out of chroot). There are howtos on sites like linux.com for that :)

allera
10-17-2001, 09:25 PM
I was being serious, and so was cperciva. :) I'd root for FreeBSD, OpenBSD, or Slackware Linux myself. They are known for being more secure "out of the box."

mlovick
10-18-2001, 11:10 AM
Visit www.cert.org for updates on security risks. They also have a step by step guide for recovering from a compromise. Very useful.

One of the best things to do is to shut down every service that does not need to be running. E.g. in a hosting environment you only really need POP3 to be running in the xinetd.

Good advice above is to kill telnet and go for SSH.

SSH into your box and run up2date

You will then be advised of all the latest advisories by Red Hat.

There's more but I am busy :)

node9
10-18-2001, 01:19 PM
Never trust default distro services :)

smash
10-18-2001, 07:23 PM
Fix the permissions. I don't know under Linux, but under FreeBSD, it is possible to read too many config files and to run too many programs compared with what a standard web hosting server requires.

/etc
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

are places you should check. Cut your users' access to all unneeded files. You could also prevent them from using the telnet/ssh client, if you don't want your users to use your server to hack other people, which would get you into trouble. Also disable access to compilers if you don't want them to compile their own client.

Be really careful with CGI scripts. The way most people run scripts is not secure (in my opinion). Use suEXEC or CGIWRAP.

Put limits on resources that can be used by your users (it is pretty easy with CGIWRAP).

Use "Options IncludesNOEXEC", and ask your users to use the <#virtual> command instead.

If you have PHP, make sure you run it either in safe mode or as a CGI through a wrapper (suEXEC/cgiwrap).

Linux might not be the best OS. I think the only advantage of Linux is hardware and software compatibility. I use FreeBSD for servers and Linux as workstation. For a server, you won't have trouble finding compatible parts and software under FreeBSD. No need to change OS right now, but in the future you should consider it :)

Also, don't run Sendmail/BIND, they are obsolete in my opinion. Look at http://cr.yp.to for excellent software (qmail, tinyDNS).

and this is only a beginning :)

Take care with the firewall: you can easily lock yourself out if the server is colocated/dedicated. Also, I configured a firewall under FreeBSD for one of my servers before shipping it to the NOC and they never got it running on their network. They charged me $300 for re-installing a system I spent months tweaking. (But I consider this is because of unqualified techs, used to the Windows way of things (doesn't work? re-install). Unix is not supposed to be like that).
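
The permission review smash describes above (the listed directories, and what ordinary users can read and run in them), as an added example that is not part of the original thread: a POSIX shell function that inventories files any local user can read, run or modify in those directories, plus setuid/setgid binaries. The `audit_perms` name, its optional root argument and the `--run` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: inventory what "other" users can read, run or change in the
# directories the post lists. Review the output; do not chmod blindly.

# Directories from the post, relative to the root being audited.
AUDIT_DIRS="etc bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin"

# audit_perms [ROOT]
# ROOT is an assumption of this example: it defaults to / and lets you audit
# a mounted image or a test tree instead of the live system.
audit_perms() {
    root=${1:-/}
    for d in $AUDIT_DIRS; do
        dir="${root%/}/$d"
        [ -d "$dir" ] || continue
        # Any local user can modify these: almost never intended.
        find "$dir" -xdev -type f -perm -0002 | sed 's/^/WORLD-WRITABLE /'
        # Run with the owner's or group's privileges: keep this list short.
        find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
            | sed 's/^/SETID /'
        case "$d" in
            etc)
                # Config files every user can read.
                find "$dir" -xdev -type f -perm -0004 \
                    | sed 's/^/WORLD-READABLE /' ;;
            *)
                # Programs every user can run (compilers, telnet/ssh clients).
                find "$dir" -xdev -type f -perm -0001 \
                    | sed 's/^/WORLD-EXEC /' ;;
        esac
    done
}

# Audit the live system (or the given root) only when called with "--run".
if [ "${1:-}" = "--run" ]; then audit_perms "${2:-/}"; fi
```

Expect legitimate entries in the output (for example, /etc/passwd has to stay world-readable); the list is a starting point for deciding what hosting users actually need.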