
View Full Version : Keeping a server secure
adamp 02-20-2001, 09:21 AM <newbie-esque question>OK, at risk of being flamed as a 'newbie FrontPage designer', does anyone have any useful tips on server security? I've just got a racklocation box which should be set up tomorrow and want to make sure it's not too vulnerable.
Thanks for any help you can give - it's much appreciated :)
</newbie-esque question>
PS: DreamWeaver kicks FP's ass, but there's no substitute for a good ol' text editor ;)
First of all, it is (nearly) impossible to make a server invulnerable.
The hint is to keep updated about exploits and software updates.
Not installing any software you don't need is another one.
However I prefer the following resources:
http://www.redhat.com/
http://www.securiteam.com/unixfocus/
If anyone knows better resources, feel free to post :)
Using a firewall is also a good thing. But it isn't simple at all. There are some docs out there. The best way to look for them is a search engine.
"ipchains" is your friend.
[Edited by Keen on 02-20-2001 at 11:26 AM]
adamp 02-20-2001, 12:26 PM Thanks for the links. I know you can't make a server impenetrable, just wondered if there was anything I could do to cover my back a bit better.
Travis 02-20-2001, 04:25 PM Here is my number one tip for an easy way to make your server more secure:
Turn off all services you don't use. And, I mean all.
In most systems, this includes editing /etc/inetd.conf and turning off everything you don't absolutely need. Also, edit your startup scripts and turn off any daemons you don't need.
That will take out a lot of real or potential security holes right there.
Also, if you're going to have users logging into the machine via shell, seek out and destroy any executables that are setuid and don't need to be. (Mount is a good example. Nobody but root needs to mount or unmount filesystems, but mount is typically setuid so non-root users can do so under limited circumstances. Huh?)
Good luck with your server.
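Added example, not part of the original thread: a small POSIX shell audit for the two checks in the post above, listing the services still enabled in an inetd.conf that are not on an allowlist and finding setuid files under a directory. The function names, the sample inetd.conf contents and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# SAMPLE_INETD is constructed sample data, not taken from a real host.
SAMPLE_INETD='# constructed sample /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
'

# Print "service/proto" for every line inetd would act on.
# Commented-out and blank lines are already disabled and are skipped.
enabled_inetd_services() {
    awk '!/^[ \t]*(#|$)/ && NF >= 6 { print $1 "/" $3 }' "$1"
}

# Print enabled services whose name is not in the space-separated allowlist $2.
unexpected_inetd_services() {
    enabled_inetd_services "$1" | while read -r svc; do
        case " $2 " in
            *" ${svc%%/*} "*) ;;            # explicitly needed, keep it
            *) printf '%s\n' "$svc" ;;      # candidate to comment out
        esac
    done
}

# List regular files under $1 with the setuid bit set, without crossing
# onto other filesystems. Review each hit and decide if it needs the bit.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Demo on the constructed sample, keeping only pop-3.
# On a real host: unexpected_inetd_services /etc/inetd.conf "pop-3"
demo_conf=$(mktemp)
printf '%s' "$SAMPLE_INETD" > "$demo_conf"
unexpected_inetd_services "$demo_conf" "pop-3"
rm -f "$demo_conf"
```

After commenting a service out, inetd has to re-read its configuration (it does so on SIGHUP) before the change takes effect.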
adamp 02-20-2001, 04:35 PM Thanks for the advice :)
MattF 02-20-2001, 04:52 PM There is a free guide titled Securing and Optimizing Linux Red Hat Edition - A Hands on Guide (you can also order the print edition from http://www.amazon.com).
http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html
Also subscribe to bugtraq and just keep an eye out basically.
cperciva 02-20-2001, 06:23 PM You want security? Here's what you need to do:
1. Disconnect all the cables from the machine.
2. Encase the machine in a concrete block.
3. Drop said concrete block into the middle of the ocean in an undisclosed location.
More seriously, there are some steps you can take to make your system more secure without making it unusable.
First, get a real operating system. Even the most zealous of Linux advocates admit that RedHat has a long history of security holes. Mandrake or Debian should be ok, but I'd stick to FreeBSD or (ideally) OpenBSD if you're serious about security.
Second, never allow plaintext passwords. This means disabling telnet, but also restricting POP3 to secure authentication methods. You'd be amazed how many people think they are being secure by using SSH when they are sending their password in plaintext to a POP3 server every ten minutes. (This also means disabling FTP; make sure you explain to people that they can use SSH to transfer their files).
Third, disable unnecessary services. This should have already been done for you as part of the OS installation, but there is no reason for you to have finger, RPC, NFS, or any other similar services running. You need SSH, HTTP, and probably SMTP and POP3 ports open; you shouldn't need anything else.
Fourth, install a packet filter. Personally I recommend IPFW, but ipfilter is also good. Block packets destined for ports where you don't have services bound; this will make it harder for someone to install a backdoor once they have already gained access.
Fifth, look at replacing sendmail and bind. Both have a long history of security holes, and there are secure alternatives. Sendmail can be replaced by qmail, postfix, or exim depending upon your preferences; there are a number of bind alternatives but I'd recommend djbdns (written by the author of qmail).
Sixth, if you're running a BSD system, look at running at positive securelevel. This will make it much harder for an attacker to cover their tracks even if they break root. It also makes it harder to patch security holes, but with public-key cryptography (ie, PGP) it is possible to use signed code to perform system upgrades/changes after rebooting during the initialization process. Without securelevel, you can never know if someone has broken root and covered their tracks; with securelevel (set up properly) you will know.
Finally, even after you've set up Fort Server, you should be subscribed to at the very least BugTraq and the security mailing list for your particular OS.
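Added example, not part of the original thread: a shell function that writes a default-deny IPFW rule file admitting new inbound TCP connections only on the ports the post above names (SSH, SMTP, HTTP, POP3), so traffic to any other port is dropped and logged. The function name, the rule numbers and the choice to allow all outbound traffic and a few ICMP error types are assumptions of this example.

```shell
#!/bin/sh
# Emit an ipfw rule file; load it on the host with: ipfw -q /path/to/rulefile
ipfw_ruleset() {
    for p in "$@"; do                      # validate every port before output
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 check-state"
    # The host itself may open connections; replies match the dynamic rules.
    echo "add 300 allow tcp from me to any setup keep-state"
    echo "add 310 allow udp from me to any keep-state"
    # Destination-unreachable and time-exceeded, so path MTU discovery works.
    echo "add 400 allow icmp from any to any icmptypes 3,11"
    n=1000
    for p in "$@"; do
        echo "add $n allow tcp from any to me $p setup keep-state"
        n=$((n + 10))
    done
    # Everything else, including traffic to a port where no approved
    # service is bound, is dropped and logged.
    echo "add 65000 deny log ip from any to any"
}

# SSH, SMTP, HTTP, POP3
ipfw_ruleset 22 25 80 110
```

Load a new ruleset from the console or with a timed rollback in place, since a mistake in the allowed ports locks out remote SSH.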
kunal 02-21-2001, 12:31 AM Originally posted by cperciva
You want security? Here's what you need to do:
1. Disconnect all the cables from the machine.
2. Encase the machine in a concrete block.
3. Drop said concrete block into the middle of the ocean in an undisclosed location.
This is according to the FBI director right? :)
Third, disable unnecessary services. This should have already been done for you as part of the OS installation, but there is no reason for you to have finger, RPC, NFS, or any other similar services running. You need SSH, HTTP, and probably SMTP and POP3 ports open; you shouldn't need anything else.
I would suggest, close all services on install. And then put them on as you go on editing your system. It's much easier to keep track of things this way.
Fifth, look at replacing sendmail and bind. Both have a long history of security holes, and there are secure alternatives. Sendmail can be replaced by qmail, postfix, or exim depending upon your preferences; there are a number of bind alternatives but I'd recommend djbdns (written by the author of qmail).
Qmail is just easier to install and easier to secure. If you know what you are doing, sendmail is the best. You can make it more secure than qmail too.
Finally, even after you've set up Fort Server, you should be subscribed to at the very least BugTraq and the security mailing list for your particular OS.
A must for any sys admin.
sodapopinski 02-21-2001, 12:35 AM I recommend you to visit http://www.cert.org/ often.
They have a lot of the newest articles about security.
Also, a good NOC usually contacts their dedicated/colo customers if they find a new security bug, as well as giving them advice on how to fix it.
cperciva 02-21-2001, 01:12 AM Originally posted by kunal
Qmail is just easier to install and easier to secure. If you know what you are doing, sendmail is the best. You can make it more secure than qmail too.
I disagree. Sendmail and BIND should be considered insecure for the same reason as Pine: After you've found (and patched) 50 security holes, you don't have to find the 51st to believe it is there.
Sendmail and BIND both suffer from insecure design (there is no reason why they should be permanently running as root), as well as sloppy pre-security-audits coding. In contrast, qmail runs as root only when absolutely necessary and casts off its additional privileges as soon as possible; further, qmail was written in an era when security was considered an integral part of software design.
There are no currently known exploits in the most recent versions of Sendmail, BIND, qmail, or djbdns. But I'd bet a large sum of money that security holes will be found in sendmail and bind before in qmail and djbdns -- and in fact the author of qmail and djbdns has offered a prize of $1000 to the first person to demonstrate a security hole... a prize which has gone unclaimed for years.
kunal 02-21-2001, 02:53 AM Sendmail is better and worse. It's better because it's more vastly used, and better documented. I had a tough time finding docs on qmail.
Though I agree, qmail was written in an era when security was considered an integral part of software design, and Sendmail was not.
kunal 02-21-2001, 02:56 AM Oh, and one more thing: just 'cause something has been talked about doesn't mean it doesn't exist :)
Duster 02-21-2001, 02:58 AM I read the information on all those links above, and learned several things. One gets a very balanced view of the strengths and weaknesses of both sendmail and qmail by reading all that is referenced.
I've also spoken with people who know a great deal about security in regards to a number of programs many servers use.
Sendmail has not had any exploits in a couple of years. I believe the last one was a vulnerability in BIND. Similarly, one of the articles referenced above alludes to a similar problem in the past with qmail. That reward is for a qmail exploit in qmail, not through other programs.
There are no easy answers. A principle I read on http://securityportal.com applies with these programs and many others. The author was commenting on the fact that exploits were discovered faster in Linux than Solaris. They were also fixed faster. See http://securityportal.com/cover/coverstory20001016.html
Many of the security experts I spoke with considered speed to closing the vulnerability more important than how many were reported. If you ignore outdated reputations of older programs from their early days, it makes sense. Sendmail, for instance, is presently at 8.9.x while qmail is at 1.03.
I'm not defending or suggesting either program, merely suggesting that people look at the entire picture, not one small part of it.
[Edited by Duster on 02-21-2001 at 02:26 AM]
kunal 02-21-2001, 03:22 AM I think Duster summed up everything I wanted to say. He put in a much better way :)
cperciva 02-21-2001, 03:37 AM Originally posted by Duster
The author was commenting on the fact that exploits were discovered faster in Linux than Solaris. They were also fixed faster. ... Many of the security experts I spoke with considered speed to closing the vulnerability more important than how many were reported.
Which is exactly why we should all be using OpenBSD, right? After all, when a new security hole is found in linux, the response from the OpenBSD camp tends to be something like "oh yeah, that one, we fixed that six months ago. Oh, and you should also do something about the bug on line 542 as well".
However much people might dislike Theo's attitude at times, you have to admit that proactive security audits have a tremendous advantage.
Duster 02-21-2001, 03:58 AM Non sequitur.
Here are some excerpts from that article:
"Well, there is another side to this. While the bulk of the cracker research is going toward Linux/FreeBSD, there's a whole heck of a lot of research going into the other side of the battle, Linux Security. The work going on there is pretty impressive. Let's take a look."
"OK, so Linux has an advantage over other operating systems: Tons of research! Let's look at another: Faster patches."
"We've seen a great deal of evidence for Linux's speed in releasing patches, compared with the other vendors. A SecurityPortal study <http://securityportal.com/cover/coverstory20000117.html> showed that Red Hat was much, much faster than other major vendors, including Sun, in responding to security vulnerabilities. This speed comes from the open source nature of the operating system, which permits anyone to propose fixes to bugs, along with the sheer number of programmers working on it. While Red Hat's average response time was 11 days, Sun took a whopping 3 months, on average! This time difference is incredible! "
"OK, so I'm going to keep working in Linux. I'm going to keep recommending it to my fellow security-conscious IT types. This is despite the downsides: Linux is being pounded on by a number of crackers. Those with capability to create exploits have more access to Linux boxes, because of the popular nature of the Intel x86 hardware. If you're not deploying Linux security solutions, or actively trying to patch your servers, maybe it isn't the operating system for you! Then again, maybe you shouldn't be administering boxes. On the other hand, you're reading SecurityPortal 2. Chances are good that you care and put time into your site security. And if you want an operating system with the capability to be more secure than any Unix or Windows platform currently out, Linux should be your bet. It takes time and effort, but you can make it extremely secure."