Server Security HOW-TO

In this article I cover how to securely configure a general purpose web server running on Linux, FreeBSD, Solaris, OS X, or any other UNIX-like operating system. While not every topic applies to a Windows environment, many of the techniques carry over to a Windows server as well.

This article focuses predominantly on network security. It does not cover physical security or local console access security.

In addition to this article, the NSA security configuration guides provide further information specific to each of these operating systems.

OS Installation

When installing the operating system, be certain to give /tmp, /var/tmp, and other sensitive directories their own partitions so that each can be mounted with the options that adequately protect the system.

Partitions

For all UNIX-like systems, the /tmp folder should be mounted as noexec,nosuid,nodev. Simply enforcing this eliminates many threats arriving via HTTP by denying the ability to execute a shell script from the temporary partition.

NOTE: Some operating systems are known to only partially function when /tmp is mounted with these options. For those operating systems, simple modifications to certain files will allow the /tmp partition to be mounted appropriately.

SSH

To ensure the highest level of protection, only enable version 2 of the protocol. Additionally, use RSA keys (of at least 4096 bits) for root access and set PermitRootLogin to without-password. Be certain that no DSA keys are in use.

Next, use a tool such as DenyHosts or Fail2Ban to mitigate dictionary attacks and brute-force cracking attempts.

IP Addressing

It is best practice to use a minimum of two IP addresses per machine. The primary IP address is used for all services the machine offers, while the second IP address is assigned to SSH access and nothing else. With this configuration, crackers can try their best to crack the publicly facing IP address (which should itself be firewalled) all they want. A firewall rule should exist that permits only acceptable IP address ranges to reach the SSH port on the secondary IP address.
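As an added example (not part of the original article), here is a small POSIX shell audit that checks the /tmp mount options from the Partitions section and the sshd settings from the SSH and IP Addressing sections. The mount listing, the two sshd_config samples, and the address 192.0.2.2 used as the SSH-only second IP are all constructed sample values, not data from a real system.

```shell
# Audit helpers for the /tmp mount options and sshd settings recommended above.
# Every input below is constructed sample data, not read from a live system.
# /proc/mounts-style listing: /tmp is mounted correctly, /var/tmp is not.
SAMPLE_MOUNTS='/dev/sda2 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,relatime 0 0'

# sshd_config samples: one with a DSA host key and password root login,
# one hardened as described. 192.0.2.2 stands in for the SSH-only second IP.
WEAK_SSHD_CONFIG='Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes'
HARDENED_SSHD_CONFIG='Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
ListenAddress 192.0.2.2
PermitRootLogin without-password
PasswordAuthentication no'

# check_mount MOUNTS MOUNTPOINT: exit 0 only if MOUNTPOINT is a separate mount
# carrying noexec, nosuid and nodev; each missing option is reported.
check_mount() {
    opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }')
    [ -n "$opts" ] || { echo "$2: not a separate mount"; return 1; }
    rc=0
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$2: missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# sshd_setting CONFIG KEYWORD: value of the first matching line (sshd honours the first occurrence; keywords are case-insensitive).
sshd_setting() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# check_sshd CONFIG: exit 0 only if protocol 2 is enforced, root is limited to key-based login, and no DSA host key is configured.
check_sshd() {
    rc=0
    [ "$(sshd_setting "$1" Protocol)" = "2" ] || { echo "Protocol: not limited to 2"; rc=1; }
    [ "$(sshd_setting "$1" PermitRootLogin)" = "without-password" ] || { echo "PermitRootLogin: not without-password"; rc=1; }
    if printf '%s\n' "$1" | grep -Eqi '^[[:space:]]*HostKey[[:space:]].*dsa'; then
        echo "HostKey: a DSA host key is still configured"; rc=1
    fi
    return $rc
}

check_mount "$SAMPLE_MOUNTS" /tmp && check_sshd "$HARDENED_SSHD_CONFIG" && echo "hardened samples pass"
```

On a real host, feed the functions the contents of /proc/mounts (or the output of mount) and /etc/ssh/sshd_config instead of the sample strings.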

Firewall

Ensure that the host firewall is enabled with a default policy of DENY. Only permit the traffic that is known to be acceptable to this machine, nothing else. This helps to ensure that rogue programs running on the host cannot serve on arbitrary ports. Additionally, only acceptable ICMP requests should be accepted.

Refer to any of the many firewall best practices guides or books on the subject to learn how to configure the firewall available to you.

User account set-up

Ensure that user accounts are created with the /bin/false shell unless they are permitted SSH access. If they are permitted SSH access, consider using one of the many restricted shells, for instance to allow SFTP only.

Be sure to create each user with a unique user ID number and a unique group ID number. This helps to isolate each user from the others. Use shared groups where they are genuinely needed.

HTTPS Thoughts

If you offer HTTPS, be aware of a number of vulnerabilities present in the protocol. The most recent vulnerability is the POODLE exploit in SSL version 3.0. The safest thing to do is to disable both version 2.0 and 3.0 of SSL and offer a safe list of OpenSSL ciphers. The currently recommended list of ciphers is:

"ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

As an example, here is a sample LigHTTPd configuration for secure HTTPS serving:

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/ssl/secure.pem"
  ssl.ca-file = "/etc/ssl/gd_bundle.crt"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  ssl.cipher-list = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
  server.document-root = server_root + "/https-docs"
  accesslog.filename = log_root + "/https-access_log"
}

While this is not the best possible configuration for LigHTTPd, it is an acceptable configuration for the widest support of browsers and other command-line web browsing tools.

Final Thoughts

While this document does not cover the exact steps to follow, it does cover the general concepts necessary for a secured server to exist on the Internet. Following these guidelines is highly recommended. Please be certain to read any and all information you can on securing a server: an unsecured computer does no one any good, and it offers bad people an opportunity to misuse your server for their own purposes.