1. Remove unnecessary services and applications
Most of the servers today do not provide a wide range of services. For instance, when hosting your website you will not need much more than your web application server and database instance. However, this is often not the case. Important aspect of server security is auditing what is and what should be on your server. This simple check can drastically reduce your server vulnerabilities, simply by removing software and services you do not need.
Some of the services you can safely remove, especially if you do not use them – phpmyadmin, GUI interfaces, rcpbind and many, many more.
Depending on the type of containment you choose, isolating your applications can be relatively simple. By packaging your individual components in containers, you can quickly achieve some measure of isolation.
2. Permissions and privileges
One of the most confusing things about UNIX web servers is permissions and priviledges. Linux and UNIX operating systems treat file access differently then Windows, so for a newcomer it might seem very complicated at the beginning. Most of the time, however, you will find that it is much more stramlined and logical process then it seems at the beginning.
Essentially every file belongs to a user and a group, and has read, write and execute priviledges. You want that content on your server has the right permissions for the applications that do use them to access, but not for unauthorized users, or other applications. Sometimes, when the architecture of the application itself does not take care of it, you will be left only with options of containerizing them, but this is rarely the case.
The only exception to the rule is root. Root user has unlimited access to all parts of the system, and can easily step over any other permission. On the other hand, only root user can access files created and owned by root, so in a sense, it is the hardest security level UNIX operating system will offer by default.
3. SSH keys
SSH keys are a pair of cryptographic keys that can be used to authenticate to your server as an alternative to password-based authentification. A private and public key pair are created prior to authentication. The private key is kept secret and secure by the user, while the public key can be shared with anyone.
With SSH, any kind of authentication, including password authentication, is completely encrypted. However, when password-based logins are allowed, malicious users can repeatedly attempt to access the server. With modern computing power, it is possible to gain entry to a server by automating these attempts and trying combination after combination until the right password is found.
Setting up SSH key authentication allows you to disable password-based authentication. SSH keys generally have many more bits of data than a password, meaning that there are significantly more possible combinations that an attacker would have to run through. Many SSH key algorithms are considered uncrackable by modern computing hardware simply because they would require too much time to run through possible matches.
A firewall is a piece of software (or hardware) that controls what services are exposed to the network. This means blocking or restricting access to every port except for those that should be publicly available.
Firewalls can ensure that access to your software is restricted. Public services can be left open and available to everyone and private services can be restricted based on different criteria. Internal services can be made completely inaccessible to the outside world. For ports that are not being used, access is blocked entirely in most configurations.
Firewalls are an essential part of any server configuration. Even if your services themselves implement security features or are restricted to the interfaces you’d like them to run on, a firewall serves as an extra layer of protection.
A properly configured firewall will restrict access to everything except the specific services you need to remain open. Exposing only a few pieces of software reduces the attack surface of your server, limiting the components that are vulnerable to exploitation.
5. Keep software updated
Keeping your server software up to date is the single most important task for protecting your system. You will quickly notice that Linux and UNIX systems release different security-oriented updates if not daily, then at least on a weekly basis.
Server software is mostly built by combining a range of components, called packages. Different pieces of software, or even whole systems, depend on these different components, and both interact and interface with them in order to provide different services to the end-user. For instance, a software downloading pictures will most likely depend on a system tool for downloading data (wget of curl). It will be written in a way that will utilise the wget library by calling it from command line, but not by directly including it in its own code. This means that wget can always be updated independently from the software using it. This is indeed the most common scenario. By installing a package A, it will almost always have a range of packages it depends on, that will need to be installed as well. Keeping all these components up to date and secure is the most vital task of any server administrator.
The strategies outlined above are only some of the enhancements you can make to improve the security of your systems. It is important to recognize that, while it’s better late than never, security measures decrease in their effectiveness the longer you wait to implement them. Security cannot be an afterthought and must be implemented from the start alongside the services and applications you are providing.
Ideaspool is a software company founded in 2009 and based in Maastricht , The Netherlands. We deliver high availability software solutions for eCommerce, mCommerce and more. Our passion and expertise lies in heavy automation and optimization techniques, that bring and enhance value of online products and services.