Best Practices for Unix-based servers
Shared by: zwj23860
Requirements and Recommendations

There are three basic requirements for any Unix-based server on the UNH campus network.

1) Disable unnecessary services
2) Enforce basic account security
3) Ensure packages are kept up to date

Avoid providing services you do not need to provide

Many services commonly installed on ‘nix systems are inherently dangerous. Often there are alternatives that will perform the function just as well, with significant security improvements. The server should not be running services you do not need. Running such services provides you with no benefits and only exposes your server, and through it the UNH network, to greater risk. Understanding which services can be turned off is one of the very important responsibilities of a UNIX server administrator.

Below is a list of some common packages which are best to avoid unless you specifically need them, are able to perform the necessary maintenance, and know how to configure them correctly. This list is by no means complete.

- DNS Server (aka BIND or named).
- R* services (rlogin, rcp, etc.). There are better, more secure methods of performing any of these functions.
- Printer services (lpd). Best to avoid this; it has a history of problems and exploits.
- Mail server programs are generally better avoided.
- Telnet. Telnet transfers data in clear text, including passwords. Use SSH instead.
- FTP. FTP has its problems, and there are easier, safer ways to serve files.
- NFS (Network File System) and the services related to it (statd, mountd, etc.) should only be used with great care and due diligence.
- rpc services (Remote Procedure Call).

Account Management

Running a server on the UNH network requires that none of the accounts on that server have the following properties:

- Accounts without passwords.
- Accounts whose passwords are identical to the account name.
- Accounts with overly simplistic passwords (ex. 12345678, ABCDEFGH, password, etc.).

In addition, there are other suggested practices that you should consider:

- Utilize shadow password files
  o http://www.linux.org/docs/ldp/howto/Shadow-Password-HOWTO.html
- Enforce aging of passwords when possible.
- Use strong passwords (avoid recognizable words and patterns).

Ensure your packages are up to date

Many ‘nix distributions at this point come with an updating application that will update your core packages. For example, RedHat distributions come with applications called “up2date” and/or “yum” that will check with RedHat for package updates. Remember, however, that applications you add on to your server will likely need to be monitored separately for updates. Any application that provides access to content, or even initiates its own content, is subject to attack and must be kept up to date. Any server on the UNH network is required to have its software packages, specifically those that interact with the network, updated frequently enough to avoid exploitation.

Filter traffic where you can

‘nix systems have multiple layers of filtering ability in most cases. If you find it necessary to provide filtering services, it is suggested that

Intrusion Detection

Tripwire – Tripwire is an application that monitors your system for changes.
  o http://www.tripwire.org/
  o http://www.enterpriseitplanet.com/security/features/article.php/3105481

Back up your data

Backups are highly recommended. http://www.unh.edu/tech-services/backup.html

Tenuous Services

Web Services (Apache)

Apache web server is a complex application that allows a great deal of flexibility and control over what is served. However, it is also very easy to overlook portions of Apache that need attention. There are numerous sites easily found on the web dedicated to securing Apache, and many focus on different areas. Apache is designed to give access to content. That fact provides multiple layers of security concerns.
Not only is it necessary to be concerned about properly securing Apache, but the content to which you provide access needs to be secure as well. For information regarding getting started with Apache and securing it, start at the source with Apache.org: http://httpd.apache.org/docs-2.0/misc/tutorials.html

Physical Security

Just about any computer can be accessed if a malicious user can gain physical access to it. Make sure your server is physically secure. Avoid leaving your server where others can touch it.

Logging

Monitor your logs daily. Almost all applications and core services will provide you with excellent logs. Explore them and get used to what they tell you.

Virus Protection

Virus protection for Unix-based operating systems is less critical than for Windows, but it is still a good idea. In addition, certain services, such as those acting as a mail server, significantly increase the need for virus protection. You will need to secure virus protection directly from vendors, as UNH does not have pre-paid virus protection for Unix-based operating systems.

Filtering/Firewalling

Unix-based operating systems come with various methods of blocking traffic. Look into the use of iptables (or ipchains) and tcp wrappers.