Any tips on securing a server?

R. Mattes rm at mh-freiburg.de
Wed Jan 19 01:39:18 UTC 2005


Jeff Waugh wrote:

><quote who="Ben Hodgson">
>
>>I have set up an internet server running qpopper, exim, webmin, apache and
>>ProFTPd and have finished configuring the servers themselves. Now I'm
>>trying to move onto security and protecting the machine from potential
>>attacks.

Well, if you're really after security I think you should get a few good
books about server administration and security (yes, a few. This isn't
easy ground). While a bit outdated I liked L. Stein's book about web
security and the Spafford-Garfinkel security book by O'Reilly. I'd stay
away from anything that has the word "Hacker" or "Hacking" in its title :-)

Subscribe to the security mailing lists, esp. to the Debian Security
Announcements at debian-security-announce at lists.debian.org and, of
course, the ubuntu-security-announce mailing list.

Try to keep as few services running as possible. Ask yourself several
times whether a given service can't be left out or substituted with a
more secure service.

Why FTP? For download-heavy sites use HTTP and a secure upload protocol
like scp or sftp (there are enough good and free Win/Mac clients out
there). Insisting on ftp in the 21st century is so, oh, old-fashioned :-)
Or use rsync with pub/private keys - nice because it'll save you bandwidth!
Why POP? Imap over an (encrypted) tunnel might be better etc.

Keep the number of login accounts as low as possible. Even though you
might be very security aware, some of your users might not (and "lend"
passwords to friends etc.). A single sloppy user might open up a
carefully crafted fortress :-/

Security isn't a one-time thing - always keep an eye on your
logfiles/system activity (io-stat etc.). Keep reading and monitoring,
test your open ports (scan them regularly and be curious whenever an
unexpected port/network connection shows up [use nmap and netstat,
sometimes tcpdump to a file and examine it with ethereal]).

Compile your own kernel. Disable loadable module support! You'll hardly
ever change the core hardware of your server but Joe Cracker will be glad
to hide all his tracks with a small kernel module (kernel modules are
_scary_! They can give an intruder absolute stealth mode [nota bene: it's
harder with 2.6 kernels but I wouldn't take any chances]).

 Just my 0.03 $

  RalfD
 

>First thing is to choose security supported packages in Ubuntu main, such as
>dovecot (to replace qpopper), vsftpd (to replace proftpd) and apache2 (to
>replace apache, in case you've installed 1.3). We do support exim, but don't
>support webmin. :-)

Hmm, could you enlighten us about the problems with Apache 1.3.n? I don't
really see any problems security-wise (as opposed to proftp - one eternal
source of problems ...)

>- Jeff
>
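
Added example (not part of the original post): a small shell check for the advice above about testing your open ports and being curious about unexpected ones. It compares `netstat -tln` output against a baseline of expected listening ports; the baseline (default ports for the services named in the thread), the function names and the sample netstat output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP ports that are not in an expected baseline.

# Assumed baseline: default ports of the services named in the thread
# (ftp 21, ssh 22, smtp 25, http 80, pop3 110, webmin 10000).
EXPECTED_PORTS="21 22 25 80 110 10000"

# Constructed sample of `netstat -tln` output so the example runs offline.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::50123                :::*                    LISTEN
EOF
}

# stdin: netstat -tln text. stdout: "port address" per LISTEN socket, sorted.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, p, ":")   # port is the last ":" field, also for IPv6
        print p[n], substr($4, 1, length($4) - length(p[n]) - 1)
    }' | sort -k1,1n -k2,2 -u
}

# stdin: netstat -tln text. stdout: listeners missing from the baseline,
# tagged "local-only" (loopback) or "exposed" (any other address).
unexpected_ports() {
    listening_ports | while read -r port addr; do
        case " $EXPECTED_PORTS " in
            *" $port "*) continue ;;
        esac
        case "$addr" in
            127.*|::1) echo "$port local-only" ;;
            *)         echo "$port exposed" ;;
        esac
    done
}

# Demo on the constructed sample; on a live host: netstat -tln | unexpected_ports
sample_netstat | unexpected_ports
```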




