APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Are your Servers Secure?


© December 2005 Blessen Cherian
https://redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html from /Security/servers_secure.html odd

by Blessen Cherian, Sr. Software engineer & Member, Executive Team, Bobcares.com

Are your servers secure? In a word, No. No Server on the Internet is 100% secure. This doesn't mean that you are helpless. You can take measures to avoid hacks, but you cannot avoid them completely. This is like a house when the windows and doors are open then the probability of a thief coming in is high, but if the doors and windows are closed and locked the probability of being robbed is less, but still not nil.

1 What is Information Security?

For our purposes, Information Security is the method we use to protect sensitive data from unauthorized users.

2 Why do we need Information Security?

A lot of sensitive information passes through the Internet, such as credit card data, mission critical server passwords, and important files. There is always a chance of some one viewing and/or modifying the data while it is in transmission. There are countless horror stories of what happens when an outsider gets someone's credit card or financial information. He or she can use it in any way they like and could even destroy you and your business by taking or destroying all your assets. As we all know "An ounce of prevention beats a pound of cure," so to avoid such critical situations, it is advisable to have a good security policy and security implementation.

3 Security Framework

The following illustrates the framework needed to implement a functioning security implementation:

       [ Risk Analysis ]   [ Business Requirements ]

                         |

                [ Security Policy ]

                         |

       [ Security Service, Mechanisms, and Objects ]

                         |

[ Security Management, Monitoring, Detection and Response ]
 

This framework shows the basic steps in the life cycle of securing a system. "Risk Analysis" deals with the risk associated with the data in the server to be secured. "Business Requirements" is the study which deals with the actual requirements for conducting business. These two components cover the business aspects of the security implementation.

The "Security Policy" covers 8 specific areas of the security implementation, and is discussed in more detail in section 4 below. "Security Service, Mechanisms and Objects" is actually the implementation part of security. "Security Management, Monitoring, Detection and Response" is the operational face of security, where we cover the specifics of how we find a security breach, and how we react if a breach is found.

4 Security Policy

The Security Policy is a document which addresses the following areas:


5 Types of Information Security

There are 2 types of security. (1) Physical security / Host Security and (2) Network security. Each of these sections has 3 parts:


5.1 Host Security / Physical Security

Host Security / Physical Security means securing the server from unauthorized access. For that we can password protect the box with such steps as setting up a BIOS password, placing the computer box in a locked room where only authorized users have access, applying OS security patches, and checking logs on regular basis for any intrusion and attacks. In Host security we check and correct the permissions on all OS related files.

5.2 Network security

Network security is one of the most important aspects of overall security. As I mentioned earlier, no machine connected to the Internet is completely secure, so security administrators and server owners need to be alert, and make sure that they are informed of all new bugs and exploits that are discovered. Failure to keep up with these may leave you at the mercy of some script kiddy.

5.3 Which operating system is the most secure?

Every OS has its own pros and cons. There are ways to make Windows more secure, but the implementation is quite costly. Linux is stable and reasonably secure, but many companies perceive it as having little vendor support. My vote for the best OS for security purposes goes to FreeBSD, another free Unix-like OS, but not many people are aware of its existence.

6. Is a firewall the final solution to the Network Security problem?

No, a firewall is just a part of the security implementation. Again, we will use the example of a house. In a house all the windows and doors can be closed but if the lock on the front door of the house is so bad that someone can put just any key-like thing in and open it, then what is the use of the house being all closed up? Similarly, if we have a strong firewall policy, it will restrict unauthorized access, but if the software running on the box is outdated or full of bugs then crackers can use it to intrude into the server and gain root access. This shows that a firewall is not the final solution. A planned security implementation is the only real quality solution to this issue.

7 Security is a continuous process

Continuing security is a on-going process. Security administrators can only conduct their work on the basis of the alerts and bug fixes released up to the date of securing, so in order to accommodate all of the fixes for the latest bugs, security work has to be done on a regular basis.

8 Does Security implementation create overhead and/or reduce performance?

Yes, Security implementation creates a small amount of overhead, but it need not reduce overall performance drastically. In order to take care of such things, a well done security implementation has an optimization section where the security administration gives priority to both performance and security. While securing any software, we should secure it in such a way that it provides maximum performance.

9 Security Audits - What Should be Checked

A security audit is a part of security implementation where we try to find out the vulnerabilities of the system and suggest actions to improve the security. In a normal audit, the points below should be checked, and a report with the results of that audit should be created.


10 How to know if you are being hacked?

To find out if your box is compromised or not, follow these steps. These are the steps which I used to do and will be handy in most of the situations.

10.1 Check your box to see if your performance has degraded or if your machine is being over used.

For that, use the commands

vmstat
Displays information about memory, cpu and disk.

Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)
mpstat
Displays statistics about cpu utilization. This will help us to see if your cpu is over worked or not.

Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)
iostat
This command displays statistics about the disk system.

Useful options:

-d - Gives the device utilization report.

-k - Display statistics in kilobytes per second.

Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)
sar
Displays overall system performance.

10.2 Check to see if your server has any hidden processes running.

ps
Displays the status of all known processes.
lsof
List all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

10.3 Use Intrusion Detection Tools


10.4 Check your machine's uptime.

If the uptime is less than it should be, this can mean that your machine's resources are being used by someone. Linux doesn't crash or reboot under normal conditions because it is such a stable OS. If your machine has been rebooted try to find out the actual reason behind it.

10.5 Determine what your unknown processes are and what they are doing.

Use commands like the following to take apart unknown programs

readelf
This command will display what the executable's program is performing.
ldd
This command will show the details of libraries used by a executable.
string
This command will display the strings in the binary.
strace
This command will display the system calls a program makes as it runs.

11 Hardening Methodology


12 Summary

Now lets conclude by covering the main steps by which a hosting server can be secured.

12.1 Determine the business requirements and risk factors which are applicable to this system

12.2 Devise a security policy with the above data in mind. Get management's approval and signoff on this security policy.

12.3 On approval of the policy, do a security audit on any existing systems to determine the current vulnerabilities and submit a report regarding this to the management.

The report should also cover the methods needed to improve existing security. A quick checklist:


12.4 Implement the security policy

12.4.1 Correct all known existing software vulnerabilities either by applying patches or by upgrading the software.

12.4.2 Implement host security



chmod -R 700 /etc/rc.d/init.d/*

Use rpm -Va to find out if an rpm is modified

12.4.3 Implement Network security


Examples of these: gpasswd, wall, and traceroute


Links: https://rfxnetworks.com/ and yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html (link dead, sorry)


Links: www.cs.tut.fi/rammer/aide.html (link dead, sorry) and redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html (link dead, sorry)


Link: https://linux.cudeso.be/linuxdoc/sxid.php

12.5 Testing phase

Use tools like nessus, nikto, and nmap to do a penetration test and see how well your server is secured. Also do a stress test.

Security is of utmost importance to a server, compromising security is compromising the server itself. Hence, an understanding of the same is a prerequisite to server ownership and administration.

Bio

Blessen Cherian works as Executive team member in Bobcares.com

He is an Engineer in Computer Science, is passionate about Linux security and looks forward to grow in that field.


Got something to add? Send me email.





(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

->
-> Are your Servers Secure?


Inexpensive and informative Apple related e-books:

Take Control of Apple Mail, Third Edition

Photos for Mac: A Take Control Crash Course

iOS 8: A Take Control Crash Course

Take Control of Automating Your Mac

Take Control of iCloud, Fifth Edition




More Articles by © Blessen Cherian




Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us


Printer Friendly Version





As soon as an Analytical Engine exists, it will necessarily guide the future course of the science. Whenever any result is sought by its aid, the question will then arise — by what course of calculation can these results be arrived at by the machine in the shortest time? (Charles Babbage)




Linux posts

Troubleshooting posts


This post tagged:

Security



Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode





SCO Unix Sales, Support, & Service

Phone:  707-SCO-UNIX (707-726-8649Toll Free: 833-SCO-UNIX (833-726-8649)
www.SCOsales.com