Data and application security is one of the major headaches a system administrator faces. In this post I am sharing a few points that make a server less vulnerable to compromise.
- Remove all unwanted software: remove or disable all unnecessary services and packages installed on the server. Unnecessary packages can be removed with yum or with rpm -e. To configure yum locally on your machine, read this link
- Keep the kernel and software up to date: make sure you are running the latest available kernel and that every software package you use is at its latest version. If you use yum, the latest updates can be obtained by running #yum update (Red Hat based systems) or #apt-get update (Debian based systems) in the terminal.
- Encrypt communication in and out of the server: encrypt the data sent in and out of the server using passwords or user/machine certificates. Do not use plain FTP, telnet, rlogin etc., because traffic on these protocols is easily captured by a network sniffing tool. Suggested alternatives are scp, ssh etc.
- SELinux: I strongly recommend using SELinux, which provides a flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has that user's permissions on objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that could damage or destroy it. See the official Red Hat documentation, which explains SELinux configuration.
- User accounts and strong password policy: enforce strong password creation across the network, set password ageing and force users to change their passwords at regular intervals, restrict reuse of the same password, and enable locking of user accounts after repeated login failures.
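As an added example (not part of the original post), the script below audits the ageing part of that policy: it checks a login.defs-style file for PASS_MAX_DAYS and PASS_MIN_LEN, and lists shadow-style accounts whose maximum password age is unset or too long. The policy thresholds, the function names and the two sample files are assumptions; the sample files are constructed in a temp directory and do not touch the real /etc/login.defs or /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original post: audit password-ageing policy.
# The input files below are constructed samples in a temp dir; point the
# functions at /etc/login.defs and /etc/shadow to audit a real server.

MAX_DAYS_LIMIT=90   # assumed local policy: passwords expire within 90 days
MIN_LEN_LIMIT=12    # assumed local policy: at least 12 characters

# check_login_defs FILE: report PASS_MAX_DAYS / PASS_MIN_LEN outside policy.
# Returns 0 when compliant, 1 when a setting is missing or out of range.
check_login_defs() {
    rc=0
    max=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1")
    minlen=$(awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v }' "$1")
    if [ -z "$max" ] || [ "$max" -gt "$MAX_DAYS_LIMIT" ]; then
        echo "PASS_MAX_DAYS=${max:-unset} exceeds $MAX_DAYS_LIMIT"
        rc=1
    fi
    if [ -z "$minlen" ] || [ "$minlen" -lt "$MIN_LEN_LIMIT" ]; then
        echo "PASS_MIN_LEN=${minlen:-unset} is below $MIN_LEN_LIMIT"
        rc=1
    fi
    return $rc
}

# list_stale_ageing SHADOWFILE: print accounts that have a usable password
# hash (field 2 not starting with ! or *) but whose max-age field (field 5)
# is empty or above the limit. Fix each one with: chage -M 90 <user>
list_stale_ageing() {
    awk -F: -v lim="$MAX_DAYS_LIMIT" '
        $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > lim) { print $1 }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/login.defs" <<'EOF'
# constructed sample mirroring common stock defaults
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF

cat > "$tmp/shadow" <<'EOF'
root:$6$constructedhash:19000:0:99999:7:::
alice:$6$constructedhash:19000:0:90:7:::
bob:$6$constructedhash:19000:0::7:::
svc:!!:19000:0:99999:7:::
EOF

echo "== login.defs =="
check_login_defs "$tmp/login.defs" || echo "(policy violations found)"
echo "== accounts needing chage -M $MAX_DAYS_LIMIT =="
list_stale_ageing "$tmp/shadow"
```

Two points the script is built around: values in login.defs only apply to accounts created afterwards, so existing accounts have to be brought into line with chage, which is why the shadow scan exists; and locked accounts (hash starting with ! or *) are skipped because ageing does not matter for them. Lockout after repeated failures is a PAM setting (pam_faillock on current Red Hat based systems, pam_tally2 on older ones) and is not checked here.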
- Disable root login: never log in as the root user. Use sudo to execute root-level commands as and when required. sudo greatly enhances the security of the system because the root password need not be shared with other users and admins, and sudo provides simple auditing and tracking features too.
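The two bullets on encrypted communication and on not logging in as root both come down to how sshd is configured. As an added example (not from the original post), the script below audits an sshd_config for the three settings that back that advice: PermitRootLogin, PasswordAuthentication and Protocol. The function names and the two sample configs are assumptions; the configs are constructed in a temp directory, and on a real host you would point audit_sshd at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post: audit sshd_config for root
# login over SSH, password authentication and legacy protocol 1.
# The configs below are constructed samples in a temp dir.

# sshd_effective FILE KEY: the value sshd would use for KEY. sshd takes the
# first uncommented occurrence and keywords are case-insensitive. Match
# blocks are not modelled here; see the note on sshd -T after the script.
sshd_effective() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: one line per finding; returns 0 when there is none.
audit_sshd() {
    rc=0
    v=$(sshd_effective "$1" PermitRootLogin)
    case "$v" in
        no) ;;
        *)  echo "PermitRootLogin=${v:-unset, version-dependent default}, want no"; rc=1 ;;
    esac
    v=$(sshd_effective "$1" PasswordAuthentication)
    case "$v" in
        no) ;;
        *)  echo "PasswordAuthentication=${v:-unset, default yes}, want no and use keys"; rc=1 ;;
    esac
    v=$(sshd_effective "$1" Protocol)
    case "$v" in
        ""|2) ;;    # unset means protocol 2 only on any modern OpenSSH
        *)  echo "Protocol=$v, want 2 only, protocol 1 is legacy"; rc=1 ;;
    esac
    return $rc
}

# count_findings FILE: number of findings, handy for scripted thresholds.
count_findings() {
    audit_sshd "$1" | wc -l | tr -d ' '
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/sshd_weak" <<'EOF'
# constructed sample: commented lines are ignored, first live value wins
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
Protocol 2,1
EOF

cat > "$tmp/sshd_hard" <<'EOF'
# constructed sample: what the bullets above ask for
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

for f in sshd_weak sshd_hard; do
    echo "== $f =="
    audit_sshd "$tmp/$f" || echo "($f is not compliant)"
done
```

The sample weak config shows the most common mistake when hardening by hand: editing the commented-out default line instead of the live one below it, which changes nothing. On a running host, sshd -T prints the fully resolved configuration (Match blocks included), so piping that into audit_sshd via a temp file gives a more faithful answer than reading the file directly.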
- Find and block or close all unwanted listening ports: use iptables to close open ports, or stop all unwanted network services using the service and chkconfig commands mentioned above.
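As an added example (not from the original post) of the "find, then block or close" step, the script below reads ss -tlnp style output, reports every TCP listener bound to a non-loopback address whose port is not on an allowlist, and prints (without applying) the iptables rules that would drop them. The ss output is a constructed sample written to a temp directory, and the function names and the allowlist are assumptions; on a real host, save the output of ss -tlnp to a file and pass that instead.

```shell
#!/bin/sh
# Added example, not from the original post: list listeners reachable from
# the network that are not expected, and emit candidate iptables rules.
# Input is ss -tlnp style text; the sample below is constructed.
# Field layout of ss -tlnp: State Recv-Q Send-Q Local:Port Peer:Port Process

# unexpected_listeners SSFILE "PORT PORT ...": print "port process" for each
# LISTEN socket bound to a non-loopback address whose port is not allowlisted.
unexpected_listeners() {
    awk -v allow=" $2 " '
        $1 != "LISTEN" { next }                 # header and non-listening rows
        {
            n = split($4, a, ":")               # "0.0.0.0:22" or "[::]:22"
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback only
            if (index(allow, " " port " ") > 0) next          # allowlisted
            proc = "?"
            if (match($0, /\(\("[^"]+"/))      # users:(("sshd",pid=...))
                proc = substr($0, RSTART + 3, RLENGTH - 4)
            print port, proc
        }
    ' "$1"
}

# block_rules SSFILE ALLOWLIST: emit, but do not apply, one DROP rule per
# finding. Stopping the service itself (service/chkconfig, or systemctl on
# newer systems) is the real fix; the rule is a stop-gap until then.
block_rules() {
    unexpected_listeners "$1" "$2" | while read -r port proc; do
        echo "iptables -A INPUT -p tcp --dport $port -j DROP   # $proc"
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1021,fd=20))
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("in.telnetd",pid=1200,fd=4))
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=600,fd=8))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
EOF

ALLOWED_PORTS="22 443"   # assumed: the services this host is meant to expose
echo "== unexpected listeners =="
unexpected_listeners "$tmp/ss.txt" "$ALLOWED_PORTS"
echo "== candidate rules (review before applying) =="
block_rules "$tmp/ss.txt" "$ALLOWED_PORTS"
```

In the sample, MySQL on 127.0.0.1 is ignored because it is not reachable from the network, sshd on both 0.0.0.0 and [::] is allowlisted, and the telnet and rpcbind listeners are reported; telnet is exactly the kind of cleartext service the earlier bullet says to retire rather than firewall. Keep the allowlist under version control next to the host's build notes so that a new listener shows up as a diff rather than being silently accepted.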
- And last but not least, physical server security: protect access to the physical server, disable booting from USB and CD/DVD, and set BIOS and GRUB loader passwords. If possible, keep all production servers isolated and locked away.