There is no such thing as a secure server, but it is almost always possible to make a server more secure than it currently is. By following the recommended steps for a more secure server regularly, it is possible to run a server that is secure enough to make break-ins very much less likely. Most server compromises are carried out by people who want to break into any server with the least amount of effort expended – so the simplest attacks are tried against many servers.
Of course, if you are managing a server that is likely to be specifically targeted – perhaps you have valuable research data that an aggressive foreign government (yes, they do break into servers) wants to get hold of – then you have to go a good deal further than the steps in this blog posting.
And if you are involved with a server and are unsure as to who manages it, then ask. The least secure servers out there are those where two groups each assume the other is managing the server, with the result that it doesn’t get managed at all.
Install Operating System Patches
Operating system patches are fixes for a broken operating system. Sometimes these include security fixes and sometimes they do not, but there is great value in applying them regularly. There is a risk associated with patching servers, but there is also a risk associated with not patching servers. The total risk is reduced by scheduling the risky activity for a chosen time, which can be done with operating system patches; it is rather more difficult to get an attacker to attack only at specified times!
In many cases, automatic patching is perfectly suitable and should be the default option. Any other patching policy should be documented.
Update “Layered Products”
In some cases, servers can perform all of their required functions with just operating system software installed, but in others it is necessary to install software from other sources. For want of a better term, these will be referred to as “layered products”, which can include (but are not limited to) :-
- Added database engines such as Oracle.
- Stacks of web infrastructure services such as XAMPP.
- Web applications such as WordPress, Joomla, or Drupal. This includes not only the main application, but also support applications such as PhpMyAdmin.
- Commercially supported server based applications.
It is important that these are regularly checked for updates, and any updates applied. This can be as simple as a few clicks for something like WordPress, but could involve considerable effort. Ideally updates should be applied as soon as they are released, but that is rarely possible in practice.
However, where applying updates is as simple as it is for WordPress, there is no excuse for not applying updates on at least a weekly basis.
Follow Best Practice Configuration Guidelines
Installing something and then getting it running is not the end of the job for a professionally run service. It is also necessary to follow best practice in the configuration of the service. These obviously differ between services, but for the servers themselves they include :-
- Disable all unnecessary network services. A service may not be insecure now, but it could become so in the future.
- Ensure all privileged accounts have strong passwords.
- Consider installing a firewall to block any network connections except to permitted services.
- Limit access to administrative interfaces so they cannot be used from outside the University – for example, limit access to PhpMyAdmin to inside the University.
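As an added illustration of the “disable unnecessary network services” and “limit administrative interfaces” points (example code written for this post, not part of the original), here is a small Python audit that compares a host's listening sockets against a permitted-service policy. The `ss -tlnp` output and the policy below are constructed for the example; on a real server you would feed in the actual command output and the policy agreed for that machine.

```python
import re

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80               *:*               users:(("apache2",pid=1200,fd=4))
LISTEN 0      511    *:443              *:*               users:(("apache2",pid=1200,fd=6))
LISTEN 0      70     0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=1400,fd=20))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      5      [::]:5900          [::]:*            users:(("Xvnc",pid=2200,fd=9))
"""

# Hypothetical policy for this host: port -> "public" (may face the network)
# or "local" (must bind to loopback only). Any other listener is unexpected.
POLICY = {22: "public", 80: "public", 443: "public", 3306: "local"}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
PROCESS_RE = re.compile(r'\(\("([^"]+)"')  # pulls the process name out of users:(("name",...))


def parse_listeners(ss_output):
    """Yield (port, bind_address, process) for each LISTEN line of `ss -tlnp` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue  # skip the header and blank lines
        addr, port = fields[3].rsplit(":", 1)  # "Local Address:Port" column
        match = PROCESS_RE.search(line)
        yield int(port), addr, (match.group(1) if match else "?")


def audit(ss_output, policy):
    """Return (port, process, reason) for every listener that violates the policy."""
    findings = []
    for port, addr, proc in parse_listeners(ss_output):
        expected = policy.get(port)
        if expected is None:
            findings.append((port, proc, "not on the permitted-service list"))
        elif expected == "local" and addr not in LOOPBACK:
            findings.append((port, proc, f"should be loopback-only but binds {addr}"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit(SAMPLE_SS_OUTPUT, POLICY):
        print(f"port {port} ({proc}): {reason}")
```

Run against the sample it flags the database engine bound to every interface, the print spooler, and the VNC server; each is either a candidate for disabling or for the firewall and access-restriction steps above.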