Part of your job as a system administrator or website administrator is to ensure the work you do is safe from attacks and vulnerabilities. Remember that movie where Michael Moore goes around Canada trying to open doors because he heard that people there don't lock them? Do you remember what happened? It was true: many people simply didn't lock their doors and he waltzed right into their living rooms. Michael Moore seems like a nice enough guy, so it wasn't a big deal, but on the Internet people aren't that nice. In fact, they're malicious. For every nice person you know there are hundreds more literally out to get you, or rather, your webserver.
You're not in Canada
Leaving your server unprotected is like leaving your brand new car with your wallet on the dashboard in a crowded city like New York, Tokyo or Paris: someone is going to take it. People are looking for weaknesses and will take all you've got if you give them a chance.
Protect your server
Here are tips and advice to lock down your webserver and other stuff you might have running on it.
First things first: address the underlying base, the operating system. If your foundation is weak, it doesn't matter how strong your application is.
- Remove unneeded users. As you provision your server you may find that you created a user to test this or that. If you don't need a user, check its home directory, back up any files you need, then nuke the account. There is no maybe option here: you either need it or you don't.
- Establish a strong password for the remaining users. I know it's convenient to create a user and give it the usual password you like; this isn't good. Instead of a known password, use a strong password generator and change the password on every account that can log in. Do NOT, I repeat, do not write it down, email it or give it to someone else. Instead, use a password manager to save it safely and protect the password manager with a strong master password. LastPass, for example, not only locks your password database with a master password, it also lets you lock down an individual record behind one more prompt for the master password, just in case you forgot to log out when you went to get a cup of coffee.
- Remove the ability to log in for system and application users. Apache, MySQL, Postfix and other applications run under their own user accounts. Chances are these users don't actually need
- Update & configure SSH. Linux distributions are getting smarter about shipping ssh configs with better settings than they did years ago, but it is still your responsibility to ensure the settings are right for your environment. Furthermore, check for updates on a regular basis and stay on top of them.
- Do not share passwords. It is easy to give someone your username and password to do something really quick, then forget about it. Presumably you trust this person, but what if they write the password down, or save it somewhere insecure? Now they are the target for anyone who wants your password.
- Configure your firewall to only allow exactly what is needed. Do I need to explain this one?
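To make the checklist above concrete, here is an audit script I'm adding as an example (it is not code from the original post). It only reads a passwd-format file and an sshd_config and prints findings or the commands you would run; nothing here changes the system. The sample passwd and sshd_config data at the bottom are constructed, the UID cutoff of 1000 for system accounts is an assumption that matches Debian and RHEL-style layouts, and the function names are mine. Point the functions at `/etc/passwd` and `/etc/ssh/sshd_config` on a real host.

```shell
#!/bin/sh
# Server-hardening audit helpers (added example, not from the original post).
# Read-only: prints findings and suggested commands, never modifies the host.

# 1. Accounts that can still log in: any entry whose shell is not nologin/false.
#    Output is name:uid:shell, one per line.
login_capable_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# 2. System/application users (UID 1-999, assumed cutoff) that still have a
#    real shell: the apache/mysql/postfix-type accounts that should not log in.
service_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# 3. Print (do not run) the commands that remove login for those users:
#    a nologin shell plus a locked password, so neither SSH nor su works.
disable_login_plan() {
    service_accounts_with_shell "$1" | while read -r u; do
        echo "usermod -s /usr/sbin/nologin $u && passwd -l $u"
    done
}

# 4. Random password from /dev/urandom. Letters and digits only so it pastes
#    cleanly; 24 such characters is about 143 bits of entropy.
gen_password() {
    len=${1:-24}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# 5. Effective value of an sshd_config directive. Keywords are case-insensitive
#    and the FIRST occurrence wins. Lines after a "Match" block apply only
#    conditionally, so reading stops there.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }' "$1"
}

# 6. Compare a directive with the value we want. "missing" is not "ok": the
#    compiled-in default may be the weak value (PasswordAuthentication
#    defaults to yes, for example).
sshd_check() {
    v=$(sshd_value "$1" "$2")
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ -z "$v" ]; then echo "missing $2 (want $3)"
    elif [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "$want" ]; then echo "ok $2 $v"
    else echo "fix $2 is $v (want $3)"
    fi
}

audit_sshd() {
    sshd_check "$1" PermitRootLogin no
    sshd_check "$1" PasswordAuthentication no
    sshd_check "$1" PubkeyAuthentication yes
    sshd_check "$1" X11Forwarding no
}

# 7. Default-deny nftables input ruleset for the TCP ports you actually serve.
nft_ruleset() {
    ports=$(printf '%s, ' "$@"); ports=${ports%, }
    cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    tcp dport { $ports } accept
  }
}
EOF
}

# Constructed sample data so the script runs stand-alone.
make_samples() {
    cat > "${TMPDIR:-/tmp}/passwd.sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:105:113:MySQL Server:/nonexistent:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/bash
testuser:x:1001:1001::/home/testuser:/bin/bash
EOF
    cat > "${TMPDIR:-/tmp}/sshd_config.sample" <<'EOF'
# constructed sshd_config sample
PermitRootLogin yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
}

if [ "${1:-}" = "demo" ]; then
    make_samples; d=${TMPDIR:-/tmp}
    echo "== accounts that can log in"; login_capable_accounts "$d/passwd.sample"
    echo "== fix plan"; disable_login_plan "$d/passwd.sample"
    echo "== sshd"; audit_sshd "$d/sshd_config.sample"
    echo "== new password: $(gen_password)"
    nft_ruleset 22 80 443
fi
```

Run it with `sh harden-audit.sh demo` to see the output on the constructed samples. Two cautions before you apply the suggested changes on a real box: confirm that key-based SSH login works from a second session before you set `PasswordAuthentication no`, and load the nftables ruleset from a console or with a scheduled rollback, since a default-deny input policy with the wrong port list locks you out too.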
To expand on this, soon I'll post info about hardening Apache, MySQL, Tomcat, Linux, as well as WordPress, vBulletin, Wikis, maybe even Joomla and Drupal.
This is the first draft of a series of guides I'll be writing on how to lock down your stuff and hopefully make it more secure. Got a better way of doing things? Send me an email or tell everyone in the comments below.
Photo by Rinaz, site seems to go up and down.