wordpress.com - 7 security measures to protect your servers | … · 2015-08-07 · your servers...
Post on 06-Aug-2020
1 Views
Preview:
TRANSCRIPT
!Sign UpLog In
Community Tutorials Questions Projects
By: Justin Ellingwood 176" # 8 Share Contents
7 Security Measures to Protectyour ServersMar 5, 2015 Security, Firewall, Networking, VPN
Introduction
When setting up infrastructure, getting your applications up and running will often be
your primary concern. However, making your applications to function correctly without
addressing the security needs of your infrastructure could have devastating
consequences down the line.
In this guide, we will talk about some basic security practices that are best to configure
before or as you set up your applications.
$ %
& Menu
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
1 of 15 19/11/15 17:27
SSH KeysSSH keys are a pair of cryptographic keys that can be used to authenticate to an SSH
server as an alternative to password-based logins. A private and public key pair are
created prior to authentication. The private key is kept secret and secure by the user,
while the public key can be shared with anyone.
To configure the SSH key authentication, you must place the user's public key on the
server in a special directory. When the user connects to the server, the server will ask
for proof that the client has the associated private key. The SSH client will use the
private key to respond in a way that proves ownership of the private key. The server
will then let the client connect without a password. To learn more about how SSH keys
work, check out our article here.
How Do They Enhance Security?
With SSH, any kind of authentication, including password authentication, is completely
encrypted. However, when password-based logins are allowed, malicious users can
repeatedly attempt to access the server. With modern computing power, it is possible
to gain entry to a server by automating these attempts and trying combination after
combination until the right password is found.
Setting up SSH key authentication allows you to disable password-based
authentication. SSH keys generally have many more bits of data than a password,
meaning that there are significantly more possible combinations that an attacker would
have to run through. Many SSH key algorithms are considered uncrackable by modern
computing hardware simply because they would require too much time to run throughSCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
2 of 15 19/11/15 17:27
possible matches.
How Difficult is this to Implement?
SSH keys are very easy to set up and are the recommended way to log into any Linux
or Unix server environment remotely. A pair of SSH keys can be generated on your
machine and you can transfer the public key to your servers within a few minutes.
To learn about how to set up keys, follow this guide. If you still feel that you need
password authentication, consider implementing a solution like fail2ban on your
servers to limit password guesses.
FirewallsA firewall is a piece of software (or hardware) that controls what services are exposed
to the network. This means blocking or restricting access to every port except for those
that should be publicly available.
On a typical server, a number services may be running by default. These can be
categorized into the following groups:
Public services that can be accesses by anyone on the internet, often anonymously.
A good example of this is a web server that might allow access to your site.
Private services that should only be accessed by a select group of authorized
accounts or from certain locations. An example of this may be a database control
panel.SCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
3 of 15 19/11/15 17:27
Internal services that should be accessible only from within the server itself, without
exposing the service to the outside world. For example, this may be a database that
only accepts local connections.
Firewalls can ensure that access to your software is restricted according to the
categories above. Public services can be left open and available to everyone and
private services can be restricted based on different criteria. Internal services can be
made completely inaccessible to the outside world. For ports that are not being used,
access is blocked entirely in most configurations.
How Do They Enhance Security?
Firewalls are an essential part of any server configuration. Even if your services
themselves implement security features or are restricted to the interfaces you'd like
them to run on, a firewall serves as an extra layer of protection.
A properly configured firewall will restrict access to everything except the specific
services you need to remain open. Exposing only a few pieces of software reduces the
attack surface of your server, limiting the components that are vulnerable to
exploitation.
How Difficult is this to Implement?
There are many firewalls available for Linux systems, some of which have a steeper
learning curve than others. In general though, setting up the firewall should only take a
few minutes and will only need to happen during your server's initial setup or when you
make changes in what services are offered on your computer.
A simple choice is the UFW firewall. Other options are to use iptables or the CSF
firewall.
VPNs and Private NetworkingPrivate networks are networks that are only available to certain servers or users. For
instance, in DigitalOcean, private networking is available in some regions as aSCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
4 of 15 19/11/15 17:27
data-center wide network.
A VPN, or virtual private network, is a way to create secure connections between
remote computers and present the connection as if it were a local private network. This
provides a way to configure your services as if they were on a private network and
connect remote servers over secure connections.
How Do They Enhance Security?
Utilizing private instead of public networking for internal communication is almost
always preferable given the choice between the two. However, since other users within
the data center are able to access the same network, you still must implement
additional measures to secure communication between your servers.
Using a VPN is, effectively, a way to map out a private network that only your servers
can see. Communication will be fully private and secure. Other applications can be
configured to pass their traffic over the virtual interface that the VPN software exposes.
This way, only services that are meant to be consumable by clients on the public
internet need to be exposed on the public network.
How Difficult is this to Implement?
Utilizing private networks in a datacenter that has this capability is as simple as
enabling the interface during your server's creation and configuring your applications
and firewall to use the private network. Keep in mind that data center-wide private
networks share space with other servers that use the same network. SCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
5 of 15 19/11/15 17:27
As for VPN, the initial setup is a bit more involved, but the increased security is worth it
for most use-cases. Each server on a VPN must be install and configure the shared
security and configuration data needed to establish the secure connection. After the
VPN is up and running, applications must be configured to use the VPN tunnel. To learn
about setting up a VPN to securely connect your infrastructure, check out our
OpenVPN tutorial.
Public Key Infrastructure and SSL/TLS EncryptionPublic key infrastructure, or PKI, refers to a system that is designed to create, manage,
and validate certificates for identifying individuals and encrypting communication. SSL
or TLS certificates can be used to authenticate different entities to one another. After
authentication, they can also be used to established encrypted communication.
How Do They Enhance Security?
Establishing a certificate authority and managing certificates for your servers allows
each entity within your infrastructure to validate the other members identity and
encrypt their traffic. This can prevent man-in-the-middle attacks where an attacker
imitates a server in your infrastructure to intercept traffic.
Each server can be configured to trust a centralized certificate authority. Afterwards,
any certificate that the authority signs can be implicitly trusted. If the applications and
protocols you are using to communicate support TLS/SSL encryption, this is a way of
encrypting your system without the overhead of a VPN tunnel (which also often uses
SSL internally).SCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
6 of 15 19/11/15 17:27
How Difficult is this to Implement?
Configuring a certificate authority and setting up the rest of the public key
infrastructure can involve quite a bit of initial effort. Furthermore, managing certificates
can create an additional administration burden when new certificates need to be
created, signed, or revoked.
For many users, implementing a full-fledged public key infrastructure will make more
sense as their infrastructure needs grow. Securing communications between
components using VPN may be a good stop gap measure until you reach a point
where PKI is worth the extra administration costs.
Service AuditingUp until now, we have discussed some technology that you can implement to improve
your security. However, a big portion of security is analyzing your systems,
understanding the available attack surfaces, and locking down the components as best
as you can.
Service auditing is a process of discovering what services are running on the servers in
your infrastructure. Often, the default operating system is configured to run certain
services at boot. Installing additional software can sometimes pull in dependencies that
are also auto-started.
Service auditing is a way of knowing what services are running on your system, whichSCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
7 of 15 19/11/15 17:27
ports they are using for communication, and what protocols are accepted. This
information can help you configure your firewall settings.
How Does It Enhance Security?
Servers start many processes for internal purposes and to handle external clients. Each
of these represents an expanded attack surface for malicious users. The more services
that you have running, the greater chance there is of a vulnerability existing in your
accessible software.
Once you have a good idea of what network services are running on your machine,
you can begin to analyze these services. Some questions that you will want to ask
yourself for each one are:
Should this service be running?
Is the service running on interfaces that it doesn't needs to? Should it be bound to a
single IP?
Are your firewall rules structured to allow legitimate traffic pass to this service?
Are your firewall rules blocking traffic that is not legitimate?
Do you have a method of receiving security alerts about vulnerabilities for each of
these services?
This type of service audit should be standard practice when configuring any new
server in your infrastructure.
How Difficult is this to Implement?
Doing a basic service audit is incredibly simple. You can find out which services are
listening to ports on each interface by using the netstat command. A simple
example that shows the program name, PID, and addresses being used for listening for
TCP and UDP traffic is:
sudo netstat -plunt SCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
8 of 15 19/11/15 17:27
You will see output that looks like this:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 887/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 919/nginx
tcp6 0 0 :::22 :::* LISTEN 887/sshd
tcp6 0 0 :::80 :::* LISTEN 919/nginx
The main columns you need to stay attention to are Proto , Local Address , and
PID/Program name . If the address is 0.0.0.0 , then the service is accepting
connections on all interfaces.
File Auditing and Intrusion Detection SystemsFile auditing is the process of comparing the current system against a record of the
files and file characteristics of your system when it is a known-good state. This is used
to detect changes to the system that may have been authorized.
An intrusion detection system, or IDS, is a piece of software that monitors a system or
network for unauthorized activity. Many host-based IDS implementations use file
auditing as a method of checking whether the system has changed.
How Do They Enhance Security?
Similar to the above service-level auditing, if you are serious about ensuring a secure
system, it is very useful to be able to perform file-level audits of your system. This canSCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
9 of 15 19/11/15 17:27
be done periodically by the administrator or as part of an automated processes in an
IDS.
These strategies are some of the only ways to be absolutely sure that your filesystem
has not been altered by some user or process. For many reasons, intruders often wish
to remain hidden so that they can continue to exploit the server for an extended period
of time. They might replace binaries with compromised versions. Doing an audit of the
filesystem will tell you if any of the files have been altered, allowing you to be confident
in the integrity of your server environment.
How Difficult is this to Implement?
Implementing an IDS or conducting file audits can be quite an intensive process. The
initial configuration involves telling the auditing system about any non-standard
changes you've made to the server and defining paths that should be excluded to
create a baseline reading.
It also makes day-to-day operations more involved. It complicates updating procedures
as you will need to re-check the system prior to running updates and then recreate the
baseline after running the update to catch changes to the software versions. You will
also need to offload the reports to another location so that an intruder cannot alter the
audit to cover their tracks.
While this may increase your administration load, being able to check your system
against a known-good copy is one of the only ways of ensuring that files have not been
altered without your knowledge. Some popular file auditing / intrusion detection
systems are Tripwire and Aide.
Isolated Execution EnvironmentsIsolating execution environments refers to any method in which individual components
are run within their own dedicated space.
SCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
10 of 15 19/11/15 17:27
This can mean separating out your discrete application components to their own
servers or may refer to configuring your services to operate in chroot environments
or containers. The level of isolation depends heavily on your application's requirements
and the realities of your infrastructure.
How Do They Enhance Security?
Isolating your processes into individual execution environments increases your ability
to isolate any security problems that may arise. Similar to how bulkheads and
compartments can help contain hull breaches in ships, separating your individual
components can limit the access that an intruder has to other pieces of your
infrastructure.
How Difficult is this to Implement?
Depending on the type of containment you choose, isolating your applications can be
relatively simple. By packaging your individual components in containers, you can
quickly achieve some measure of isolation, but note that Docker does not consider its
containerization a security feature.
Setting up a chroot environment for each piece can provide some level of isolation
as well, but this also is not foolproof method of isolation as there are often ways of
breaking out of a chroot environment. Moving components to dedicated machines is
the best level of isolation, and in many cases may be the easiest, but may cost more for
the additional machines.
ConclusionThe strategies outlined above are only some of the enhancements you can make to
improve the security of your systems. It is important to recognize that, while it's better
late than never, security measures decrease in their effectiveness the longer you waitSCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
11 of 15 19/11/15 17:27
to implement them. Security cannot be an afterthought and must be implemented from
the start alongside the services and applications you are providing.
176" Heart SubscribeShare$
Author:Justin Ellingwood
Spin up an SSD cloud server in under a minute.Simple setup. Full root access. Straightforward pricing.
Related Tutorials
How To Protect your Linux Server Against the GHOST Vulnerability
How to Protect your Server Against the Shellshock Bash Vulnerability
How to Protect your Server Against the Heartbleed OpenSSL Vulnerability
How To Install TrueCrypt (CLI) On Linux SCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
12 of 15 19/11/15 17:27
How To Use WPScan to Test for Vulnerable Plugins and Themes in Wordpress
8 Comments
Log In to Comment
laurence0521 March 11, 2015
While these are all fairly obvious if you've ever worked in industry, this is a greatintroduction to those who have not. Well written!
3"
MChorfa March 20, 2015
It would be really nice if there were an [end to end configuration] example withCoreOS and Docker and all the security already setup. Hope @digitalocean willproduce one :)
3"
Lee March 20, 2015
Thanks for this, interesting read, will adopt some of these.
"
cube March 21, 2015
In the section, "File Auditing and Intrusion Detection Systems", you say that IDS isdifficult to admin. I am using a backup tool called the Barebones Encrypted File
SCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
13 of 15 19/11/15 17:27
Storage System as a lightweight IDS. It creates incremental backups and sends mean e-mail with the list of changed files. It doesn't stop changes from happening butsimply reports them. If I need to roll back for any reason, I've got 31 days worth ofincrementals to work with. I've used it on a few occasions that had nothing to dowith system intrusion and more to do with administrator stupidity. Over the years ofadministrating Linux boxes, I've learned the hard way that backing up everythingunder /etc on a regular basis is extremely important. Getting extra mileage as anIDS is icing on the cake.
"
chadbuie March 22, 2015
Thanks for the insight there. I recently had a droplet go down for somereason, I'm overwhelmed with all the things that can go wrong. At timesvery drowning; literally.
"
steve588264 April 2, 2015
Intrusion Detection is not hard. Install OSSEC. While there are some good changesone should make to the configuration files for maximum effect, it works very wellstraight out of the box.
http://www.ossec.net/
1"
jellingwood April 2, 2015
@steve588264: While initial set up is one factor, the primary reason thatthat intrusion detection is difficult to administer is not related to installationor configuration. Intrusion detection systems, at their core, are responsiblefor detecting any changes on the system and reporting back.
If you are doing routine maintenance on your servers (and if you have asignificant number of servers), you will have to deal with one of twoscenarios. First, you could suffer through alerts and whitelisting changes onevery security update. Or you could juggle the process of running a scan tocatch any anomalous changes on the current filesystem, turning your IDSsystem off, updating the system, and then rebuilding the database to markthe new system as a clean slate.
The OSSEC docs themselves state that there is no easy way around this. Ifyou are managing significant infrastructure, this administrative overheadcan get unwieldy.
That being said, it's definitely worth seeking out the software that you findSCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
14 of 15 19/11/15 17:27
'Copyright © 2015 DigitalOcean™ Inc.
Community Tutorials Questions Projects Tags RSS (
Terms, Privacy, & Copyright Security Report a Bug Get Paid to Write
This work is licensed under a CreativeCommons Attribution-NonCommercial-ShareAlike 4.0 International License.
easiest to manage. If OSSEC is easier than the alternatives, that would be asignificant advantage.
1"
Remik April 11, 2015
portsentry available in debian repos is worth mentioning too. works similar tofail2ban almost out of the box.
root@droplet ~> grep portsentry /var/log/syslog* | grep Host | uniq | sort | wc -l109
"
SCROLL TO TOP
7 Security Measures to Protect your Servers | DigitalOcean https://www.digitalocean.com/community/tutorials/7-securit...
15 of 15 19/11/15 17:27
top related