Newbie's Guide to Dedicated Server Security
 

In light of the TMM/NATS mess that has recently unfolded, I think something like this is needed. So I am gonna start it and people can add on below with their knowledge. Trolls, please, I'm gonna ask nicely. Go to another thread and troll there. Use my name and start some shit, but do it in a new thread. Thanks in advance.

Disclaimer: This is general information and it is being provided for free. Consult an experienced professional before you undertake any of this on your own if you do not know what you are doing. I will not be held responsible in any way for damages that result to your server as a result of your reliance on these instructions. You should not run commands unless you know what they are going to do anyway.

OK, all of this assumes you are running on a LAMP (Linux, Apache, MySQL, PHP) server. If you are running Microsoft Windows IIS box, thats a MAJOR security hole in and of itself and you need to move your stuff to another box.

1. Disable and Remove Telnet and FTP.

Both of these services are outdated, exceptionally old and prone to attack. Additionally, they are no longer useful because of the exploits and they are big targets for hackers who will try and gain access to your server. FTP has been replaced by SFTP and Telnet replaced by SSH - both are MUCH more secure.

1a. Disable and Remove Unused Packages and Programs.

If there is software running or sitting on your box that you do not use - get rid of it - now! Software that you are not using is a huge security risk. Because you are not using it, you are likely not paying attention to it, either. That means you are not updating it and THAT means that any exploits discovered will not be patched. If you don't run any scripts that require PHP, remove it. Removing unused software reduces the possible places an exploit could be.

1b. Microsoft Front Page Extensions.

If you do not use Microsoft Frontpage, your server does not need Frontpage extensions - remove them. They are a terrible security risk whether you need them or not. If you use Frontpage, consider removing the extensions anyway and publishing manually.

1c. Remove "Pine"

Pine is a command line mail program that is poorly written that has had exploits in it and very few people use it. If you do not use it, uninstall it.

2. Make Absolutely Certain that PHP, phpMyAdmin, MySQL and Apache are Updated.

These are where most attempts to hack your box come from. Especially PHP. Software like phpBB, phpNuke and phpMyAdmin that rely on PHP/MySQL are notorious for containing zero day exploits that are taken advantage of to gain elevated privileges on a server. They are also huge targets. If you are running this software, you need to be very aware of your server's security status and you need to patch your box and the software itself religiously. WordPress also has had some security issues crop up from time to time, so you need to make sure you stay up to date with your updates there as well.

2a. Consider Removing Apache and Going to lighthttpd.

Lighthttpd uses less resources than Apache and is more scalable and also to a degree, more secure. Wikipedia runs lighthttpd. However, some of the scripts you have on your box may REQUIRE Apache, so you need to think about this carefully. If you have done tons of hacks through .htaccess or rely on Apache re-write rules extensively a switch to lighthttpd may be a huge pain in the ass. If you are a novice, do not make this decision on your own. Consult someone who knows what they are doing and save yourself alot of hassles.

3. Disable Plaintext Logins for Root.

If you SSH with the userid of "root" and then type a password to become root, this is bad. Even if you use IPsec rules and such, your box can be compromised. The root user is always a target for password cracking by brute force. Instead, set it up so that you have to use an SSH key (4096 bits recommend, 2048 bits minimum) to access this user account. Using a key makes it almost impossible to brute force the password. A general guide on how to do this can be found here.

4. Services DO NOT Get to Run as Root

SSH into your server. Type "top" at the command prompt and strike enter. See the image below. This is from one of my servers at OC3 Networks.

http://i19.tinypic.com/85v0daf.jpg

Look at the columns in the red boxes. Note that the results of top (and other commands, for that matter) may look a little different based on the type of Linux you are running. The example is from FreeBSD. This tells you what is running on your server and the resources being used by each item. The left column in a red box is the username running the item and the right most red box is the actual program that is running. On a properly secured box, services (apache, exim, courior, php, mysql, ruby on rails, etc) do not run as root.

If you notice on my box, lighthttpd, php and some other items run as the user "www". Courier - my mail transfer agent - runs as "courier". MySQL runs as "mysql". My IRC bot runs as "eggdrop". Ruby on Rails runs as "ruby". The list goes on and on.

The reason for this is a user account cannot do alot of things on the server that root can do. Root can do anything, root is god. It cant delete the hard drive, it cant run most utilities and it cant delete other user's files or directories. It cannot even change or view (most of) them. If one of these services got hacked, the hackers would not have administrative privileges on the server and while they might be able to make a mess of that software, their ability to damage things is confined to a single user.

Some things have to run as root, so you may still see root in the left box. But you should not see things running as root like the services I mentioned above. Apache does not run as root on a properly configured box. If you do see a bunch of stuff running as root, your box is very vulnerable - its a time bomb waiting to go off. Get professional help right away.

Most webhosts when they deploy a box set everything up to run as root. This is very, very bad. It means that if anyone gets into your box by pretty much any means, your ass belongs to them. I cannot recall how OC3 had the default install of this box setup when I got it from them.

Note: you can type "ps -aux" and hit enter to get most of the same info formatted in a different manner, that may be more helpful to you. Try it and see which way you prefer to get the info.

5. You Should Sign into Every Server you Own at Least Once a Week and Watch Things.

You should go on every box you have every week and spend at least a half an hour each one doing nothing but checking disk space, network usage and so on.

• Run "last" to see who was on the box last and where they came from. Look for people you do not know.
• Run netstat and watch your traffic live for a few minutes. See what is being accessed and make sure they are files you recognize and that should be there. Look for excessive usage and files that you do not recognize.
• Check disk usage by any users and look at what they are storing on your server. You are responsible for your server and what is on it and you have every right to dig through their home directories. I do it all the time and yes, one time I did find a hosting customer storing CP. Needless to say, that customer does not have a relationship with me any longer and I spent quite a bit of time dealing with the authorities. Do note that you need to disclose the fact that you may monitor activity on your network to the users, putting a notice on /etc/motd is a good place to do this.
• Excessive disk usage may indicate improper activity. Find out what is being stored.
• Run "top" and "ps -aux" and see what is running. You should recognize the services running. Look into stuff that you do not recognize.
• Tail the logs of your main sites and see whats going on. Use grep to filter stuff. In the case below, I was watching my traffic from digg.com in real time. See below for an example of usage.

tail -f /usr/local/www/domains/path/to/domain/files/domain.com/logs/lighttpd.access.log | grep digg

6. Uninstall and Remove Zend Optimizer if Possible

Zend itself is not per say a security risk in and of itself - sort of. Zend allows PHP scripts to run in an encrypted manner where you cannot see exactly what the script is doing. And this is a security risk. If someone gets control of your PHP installation, they can run their bad scripts encrypted as well, and you will not be able to see what the scripts are doing. Personally, I refuse to use, buy or install software that requires Zend Optimizer for this reason. Zend claims that is speeds up PHP, I have seen no convincing evidence of this - ever. Script authors claim they use Zend to keep their work from being stolen. I tend to poo on this explanation and believe instead the authors of scripts don't want me to know what they are doing on my box. After all, lawsuits are for re coving damages from stolen work and breach of contract.

7. Know Your Box.

Know where things live on your box. Know how much bandwidth, memory and CPU your box normally uses. Know when major cron jobs run (i.e. awstats) and know what constitutes ordinary usage and extraordinary usage. Investigate extraordinary usage until you find out why its going on. Did you get listed in Wikipedia? Someone blog you? You in the news? Campaign going well on AdWords? Or did someone move in without being invited? Proper investigation and follow up will let you know which and will likely help you refine your techniques to make them even better.

(cont'd below)

(cont'd below)

8. If Your Box is Compromised.

If your box is compromised, your only immediate concern should be protecting the data and the evidence it may contain as to who is responsible. You should not be on GFY or anywhere else freaking out, you should be taking actions to stop the breach from going further and then looking what happened, who did it and how. You should notify your customers of your issue because it is the right thing to do and because the laws of almost 40 states require you to do so.

Turn the box OFF by issuing shutdown commands and contact your host immediately to make arrangements to get the server shipped, the hard drive shipped or whatever else needs to happen. Do not leave a compromised box online or reachable for any reason - ever. Do your investigation locally without the server online. Leaving a hacked box online may subject the data to further or additional compromise and your box could be used as a launching pad for attacks on other boxes in your data center or outside of it.

HAHAHAHA. You're clueless.

Nice post, don't know if you've mentioned it, but it's also important that you don't run your cronjobs as root. I always did that in the past and as one of my servers had a firewall problem recently I was able to break into my own server as I just had to rewrite and upload a little script that got executed as root every few minutes. So I've seen for the first time how easy it could be to break into a server. Always run cronjobs as a normal user if possible, not as root.

OK, I'll bite. Tell me how servers are secured then - since you know so much.

Good addition. I did not have that in there. Was trying to avoid writing a book about the whole thing.

Agreed.

This 'guide' is half-assed and contains minimal useful information.

good post ..

There's nothing to bite on. People that do security are payed alot of money for what they know.

To answer you, what you wrote up there, is like saying "You have to lock your front door when you leave house". Anyone that knows anything on setting up servers knows all that (so that would bring all the techs at any hosting company). However, that is not the way security is breached, and that is not the thing hackers look for, or how they keep access to servers. All of that, and 100 other things you can go google right now on "how to secure a server" will do you jack shit on protecting the server. All it will do however is give you a false sense of security. Same as when hosting techs boast about this and that certificate they have in setting up servers.

sad to say there are hosting companies that are out there that don't take care of the simple things

but anyways, give the original poster a break, the thread is titled "NEWBIES guide to dedicated server security"... it is a start

I love this place. Its free information - good information at that - and yet people still bitch about it.

Clearly enough people around here DON'T KNOW that stuff or we wouldn't have so many issues with this shit. Most hacking can be stopped with simple fixes. Most hackers are actually script kiddies who look for exploits in software that people didn't bother to patch because they were too god damned ignorant or lazy. If someone wants in, they are getting in no matter what.

I never said the guide was complete and in fact I said it was intended to be a post where other people came and added onto it with their two cents and eventually we DO have a complete guide because most people (unlike you) don't know everything. Yes, security professionals know alot of good info. No one here hires them for the most part. Again, otherwise we wouldn't be here in the first place.

Checking some of this stuff will help people figure out if there is a problem sometimes and may help them stop something from continuing on. But you know everything it looks like, so write your own damn guide and put mine to shame. I'm willing to accept defeat if it actually happens.

I have gotten servers put up by hosts with kernels almost older than me, everything setup running as root and the initial root PW of 1234 or something goofy. Many hosts are not quite as skilled at setting things up as they tell their customers come sales time.

I had a similar dispute with one guy here before also that offered such advice. It's not about giving a break or not, it's about the false sense of security, that i feel is far worse then if someone didn't have things outlined in the above text. With false sense of security, you feel nothing can touch you, even when you show people proof, they just repeat steps above and think "OK, check, all is good", or forward it to people that wrote them the above steps thinking they can fix the shit, when they can't. I feel that's far worse.

So add something useful or shut up.

nice post, thanks

I somewhat answered your post in my previous one.

Well having screenshots does make it more credible.... :)

Not in this industry.

who did you steal this info from?

Dbmbass keith kimmel trying to make friends here after he lost any respect he had left this week. Fucking scumbag.

How about you leave this place dude. I dont understand why you keep coming back. Is gfy the only place where people actually talk to you maybe?

Maybe you should learn how to conjugate the word "pay"! The past tense of the word isn't spelled "payed" rather it's "paid"! Dumb azz!!

I do think the title of the thread was: NEWBIE'S GUIDE

Attention... even negative attention, is still attention. And clearly if he had parents that gave a shit about him, he wouldn't be here right now trying to blow up the board with this NATS/TMM thing... sad really...

Hahaha. So that's the best you can do?

a) Newbies don't setup servers, hosting companies do, as in, not newbies.
b) If he knows how to setup his own server, he's past "newbie" stage.
c) False sense of security.

While I might not agree 100% with minusonebit, no one contributed to this thread and just said that he was wrong instead. Maybe you should post something credible so we can take you seriously.

You'd be surprised to see the knowledge of some of the "hosting companies".

A lot of linux distros and panels are completely wysiwyg and user friendly for the noobs since a couple of years.

There's no such thing as security. You can do stuff that will make you less vulnerable and minimize your chances of being compromised, but you can't ever be 100% safe ANYWAYS. Better tweak a couple of things than being wide open IMO.

I've replied enough why what he wrote is bad. Go google "how to secure a server" and you'll find even more great advices then what he outlined. That however, will serve you a big fat 0 in the real world when it comes to security.

I'm sure lots of people learned how to close their front door with this one.

Hiring a security expert is not for everyone, and basic stepts should be taken either way.

We might have a misunderstanding here... I don't totally disagree with you. I'm just saying that instead of just saying that he is wrong and why, why don't you post a link to your more relevant information.

Of course you can't teach security in one day(1st step is to learn to progam so it's a pretty long road) and noobs usually don't have a budget to get a security consultant/audit but in my opinion some is better than nothing.

I never said the info he posted here is bad either (as in what he said shouldn't be done, tho there are some questionable advices). I question his posting/motives/end result. As i wrote above, you'll have newbies go through that list "check, check, done that, have that..." and think "cool, i did all that, i'm secure". And to repeat myself, most of those things you'll already have setup on the server, and third point is that hackers don't even look for those things to get inside, and compromissed servers that are breached in ways he wrote above are maybe 1 in 1000. So this just seemed like a publicity stunt (100th time, google for "how to secure a server") with bad end results to me. Thus the original reply.

I understand your point and agree with your last post. However google for "how to secure a server" doesn't give much relevant results. Anyways, I'm not here to argue so I'll wish you a good evening and a Merry Christmas.

Something as sensible as that will never get considered here. Just the way this place is. One person contributed to the thread with something useful. If this was truly a worthless post, it would have been shot up on the other forums I copied and pasted it to as well.

Here are some replies from other forums where this was put up:

"Very good collection of hints, minusonebit!"
"wow...that is good to know,thank you dude"
"thanks for sharing"
"Now that is what I call best post of the year 2007. Thanks for sharing knowledge."

Now, some might be tempted to argue that GFY has an unusually high number of smart people posting here and that explains why all the other boards haven't shot it up yet. I won't even go there, other than to say this place is the ultimate toilet of intelligence and that such an argument would render its maker insane in the eyes of many. :1orglaugh

Not every forum is like this place. GFY has one of the highest per capita concentrations of trolls I have ever encountered online anywhere. Those serious about making money in adult - or online at all - would be wise to find some of the other forums and post on or read them them. Then they will see that what alot of the bigger players utter here on a regular basis in somewhat sarcastic overtones is true: that this place - for the most part - is where you come when you need to take a shit.

GFY is a mix of everything, but this is also definitly the online place where the most business gets done in adult.