Home > Security
> News & Services > Server Security
Server Security Tips
Operators of Unix workstations and servers -- as well as Windows
computers offering network services -- must keep security in
mind at all times when administering these systems. Attacks against
Unix and Windows network services have increased dramatically
in the recent past, and show no signs of abating.
The time to start thinking about system security is
before installing a new system. The CERT/CC has
written a checklist
of steps to improve system security on Unix hosts, from
initial installation to ongoing maintenance. The SANS Institute
offers a similar Top
Twenty List of Windows and Unix vulnerabilities. Checking
for these vulnerabilities can make significant inroads into
Windows servers, like Windows desktop systems,
can be affected by viruses and other hostile programs.
Worms -- virus-like programs that spread via network services
-- can attack servers with security
vulnerabilities. Check regularly for Microsoft
hotfixes and patches to Windows and Windows services.
Whenever you set up a server system, or a Unix workstation,
take care to disable any unneeded network services. Programs
such as Unix
lsof -i can help you identify currently
running services. Every service running is a potential avenue
of attack; by turning off those you don't need, you cut off attacks
before they happen.
On System V Unix systems and Linux systems, shut off
daemons in the startup scripts or by using tools that do this, such as
chkconfig. Startup scripts are usually found in
/etc/rc.d. Shut off individual inetd services by commenting them
/etc/inetd.conf. On recent Red Hat systems, edit xinetd
Whenever setting up a new server system, patch first,
then test, then open access. That is to say, don't open firewall holes for
a service (such as FTP or HTTP) before you have brought the daemon
up to date with the latest security fixes, and tested that those
fixes went into effect. First, install the updates and restart
the service if needed. Then test that the patches actually applied
-- for instance, connect to the server and check the version
number. Then set the server's security requirements (such as
disallowing anonymous access). Only finally should you put in
firewall rule requests, after the service is fully ready for
exposure to the outside world.
A commonly exploited service is the SMTP, or email,
Unix systems are often set up to run sendmail as a daemon, which
is usually unnecessary. Sendmail has a long history of vulnerabilities,
and older versions commonly allow "open relaying",
which lets spammers abuse your system to send spam to other sites.
Windows server systems may also have an SMTP server installed
unnecessarily, especially alongside the IIS Web server.
Every user account on your system needs a password -- and passwords
need to be complex enough to foil automated password guessing
programs! Use combinations of letters, numbers, and punctuation
symbols to make passwords harder to guess. If you have trouble
remembering compelex passwords, try using the initials of a phrase,
modified suitably: for instance, tWm|n-1R from Abraham Lincoln's "the
world may little note nor long remember", with | and 1 standing
in for the letter L.
Restrict access to network services with TCP Wrappers, xinetd,
or other access filtering utilities. Linux users should look
into Bastille Linux, a system for hardening Linux system security.
Web server administrators: Beware of "test" CGI scripts! Many Web servers, including versions of Microsoft IIS and some
Unix vendors' distributions of Apache, come with CGI scripts
intended to test or demonstrate the Web server features. Many
of these scripts are badly programmed and, if exposed to the
world, can provide attackers with easy access to your system.
Remove all sample and test CGI scripts before starting up your
Web server. The same goes for script demos in PHP or other script
Please use Secure Shell (SSH) rather than Telnet
or rlogin for remote login to Unix and Linux hosts. Telnet is
allows eavesdroppers to intercept your password. rlogin and rsh
are worse, allowing anyone who can forge packets to gain access
to trusting systems. Many current systems come with some form
of SSH installed; CIS recommends the OpenBSD Project's OpenSSH
server and client. OpenSSH client is installed by default
on Red Hat, Debian, and Mac OS X. Windows users can use OpenSSH
with the Cygwin Unix emulation environment.
When in doubt, ask CIS! We're here to help you and will happily
review your system for known security problems. CIS staff can
provide advice as well as hands-on assistance in improving the
security of your system. Contact the CIS support staff for your
computing platform for more information on securing your system.
Keep in mind -- securing your system can be a lot of work, but
the payoff in protection against attacks is well worth it. Just
as having insurance costs a little money but pays off by covering
large expenses in case of accident, securing your system may
cost time (and money) today, but prevents much greater costs
in the future.
- FirewallPolicy (available soon) -- if you are running a
server, you might want firewall ports open for it