Server Security Tips
Operators of Unix workstations and servers -- as well as Windows
computers offering network services -- must keep security in
mind at all times when administering these systems. Attacks against
Unix and Windows network services have increased dramatically
in the recent past, and show no signs of abating.
The time to start thinking about system security is
before installing a new system. The CERT/CC has
written a checklist of steps to improve system security on Unix hosts, from
initial installation to ongoing maintenance. The SANS Institute
offers a similar Top Twenty List of Windows and Unix vulnerabilities.
Checking your systems against these lists goes a long way toward
preventing successful attacks.
Windows servers, like Windows desktop systems,
can be affected by viruses and other hostile programs.
Worms -- virus-like programs that spread via network services
-- can attack servers with security
vulnerabilities. Check regularly for Microsoft
hotfixes and patches to Windows and Windows services.
Whenever you set up a server system, or a Unix workstation,
take care to disable any unneeded network services. Commands such as
netstat -a (netstat -tulnp on Linux, which also shows the owning process)
and lsof -i list the ports on which daemons are listening, and so show
you which services are currently running. Every service running is a
potential avenue of attack; by turning off those you don't need, you
cut off attacks before they happen.
On System V Unix systems and Linux systems, shut off
daemons in the startup scripts, or use a tool that does this for you, such as
chkconfig on Red Hat. Startup scripts are usually found in /etc/init.d or
/etc/rc.d. Shut off individual inetd services by commenting them
out in /etc/inetd.conf and then sending inetd a HUP signal so that it
rereads the file. Recent Red Hat systems use xinetd instead: edit the
per-service files in /etc/xinetd.d (set "disable = yes") and restart xinetd.
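Putting the inventory-and-disable steps above into practice, as an added example that is not the CIS page's own: it lists the listeners reachable from the network in a constructed piece of netstat output (which happens to include a sendmail daemon on port 25), then comments out one service in a constructed inetd.conf fragment written to a temporary file. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the CIS page): inventory network-exposed listeners
# and disable an inetd service. The netstat output and the inetd.conf
# fragment below are constructed; on a live host use the real output of
# `netstat -tulnp` (Linux) or `lsof -i -P -n`, and the real /etc/inetd.conf.

# Constructed `netstat -tulnp` output (Linux format; PID/program needs root).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      940/sendmail
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      655/cupsd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      700/xinetd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           512/portmap'

# list_exposed: print "proto port program" for every listener bound to all
# interfaces (0.0.0.0, or the IPv6 wildcard :::), i.e. reachable from the
# network. Loopback-only listeners such as cupsd above are left out.
list_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")
            addr = a[1]; port = a[n]
            if (addr == "0.0.0.0" || addr == "") {
                prog = $NF
                sub(/^[0-9]+\//, "", prog)     # "812/sshd" -> "sshd"
                print $1, port, prog
            }
        }'
}

# make_sample_inetd_conf: write a constructed inetd.conf fragment to a temp
# file (so the edit below is safe to run) and print its path.
make_sample_inetd_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed inetd.conf fragment: service socket proto wait user server args
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
EOF
    printf '%s\n' "$f"
}

# disable_inetd_service FILE SERVICE: comment out SERVICE's line in an
# inetd.conf-style FILE. The pattern is anchored on the first field, so
# disabling "ftp" leaves "tftp" alone. On a real system follow this with
# `kill -HUP <inetd pid>` so inetd rereads the file.
disable_inetd_service() {
    sed "s/^\($2[[:space:]]\)/#\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# enabled_inetd_services FILE: names of the services still active in FILE.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# Demo when run directly.
echo "Network-exposed listeners:"
list_exposed
f=$(make_sample_inetd_conf)
disable_inetd_service "$f" ftp
echo "inetd services still enabled: $(enabled_inetd_services "$f" | tr '\n' ' ')"
rm -f "$f"
```

For daemons started from the SysV scripts rather than inetd, chkconfig --list on Red Hat shows which services start at each runlevel and chkconfig sendmail off turns one off; lsof -i -P -n gives the same listener-to-process mapping as netstat -p and also works on systems whose netstat lacks that option.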
Whenever setting up a new server system, patch first,
then test, then open access. That is to say, don't open firewall holes for
a service (such as FTP or HTTP) before you have brought the daemon
up to date with the latest security fixes, and tested that those
fixes went into effect. First, install the updates and restart
the service if needed. Then test that the patches actually applied
-- for instance, connect to the server and check the version
number. Then set the server's security requirements (such as
disallowing anonymous access). Only finally should you put in
firewall rule requests, after the service is fully ready for
exposure to the outside world.
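The "test that the patches actually applied" step above, as an added example that is not the CIS page's own: it pulls the version number out of a service banner and compares it with the minimum you expect to see after patching. The two banners are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the CIS page): check that a patched daemon really
# reports the version you expect, by parsing its banner. The two banners
# below are constructed; on a live host capture them with, for example,
# `printf '' | nc server 22` (SSH) or `curl -sI http://server/` (HTTP).

SSH_BANNER='SSH-2.0-OpenSSH_3.4p1'          # constructed
HTTP_BANNER='Server: Apache/1.3.26 (Unix)'  # constructed

# banner_version BANNER PRODUCT: print the dotted version that follows
# PRODUCT in BANNER ("OpenSSH_3.4p1" -> 3.4, "Apache/1.3.26" -> 1.3.26).
banner_version() {
    printf '%s\n' "$1" | sed -n "s|.*$2[_/ ]\([0-9][0-9.]*\).*|\1|p"
}

# version_ge A B: succeed if dotted version A is >= B, comparing numerically
# component by component (a suffix such as "4p1" counts as 4).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_patched BANNER PRODUCT MINVERSION: report whether the running
# PRODUCT is at or above MINVERSION. Returns 1 if it is below, 2 if no
# version could be read from the banner.
check_patched() {
    v=$(banner_version "$1" "$2")
    if [ -z "$v" ]; then
        echo "$2: no version found in banner '$1'" >&2
        return 2
    fi
    if version_ge "$v" "$3"; then
        echo "$2 $v is at or above $3: patch is in effect"
    else
        echo "$2 $v is BELOW $3: patch did not take effect" >&2
        return 1
    fi
}

# Demo when run directly.
check_patched "$SSH_BANNER" OpenSSH 3.4
check_patched "$HTTP_BANNER" Apache 1.3.26
check_patched "$HTTP_BANNER" Apache 1.3.27 || echo "(do not open the firewall yet)"
```

Two caveats a practitioner should keep in mind: vendors such as Red Hat often backport a fix into the version they already ship, so the banner keeps the old number even though the hole is closed, and Apache's ServerTokens directive can hide the version altogether. Treat the banner check as a sanity check that the restarted daemon is the one you patched, and confirm with the package manager (for instance rpm -q openssh-server) and the vendor's advisory.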
A commonly exploited service is the SMTP, or email,
server.
Unix systems are often set up to run sendmail as a listening daemon, which
is usually unnecessary: a host that only needs to send mail can run
sendmail as a queue runner only (without the -bd daemon flag), with
nothing listening on port 25. Sendmail has a long history of vulnerabilities,
and older versions (before 8.9) relay mail for anyone by default ("open
relaying"), which lets spammers abuse your system to send spam to other sites.
Windows server systems may also have an SMTP server installed
unnecessarily, especially alongside the IIS Web server.
Every user account on your system needs a password -- and passwords
need to be complex enough to foil automated password guessing
programs! Use combinations of letters, numbers, and punctuation
symbols to make passwords harder to guess. If you have trouble
remembering complex passwords, try using the initials of a phrase,
modified suitably: for instance, tWm|n-1R from Abraham Lincoln's "the
world may little note nor long remember", with | and 1 standing
in for the letter L.
Restrict access to network services with TCP Wrappers (hosts.allow and
hosts.deny), xinetd's only_from and no_access directives,
or other access filtering utilities. Linux users should look
into Bastille Linux, a hardening script for Linux systems.
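An added example, not part of the CIS page, that models the hosts.allow / hosts.deny lookup that TCP Wrappers (tcpd) performs, so that a rule set can be checked before it is relied on. The rule files are constructed in a temporary directory and the function names are this example's own. It supports ALL, exact names or addresses, leading-dot domain suffixes and trailing-dot address prefixes; netmask and EXCEPT forms, and the fact that real tcpd tries both the client's hostname and its address, are not modeled.

```shell
#!/bin/sh
# Added example (not from the CIS page): evaluate tcpd-style hosts.allow /
# hosts.deny rules for a (daemon, client) pair. Supports ALL, exact values,
# ".domain" suffixes and "10.1." prefixes only. The rule files are
# constructed below in a temporary directory.

# pattern_matches PATTERN VALUE: one daemon or client pattern against a name.
pattern_matches() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$val" in *"$pat") return 0 ;; esac ;;   # .example.edu
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # 10.1.
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# list_matches LIST VALUE: LIST is a comma- or space-separated pattern list.
list_matches() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        if pattern_matches "$p" "$2"; then return 0; fi
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: does any "daemon_list : client_list"
# rule in FILE match this pair?
file_matches() {
    while IFS= read -r line; do
        line=${line%%#*}                    # drop comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        clients=${clients%%:*}              # ignore an optional shell-command field
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# tcpd_decision ALLOWFILE DENYFILE DAEMON CLIENT: prints allow or deny in
# tcpd's order: hosts.allow first, then hosts.deny, otherwise allow.
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow        # nothing matched: tcpd's default is to grant access
    fi
}

# make_sample_rules: write constructed hosts.allow / hosts.deny files into a
# temp directory and print its path.
make_sample_rules() {
    d=$(mktemp -d) || return 1
    cat > "$d/hosts.allow" <<'EOF'
# constructed hosts.allow: sshd from the local net or domain, ftpd from one host
sshd:    10.1., .example.edu
in.ftpd: 10.1.2.3
EOF
    cat > "$d/hosts.deny" <<'EOF'
# constructed hosts.deny: everything not explicitly allowed
ALL: ALL
EOF
    printf '%s\n' "$d"
}

# Demo when run directly.
d=$(make_sample_rules)
for c in 10.1.2.77 host.example.edu 192.0.2.10; do
    echo "sshd from $c: $(tcpd_decision "$d/hosts.allow" "$d/hosts.deny" sshd "$c")"
done
echo "in.ftpd from 10.1.2.4: $(tcpd_decision "$d/hosts.allow" "$d/hosts.deny" in.ftpd 10.1.2.4)"
# Without the "ALL: ALL" deny line, an unmatched client is let in.
: > "$d/hosts.deny"
echo "sshd from 192.0.2.10, empty hosts.deny: $(tcpd_decision "$d/hosts.allow" "$d/hosts.deny" sshd 192.0.2.10)"
rm -rf "$d"
```

The last case is the one that bites: hosts.allow only ever grants, so without a catch-all "ALL: ALL" in hosts.deny a client that matches neither file is allowed. Against the real files, tcpdmatch(8), which ships with TCP Wrappers, answers the same question for a given daemon and client.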
Web server administrators: Beware of "test" CGI scripts! Many Web servers, including versions of Microsoft IIS and some
Unix vendors' distributions of Apache, come with CGI scripts
intended to test or demonstrate the Web server features. Many
of these scripts are badly programmed and, if exposed to the
world, can provide attackers with easy access to your system.
Remove all sample and test CGI scripts before starting up your
Web server. The same goes for script demos in PHP or other script
languages.
Please use Secure Shell (SSH) rather than Telnet
or rlogin for remote login to Unix and Linux hosts. Telnet is
unencrypted and allows eavesdroppers to intercept your password. rlogin
and rsh are worse: they authenticate by the client's source address and
.rhosts or hosts.equiv trust, so anyone who can forge packets can gain
access to a trusting system without any password at all. Many current
systems come with some form of SSH installed; CIS recommends the OpenBSD
Project's OpenSSH server and client. The OpenSSH client is installed by
default on Red Hat, Debian, and Mac OS X. Windows users can use OpenSSH
with the Cygwin Unix emulation environment.
When in doubt, ask CIS! We're here to help you and will happily
review your system for known security problems. CIS staff can
provide advice as well as hands-on assistance in improving the
security of your system. Contact the CIS support staff for your
computing platform for more information on securing your system.
Keep in mind -- securing your system can be a lot of work, but
the payoff in protection against attacks is well worth it. Just
as having insurance costs a little money but pays off by covering
large expenses in case of accident, securing your system may
cost time (and money) today, but prevents much greater costs
in the future.
See also:
- FirewallPolicy (available soon) -- if you are running a
server, you might want firewall ports open for it