How can I secure my servers?

February 7, 2011 at 19:08:10
Specs: CentOS
I am currenly involved in a group at school that has the task of setting up and configuring a network. We need to run DNS, Web, Mail, and FTP. In April we are taking them to the competition where there will be one team of users and a team of hackers. We currently have CentOS 5.5 and Webmin installed on the systems. What would be some suggestions for making these systems as secure as possible? We are also running shorewall firewall.

I would really appreciate any suggestions!


See More: How can I secure my servers?

Report •

#1
February 8, 2011 at 00:32:55
Turn off all services that you don't use. Don't use the "inetd" daemon. Make sure that you have installed all the latest patches. Examine your firewall configuration to ensure that you are only allowing in the protocols that you require. Make sure that you have set strong passwords on all accounts. Do not allow remote root access. Examine all logs at regular intervals.

If I were doing this I would use FreeBSD as the OS and run all external services in a "jail"; that way, even if one of the services is compromised the main OS isn't. In a commercial setting I would run a separate server in a DMZ for external services with access from internal machines being NATed.

If the hackers are any good they will almost certainly still find some chinks in your system.


Report •

#2
February 8, 2011 at 03:55:48
Just one more thought. You could run another copy of CentOS on your server, using VirtualBox, and run all external services on that VM. That way your main OS is inacessible from the outside world (or can be if you firewall it correctly). Should the VM be compromised it would be much easier to restore it using a saved image of its hard disk. (This is, in essence, the same as setting up a jail in FreeBSD.)

Report •

#3
February 8, 2011 at 11:11:01
I have used those suggestions except for jailing the users. The group last year did that and was docked points because it was not practical for business use. I setup proftpd and set the user shell to /nologin and restricted them to the home directories.

Also, good thought about doing a VM, but I don't think the competition will allow that. We are going to use a filesystem backup and config file backups through webmin.


Report •

Related Solutions

#4
February 8, 2011 at 12:33:38
I wasn't thinking of jailing users as such, just individual processes - for example the DNS server. But it does sound as if even that might be against the rules of the competition, so perhaps best avoided. Otherwise, I can't think of much more that you can do.

If you were starting from scratch I would suggest that you consider another OS. In particular, OpenBSD has a reputation for being one of the most secure operating systems around.

Anyway, good luck with the competition. IT sounds kinda fun and a great way to learn about security.


Report •

#5
February 8, 2011 at 12:39:32
Run OpenBSD.

It will get hacked since you have applications that are full of holes.

"The era of big government is over," said Clinton 1996


Report •

#6
February 10, 2011 at 14:07:48
Thanks for the tips!


Report •

#7
February 11, 2011 at 11:32:35
I have a strange issue with the ProFTPD. I can access it internally just fine, but outside the router I do not get a directory listing. I have port 21 forwarded on the router already and open in shorewall. What am I missing? SSH works just fine externally on port 22.


Report •

Ask Question