7 Security Measures to Protect your Servers | DigitalOcean

By: Justin Ellingwood
Mar 5, 2015
Tags: Security, Firewall, Networking, VPN
Source: https://www.digitalocean.com/community/tutorials/7-securit...

Introduction

When setting up infrastructure, getting your applications up and running will often be your primary concern. However, getting your applications to function correctly without addressing the security needs of your infrastructure could have devastating consequences down the line.

In this guide, we will talk about some basic security practices that are best to configure before or as you set up your applications.


SSH Keys

SSH keys are a pair of cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins. A private and public key pair are created prior to authentication. The private key is kept secret and secure by the user, while the public key can be shared with anyone.

To configure SSH key authentication, you must place the user's public key on the server in a special directory. When the user connects to the server, the server will ask for proof that the client has the associated private key. The SSH client will use the private key to respond in a way that proves ownership of the private key. The server will then let the client connect without a password. To learn more about how SSH keys work, check out our article here.

How Do They Enhance Security?

With SSH, any kind of authentication, including password authentication, is completely encrypted. However, when password-based logins are allowed, malicious users can repeatedly attempt to access the server. With modern computing power, it is possible to gain entry to a server by automating these attempts and trying combination after combination until the right password is found.

Setting up SSH key authentication allows you to disable password-based authentication. SSH keys generally have many more bits of data than a password, meaning that there are significantly more possible combinations that an attacker would have to run through. Many SSH key algorithms are considered uncrackable by modern computing hardware simply because they would require too much time to run through possible matches.

How Difficult is this to Implement?

SSH keys are very easy to set up and are the recommended way to log into any Linux or Unix server environment remotely. A pair of SSH keys can be generated on your machine and you can transfer the public key to your servers within a few minutes.

To learn about how to set up keys, follow this guide. If you still feel that you need password authentication, consider implementing a solution like fail2ban on your servers to limit password guesses.
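One way to carry out the two steps above (install the public key, then turn password logins off) as an added example that is not from the original article: the functions operate on whatever sshd_config path and home directory they are given, so they can be tried on a copy first, and they assume OpenSSH's sshd_config syntax.

```shell
#!/bin/sh
# Key-only SSH logins: install a public key and disable password authentication.
# Added example, not from the original article; assumes OpenSSH sshd_config syntax.
set -eu

# set_directive FILE KEY VALUE
# Remove every existing occurrence of KEY (active or commented out) and append "KEY VALUE".
# sshd uses the first value it reads for a directive, so merely appending
# "PasswordAuthentication no" below an earlier "PasswordAuthentication yes" would not work.
set_directive() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" 'BEGIN { k = tolower(k) }
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t=]+/)
          if (tolower(f[1]) == k) next; print }' "$file" > "$tmp"
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"      # cat rather than mv keeps the file's owner and mode
    rm -f "$tmp"
}

# harden_sshd_config FILE: enforce key-only authentication.
harden_sshd_config() {
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication no
    # Without this, PAM's keyboard-interactive path can still accept a password.
    set_directive "$1" ChallengeResponseAuthentication no
}

# effective_value FILE KEY: print the value sshd would use (first active match wins).
effective_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/)
          if (tolower(f[1]) == k) { print f[2]; exit } }' "$1"
}

# check_sshd_config FILE: succeed only if password logins are off and keys are allowed.
check_sshd_config() {
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(effective_value "$1" ChallengeResponseAuthentication)" = "no" ] &&
    [ "$(effective_value "$1" PubkeyAuthentication)" != "no" ]
}

# install_pubkey HOMEDIR PUBKEY_LINE: add a key to authorized_keys with the strict
# permissions sshd requires (it ignores the file if they are looser), without duplicates.
install_pubkey() {
    home=$1 key=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}
```

On distributions whose sshd_config begins with an Include of a sshd_config.d directory, check those files too, because an included file is read first and its value wins. Validate the result with `sshd -t` and keep an existing session open while you restart the service.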

Firewalls

A firewall is a piece of software (or hardware) that controls what services are exposed to the network. This means blocking or restricting access to every port except for those that should be publicly available.

On a typical server, a number of services may be running by default. These can be categorized into the following groups:

- Public services that can be accessed by anyone on the internet, often anonymously. A good example of this is a web server that might allow access to your site.
- Private services that should only be accessed by a select group of authorized accounts or from certain locations. An example of this may be a database control panel.
- Internal services that should be accessible only from within the server itself, without exposing the service to the outside world. For example, this may be a database that only accepts local connections.

Firewalls can ensure that access to your software is restricted according to the categories above. Public services can be left open and available to everyone and private services can be restricted based on different criteria. Internal services can be made completely inaccessible to the outside world. For ports that are not being used, access is blocked entirely in most configurations.

How Do They Enhance Security?

Firewalls are an essential part of any server configuration. Even if your services themselves implement security features or are restricted to the interfaces you'd like them to run on, a firewall serves as an extra layer of protection.

A properly configured firewall will restrict access to everything except the specific services you need to remain open. Exposing only a few pieces of software reduces the attack surface of your server, limiting the components that are vulnerable to exploitation.

How Difficult is this to Implement?

There are many firewalls available for Linux systems, some of which have a steeper learning curve than others. In general though, setting up the firewall should only take a few minutes and will only need to happen during your server's initial setup or when you make changes in what services are offered on your computer.

A simple choice is the UFW firewall. Other options are to use iptables or the CSF firewall.

VPNs and Private Networking

Private networks are networks that are only available to certain servers or users. For instance, in DigitalOcean, private networking is available in some regions as a data-center-wide network.

A VPN, or virtual private network, is a way to create secure connections between remote computers and present the connection as if it were a local private network. This provides a way to configure your services as if they were on a private network and connect remote servers over secure connections.

How Do They Enhance Security?

Utilizing private instead of public networking for internal communication is almost always preferable given the choice between the two. However, since other users within the data center are able to access the same network, you still must implement additional measures to secure communication between your servers.

Using a VPN is, effectively, a way to map out a private network that only your servers can see. Communication will be fully private and secure. Other applications can be configured to pass their traffic over the virtual interface that the VPN software exposes. This way, only services that are meant to be consumable by clients on the public internet need to be exposed on the public network.

How Difficult is this to Implement?

Utilizing private networks in a datacenter that has this capability is as simple as enabling the interface during your server's creation and configuring your applications and firewall to use the private network. Keep in mind that data-center-wide private networks share space with other servers that use the same network.

As for VPN, the initial setup is a bit more involved, but the increased security is worth it for most use cases. Each server on a VPN must install and configure the shared security and configuration data needed to establish the secure connection. After the VPN is up and running, applications must be configured to use the VPN tunnel. To learn about setting up a VPN to securely connect your infrastructure, check out our OpenVPN tutorial.

Public Key Infrastructure and SSL/TLS Encryption

Public key infrastructure, or PKI, refers to a system that is designed to create, manage, and validate certificates for identifying individuals and encrypting communication. SSL or TLS certificates can be used to authenticate different entities to one another. After authentication, they can also be used to establish encrypted communication.

How Do They Enhance Security?

Establishing a certificate authority and managing certificates for your servers allows each entity within your infrastructure to validate the other members' identity and encrypt their traffic. This can prevent man-in-the-middle attacks where an attacker imitates a server in your infrastructure to intercept traffic.

Each server can be configured to trust a centralized certificate authority. Afterwards, any certificate that the authority signs can be implicitly trusted. If the applications and protocols you are using to communicate support TLS/SSL encryption, this is a way of encrypting your system without the overhead of a VPN tunnel (which also often uses SSL internally).

How Difficult is this to Implement?

Configuring a certificate authority and setting up the rest of the public key infrastructure can involve quite a bit of initial effort. Furthermore, managing certificates can create an additional administration burden when new certificates need to be created, signed, or revoked.

For many users, implementing a full-fledged public key infrastructure will make more sense as their infrastructure needs grow. Securing communications between components using VPN may be a good stopgap measure until you reach a point where PKI is worth the extra administration costs.
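The minimum PKI the section describes (one private CA that every server trusts, plus a certificate per server signed by it), as an added example with the openssl command-line tool; it is not from the original article. It assumes OpenSSL 1.1.1 or later, writes everything under the directory it is given, and carries its own config so the system openssl.cnf cannot change the result.

```shell
#!/bin/sh
# Minimal internal CA with the openssl CLI. Added example, not from the original article;
# assumes OpenSSL 1.1.1+ and writes all material under the directory passed as $1.
set -eu

# make_ca DIR NAME: create the private CA that every server will be configured to trust.
make_ca() {
    dir=$1 name=$2
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
# overridden by -subj on the command line
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # The CA key is the root of trust for the whole infrastructure: keep it off the
    # servers it signs for, readable only by its owner.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$dir/ca.key" 2>/dev/null
    chmod 600 "$dir/ca.key"
    openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/ca.key" -sha256 -days 1825 \
        -subj "/CN=$name" -out "$dir/ca.crt"
}

# issue_server_cert DIR HOST: key and CSR for HOST, signed by the CA with SAN=HOST.
issue_server_cert() {
    dir=$1 host=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$host.key" 2>/dev/null
    chmod 600 "$dir/$host.key"
    openssl req -new -config "$dir/ca.cnf" -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr"
    # Extensions are set by the signer, not copied from the CSR, so a requester cannot
    # ask for CA:TRUE or for names it does not own.
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null
}

# verify_chain CA_CERT LEAF_CERT HOST: the check a client performs before trusting a peer:
# the certificate must chain to the CA and must be issued for the name being connected to.
verify_chain() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

Distributing ca.crt to every server (and never ca.key) is what lets each component validate the others; the hostname check in verify_chain is what stops a valid certificate for one server from being presented as another.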

Service Auditing

Up until now, we have discussed some technology that you can implement to improve your security. However, a big portion of security is analyzing your systems, understanding the available attack surfaces, and locking down the components as best as you can.

Service auditing is a process of discovering what services are running on the servers in your infrastructure. Often, the default operating system is configured to run certain services at boot. Installing additional software can sometimes pull in dependencies that are also auto-started.

Service auditing is a way of knowing what services are running on your system, which ports they are using for communication, and what protocols are accepted. This information can help you configure your firewall settings.

How Does It Enhance Security?

Servers start many processes for internal purposes and to handle external clients. Each of these represents an expanded attack surface for malicious users. The more services that you have running, the greater chance there is of a vulnerability existing in your accessible software.

Once you have a good idea of what network services are running on your machine, you can begin to analyze these services. Some questions that you will want to ask yourself for each one are:

- Should this service be running?
- Is the service running on interfaces that it doesn't need to? Should it be bound to a single IP?
- Are your firewall rules structured to allow legitimate traffic to pass to this service?
- Are your firewall rules blocking traffic that is not legitimate?
- Do you have a method of receiving security alerts about vulnerabilities for each of these services?

This type of service audit should be standard practice when configuring any new server in your infrastructure.

How Difficult is this to Implement?

Doing a basic service audit is incredibly simple. You can find out which services are listening on ports on each interface by using the netstat command. A simple example that shows the program name, PID, and addresses being used for listening for TCP and UDP traffic is:

    sudo netstat -plunt

You will see output that looks like this:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      887/sshd
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      919/nginx
    tcp6       0      0 :::22                   :::*                    LISTEN      887/sshd
    tcp6       0      0 :::80                   :::*                    LISTEN      919/nginx

The main columns you need to pay attention to are Proto, Local Address, and PID/Program name. If the address is 0.0.0.0, then the service is accepting connections on all interfaces.
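The same audit, scripted so it can be run over netstat output saved from many servers, as an added example that is not from the original article: it classifies each listening socket by scope and lists the programs reachable on every interface, which are exactly the ones the questions above must be answered for. The sample output is constructed and extends the four lines shown above with a loopback-only database and a UDP service (UDP rows have no State column, which the parser has to allow for).

```shell
#!/bin/sh
# Classify listening sockets from saved `netstat -plunt` output.
# Added example, not from the original article; `ss -tulpn` prints a different layout
# and is not handled here.
set -eu

# classify_listeners FILE: one line per socket: PROTO SCOPE ADDRESS PORT PROGRAM
#   SCOPE is ALL   (0.0.0.0 or :: -> reachable on every interface),
#            LOCAL (loopback only), or
#            ONE   (bound to a single address).
classify_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }          # skip the two header lines
        {
            proto = $1; local = $4; prog = $NF  # UDP rows have no State column: use $NF
            sub(/^[0-9]+\//, "", prog)          # "887/sshd" -> "sshd"
            n = split(local, a, ":"); port = a[n]
            addr = substr(local, 1, length(local) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::")        scope = "ALL"
            else if (addr == "127.0.0.1" || addr == "::1") scope = "LOCAL"
            else                                           scope = "ONE"
            printf "%s %s %s %s %s\n", proto, scope, addr, port, prog
        }' "$1"
}

# exposed_programs FILE: programs accepting traffic on every interface. Each one should be
# public by design, restricted by firewall rules, or rebound to a single address.
exposed_programs() {
    classify_listeners "$1" | awk '$2 == "ALL" { print $5 }' | sort -u
}

# Constructed sample: the article's four lines plus a loopback-only database and a UDP resolver.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      887/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      919/nginx
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1043/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      887/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      919/nginx
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1020/named
EOF
}
```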

File Auditing and Intrusion Detection Systems

File auditing is the process of comparing the current system against a record of the files and file characteristics of your system when it is in a known-good state. This is used to detect changes to the system that may not have been authorized.

An intrusion detection system, or IDS, is a piece of software that monitors a system or network for unauthorized activity. Many host-based IDS implementations use file auditing as a method of checking whether the system has changed.

How Do They Enhance Security?

Similar to the above service-level auditing, if you are serious about ensuring a secure system, it is very useful to be able to perform file-level audits of your system. This can be done periodically by the administrator or as part of an automated process in an IDS.

These strategies are some of the only ways to be absolutely sure that your filesystem has not been altered by some user or process. For many reasons, intruders often wish to remain hidden so that they can continue to exploit the server for an extended period of time. They might replace binaries with compromised versions. Doing an audit of the filesystem will tell you if any of the files have been altered, allowing you to be confident in the integrity of your server environment.

How Difficult is this to Implement?

Implementing an IDS or conducting file audits can be quite an intensive process. The initial configuration involves telling the auditing system about any non-standard changes you've made to the server and defining paths that should be excluded to create a baseline reading.

It also makes day-to-day operations more involved. It complicates updating procedures, as you will need to re-check the system prior to running updates and then recreate the baseline after running the update to catch changes to the software versions. You will also need to offload the reports to another location so that an intruder cannot alter the audit to cover their tracks.

While this may increase your administration load, being able to check your system against a known-good copy is one of the only ways of ensuring that files have not been altered without your knowledge. Some popular file auditing / intrusion detection systems are Tripwire and AIDE.
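The baseline-and-compare cycle described in this section, reduced to its core, as an added example that is not from the original article and is not Tripwire or AIDE: a baseline of content hashes and permission bits is recorded for a tree, and a later comparison reports files that were added, changed or removed. It assumes GNU coreutils (sha256sum, stat -c) and paths without spaces.

```shell
#!/bin/sh
# Minimal file-integrity check in the spirit of Tripwire or AIDE.
# Added example, not from the original article; assumes GNU coreutils and paths without spaces.
set -eu

# make_baseline DIR OUT: record "sha256 mode path" for every regular file under DIR.
# The mode is recorded as well, so a permission change (such as a newly added setuid bit)
# is reported even when the file content is identical.
make_baseline() {
    dir=$1 out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sum=$(sha256sum "$f" | cut -d' ' -f1)
          mode=$(stat -c '%a' "$f")
          printf '%s %s %s\n' "$sum" "$mode" "$f"
      done ) > "$out"
}

# compare_baseline DIR BASELINE: print ADDED/CHANGED/REMOVED lines for every difference
# between the live tree and the baseline; exit status 0 only when nothing differs.
# Keep BASELINE and these reports off the audited host, as the article advises, so an
# intruder cannot rewrite the reference to match the files they altered.
compare_baseline() {
    dir=$1 base=$2
    cur=$(mktemp)
    make_baseline "$dir" "$cur"
    diffs=$(awk '
        FILENAME == ARGV[1] { seen[$3] = $1 " " $2; next }   # baseline entries
        {
            if (!($3 in seen))              print "ADDED   " $3
            else if (seen[$3] != $1 " " $2) print "CHANGED " $3
            delete seen[$3]
        }
        END { for (p in seen) print "REMOVED " p }          # left over: gone from disk
    ' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$diffs" ] || { printf '%s\n' "$diffs"; return 1; }
}
```

A new baseline must be taken right after each deliberate update, which is the operational cost the section describes.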

Isolated Execution Environments

Isolating execution environments refers to any method in which individual components are run within their own dedicated space.

This can mean separating out your discrete application components to their own servers or may refer to configuring your services to operate in chroot environments or containers. The level of isolation depends heavily on your application's requirements and the realities of your infrastructure.

How Do They Enhance Security?

Isolating your processes into individual execution environments increases your ability to isolate any security problems that may arise. Similar to how bulkheads and compartments can help contain hull breaches in ships, separating your individual components can limit the access that an intruder has to other pieces of your infrastructure.

How Difficult is this to Implement?

Depending on the type of containment you choose, isolating your applications can be relatively simple. By packaging your individual components in containers, you can quickly achieve some measure of isolation, but note that Docker does not consider its containerization a security feature.

Setting up a chroot environment for each piece can provide some level of isolation as well, but this also is not a foolproof method of isolation, as there are often ways of breaking out of a chroot environment. Moving components to dedicated machines is the best level of isolation, and in many cases may be the easiest, but may cost more for the additional machines.

Conclusion

The strategies outlined above are only some of the enhancements you can make to improve the security of your systems. It is important to recognize that, while it's better late than never, security measures decrease in their effectiveness the longer you wait to implement them. Security cannot be an afterthought and must be implemented from the start alongside the services and applications you are providing.


8 Comments


laurence0521 March 11, 2015

While these are all fairly obvious if you've ever worked in industry, this is a great introduction to those who have not. Well written!

MChorfa March 20, 2015

It would be really nice if there were an [end to end configuration] example with CoreOS and Docker and all the security already setup. Hope @digitalocean will produce one :)

Lee March 20, 2015

Thanks for this, interesting read, will adopt some of these.

cube March 21, 2015

In the section, "File Auditing and Intrusion Detection Systems", you say that IDS is difficult to admin. I am using a backup tool called the Barebones Encrypted File Storage System as a lightweight IDS. It creates incremental backups and sends me an e-mail with the list of changed files. It doesn't stop changes from happening but simply reports them. If I need to roll back for any reason, I've got 31 days worth of incrementals to work with. I've used it on a few occasions that had nothing to do with system intrusion and more to do with administrator stupidity. Over the years of administrating Linux boxes, I've learned the hard way that backing up everything under /etc on a regular basis is extremely important. Getting extra mileage as an IDS is icing on the cake.

chadbuie March 22, 2015

Thanks for the insight there. I recently had a droplet go down for some reason, I'm overwhelmed with all the things that can go wrong. At times very drowning; literally.

steve588264 April 2, 2015

Intrusion Detection is not hard. Install OSSEC. While there are some good changes one should make to the configuration files for maximum effect, it works very well straight out of the box.

http://www.ossec.net/

jellingwood April 2, 2015

@steve588264: While initial set up is one factor, the primary reason that intrusion detection is difficult to administer is not related to installation or configuration. Intrusion detection systems, at their core, are responsible for detecting any changes on the system and reporting back.

If you are doing routine maintenance on your servers (and if you have a significant number of servers), you will have to deal with one of two scenarios. First, you could suffer through alerts and whitelisting changes on every security update. Or you could juggle the process of running a scan to catch any anomalous changes on the current filesystem, turning your IDS system off, updating the system, and then rebuilding the database to mark the new system as a clean slate.

The OSSEC docs themselves state that there is no easy way around this. If you are managing significant infrastructure, this administrative overhead can get unwieldy.

That being said, it's definitely worth seeking out the software that you find easiest to manage. If OSSEC is easier than the alternatives, that would be a significant advantage.

Remik April 11, 2015

portsentry available in debian repos is worth mentioning too. works similar to fail2ban almost out of the box.

    root@droplet ~> grep portsentry /var/log/syslog* | grep Host | uniq | sort | wc -l
    109

Copyright © 2015 DigitalOcean™ Inc.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.