Before I start, please note this is not a comprehensive tutorial on server security; it is just my observations on what is most effective. Reading this will not make you an expert in server security and you should still do all your own research. Server security is also not a fixed skill and needs to be continuously updated, as hackers do not stop learning either.
I have been managing the security for several thousand hosting accounts spread over many servers for 11 years now and have learnt what is most effective in that time. It has now been 4 years since a successful attack has been made on one of the servers I manage. In the bad old days when I first started there were regular security holes in major daemons such as BIND (named) which could be remotely escalated to root. This meant the hacker could take over the entire server as root and the damage they did could be dramatic. These days that is extremely rare and is handled much better. However, application bugs are on the rise, with more hobbyist PHP programmers writing seriously bad code and just uploading it to live servers. Here are my top tips that should keep you safe from the vast majority of these problems.
- Always, always, always install updates. It's very easy to do and can save you loads of grief. For example, under CentOS (as root) just type “yum update”.
- Install mod_security. This has been the single most important security tool I have seen and has prevented many millions of attacks on servers I manage.
- Never delete a rule in mod_security. You can disable it for certain locations (URLs) but never delete it server wide. Always investigate why the rule is being tripped and research it properly.
- Don't have development tools installed on a live server. Installing GCC on a live server, for example, puts a great deal of power into a hacker's hands should they gain limited access.
- Ensure you have a firewall installed. This will not protect you from attacks these days, as attackers tend to use PHP application exploits the most. But it does prevent them using your server as an IRC server should they gain access to an account on it. This on its own is reason enough to install a firewall and block all incoming ports except the ones you need.
- Disable shell access for everyone except yourself. No other users need an SSH account except the person managing the server.
- Move SSH to a different port. Not a big deal in itself, but it does save your logs from filling up with failed SSH login messages, making the log much easier to read.
- Read the php.ini file headers and use the most secure default settings, for example display_errors = Off; and if you are using an older version of PHP then register_globals = Off is essential. If some of your software won't work with this turned off, it's time to upgrade the software or move to another package.
- Create a new superuser in MySQL and remove the root user; ensure that there is no remote access to your MySQL server and only allow connections from localhost.
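To check the php.ini tip above against a real file, here is a small POSIX shell audit script I have added as an example; it is not from the original post. The `ini_value`, `is_off` and `php_ini_audit` names are my own, the sample php.ini it reads is constructed, and it goes one directive beyond the post by also checking `allow_url_include`.

```shell
#!/bin/sh
# Hypothetical php.ini audit helper (added example, not from the post). It reads
# an ini file the way PHP does (last uncommented assignment wins) and flags
# directives that should be Off on a live server.
# ini_value FILE KEY: print KEY's effective value, or "unset" if absent.
ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }            # full-line comment
        {
            line = $0
            sub(/[[:space:]]*;.*$/, "", line)    # strip trailing comment
            n = index(line, "=")
            if (n == 0) next                     # not an assignment
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { val = v; found = 1 } # later lines override
        }
        END { print (found ? val : "unset") }' "$1"
}
# is_off VALUE: succeed when PHP treats VALUE as boolean false.
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        off|0|no|false|'') return 0 ;;
        *) return 1 ;;
    esac
}
# php_ini_audit FILE: one line per directive; returns 1 if any is not Off.
# An absent directive is reported as a risk, since PHP's built-in default applies.
php_ini_audit() {
    rc=0
    for d in display_errors register_globals allow_url_include; do
        v=$(ini_value "$1" "$d")
        if is_off "$v"; then
            echo "ok    $d = $v"
        else
            echo "RISK  $d = $v (set it to Off)"
            rc=1
        fi
    done
    return $rc
}
# Constructed sample file for the demo (not a real server's php.ini).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
display_errors = On
display_errors = Off   ; this later assignment is the one PHP uses
register_globals = On
allow_url_include = Off
EOF
php_ini_audit "$SAMPLE" || echo "insecure settings found, fix before going live"
rm -f "$SAMPLE"
```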
These are not the only steps you need to take but they are the top ones that come to mind when setting up a new server.