This post is meant for Linux newbies.
So you finally decide to set up a Linux machine to serve the glorious content you have created. Your Linux machine may seem invincible behind the safety of your home or corporate router’s firewall, but once it becomes a publicly accessible server, it becomes highly vulnerable to hackers, DoS bots, and spammers. If you are managing a VPS, or if have your own machine or VM exposed to the Internet through port forwarding, it becomes your responsibility to keep the machine secure and updated. A compromised machine is not only bad for your own business, but it can also become a device for hackers to launch other attacks.
Typical server uses include
- publishing a website/app
- ftp server
- ssh server
Common ways to compromise a server are
- exploiting a 0-day or other unpatched security vulnerability
- crash it with a Denial of Service attack
- brute force password cracking
I’ll just dump the basic practices I follow in hopes that it may some day help another uninformed soul. Since I’m no security expert, please take everything with a grain of salt.
Keep Everything Updated
This advice often falls on deaf ears. Outdated software is not only deficient in terms of features, it is also full of security holes that can be exploited by hackers.
On most Linux distros, updating software is as simple as
sudo apt-get update && sudo apt-get upgrade
or Red Hat style:
sudo yum update && sudo yum upgrade
Sometimes packages need you to a ‘dist-upgrade’ instead of ‘upgrade’, which should be fine most of the time.
Software updates always carry the risk of breaking things. I have run into servers running five year old versions of Apache, PHP, Perl, etc just to avoid the discomfort of dealing with broken dependencies. Most times these machines are located on private isolated networks so the threat is somewhat mitigated, but this is an absolute no-no on a publicly accessible server.
If you are extremely worried about updates breaking your server, you can choose to do the updates manually on a regular basis so that you can carefully examine what is being updated and what effects each update may have. But this is generally going overboard, as most software developers are careful about what they release and would never want to break millions of machines on the Internet. For everyone else, I recommend some automated way of patching your machines. The simplest way I know of is to create a cron job to do this regularly:
Edit the crontab file for the root user:
sudo crontab -e
(Choose your desired editor if prompted and) Add the following statement to update your system daily at midnight:
0 0 * * * apt-get update && apt-get -y dist-upgrade
(assumes a Debian type system).
Even with the most up-to-date software, expert hackers can still find holes that are not known publicly yet and get inside a system. But if those kind of guys are after you, then you shouldn’t be managing your server security yourself.
TO BE CONTINUED..