Posts Tagged ‘Linux server’

Tips on keeping your Ubuntu Linux server secure

April 7th, 2010

As a system administrator, one of your chief tasks is dealing with server security. If your server is connected to the Internet, for security purposes, it’s in a war zone. If it’s only an internal server, you still need to deal with (accidentally) malicious users, disgruntled employees and the guy in accounting who really wants to read the boss’s secretary’s e-mail.

In general, Ubuntu Server is a very secure platform. The Ubuntu Security Team, the team that produces all official security updates, has one of the best turnaround times in the industry. Ubuntu ships with a no open ports policy, meaning that after you install the machine — be it an Ubuntu desktop or a server — no applications will be accepting connections from the Internet by default. Like Ubuntu desktops, Ubuntu Server uses the sudo mechanism for system administration, eschewing the root account. And finally, security updates are guaranteed for at least 18 months after each release (five years for some releases, like Dapper), and are free.

In this section, we want to take a look at filesystem security, system resource limits, dealing with logs and finally some network security. But Linux security is a difficult and expansive topic; remember that we’re giving you a crash course here, and leaving a lot of things out — to be a good administrator, you’ll want to learn more.

User Account Administration

Many aspects of user administration on Linux systems are consistent across distributions. Debian provides some convenience tools, such as the useradd command, to make things easier for you. But since Ubuntu fully inherits Debian’s user administration model, we won’t go into detail about it here. Instead, let us refer you to the O’Reilly Web site for the basics. After reading that page, you’ll have full knowledge of the standard model, and we can briefly talk about the Ubuntu difference: sudo.

Ubuntu doesn’t enable the root, or administrator, account by default. There is a great deal of security benefit to this approach and incredibly few downsides, all of which are documented at the man pages for sudo_root.

The user that you add during installation is the one who, by default, is placed into the admin group and may use sudo to perform system administration tasks. After adding new users to the system, you may add them to the admin group like this:

$ sudo adduser username admin

Simply use deluser in place of adduser in the above command to remove a user from the group.

One thing to keep in mind is that sudo isn’t just a workaround for giving people root access. It can also handle fine-grain permissions, such as saying, “allow this user to execute only these three commands with superuser privileges.”
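The “only these three commands” case described above, as an added example (not from the original article): a shell helper that writes a sudoers drop-in and syntax-checks it with visudo before it is installed. The user name deploy, the alias WEB_OPS, the three Apache command paths and the drop-in file name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumed names: user "deploy", alias
# WEB_OPS, the three command paths, and the drop-in file name.

# write_dropin USER OUTFILE: write a rule granting USER exactly three commands.
write_dropin() {
    user=$1
    out=$2
    cat > "$out" <<EOF
# Full paths and fixed arguments only: with no wildcards, sudo rejects any
# other argument list, e.g. "systemctl restart ssh".
Cmnd_Alias WEB_OPS = /usr/sbin/apache2ctl configtest, \\
                     /usr/sbin/apache2ctl graceful, \\
                     /usr/bin/systemctl restart apache2

$user ALL = (root) WEB_OPS
EOF
    chmod 0440 "$out"    # the mode sudo expects for sudoers files
}

# check_dropin FILE: syntax-check FILE with visudo (-c check only, -f file).
# Returns 0 if it parses, 1 if visudo rejects it, 2 if visudo is not installed.
check_dropin() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null 2>&1
}

# Typical use, as root:
#   write_dropin deploy /tmp/web-ops && check_dropin /tmp/web-ops &&
#       install -o root -g root -m 0440 /tmp/web-ops /etc/sudoers.d/web-ops
#   sudo -l -U deploy      # list what deploy may now run
```

Checking the file before it lands in /etc/sudoers.d matters because a syntax error in any sudoers file can leave sudo unusable for everyone.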

Documentation about specifying these permissions is available in the “sudoers” man page, which can be a bit daunting — feel free to skip close to the end of it, until you reach the EXAMPLES section. It should take you maybe 10 or 15 minutes to grok it, and it covers a vast majority of the situations for which you’ll want sudo. When y

Tips on basic Linux server security

April 5th, 2010

If you have just put your Apache web server online and are thinking about taking the first step in securing your system, this brief article will help you do that. Having your own server means understanding the responsibility that comes with it. While the web server itself (Apache in this example) is not a big security problem (at least not the software package itself), there are a few things you should take care of on your system.

Passwords

I presume you know that having a password like ‘Mom’ or ‘girlfriend’ is not a good start for securing your system. I usually prefer passwords with both numeric and alphabetical characters, plus some extra symbols. This is a good password: ILik3-PeN_gu1nS. Passwords should be complicated, as there are a lot of ways someone can get your encrypted password. When we are talking about Linux systems with a web server, the first thing that comes to my mind is all those numerous buggy CGI scripts that let someone get the /etc/passwd file from the attacked system. When that is done, a copy of Crack or John the Ripper can be used for cracking the password. Always remember: a good password is harder to crack. If you use some basic word for a password, a good wordlist will make the cracker software spit your unencrypted password on the screen in no time.
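An added check for the risk described above (not part of the original post): a leaked /etc/passwd only helps a cracker if its second field still carries a password hash, whereas shadowed entries show just x and keep the hash in the root-only /etc/shadow. The sample file below is constructed, and the hash string in it is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not from the post. Reads passwd(5)-format lines on stdin and
# reports accounts whose password field is dangerous if the file is disclosed.

audit_passwd() {
    awk -F: '
        /^#/ || NF == 0 { next }                    # skip comments and blank lines
        $2 == ""        { print "EMPTY " $1; next } # no password set at all
        $2 == "x"       { next }                    # shadowed: hash is in /etc/shadow
        $2 ~ /^[*!]/    { next }                    # locked, password login disabled
                        { print "HASH_IN_PASSWD " $1 }  # hash readable by every user
    '
}

# Constructed sample input (not taken from any real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
olduser:$1$PLACEHOLDER$notARealHashValue00000:1001:1001::/home/olduser:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
EOF
}

# Typical use on a live system:
#   audit_passwd < /etc/passwd
```

Any HASH_IN_PASSWD or EMPTY line is worth fixing before worrying about password complexity, since every local user and every file-disclosure bug can read /etc/passwd.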

File transfer and remote logins

Think about what software packages should run on your system, and remove the ones that you don’t need. If you are thinking about transferring files from and to your system, shut the FTPd down. There is a far more secure way that does the same – SCP. By quickly checking the man pages for SCP, we get: “scp copies files between hosts on a network. It uses ssh for data transfer, and uses the same authentication and provides the same security as ssh. Unlike rcp, scp will ask for passwords or passphrases if they are needed for authentication.”
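One way to confirm the FTP daemon really is shut down, as an added example (not from the original post): a filter over `ss -H -ltn` output that reports anything still listening on the FTP port or on the port used by rsh/rcp, and whether it is reachable from the network. The sample listener lines are constructed.

```shell
#!/bin/sh
# Added example, not from the post. Reads `ss -H -ltn` output on stdin and
# prints "service address:port scope" for cleartext transfer/login listeners.

flag_cleartext_listeners() {
    awk '
        BEGIN { svc[21] = "ftp"; svc[514] = "rsh/rcp" }
        $1 == "LISTEN" {
            n = split($4, part, ":")      # port is the text after the last colon
            port = part[n]
            if (!(port in svc)) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "network"
            print svc[port], addr ":" port, scope
        }'
}

# Constructed sample of `ss -H -ltn` output (not from a real host).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 5 127.0.0.1:514 0.0.0.0:*
LISTEN 0 32 [::]:21 [::]:*
EOF
}

# Typical use on a live system; empty output means neither service is listening:
#   ss -H -ltn | flag_cleartext_listeners
# The replacement transfer then goes over ssh, e.g.:
#   scp ./site.tar.gz user@server:/var/www/
```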
