Lock up your servers!
Hackers are a fact of life these days. Anyone who’s managed a server will know that the box will inevitably be probed, and logins attempted, on a daily basis. For example, on just one server we manage – which sits behind a firewall with only a very limited number of ports open – we’ve seen dozens of different login attempts from unauthorised sources over the last couple of days alone, including one sustained attempt to log in via SSH more than 2,500 times, and this is absolutely typical. So much so that these days we don’t even bother notifying the system administrator of the machine from which the logins were attempted. Gone are those days when we’d email administrators to warn them that their own machines may be compromised.
Many of these hacking attempts aren’t directly initiated by a person, but are far more likely to be the result of automated software that randomly picks machines and attempts to hack them via well-known existing security holes. Any successful break-in will be reported by the software to whoever set it going, and that person will then access the machine manually themselves. And, the chances are that he (almost never she) isn’t some uber-hacker with an encyclopaedic knowledge of Linux, or whatever operating system you’re running, but is far more likely to be some script kiddie who’s following the instructions – which are regrettably readily available on the net – to perform his break-in. The noble hacker has been displaced by the spotty 14-year-old with no social skills and far too much spare time.
So how do you ensure that these spotty little ‘Erberts don’t get access to your valuable data? Well, there are, of course, open-source tools available that will enable you to check your defences, monitor your system and warn you of any intrusions. But, before we look at these in detail, we’d be remiss not to point out that, first and foremost, you should ensure your border firewall blocks access to as much traffic as possible. If your people need to log in to machines remotely, open port 22 and make them use SSH to do so; if you have web servers, open ports 80 and 443 (for http and https); if you have email servers, open port 25 for SMTP and 110 for POP3 (or 143 if you’re using IMAP); but close down everything else.
Your firewall is your first line of defence, and there’s no excuse for leaving it open. Even if you’re renting a server from a hosting company rather than running the entire operation yourself, chances are the company will have a set of firewall rules you can configure – and there’s no excuse for not doing so.
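To make the port list above concrete, here is an added example (it is not from the article, and the ruleset is mine rather than the author's): a default-deny IPv4 ruleset in iptables-restore format that opens only SSH, HTTP, HTTPS, SMTP, POP3 and IMAP and drops everything else. It assumes a Linux host where those daemons listen on their standard ports and where the conntrack and comment modules are available; the service names in `ALLOWED_TCP` are labels I chose.

```shell
#!/bin/sh
# Added example, not from the article: a default-deny IPv4 ruleset in
# iptables-restore format that exposes only the services the article lists.
# Assumptions: the daemons run on their standard ports, conntrack is available,
# and iptables-restore is present on the box when the rules are actually loaded.

# Services the article allows through the border firewall, as name:port.
ALLOWED_TCP="ssh:22 http:80 https:443 smtp:25 pop3:110 imap:143"

# Print the ruleset. Nothing is loaded here; review the output first, then
# feed it to iptables-restore (see apply_rules).
build_rules() {
    printf '%s\n' '*filter'
    # Default policies: drop anything not explicitly accepted below.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic and replies to connections this host initiated.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One ACCEPT per allowed service; the comment module labels each rule.
    for svc in $ALLOWED_TCP; do
        name=${svc%%:*}
        port=${svc##*:}
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m comment --comment $name -j ACCEPT"
    done
    # Log what the policy is about to drop, rate-limited so probes cannot flood syslog.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

# Exit 0 if the generated ruleset accepts new connections to TCP port $1.
port_is_open() {
    build_rules | grep -q -- "--dport $1 "
}

# Validate the ruleset syntax without loading it, then load it (needs root).
apply_rules() {
    build_rules | iptables-restore --test && build_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run the script with no argument to review the rules it would load, and with `apply` as root to load them; the `--test` pass rejects a malformed ruleset before anything changes. The design point is deny-by-default: exposing a new service means adding one line to `ALLOWED_TCP`, and forgetting to do so fails closed rather than open.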
Okay, so you’ve set up your server and firewall and you’re using yum, up2date or the like to ensure you have the latest versions of all the software (remember: you’re far more likely to be hit through a recently discovered vulnerability than an old one, so keep any externally accessible programs such as the SSH daemon and your web server completely up to date). Now you should check that your machine really is as invulnerable as you think it is, and there’s a good range of software to help you with this. We’ve chosen a few that we’ve used with success, but do spend time using your favourite search engine to find the one that best suits you.
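Before reaching for a scanner, a cheap first check is to ask the box itself what it is listening on and compare that with the handful of ports you meant to expose. The script below is an added example, not something from the article or from any of the tools it goes on to discuss. It assumes `ss` from iproute2 is installed for a live run; the `ss -H -ltn` output embedded in `SAMPLE_SS` is constructed so the logic can be exercised offline, and the 3306, 11211 and 6379 listeners in it are made-up examples of the sort of thing that turns up.

```shell
#!/bin/sh
# Added example, not from the article: list the TCP ports a server is really
# listening on and report any that are not on the short allowed list.
# Assumptions: `ss` (iproute2) is available for a live run; the sample output
# below is constructed, not captured from a real host.

# The ports the article says should be reachable from outside.
ALLOWED_PORTS="22 80 443 25 110 143"

# Constructed sample of `ss -H -ltn` output: State Recv-Q Send-Q Local Peer.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 511 *:443 *:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 50 0.0.0.0:11211 0.0.0.0:*'

# Read ss-style lines on stdin and print "port address" for each listener that
# is neither on ALLOWED_PORTS nor bound to loopback only (loopback listeners
# are not reachable from outside, so they are not a firewall concern here).
unexpected_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            laddr = $4
            port = laddr; sub(/.*:/, "", port)       # text after the last colon
            addr = laddr; sub(/:[^:]*$/, "", addr)   # everything before it
            if (port in ok) next
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print port, addr
        }' | sort -n -u
}

# Live check: exit 0 when nothing unexpected is listening, 1 otherwise.
audit_live() {
    out=$(ss -H -ltn | unexpected_ports)
    [ -z "$out" ] || { printf 'Unexpected listeners:\n%s\n' "$out"; return 1; }
}

# Number of unexpected listeners in the constructed sample (self-check).
sample_unexpected_count() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_ports | wc -l | tr -d ' '
}

case "${1:-}" in
    live) audit_live ;;
    *)    printf '%s\n' "$SAMPLE_SS" | unexpected_ports ;;
esac
```

With no argument the script runs over the embedded sample and reports the two externally bound listeners that are not on the list; `sh audit.sh live` does the same against the running host. Anything it prints is either a service you forgot to firewall or a daemon you did not know was running, and either way it should be resolved before you trust the results of an external scan.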
The first product we’ll look at is Nessus Vulnerability Scanner, an extremely fully featured package, which – like many on the market – comes in both free and paid-for versions. In fact, the basic software always comes free, and what you pay for is a subscription to a vulnerability database, with updates for the latest vulnerabilities. (The updates are available for free too, but delayed by seven days to non-paying customers – an annual feed currently costs $1,200.)