7 Security Measures For Your Servers

A quick guide to a few security measures you should be considering from the start

Blue Light Tech

Configuring security best practices before, or while, you set up applications heads off trouble later, so it is an important thing to consider from the start.

  1. SSH Keys
  2. Firewalls
  3. VPNs
  4. Public Key Infrastructure and SSL/TLS Encryption
  5. Service Auditing
  6. File Auditing
  7. Isolated Execution Environments

SSH Keys

This means generating a key pair, one private key and one public key, before authenticating. They are cryptographic keys that an SSH server accepts in place of password-based logins. The public key can be shared with anyone, while the private key stays with the user and must be kept secret and secure. Placing the user’s public key in a special directory on the server is what enables authentication: once the server has verified the key, the client can connect without a password.

How Do They Enhance Security?

SSH encrypts the authentication exchange either way, but a password can still be guessed by someone trying to get into the server. An SSH key contains far more bits than a password, which makes it vastly harder for an attacker to get past. Even modern computing power is not considered enough to crack most SSH keys.

How difficult is this to implement?

Once a key pair is generated on your machine, copying the public key to your servers takes only a few minutes, so setup is easy. SSH keys are the recommended way to access a Unix or Linux server remotely.
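
Keys only help if the server actually stops accepting passwords. The following check is an added example, not code from the original article: a POSIX shell function that reads an sshd_config file and reports whether password logins are off, public-key logins are on, and root cannot log in with a password. The keyword names are real OpenSSH settings; the file paths used in the comments are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the article): check an sshd_config file for the
# settings that make key-based login the only way in. sshd uses the FIRST
# value it finds for each keyword, and this check stops at the first "Match"
# block, so anything inside a Match section still needs reviewing by hand.

# sshd_setting <config> <Keyword>: print the first effective value (lowercased).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }   # stop at the first Match block
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# check_sshd_hardening <config>: return 0 when the file enforces key-only
# logins, 1 otherwise, printing one line per finding. When a keyword is
# absent the OpenSSH default for it is assumed.
check_sshd_hardening() {
    cfg=$1
    rc=0
    pa=$(sshd_setting "$cfg" PasswordAuthentication);          [ -n "$pa" ] || pa=yes
    pk=$(sshd_setting "$cfg" PubkeyAuthentication);            [ -n "$pk" ] || pk=yes
    pr=$(sshd_setting "$cfg" PermitRootLogin);                 [ -n "$pr" ] || pr=prohibit-password
    ce=$(sshd_setting "$cfg" ChallengeResponseAuthentication); [ -n "$ce" ] || ce=yes
    [ "$pa" = no ]  || { echo "PasswordAuthentication is '$pa', expected no"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is '$pk', expected yes"; rc=1; }
    case $pr in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '$pr', expected no or prohibit-password"; rc=1 ;;
    esac
    # Keyboard-interactive (PAM) prompts are another way a password can be typed in.
    [ "$ce" = no ]  || { echo "ChallengeResponseAuthentication is '$ce', expected no"; rc=1; }
    return $rc
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config   (path is an assumed default)
if [ "$#" -gt 0 ]; then
    check_sshd_hardening "$1"
fi
```

Run it after placing a public key in the account's authorized keys and before restarting sshd; a non-zero exit means a password login path is still open.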

Firewalls

A firewall, whether hardware or software, lets you restrict access on every port to only what should be publicly available. With one in place you can completely block ports that are not in use, allow everyone access to public services, block outside access to internal services, and restrict private services according to specific criteria.

How difficult is this to implement?

Set up the firewall during the initial setup of a server and revisit it whenever you change the services it runs. This only takes a few minutes; CSF, UFW and iptables are all options.
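
The policy described above (deny by default, public services open to all, private services only from trusted addresses) as a UFW script. This is an added example, not the article's own code: the port numbers and the 10.0.0.0/8 trusted range are assumed values to adapt, and setting UFW_CMD=echo previews the commands without changing anything, which is how the script can be checked on a machine where you are not root.

```shell
#!/bin/sh
# Added example (not from the article): an allowlist firewall with ufw.
# Set UFW_CMD=echo to preview the commands; the real run needs root.
UFW_CMD=${UFW_CMD:-ufw}

# Assumed values: public services everyone may reach, and private services
# reachable only from the trusted network. Ports not listed stay closed.
PUBLIC_PORTS="80/tcp 443/tcp"
PRIVATE_PORTS="5432/tcp 6379/tcp"
TRUSTED_NET=${TRUSTED_NET:-10.0.0.0/8}

apply_firewall() {
    # 1. Deny everything inbound by default; unused ports are simply never opened.
    $UFW_CMD default deny incoming
    $UFW_CMD default allow outgoing
    # 2. Keep SSH reachable but rate-limited: ufw blocks an address that
    #    attempts 6 or more connections in 30 seconds.
    $UFW_CMD limit 22/tcp
    # 3. Public services: open to everyone.
    for p in $PUBLIC_PORTS; do
        $UFW_CMD allow "$p"
    done
    # 4. Private services: only from the trusted network, nothing from outside.
    for p in $PRIVATE_PORTS; do
        port=${p%/*}
        proto=${p#*/}
        $UFW_CMD allow from "$TRUSTED_NET" to any port "$port" proto "$proto"
    done
    # 5. Turn it on (--force skips the interactive confirmation).
    $UFW_CMD --force enable
}

# Usage: sudo sh firewall.sh          (apply)
#        UFW_CMD=echo sh firewall.sh  (preview)
if [ "${1:-}" != "--no-run" ]; then
    apply_firewall
fi
```

Always put the SSH rule in before enabling the firewall; enabling a default-deny policy on a remote server without it locks you out.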

VPNs

A VPN is a private network available only to particular users or servers. It provides a secure connection between remote computers, so you can keep an internal network private and control who joins it through the VPN login.

How do they enhance security?

By keeping most server-to-server connections, and the data they carry, on a private network rather than the public internet, you are immediately more secure. You limit the number of public connections possible while keeping the same functionality for trusted computers via the VPN.

How difficult is this to implement?

Setting up a VPN requires a VPN service to be installed and configured, along with further configuration of the applications that must communicate through it. There are a few options out there; a common choice is OpenVPN.

Public Key Infrastructure and SSL/TLS Encryption

Public Key Infrastructure, or PKI, is a system that creates, manages and validates certificates, used both to encrypt communication and to identify individuals.

How do they enhance security?

The main use of encryption like this is to prevent man-in-the-middle attacks, in which an intruder pretends to be one of your servers and intercepts traffic. With it in place, each server identifies itself with its own unique identifier, which removes the possibility of an intruder imitating it.

How difficult is this to implement?

PKI can involve a fair amount of administration and configuration, ensuring that all tickets are created, signed and removed correctly. Getting this wrong can cause communication to be lost entirely, so it is an important job, and it tends to be advised only once your setup is large enough to warrant it.
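
To make the two points above concrete (a server proving its identity with a certificate, and the administration of creating and signing them), here is an added example that is not part of the article: a tiny private PKI driven by the openssl command-line tool. One CA key signs a certificate for each internal server, clients trust only that CA, and a certificate signed by any other key fails verification, which is what shuts out an impostor server. The file names and the host name db.internal are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the article): a minimal private PKI with openssl.
# Assumed layout: <dir>/ca.key and <dir>/ca.crt for the CA, <dir>/<host>.*
# for each server. The CA key is the thing to protect; it never leaves the
# machine that does the signing.

# make_ca <dir> <name>: self-signed CA certificate plus private key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert <dir> <hostname>: key and CSR for a server, signed by the CA in <dir>.
# The subjectAltName extension is what clients match the host name against.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -days 90 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# verify_cert <ca.crt> <server.crt>: 0 if the certificate chains to that CA,
# non-zero otherwise. This is the check a client performs before trusting a peer.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh mini_pki.sh /path/to/pki db.internal
if [ "$#" -eq 2 ]; then
    [ -f "$1/ca.crt" ] || make_ca "$1" "Internal CA"
    issue_cert "$1" "$2"
    verify_cert "$1/ca.crt" "$1/$2.crt" && echo "$2: certificate verified"
fi
```

The short 90-day lifetime is deliberate: it forces the renewal routine to exist, which is the administrative burden the text warns about, and it limits how long a leaked server key stays useful.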

Service Auditing

This means analysing your systems, understanding the attack surface they expose, and locking down components as well as possible. The information gathered also helps in configuring firewall settings.

How does it enhance security?

With a full report of the security measures that are in place, and of those that are missing, across your infrastructure, you can test and improve them and identify potential weak spots. The security of your system should improve as a result, and if an intrusion does occur, finding the weakness should be much easier thanks to that structured knowledge.

How difficult is it to implement?

A basic check can be done with a single command line using netstat, which shows which services are listening on which ports (and therefore which ports are currently exposed). The command is:

sudo netstat -plunt
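
Reading that listing by eye works once; for a repeatable audit it helps to compare it against a list of what should be listening. The following is an added example, not from the article: a shell function that reads `netstat -plunt` output, flags any listener not on an allowlist, and notes whether it is bound to every interface (0.0.0.0 or ::) or only locally. The sample netstat output at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): audit listening sockets against an allowlist.
# Live usage:  sudo netstat -plunt | audit_listeners "tcp/22 tcp/5432 udp/53"
# Exit status 1 means something unexpected is listening, so it can gate a cron job.

# audit_listeners <allowlist>: entries look like "tcp/22" or "udp/53"
# (tcp6/udp6 listeners are checked against the tcp/udp entry).
# netstat -plunt prints Local Address in column 4 and PID/Program name last;
# udp lines have no State column, so the program is taken from the last field.
audit_listeners() {
    allowed=" $1 "
    rc=0
    while read -r proto rq sq local foreign rest; do
        case $proto in tcp|tcp6|udp|udp6) ;; *) continue ;; esac   # skip header lines
        port=${local##*:}
        addr=${local%:*}
        family=${proto%6}
        prog=${rest##* }
        case $allowed in
            *" $family/$port "*) ;;
            *)
                if [ "$addr" = "0.0.0.0" ] || [ "$addr" = "::" ]; then
                    scope="ALL INTERFACES"
                else
                    scope="local ($addr)"
                fi
                echo "unexpected $family listener on port $port, $scope, $prog"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of `sudo netstat -plunt` output for the demo (not real data).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1203/postgres
tcp6       0      0 :::8080                 :::*                    LISTEN      2290/java
udp        0      0 127.0.0.53:53           0.0.0.0:*                           540/systemd-resolve'

# Usage: sh audit_listeners.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "tcp/22 tcp/5432 udp/53"
fi
```

In the sample, port 8080 is the finding: it is not on the allowlist and it is bound to all interfaces, so it is reachable from outside unless the firewall blocks it.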

File Auditing

This detects unauthorized changes by comparing the current system against a record of the files, and their characteristics, taken when the system was in a known good state. An intrusion detection system (IDS) is, put simply, software that monitors a network or system for any unauthorized activity.

How do they enhance security?

Many intruders aim to stay hidden on your server so that they can keep exploiting it. The only reliable way to be sure your filesystem is clean is to run checks like this, confirming that no binaries deep in the system have been altered and made unsafe.

How difficult is this to implement?

Implementing such a system can be quite labour-intensive: you must tell the system about every change you make to the server so that it is not flagged, and the baseline of the “safe” configuration may need to be recreated at regular intervals, after system and program updates.
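
The baseline-and-compare routine the last two paragraphs describe, as an added example that is not the article's own code and not a real IDS: two shell functions built on sha256sum, one to record a hash of every file under a directory and one to report files that have changed, gone missing, or appeared since. The directory paths are assumptions for the demo; on a real server you would baseline the system binaries and configuration directories and keep the baseline file somewhere the server cannot rewrite.

```shell
#!/bin/sh
# Added example (not from the article): a file-integrity baseline with sha256sum,
# in the spirit of an IDS such as AIDE or Tripwire but with none of their scope.

# make_baseline <dir> <baseline-file>: record the hash of every regular file
# under <dir>, in a stable order so two baselines can be diffed directly.
make_baseline() {
    (cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum) > "$2"
}

# check_baseline <dir> <baseline-file>: print modified, missing and new files.
# Returns 0 only if the tree matches the baseline exactly.
check_baseline() {
    dir=$1
    base=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    rc=0
    # 1. Changed or missing files: sha256sum -c recomputes every listed hash
    #    and reports "FAILED" (wrong hash) or "FAILED open or read" (gone).
    out=$(cd "$dir" && sha256sum -c --quiet "$base" 2>&1) || rc=1
    [ -z "$out" ] || printf '%s\n' "$out"
    # 2. New files: anything on disk that the baseline does not list.
    #    sha256sum -c never notices these, which is why an IDS also compares
    #    directory listings, not just hashes.
    listed=$(mktemp)
    awk '{ sub(/^[^ ]+  /, ""); print }' "$base" > "$listed"
    new=$(cd "$dir" && find . -type f | grep -vxF -f "$listed" || true)
    rm -f "$listed"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/new file: /'
        rc=1
    fi
    return $rc
}

# Usage: sh fim.sh baseline <dir> <file>   |   sh fim.sh check <dir> <file>
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

After a planned update, rerun make_baseline so the new versions of the updated files become the reference; until then every updated binary will show up as changed, which is the maintenance cost the text refers to.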

Isolated Execution Environments

This means running individual components in their own dedicated space; how far you go depends on the realities of your infrastructure and your application’s requirements. You can configure services to run in chroot environments or containers, or separate discrete application components onto their own servers.

How do they enhance security?

By isolating sections of the system, an intruder who gets in is limited in what they can reach: each part of the system is separated from the others, so further intrusions would be necessary for them to achieve anything. An example would be separating your web server from your database server, so that an intrusion into one does not instantly mean the entire system is taken.

How difficult is this to implement?

In many systems, isolating components can be simple, but it depends entirely on the structure of your project. Most, however, can be separated out onto different servers entirely, making each section its own environment.

Conclusion

Security features need to be included from the outset, in line with the services and systems you are using. They should be one of your priorities rather than an afterthought implemented once other areas have been addressed. Whatever you implement at first can then be improved, tweaked and upgraded as your system grows.


1 Comment


James - 04/11/2015 09:46:44

Interesting article to read, definitely some sections of security that I hadn't considered.