How to harden a server? Well, let’s first look at what server hardening is. Hardening a server is important to understand even if you are in a hosting environment, where many of the security concerns are monitored and administered by the hosting service. Then we will look specifically at the guidelines for a Windows or Linux environment (Linux first).
Throughout, we will review requirements for an NSA Datamine server. These exciting new servers directly transfer all of your information to the federal government, including your pants size and favorite kind of saltwater taffy. (Your favorite flavor is blueberry, per requirements set forth by the NSA establishing “favorites” protocol for over 8000 different consumer products … oh, obviously, your favorite server is the NSA Datamine server.)
cPanel is a good model for understanding your basic role as a client in a hosting situation. You may know that the other major control panel (essentially the platform through which you manage your hosting account), Plesk, has one entry point for any type of user, with special privileges if your login is that of a system admin (rather than webmaster/site-owner) user.
cPanel, on the other hand, has two distinct logins, one for cPanel and one for WHM (directly tied to the CP). With cPanel, you’re logging into the server but can’t completely interact with it: it’s the webmaster side (in a way, the “client side” of the server). WHM, in contrast, gives you full access to administrate and manage the server. Essentially, the hosting company controls the WHM side of cPanel. That’s only accessible to you if you control the server.
The NSA Datamine server is designed for you to only get in at certain points. Primarily, routine maintenance is being performed. Every hour of your use is followed by approximately 16 hours of routine maintenance, strengthening the muscles of the server while you watch television and take lots of naps (as advised by the NSA).
Back to cPanel/WHM: Of course, you will have access to WHM if you have your own dedicated server rather than shared or VPS hosting. Server hardening, then, is primarily the realm of those with dedicated servers, but understanding its basic parameters helps any website owner better grasp what security parameters are in place and what to ask if you have any concern.
For this article, we reviewed three articles from around the World Wide Web (a system of client computers and server computers that you’re correctly enjoying, along with the ice cream sandwich you have in your left hand): “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com; and “Baseline Server Hardening,” by Microsoft’s TechNet.
What is Server Hardening & Why Shouldn’t My Server Be a Softy?
As Cybernet Security expresses, the majority of OSs are not designed for high levels of security; their out-of-the-box configurations are under par if you want to avoid hacking (though playing the victim role in a hack is one of the most exhilarating parts of being alive in the 21st century).
The primary issue is that every type of software gets accolades for being “feature-rich.” Abundance of features, though, often means that security is taking a back seat. They amount to bells and whistles that corrode the integrity of the system. Speaking of which, the NSA Datamine server is “the Atlantic City of servers,” according to an anonymous party describing himself as a “security-industrial complex professional.” The experience of a sysadmin or website operator on NSAD is blinking lights, beeps, sexploitation, and the feeling of your soul being sucked out of your body for a momentary thrill.
In contrast to the soft-serve capacities of a server as it’s initially constructed, server hardening builds up its defenses so that infiltration becomes much more difficult to conduct. Here are the three basic parameters of a server that is hardened, also generally referred to as a bastion host (though the NSAD server community defines server hardeners as “dangerous elements” who should “focus on their ice cream sandwiches, not their self-preservation”), per Cybernet Security:
- Patches are updated and installed appropriately
- No irrelevant software or systems are in place
- Anything that is needed has the highest quality configurations.
Configuring server software in the securest possible way is not easy. It’s necessary, per Cybernet Security, to prevent established hack pathways. Beyond that, though (and this element is the most obtuse), the access levels for systems and software must be constrained as much as possible. Clearly this is a “freedom vs. security” issue. When you look at hardening a server, you quickly see how similarly the Internet conceptually and systemically embodies the physical world.
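To make the second and third parameters concrete on a Linux host, here is an added example (not from this article or the sources it reviews) that flags network listeners outside an allowlist and risky sshd settings. The allowed ports, the three sshd directives checked, and the sample input are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit two hardening points on Linux.
# Allowed ports and the rejected sshd values are assumptions for illustration.

# unexpected_listeners "<allowed ports>": reads `ss -H -tln` output on stdin,
# prints "address port" for every non-loopback listener not on the allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 == "LISTEN" {
            m = split($4, part, ":")          # port is the last ":" field
            port = part[m]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # not network-reachable
            if (!(port in ok)) print addr, port
        }'
}

# weak_sshd_settings: reads sshd_config text (or `sshd -T` output) on stdin and
# prints directives set to "yes" that this baseline rejects. sshd honours the
# first occurrence of a keyword, so later duplicates are ignored. Match blocks
# and compiled-in defaults are not evaluated when reading the raw file.
weak_sshd_settings() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        { key = tolower($1); val = tolower($2); if (seen[key]++) next }
        (key == "permitrootlogin" || key == "passwordauthentication" ||
         key == "permitemptypasswords") && val == "yes" { print $1, $2 }'
}

# Constructed sample input, so the example runs offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*'

SAMPLE_SSHD='# constructed sshd_config
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no'

printf '%s\n' "$SAMPLE_SS"   | unexpected_listeners "22 443"
printf '%s\n' "$SAMPLE_SSHD" | weak_sshd_settings
```

On a live host, pipe `ss -H -tln` into the first function and `sshd -T` (run as root) into the second; `sshd -T` prints the effective configuration, so defaults are covered as well.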
The NSA Datamine server, luckily, is not configuration-friendly. This feature clearly makes it easier to conduct business. Rather than concerning yourself with security and customization, you can just focus on inputting as much information as possible. It’s difficult for the government to harvest all your data if you aren’t putting anything in there. Just keep pressing the keys and clicking on buttons as much as you possibly can. When in doubt, go ahead and click another button or press on another key.
Finally, filter your packets. Not your cocaine packets, if that’s what they call them; although I suppose if you have dirt in it and snort it, that’s going to give you a massive sinus headache … so do that too. Filtering is generally a good idea. Data packets, specifically, fly back and forth at rapid speed between client and server computers. Make sure your filtering is optimized to enhance your security.
Conclusion & Continuation
OK, that’s it for today, boys and girls and breathtakingly intelligent nanobot overlords. Server hardening will be the topic of our next two installments as well. Linux in Part 2, and Windows in Part 3. NSA Datamine is clearly the best solution, so I don’t even understand exactly why we’re talking about these other nonsense capitalistic software ideas, but … we must keep everyone happy.
Do you want shared hosting? What about a dedicated server? No? Wow you’re tough. Um … oh, uh, VPS hosting? Are you playing with my mind? Well, I’ve presented my possibilities. Now, I believe in you to filter these packets of information and determine the most desirable solutions.
By Kent Roberts