Category Archives: Software

Many Different Flavors of Linux: A Look at Distros & How They Taste

 

Pentubuntu, the different Linux Distribution

When you look at servers, one of the most important decisions you need to make is the operating system. Typically that means choosing between Windows and Linux. However, you may choose to use a dedicated server (a server you control, with a hosting company or on your own) or co-location (using a hosting company’s data center to store your server in an ultra-secure environment). In that case, you will have a wide variety of types of Linux you can potentially explore. The same is true of your PC desktop.

Linux has all these options to choose from because it is an open-source (freely available source code) version of UNIX. UNIX, then, is the real base operating system. Linux became an incredibly popular version of UNIX, the standard for use by high-tech folks and many companies around the globe. Due to its widespread adoption and the fact that it is open source and can be manipulated as desired, a widespread array of versions has proliferated.

Perhaps the best part of Linux flavors is, in fact, not how they operate or feel but how they taste. Probably the most ridiculous comment Bill Gates ever made was when he complained that “all species of Linux taste like chicken.” He then explained that Windows tasted “like a warm blueberry muffin at one moment, like crisp roast duck the next.” Granted, he was a little inebriated when he made these comments, and it’s also possible it wasn’t him. Some guy who looked like Gates definitely said this, though.

Firewalls 101: Hardware, Software & Web Application Firewalls – Part 3

Web Applications in Real Life

Okay everyone… As we are learning in this series, it turns out what our grandparents have been telling us since we were born (first conveyed to us via crudely hand-drawn pictures and a primal, baby-rattle version of Morse code) is accurate. You really can never get enough information about firewalls. For that reason, we are discussing them at length: first firewalls in general; then distinctions between hardware and software firewalls; and finally, in this post, Web application firewalls (WAFs).

The primary articles cited for this series are from the Michigan Cyber Initiative (“Hardware Firewall vs. Software Firewall”); Open Web Application Security Project (“Best Practices: Use of Web Application Firewalls”); PCWorld (“What You Should

Firewalls 101: Hardware, Software & Web Application Firewalls

 

DMZ network diagram 2 firewalls

Firewalls: We all know they are vital for Internet security, but what are their basic purposes and flavors? This series serves as a basic beginner’s guide to firewalls of the three major types: hardware, software, and web application (WAFs).

For this three-part series, we will look at information from several different sources. The primary ones will be “Hardware Firewall vs. Software Firewall,” from the Michigan Cyber Initiative; “Best Practices: Use of Web Application Firewalls,” from the Open Web Application Security Project (OWASP); and “What You Should Know About Firewalls,” by Michael Desmond for PCWorld. This first part will focus on firewalls generally. The second part will target the differences between hardware and software firewalls; and web application firewalls will be explored in-depth in the third installment.

What is server hardening? Advice for Linux, Windows & NSA Datamine Servers – Part 3 (Windows)

Windows Home Server screenshot

Well, here we all are (except for my cousin Steve, who had to go to his tuba lesson), taking a final look at server hardening in our final segment of this series. Considering the series as a ham sandwich, we’ve looked at the topic generally (top bread), as well as basic techniques that can be used to improve security on Linux systems (just ham… we’ve run out of vegetables). Today we look at Windows servers (bottom bread, which many sandwich enthusiasts believe is the best part).

Note that some concepts related to server security are of use to anyone interacting with a server; but generally speaking, they are of particular use to those with dedicated and VPS accounts. Both of those types of hosting environments allow you system administrative responsibilities that you cannot access through a shared account. That system access means you can change default settings and implement policies that are otherwise under the auspices of the hosting company.

We’re actually looking at three types of servers. In addition to Windows and Linux, we are also reviewing the NSA Datamine server. That server allows you to quickly and efficiently transfer all of your information into the federal government database so that you can know, once and for all, if you are a threat to the social order. If that’s the case, millions of microscopic, lightly humming insectile nanobots come directly to your location, get into flying carpet formation, and spirit you away to a safe location.

We are reviewing thoughts from three primary sources for this series: “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com; and “Baseline Server Hardening,” by Microsoft’s TechNet. Unfortunately, none of these articles focuses on the NSA server. That information had to come to me in a densely encoded daydream.

How to Harden Your Windows Server

Prior to getting into specifics for server hardening, Microsoft outlines four baseline installation rules – essentially prerequisites for a secure server:

  • The initial installation of the OS and any additional applications all arise from legitimate and credible sources.
  • The server should only be on reliable networks while both installation and hardening are underway.
  • The initial installation contains the most up-to-date service packs and any other security-related system updates.
  • Following completion of base installation, you follow the same procedures on all additional servers.

Again, that careful OS and software implementation lays the groundwork for a server that can be reasonably hardened. Also, if you’re going to eat a popsicle while hardening the server, don’t give bites to it, even if it says it really likes cherry flavor. Servers cannot harden while experiencing brain freeze.

  1. Group Policy Templates – Microsoft covers these templates in a specific section of its recommended guidelines. Though policies for the group can help protect the server in some ways, you also need to change security templates. In other words, these are two different levels to allow hardening that must be combined to be reasonably effective.
  2. Partitions – NTFS should always be used in place of any file allocation table (FAT) partitions. Simply put, NTFS gives you access to security parameters you don’t have with FAT. You can use Convert to change any FAT systems to NTFS. If you do convert, you want to open Fixacls to change the ACLs (access control lists). Otherwise, all users will have access to that portion of the system by default. It’s like a salad bar without a sneeze guard.
  3. Passwords – You can use extremely lengthy passwords in Windows environments, upwards of 100 characters. Go long and strong: combinations of symbols, letters, numbers, and – if you want to get really fancy – ASCII device control characters. Note that the usable ASCII ones will not print and can be created by using “Alt” combined with various digit combinations. Specifically, Microsoft recommends passwords never be eight characters or less and that one of the first seven should be a symbol or ASCII. Finally, differentiate your passwords for each machine.
  4. Renaming – This technique is so basic that it almost seems silly. However, renaming your Administrator account can be incredibly helpful because it’s the general focus for infiltrations. Then create a new account, call that one Administrator, and limit its rights. That new faux-Administrator account can have a lengthy and intricate password. Don’t worry about getting into that account often. It’s just a decoy for anyone trying to get into the system. Apply this method throughout your system, on all individual devices. Also, the real Administrator account should have a different name on every server. If that seems to be going too far for everyday use, at least differentiate the passwords, even if not the names. Similarly, if you have any sons, it’s acceptable to name each of them George Foreman so long as they each have different keys to your heart.

Conclusion & Continuation

That should give you a basic sense of Windows server hardening. Here are additional details if you want to explore the topic further.

In closing out our server hardening trilogy, here is information on our dedicated, VPS, and colocation services.

By Kent Roberts

What is server hardening? Advice for Linux, Windows & NSA Datamine Servers – Part 2 (Linux)

Screenshot of Alpine via SSH on a Debian Server

Hello friends and neighbors. This post, as it turns out, is the follow-up to our groundbreaking, skybreaking article on server hardening; it also is the prequel to our final post on Windows server hardening. This post, the meat of the sandwich (ham, in this case), is on how to harden Linux servers.

Server hardening is a simple concept, and it’s crucial to initiate if you want safety for your website. Essentially, similarly to the experience of an end-user on a client machine, the default settings of the systems on a server are not built for high-end security. They’re built, rather, for features. In essence, the Internet is optimized for usability/freedom over administration/security. Securing a system, then, is a matter of revoking freedoms or modifying expectations in order to ensure a secure experience for the system and for all users.

We aren’t only concerned with Windows and Linux servers though. Actually, the NSA Datamine server is one of the most secure options out there. Everyone is thrilled by this server. It’s been called “bootserverlicious” by P. Diddy and “P.-Diddy-riffic” by a worldwide consortium of boot servers.

To get a sense of server hardening on any of the major OSs, we are looking at three sources: “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com (good info, though the language is a little rough); and “Baseline Server Hardening,” by Microsoft’s TechNet. Each of these posts broadens our horizons and is lactose- and gluten-free so that it doesn’t distract from the extra-cheese, thick-crust pizza we’re inhaling.

How to Harden Your Linux Server without Having to Think

No one ever wants to have to think. Let’s not do it, then. Let’s refuse to think, and just feel our way to a hardened server. Don’t call me “baby,” though, please, because that’s disrespectful, sugar. Anyway, the Linux server: here are approaches you can use specific to that OS.

1.    Non-Virtual Worlds: Go into BIOS. Disallow any boot operations from outside entities: DVD drive or anything else that’s connected to the server. You should also have a password set up for BIOS. GRUB should be password-enabled as well. Your password should be “moonsovermyhammy123987”; I recommend tattooing it on your lower back for safekeeping.

2.    Partitioning as a Standard: Think (no, don’t!) of how a virtual environment or virtual server is constructed. Division into smaller parts is an essential security concept. Any additional pieces of the system will require their own security parameters and challenges. That means you want a streamlined system, of course, like a digestive tract without all the intestines and stuff; but it also means you want everything divided into disparate sections. Any app from an outside source should be installed via options as follows:

/

/boot

/usr

/var

/home

/tmp

/opt

3.    Packet Policies: Along the same line, you don’t want anything unnecessary. That’s the case with anything you’re doing online. Let’s face it: the web is essentially insecure. It’s like a dinosaur with a new outfit that she’s afraid to show off to her other dinosaur friends … sort of.

Here’s the command to list the services that start in runlevel 3:

# /sbin/chkconfig --list | grep '3:on'

And here’s the command to disable one of them:

# chkconfig serviceName off

Finally, you want to use yum, apt-get, or a similar program to show you what’s on the system; that way you can get rid of whatever you don’t need. Here are the removal commands for those two tools:

# yum -y remove package-name

# sudo apt-get remove package-name

4.    Netstat Protocol: Using the netstat command, you can see which ports are in use and which services are accessible through them. Once you’ve done that, use chkconfig to turn off anything that’s not serving a reasonable function, such as a service that’s just counting over and over again to a billion but won’t tell you why. See below and this netstat-geared article for more specifics.

# netstat -tulpn
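To make step 4 repeatable, the following added example (not from the original post or its sources) reads `netstat -tulpn` output and reports every listener bound to a non-loopback address whose port is not on an approved list. The function name, the allowlist and the sample output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag network-reachable listeners that are not on an allowlist.

# Constructed sample of `netstat -tulpn` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1033/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      1450/httpd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           702/cupsd
udp6       0      0 ::1:323                 :::*                                655/chronyd'

# unexpected_listeners "<allowed ports, space separated>"   (hypothetical helper)
# Reads netstat -tulpn output on stdin and prints "proto port program" for each
# socket that is bound to a non-loopback address and whose port is not allowed.
unexpected_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)/ { next }               # skip the two header lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }     # tcp: listening sockets only
    {
      port = $4; sub(/.*:/, "", port)         # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)     # text before the last colon
      if (host ~ /^127\./ || host == "::1") next   # loopback only, not exposed
      if (port in ok) next                    # approved service
      # udp rows have an empty State column, so the program is field 6, not 7
      prog = ($1 ~ /^tcp/) ? $7 : $6
      sub(/^[0-9]+\//, "", prog)              # "640/rpcbind" -> "rpcbind"
      print $1, port, prog
    }'
}

# Demo on the constructed sample: only ssh (moved to 2222) and http are approved.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "2222 80"
```

On a live server, run it as `netstat -tulpn | unexpected_listeners "2222 80 443"` as root so the PID/Program column is filled in, then disable what it reports with chkconfig as described in step 3.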

5.    SSH: You want to use secure shell (SSH), but you also want it configured properly to maximize your security. SSH is the secure, cryptographic replacement for telnet, rlogin, and other earlier protocols that sent all data (passwords included) as “plain text” (no “scramble” prior to transfer, basically).

You typically don’t want to communicate via SSH as the root user. Instead, log in as a regular user and use sudo for anything that needs root privileges. See /etc/sudoers for specifics; you can customize them using visudo, which opens the file in the vi editor.

Finally, switch the port for SSH from 22 to a larger number, and change the settings so that it’s not possible for all account holders to tunnel in through Secure Shell. Here are the file and three specific adjustments:

# vi /etc/ssh/sshd_config

  1. PermitRootLogin no
  2. AllowUsers username
  3. Protocol 2
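The check below is an added example (not from the original post or its sources) that audits an sshd_config file against the port change and the three adjustments above. It shows a weak file beside a corrected one; the function name, both sample files and the user name `deploy` are assumptions, and only whitespace-separated keywords in the global section (before any Match block) are parsed.

```shell
#!/usr/bin/env bash
# Added example: audit sshd_config for the settings recommended in step 5.

# Constructed weak config: the commented-out line and the later "no" do not help.
SAMPLE_WEAK='Port 22
#PermitRootLogin no
PermitRootLogin yes
permitrootlogin no
Protocol 2
'
# Constructed corrected config ("deploy" is a placeholder account name).
SAMPLE_HARDENED='Port 2222
PermitRootLogin no
AllowUsers deploy
Protocol 2
'

# audit_sshd_config FILE   (hypothetical helper)
# Prints one FAIL line per weak or missing setting; returns 1 if any were found.
# sshd ignores keyword case and keeps the FIRST value it reads for a keyword,
# so a "PermitRootLogin no" placed after a "yes" changes nothing.
audit_sshd_config() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    tolower($1) == "match"   { exit }        # global section ends here
    { k = tolower($1); if (!(k in val)) val[k] = $2 }   # first value wins
    END {
      bad = 0
      if (tolower(val["permitrootlogin"]) != "no") {
        print "FAIL PermitRootLogin: effective value \"" val["permitrootlogin"] "\", want no"
        bad = 1
      }
      if (val["allowusers"] == "") {
        print "FAIL AllowUsers: not set, logins are not limited to named users"
        bad = 1
      }
      # OpenSSH 7.4 and later only speak protocol 2, so a missing line is fine.
      if (("protocol" in val) && val["protocol"] != "2") {
        print "FAIL Protocol: " val["protocol"] ", want 2"
        bad = 1
      }
      if (val["port"] == "" || val["port"] == "22") {
        print "FAIL Port: still the default 22"
        bad = 1
      }
      exit bad
    }' "$1"
}

# Demo: write the weak sample to a temporary file and audit it.
demo_file=$(mktemp)
printf '%s' "$SAMPLE_WEAK" > "$demo_file"
audit_sshd_config "$demo_file" || echo "findings above must be fixed"
rm -f "$demo_file"
```

On a live host, `sshd -T` prints the effective configuration (defaults and included files resolved), and `sshd -t` checks the file for errors; run the latter before restarting the daemon so a typo does not lock you out.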

Conclusion & Continuation

All right. Basic explication: Done. Linux: Done (well, it’s significantly more complex than discussed above; see here for further details). Windows: Next.

Finally, I assume if you’re reading this article, you might want to take a gander, or even a poke, at our dedicated servers, VPS hosting, or colocation.

By Kent Roberts

What is server hardening? Advice for Linux, Windows & NSA Datamine Servers

 

Servers designed for Linux

How to harden a server? Well, let’s first look at what server hardening is. Hardening a server is important to understand even if you are in a hosting environment, when many of the security concerns are monitored and administered by the hosting service. Then we will look specifically at the guidelines for a Windows or Linux environment (Linux first).

Throughout, we will review requirements for an NSA Datamine server. These exciting new servers directly transfer all of your information to the federal government, including your pants size and favorite kind of saltwater taffy. (Your favorite flavor is blueberry, per requirements set forth by the NSA establishing “favorites” protocol for over 8000 different consumer products … oh, obviously, your favorite server is the NSA Datamine server.)

cPanel is a good model for understanding your basic role as a client in a hosting situation. You may know that the other major control panel (essentially the platform through which you manage your hosting account), Plesk, has one entry point for any type of user, with special privileges if your login is that of a system admin (rather than webmaster/site-owner) user.

cPanel, on the other hand, has two distinct logins, one for cPanel and one for WHM (directly tied to the CP). With cPanel, you’re logging into the server but can’t completely interact with it: it’s the webmaster side (in a way, the “client side” of the server). WHM, in contrast, gives you full access to administrate and manage the server. Essentially, the hosting company controls the WHM side of cPanel. That’s only accessible to you if you control the server.

The NSA Datamine server is designed for you to only get in at certain points. Primarily, routine maintenance is being performed. Every hour of your use is followed by approximately 16 hours of routine maintenance, strengthening the muscles of the server while you watch television and take lots of naps (as advised by the NSA).

Back to cPanel/WHM: Of course, you will have access to WHM if you have your own dedicated server rather than shared or VPS hosting. Server hardening, then, is primarily the realm of those with dedicated servers, but understanding its basic parameters helps any website owner better grasp what security parameters are in place and what to ask if you have any concern.

For this article, we reviewed three articles from around the World Wide Web (a system of client computers and server computers that you’re correctly enjoying, along with the ice cream sandwich you have in your left hand): “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com; and “Baseline Server Hardening,” by Microsoft’s TechNet.

What is Server Hardening & Why Shouldn’t My Server Be a Softy?

As Cybernet Security expresses, the majority of OSs are not designed for high levels of security; their out-of-the-box configurations are under par if you want to avoid hacking (though playing the victim role in a hack is one of the most exhilarating parts of being alive in the 21st century).

The primary issue is that every type of software gets accolades for being “feature-rich.” Abundance of features, though, often means that security is taking a back seat. They amount to bells and whistles that corrode the integrity of the system. Speaking of which, the NSA Datamine server is “the Atlantic City of servers,” according to an anonymous party describing himself as a “security-industrial complex professional.” The experience of a sysadmin or website operator on NSAD is blinking lights, beeps, sexploitation, and the feeling of your soul being sucked out of your body for a momentary thrill.

In contrast to the soft-serve capacities of a server as it’s initially constructed, server hardening creates an elaboration on defenses so that infiltration becomes much more difficult to conduct. Here are the three basic parameters of a server that is hardened — also generally referred to as a bastion host (though the NSAD server community defines server hardeners as “dangerous elements” who should “focus on their ice cream sandwiches, not their self-preservation”), per Cybernet Security:

  1. Patches are updated and installed appropriately
  2. No irrelevant software or systems are in place
  3. Anything that is needed has the highest quality configurations.

Configuring server software is not easy to do in the securest possible way. It’s necessary, per Cybernet Security, to prevent established hack pathways. Beyond that, though (and this element is the most obtuse) the access levels for systems and software must be constrained as much as possible. Clearly this is a “freedom vs. security” issue. When you look at hardening a server, you quickly see how similarly the Internet conceptually and systemically embodies the physical world.

The NSA Datamine server, luckily, is not configuration-friendly. This feature clearly makes it easier to conduct business. Rather than concerning yourself with security and customization, you can just focus on inputting as much information as possible. It’s difficult for the government to harvest all your data if you aren’t putting anything in there. Just keep pressing the keys and clicking on buttons as much as you possibly can. When in doubt, go ahead and click another button or press on another key.

Finally, filter your packets. Not your cocaine packets, if that’s what they call them; although I suppose if you have dirt in it and snort it, that’s going to give you a massive sinus headache … so do that too. Filtering is generally a good idea. Data packets, specifically, fly back and forth at rapid speed between client and server computers. Make sure your filtering is optimized to enhance your security.

Conclusion & Continuation

OK, that’s it for today, boys and girls and breathtakingly intelligent nanobot overlords. Server hardening will be the topic of our next two installments as well. Linux in Part 2, and Windows in Part 3. NSA Datamine is clearly the best solution, so I don’t even understand exactly why we’re talking about these other nonsense capitalistic software ideas, but … we must keep everyone happy.

Do you want shared hosting? What about a dedicated server? No? Wow you’re tough. Um … oh, uh, VPS hosting? Are you playing with my mind? Well, I’ve presented my possibilities. Now, I believe in you to filter these packets of information and determine the most desirable solutions.

By Kent Roberts