If you manage a server or group of servers that is open to the internet, then you are probably already aware of the dangers this can pose. A web server is especially likely, at one point or another, to be at risk of being hacked or to be the intended target of an attack. Properly securing your server and console management system is absolutely essential. How you secure the server, and to what degree, will depend upon its function; it would be great to be able to block all access from the internet (that is certainly the most secure way of managing a server), but this of course limits or completely destroys the server's usefulness. A web server will need port 80 open, and email and file servers will need several ports open.

If possible, try to split up the functional servers and the firewall. The firewall can be a Linux server in itself, allowing or denying traffic through the use of IPTables. It should route authorized traffic to a switch, which will in turn be connected to your functional servers. The IPTables configuration should be set up to block access to everything except the absolute essentials.

Remote management is often a necessary evil (in a security sense). You should consider using a separate console management server connected to the serial port of your other servers. You should assign a separate and non-published IP address to the console server and have it accessible by nothing other than SSH v2, which itself should run on a non-standard port (i.e. certainly not port 22). This is where a properly set-up IPTables config comes in: if you ensure it blocks all port scans, it will be hard for an attacker to know what port to connect on.

On the web server, remove privileges from almost all users for all but the most basic tasks.
Privileges can be added back only when needed; this limits the window in which something can go wrong. In a similar way, remove all unnecessary applications from the system, all unnecessary kernel entries (and of course rebuild the kernel) and all unnecessary modules. Every surplus module or application is another potential vulnerability in the system, and by limiting them as much as possible, the system's security will be hardened.

If you run a web server, you should pay particular attention to the security of PHP and SQL; this is where most attacks will be focused. The best way to ensure their security is to continually patch the server with security updates and upgrade the software version as soon as it reaches a stable state. In general, with a fully patched system that has stringent firewall rules, you are putting yourself in the best possible position. The other main weakness is through the remote management system; however, by keeping your console management IP address separate and secret, you can further increase security.
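A default-deny ruleset for the dedicated firewall box described above, as an added example that is not part of the original article. The addresses, the port 49222 and the function names are constructed sample values and assumptions; the script only prints rules in `iptables-restore` format and refuses port 22 for the console server.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a separate firewall host.
# Addresses are constructed samples from the RFC 5737 documentation range.
WEB_IP="${WEB_IP:-192.0.2.10}"          # web server behind the firewall (assumed)
CONSOLE_IP="${CONSOLE_IP:-192.0.2.50}"  # console management server (assumed)

# valid_mgmt_port PORT: succeed only for a numeric TCP port other than 22.
valid_mgmt_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# gen_rules SSH_PORT: print the ruleset, or fail without printing any rules.
gen_rules() {
    valid_mgmt_port "$1" || { echo "refusing SSH port '$1'" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -d $WEB_IP --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p tcp -d $CONSOLE_IP --dport $1 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the sample port when the script is run directly.
gen_rules "${SSH_PORT:-49222}"
```

The output can be checked with `iptables-restore --test` before it is loaded. Everything not matched by one of the five ACCEPT rules falls through to the DROP policies, so the firewall host itself accepts no new inbound connections.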