Server Security Tips
Over the past year, we have covered many server security issues. Here is a brief summary of some of the highlights.
1. Do not allow direct root/administrator login
2. Make sure passwords are secure and changed regularly (by force if necessary)
3. Use a network firewall, such as APF
4. Use an application firewall, such as ModSecurity
5. Chroot all non-root users to keep them out of system directories
6. Use virus scanners and spam filters
7. Close mail server open relays
8. Keep all software and scripts up-to-date
9. Test your server for security holes
10. Keep up on the latest security news
11. Use SSL for secure data transactions
12. Set permissions as strictly as possible on any web-accessible files
Secure user accounts with Jailkit

No, it is not something to help you break out of jail. Jailkit is a suite of free and open source software that confines user accounts to a limited portion of the filesystem, using a tool called chroot. It can also be used to limit users to specific commands or to restrict a daemon to run inside a chroot jail.
You can accomplish any of the above-mentioned tasks with a basic Linux system and several commands, but Jailkit simplifies and automates the process. According to the project website, Jailkit is used by “leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell, or daemon processes.”
Jailkit comes with several commands, all of which are prefixed with “jk_”. Some of the features include: a launcher that can start a daemon in a jail, a chroot shell tool, a tool to limit binary execution, a tool to update and clean up a jail based on the changes already made on the system at large, and many more. Jailkit is freely available for download from the project’s website.
Keep SSH users in their home directories

Since 2008, OpenSSH has had a feature that allows Linux system administrators to keep web hosting clients and other users out of system directories like /etc, /bin, /var, and others. In the past, admins had to rely on other packages, such as rssh.
The process is called chroot, which essentially creates a virtual file system within the larger Linux file system, limiting individual users to their own small section of the server. They might have an /etc directory, but it will be a special one only for that user and not the same as the larger system’s /etc directory. Now, OpenSSH has a configuration option called ChrootDirectory.
You need to configure OpenSSH to use its internal SFTP subsystem. In /etc/ssh/sshd_config:
    Subsystem sftp internal-sftp
Then, I configured chroot()ing in a match rule.
    Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
Read the rest at the Debian Administration website. You can also read the configuration manual simply by typing man sshd_config from the command line.
Source: Debian Administration