
BestPrac Unix

1) There are three basic requirements for any Unix-based server on the UNH campus network: disable unnecessary services, enforce basic account security, and ensure packages are kept up to date. 2) Many common services like DNS, FTP, and NFS should be avoided unless specifically needed since they are inherently insecure. 3) Account security practices must be followed such as requiring passwords, avoiding simplistic passwords, and enforcing password aging.

Uploaded by

vermin1337
Copyright
© Attribution Non-Commercial (BY-NC)

Best Practices for Unix-based servers.

Requirements and Recommendations

There are three basic requirements for any Unix-based server on the UNH campus
network.

1) Disable unnecessary services
2) Enforce basic account security
3) Ensure packages are kept up to date

Avoid providing services you do not need to provide.

Many services commonly installed on ‘nix systems are inherently dangerous.
Often there are alternatives that will perform the function just as well, with significant
security improvements.

The server should not be running services you do not need. Running such
services provides you with no benefits and only exposes your server, and through it the
UNH network, to greater risk. Understanding which services can be turned off is one of
the very important responsibilities of a UNIX server administrator.

Below is a list of some common packages which are best to avoid unless you
specifically need them and are able to perform the necessary maintenance and know how
to configure them correctly. This list is, by no means, complete.
- DNS Server (aka BIND or named.)
- R* services (rlogin, rcp, etc.) There are better, more secure, methods of
performing any of these functions.
- Printer services (lpd.) Best to avoid this. It has a history of problems and
exploits.
- Mail Server programs are generally better avoided.
- Telnet. Telnet allows for the transfer of data in clear text, including passwords.
Use SSH instead.
- FTP. FTP has its problems and there are easier, safer ways to serve files.
- NFS (Network File System) and services related to it (statd, mountd, etc) should
only be used with great care and due diligence.
- rpc services. (Remote Procedure Call.)
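
One way to check a host against the list above, as an added example that is not part of the original document: a shell function that reads `ss -tuln` output and reports listeners on the well-known ports of the listed services. The function names and the sample listing are constructed for illustration, and a service moved to a non-standard port will not be caught.

```shell
#!/bin/sh
# Added example (not from the original document). Input: `ss -tuln` output.

# Constructed sample listing, used when no live host is at hand.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    [::]:23            [::]:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
tcp   LISTEN 0      64     0.0.0.0:2049       0.0.0.0:*
EOF
}

# Print "proto/port service" once for every listener on the avoid list.
flag_risky_listeners() {
    awk '
    BEGIN {
        # Well-known ports for the services named in the list above.
        # r* services are TCP only: udp/514 is syslog, so it is not flagged.
        svc["tcp/21"]   = "FTP"
        svc["tcp/23"]   = "Telnet"
        svc["tcp/25"]   = "Mail server (SMTP)"
        svc["tcp/53"]   = svc["udp/53"]   = "DNS server (BIND/named)"
        svc["tcp/111"]  = svc["udp/111"]  = "RPC portmapper (rpcbind)"
        svc["tcp/512"]  = "rexec"
        svc["tcp/513"]  = "rlogin"
        svc["tcp/514"]  = "rsh/rcp"
        svc["tcp/515"]  = "Printer service (lpd)"
        svc["tcp/2049"] = svc["udp/2049"] = "NFS"
    }
    ($1 == "tcp" || $1 == "udp") && ($2 == "LISTEN" || $2 == "UNCONN") {
        n = split($5, part, ":")          # port is the last ":" field,
        key = $1 "/" part[n]              # which also handles [::]:23
        if (key in svc && !seen[key]++) print key, svc[key]
    }'
}

# Demo on the sample; on a live host run: ss -tuln | flag_risky_listeners
sample_ss_output | flag_risky_listeners
```
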

Account Management

Running a server on the UNH network requires that none of the accounts on that
server have the following properties:
- Accounts without passwords.
- Accounts whose passwords are identical to the account name.
- Accounts with overly simplistic passwords (ex. 12345678, ABCDEFGH,
password, etc.)

In addition, there are other suggested practices that you should consider:

- Utilize shadow password files
o http://www.linux.org/docs/ldp/howto/Shadow-Password-HOWTO.html
- Enforce aging of passwords when possible.
- Use strong passwords (avoid recognizable words and patterns).
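
An added example, not part of the original document: a shell function that reads passwd- and shadow-format files and reports accounts with no password, password hashes kept outside the shadow file, and accounts with no password aging. The sample files and finding labels are constructed, and treating a maximum age of 99999 as "no aging" is an assumption based on the common default. Passwords equal to the account name or overly simplistic ones are not covered, because finding them means testing candidates against the hashes.

```shell
#!/bin/sh
# Added example (not from the original document).

# Constructed sample files; hashes are placeholders, not real hashes.
make_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
legacy:PLACEHOLDERHASH:1003:1003::/home/legacy:/bin/sh
daemon:x:1:1::/:/usr/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$PLACEHOLDER$HASH:19000:0:90:7:::
alice:$6$PLACEHOLDER$HASH:19000:0:99999:7:::
bob::19000:0:90:7:::
daemon:*:19000:0:99999:7:::
EOF
}

# audit_accounts PASSWD SHADOW -> one "FINDING account" line per problem.
audit_accounts() {
    awk -F: '
    FNR == NR {                            # first file: passwd
        if ($2 == "")                        print "NOPASSWD", $1
        else if ($2 != "x" && $2 !~ /^[*!]/) print "UNSHADOWED", $1
        next
    }
    $2 == ""     { print "NOPASSWD", $1; next }   # second file: shadow
    $2 ~ /^[*!]/ { next }                  # locked or non-login account
    $5 == "" || $5 + 0 >= 99999 { print "NOAGING", $1 }
    ' "$1" "$2"
}

# Demo on the constructed sample files.
dir=$(mktemp -d)
make_sample_files "$dir"
audit_accounts "$dir/passwd" "$dir/shadow"
rm -rf "$dir"
```

On a live host, run it as root against /etc/passwd and /etc/shadow.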

Ensure your packages are up to date.

Many ‘nix distributions at this point come with an updating application that will
update your core packages. For example, RedHat distributions come with an application called
“up2date” and/or “yum” that will check with RedHat for package updates.
Remember, however, that applications that you add on to your server will likely
need to be monitored separately for updates. Any application that provides access to
content, or even initiates its own content, is subject to attack and must be kept up to date.
Any server on the UNH network is required to have its software packages,
specifically those that interact with the network, updated frequently enough to avoid
exploitation.

Filter traffic where you can

‘nix systems have multiple layers of filtering ability in most cases. If you find it
necessary to provide filtering services, it is suggested that

Intrusion Detection

Tripwire – Tripwire is an application that monitors your system for changes.
o http://www.tripwire.org/
o http://www.enterpriseitplanet.com/security/features/article.php/3105481

Back up your data

Backups are highly recommended. http://www.unh.edu/tech-services/backup.html

Tenuous Services

Web Services (Apache)

Apache web server is a complex application that allows a great deal of flexibility
and control over what is served. However, it is also very easy to overlook portions of
Apache that need attention. There are numerous sites easily found on the web
dedicated to securing Apache, and many focus on different areas. Apache is
designed to give access to content. That fact provides multiple layers of security
concerns. Not only is it necessary to be concerned about properly securing Apache,
but the content to which you provide access needs to be secure as well.

For information regarding getting started with Apache and securing it, start at the
source with Apache.org. http://httpd.apache.org/docs-2.0/misc/tutorials.html

Physical Security

Just about any computer can be accessed if a malicious user can gain physical
access to it. Make sure your server is physically secure. Avoid leaving your server
where others can touch it.

Logging

Monitor your logs daily. Almost all applications and core services will provide
you with excellent logs. Explore them and get used to what they tell you.

Virus Protection

Virus protection for Unix-based operating systems is less critical than for
Windows but it is still a good idea. In addition, certain services such as those acting as a
mail server, significantly increase the need for virus protection.
You will need to secure virus protection directly from vendors, as UNH does not
have pre-paid virus protection for Unix-based operating systems.

Filtering/Firewalling

Unix-based operating systems come with various methods of blocking traffic.
Look into the use of iptables (or ipchains) and tcp wrappers.
