As some of you may know, before Free2Code there was a security site called Axion Network (which I was also a co-founder of). This attracted a lot of crackers. During the time AxNet ran, I learnt quite a lot about computer security, mainly from the cracker's perspective. However, it is not my nature to do these illegal activities. There are, of course, some exceptions, like good hackers, who find exploits and tell the owner how to fix them (which isn't so bad), but I still don't do anything like that. Overall, it's a bit silly, and is normally a power game. Unfortunately, a lot of it happens all the time.
Many people say that the best way to know how to prevent something is to know how to break it. This definitely helps in securing a system, though I’m not at all encouraging any of you to get into cracking :)
In this tutorial I will explain security issues from both a cracker's and a user's perspective, in an attempt to help people run (at least slightly more) secure servers. Any in-depth instructions or links to programs will be for Linux servers. I would strongly advise the use of Linux and its programs, because as we have seen recently (at the time this tutorial was written), Microsoft products are not always as safe as they say they are (referring to the worms that are currently flowing around exploiting RPC vulnerabilities on Windows XP, shutting down users' computers, etc.).
Firstly, I want to advise that you should not run a public server from a desktop (a computer used for X or other desktop applications). You can run a server from any computer, as little as (for smaller or HTML-only sites) a Pentium 166 (or even a 486, but it can get a bit laggy). Also, I've seen many people going around on IRC channels saying things like "I have a really fast rack of Dual 2GHz Xeon servers!", and then go and run a site with 100 hits a day off them. Although it isn't about security directly, it's about setting up a server, so I thought I'd mention it.
Remember: You do not need the latest and best “server computer” to run a server! You simply need it to be powerful enough to run whatever it needs to run.
One thing to remember about being a system admin and protecting servers: never believe that your box is secure. Although I would say boxes I run would be fairly secure, probably hard for a “script kiddie” to crack, I’d never say that it couldn’t be hacked. The objective is to make the box as secure as possible, and to not leave any obvious security holes open. Of course, someone could find an exploit in a few days: Always check for security updates for every service you run! That includes Apache, PHP, SSH, FTP, MySQL, and (especially if you allow SSH connections) the Linux kernel!
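A small way to put "always check for security updates for every service you run" into practice, as an added example that is not part of the original tutorial: on a Debian/Ubuntu host this script reads the output of `apt list --upgradable`, keeps only the packages backing the services named above (the package-name prefixes are assumptions about how those services are packaged), and flags upgrades that come from a `-security` suite. A constructed sample of that output is embedded so it runs offline; set `RUN_LIVE=1` to read the real apt output instead.

```shell
#!/bin/sh
# Added example, not code from the original tutorial. Reports pending upgrades for the
# service packages named in the text, flagging those published in a security suite.

# Leading parts of package names that back Apache, PHP, SSH, MySQL and the kernel (assumed).
SERVICE_PKGS='^(apache2|php|openssh|mysql|mariadb|linux-image)'

# Constructed sample in the format of `apt list --upgradable`; all versions are invented.
SAMPLE_UPGRADABLE='Listing... Done
apache2/stable-security 2.4.99-1 amd64 [upgradable from: 2.4.98-1]
php8.2-fpm/stable-security 8.2.99-1 amd64 [upgradable from: 8.2.98-1]
openssh-server/stable 1:9.9p1-1 amd64 [upgradable from: 1:9.8p1-1]
linux-image-amd64/stable-security 6.1.99-1 amd64 [upgradable from: 6.1.98-1]
vim/stable-security 2:9.9.0-1 amd64 [upgradable from: 2:9.8.0-1]'

# pending_service_updates LIST [security]
# Prints "<package> <installed> -> <candidate> (<suite>)" for each service package with
# a pending upgrade; with a second argument, only upgrades coming from a security suite.
pending_service_updates() {
    printf '%s\n' "$1" | awk -v re="$SERVICE_PKGS" -v seconly="${2:-}" '
        NF >= 4 && $1 ~ re {
            split($1, p, "/")                 # p[1] = package, p[2] = suite
            if (seconly != "" && p[2] !~ /security/) next
            inst = $NF; sub(/\]$/, "", inst)  # strip the "]" after the installed version
            printf "%s %s -> %s (%s)\n", p[1], inst, $2, p[2]
        }'
}

# security_update_count LIST -> number of service packages with a pending security fix.
security_update_count() {
    pending_service_updates "$1" security | wc -l | tr -d ' '
}

# Entry point: read the live apt output only when asked to, otherwise use the sample.
if [ -n "${RUN_LIVE:-}" ] && command -v apt >/dev/null 2>&1; then
    LIST=$(apt list --upgradable 2>/dev/null)
else
    LIST=$SAMPLE_UPGRADABLE
fi
pending_service_updates "$LIST" security
echo "pending security updates for listed services: $(security_update_count "$LIST")"
```

Cron this (or the equivalent `yum`/`dnf` check on Red Hat systems) and mail yourself the output; a non-empty report is the signal to patch.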
If you were a professional system admin, your job would be to keep the system running. That is the thankless part of the job: you're only doing it right when it looks like nothing is being done!
