Linux security for SMBs: Check IT List


Joel Dubin, CISSP, Contributor
08.03.2006


For cost-conscious small and medium-sized businesses (SMBs), Linux seems like both the cheapest and most secure option for server deployment. But out of the box, Linux is no different from any other operating system.

It needs to be tweaked, configured and hardened before it can be deployed securely in your business. Fortunately, Linux server maintenance generally does not require additional staff. Linux servers can be hardened and secured by existing staff, because much of the work needed is routine server and hardware maintenance. And because Windows still generally rules the desktop, your Linux servers are probably hidden away in deep, dark corners of the data center and behind firewalls. The lack of exposure to both your staff and casual outsiders already provides one built-in mitigating control.

General server security rules

Linux security requires some of the same rules applied to other servers, regardless of the operating system. Here are some general server security rules to know first:

  • Turn off all unneeded services and close their respective ports. If your server is a file repository, for example, and not for sending email, then turn off SMTP and close port 25. Also close off any other open ports that aren't used by the server. Conduct a careful audit of default settings and configure them so as not to leave open any known backdoors posted on hacker Web sites.
  • Make sure the server is up-to-date with the latest security patches. At the same time, make sure all software is updated to the latest versions, some of which have been updated specifically for security holes discovered since the prior release.
  • Restrict access to the server to only those who need it for specific maintenance purposes. Conduct regular audits of accounts to prune out employees who no longer need to work on the server or who have left the company. Dormant and dead accounts are at risk of being resurrected by malicious users.
  • Install host-based firewalls on servers to add an extra layer of security. Several Linux distributions come by default with iptables, a simple packet-filtering firewall. Configure and turn it on.
  • Monitor and log all server activity with intrusion detection and prevention systems. Like all other operating systems, Linux also has native logging features. This is important because Linux can still be victimized by rootkits and other malware, and often the only way to detect malware on Linux is through careful reviews of logs.
  • Dedicate a single server to each service, such as email and Web. If it needs to be Internet-facing, put it in your demilitarized zone.
  • Pay attention to physical security. Put servers in locked server rooms in locations inaccessible to non-IT staff.
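As an added example (not from the original article), the following POSIX shell script applies the first and fourth rules above to constructed data: it flags listening TCP ports outside an allowlist, using a made-up sample in the shape of `ss -tln` output, and emits a default-deny iptables ruleset that admits only the allowed ports. The sample output, the allowlist and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code. Constructed sample in the shape
# of `ss -tln` output (header removed) for a file server that should expose
# only SSH (22) and Samba (445); port 25 is an SMTP daemon nobody needs.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# unexpected_listeners "<allowed ports>" "<ss output>"
# Prints each port that is listening on a non-loopback address but is not
# in the allowlist, one per line. Loopback-only listeners are skipped since
# they are not reachable from the network.
unexpected_listeners() {
    printf '%s\n' "$2" | awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (!(port in ok)) print port
        }'
}

# firewall_rules "<allowed ports>"
# Emits iptables commands for a host firewall that accepts only the listed
# TCP ports plus loopback and reply traffic. The default-deny policy is set
# last so that applying the rules over SSH does not cut off the session.
firewall_rules() {
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for p in $1; do
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$p"
    done
    printf 'iptables -P INPUT DROP\n'
}

unexpected_listeners "22 445" "$SAMPLE_SS"   # prints 25
firewall_rules "22 445"
```

On a real host, feed the script the output of `ss -tln` (or `netstat -tln` on older systems) and review the printed rules before running them.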

Linux server security rules

Specific security controls for Linux fall into three areas: access management, remote administration, and upgrade and patch management.

Access management

Carefully review accounts that have access to the system and monitor what they have access to. Linux has a strong file permissions system, but the root user overrides it. If a user with root access is compromised, an attacker can take full control of the system -- and then possibly your network -- through the compromised machine. Segregate users into groups and remove root access from those who aren't system administrators. Certain system files are restricted to root for a reason. They should be accessed by system administrators and no one else.

Also, restrict the use of set-user-ID (setuid) files, which run with root privileges on behalf of ordinary nonroot users.

A nice tool for system administrators that comes packaged with Linux is sudo, which allows a user to temporarily act as root for restricted system tasks. Accounts that need root access have to be added to the sudo configuration file (sudoers). Even then, they are only given permission to execute a specific command as root and not complete control of the machine.
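The setuid and sudo points above, as an added example that is not the article's own code: a POSIX shell audit that records the setuid/setgid files on a tree once and reports any that appear later, run here on a constructed directory tree in a temp directory. Function names, the demo file names and the sudoers account name are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code: record the setuid/setgid files
# on a tree once, then report any that appear later. A setuid binary that
# was not there at the last audit deserves a look, whether it arrived with
# a package upgrade or with something less welcome.

# list_setuid <dir>: setuid or setgid regular files under <dir>, sorted.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# new_setuid <dir> <baseline-file>: files list_setuid finds under <dir>
# that are absent from the baseline (baseline must be sorted, as above).
new_setuid() {
    list_setuid "$1" | comm -23 - "$2"
}

# Demo on a constructed tree in a temp directory (assumes mktemp -d works).
# Real use: list_setuid / into a baseline file once (path of your choice),
# then run new_setuid / <baseline> from cron and review what it prints.
demo_setuid_audit() {
    base=$(mktemp -d)
    mkdir "$base/bin"
    : > "$base/bin/passwd"; chmod 4755 "$base/bin/passwd"   # expected setuid
    : > "$base/bin/ls";     chmod 0755 "$base/bin/ls"       # ordinary binary
    list_setuid "$base" > "$base/baseline"
    : > "$base/bin/helper"; chmod 4755 "$base/bin/helper"   # appeared since
    new_setuid "$base" "$base/baseline" | sed "s|^$base||"
    rm -rf "$base"
}

demo_setuid_audit   # prints /bin/helper

# For the sudo point in the text: one sudoers entry (edit with visudo) that
# lets a hypothetical backup account run exactly one command as root:
#   backupop ALL=(root) /usr/bin/rsync
```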

Remote administration

Linux can be remotely managed with Secure Shell (SSH), which encrypts traffic to and from the server. Unlike Telnet, which operates in clear text, SSH encrypts not only the login user ID and password but also the data sent afterward. It can be configured to accept connections from only certain hosts on the network and to allow only certain users access to the server.

Turn off the "r" services (rsh, rlogin, rexec), which, like Telnet, allow unencrypted remote access to the server. Also restrict access, through their configuration files, to Samba and Network File System (NFS), both of which allow file sharing and are insecure by default. Samba connects to Windows shares, and NFS is unencrypted, exposing traffic in clear text.
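As an added example for the SSH part of this section (not from the original article), here is a small POSIX shell lint for sshd_config that checks the three settings the text relies on: root cannot log in directly, only named users or groups may connect, and the legacy protocol 1 is not offered. The two config fragments are constructed; `AllowUsers` with a `user@host` pattern is how sshd itself limits an account to particular source hosts.

```shell
#!/bin/sh
# Added example, not the article's own code. Two constructed sshd_config
# fragments: one as shipped on many older systems, one hardened.
WEAK_CONFIG='Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_CONFIG='Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshadmins
AllowUsers alice bob@10.0.0.5'

# sshd_setting <key> "<config-text>": print the first value given for <key>
# (sshd applies the first occurrence of a keyword, so that is the effective one).
sshd_setting() {
    printf '%s\n' "$2" | awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# check_sshd_config "<config-text>": one finding per line, nothing if clean.
# A missing PermitRootLogin counts as a finding: OpenSSH releases of the
# article's era defaulted it to yes. An absent Protocol line is accepted,
# but old releases also defaulted to offering protocol 1, so set it explicitly.
check_sshd_config() {
    case "$(sshd_setting PermitRootLogin "$1")" in
        no) ;;
        *)  echo "PermitRootLogin is not 'no': log in as a user and use sudo" ;;
    esac
    case "$(sshd_setting Protocol "$1")" in
        *1*) echo "Protocol 1 is offered: set 'Protocol 2'" ;;
    esac
    if [ -z "$(sshd_setting AllowUsers "$1")$(sshd_setting AllowGroups "$1")" ]; then
        echo "No AllowUsers/AllowGroups: any account on the box may try to log in"
    fi
}

check_sshd_config "$WEAK_CONFIG"       # three findings
check_sshd_config "$HARDENED_CONFIG"   # prints nothing
```

To lint a real file, pass its contents with `check_sshd_config "$(cat /etc/ssh/sshd_config)"`.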

Upgrade and patch management

Each Linux distribution has its own method for distributing automatic upgrades to its systems. Ubuntu and Debian use the popular and widespread apt-get, while Fedora and Red Hat use yum, another well-known application. Mandriva and SUSE use their own distribution systems altogether.

They also respond to security updates at different rates -- some slower, others faster. This is something that should be considered when choosing a Linux distribution.

This is only a brief introduction to Linux security. As with any security implementation, make sure to do a thorough risk analysis of your Linux system to determine the right level of security and the best approach for your particular network.

Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP specializing in Web and application security and is the author of The Little Black Book of Computer Security from Amazon.com.
