Secure Server Setup Workshop

Server Setup Workshop, A Secure Approach

UltraWalker

December 11, 2014

Transcript

  1. WHO AM I • Alireza Zabandan AKA UltraWalker • Lecturer & Teacher Assistant since 2006 • PHP Developer since 2008 • System Administrator since 2010 • Yii & Laravel Developer • LinkedIn: ir.linkedin.com/in/alirezazabandan/
  2. AGENDA • Servers • Legacy • Rack Servers • Virtualization • Panels • Maintain • Communication Methods • Get Deep!
  3. • Virtualization • Hardware Level • OS Level • Application Level • Metrics • Speed, Resource, OS types, Oversell, Limits, OS Kernel Modification, Hardware Support, Security, … http://en.wikipedia.org/wiki/Virtualization
  4. MAINTAIN • Periodic Review • Multiple BackUps • Consider Logs • Monitor Resources • Monitor Health • Monitor Security • Tune & Tweak • Incident Management
  5. MONITORING • Nagios • Zabbix • Cacti • Zenoss • Icinga • OpenNMS • Ganglia • Munin http://en.wikipedia.org/wiki/Comparison_of_network_monitoring_systems
  6. SLIDE END • The complete slides will be on • https://speakerdeck.com/ultrawalker • Drop me an email at • [email protected] • Find me • https://github.com/UltraWalker • https://ir.linkedin.com/in/alirezazabandan • https://fb.com/UltraWalker
  7. GET DEEP! • Set up two Ubuntu Server 14.04.5 servers • Install the OpenSSH server on both • sudo apt-get install -y openssh-server • sudo yum install -y openssh-server.i686
  8. SECURING • Two servers • Test: 192.168.123.131 • Production: 192.168.123.130 • Why let everyone ssh into Production? • Let's make the Test Server the only “Gate” to Production • using TCP Wrappers • Certainly it has both pros and cons • But at least it keeps script kiddies away http://en.wikipedia.org/wiki/TCP_Wrapper
  9. WHAT ELSE • Avoid Using FTP, Telnet, And Rlogin / Rsh Services • Encrypt Data Communication • Minimize Software to Minimize Vulnerability • One Network Service Per System or VM Instance • Keep Linux Kernel and Software Up to Date • Use Linux Security Extensions / Firewall / Honeypot • User Accounts and Strong Password Policy • Restricting Use of Previous Passwords • Locking User Accounts After Login Failures • Use Exponential Ban Time for Repetitive Locks • Disable root Login • Physical Server Security • Disable Unwanted Services • Find Listening Network Ports • Do not answer ICMP Requests • Delete X Windows • Configure Iptables and TCPWrappers • Linux Kernel /etc/sysctl.conf Hardening • Separate Disk Partitions • Turn Off IPv6 • Be Careful with User Permissions • Use A Centralized Authentication Service like Kerberos • Logging and Auditing • Secure OpenSSH Server • Install And Use Intrusion Detection System • Protecting Files, Directories and Email • Do Multiple BackUps • Monitor, Review, Monitor, Review, … till you become sick of it!
  10. LAST WORDS • No matter how much you improve the security & policies, you may be compromised, but being compromised by a script kiddie is a shame • Keep hardening and you will keep most threats out (75..99%) • There is no fully secure solution; you should keep digging around and designing for your very own problem
  11. RESOURCES • http://speakerdeck.com • http://thechangelog.com • http://github.com • http://www.infoq.com • http://www.cyberciti.biz • https://www.digitalocean.com/community/tutorials/ • http://www.howtoforge.com • http://www.tecmint.com • http://www.unixmen.com • https://www.linode.com/docs
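
Slide 8's gate, as an added example that is not from the original deck: a small Python checker that models the basic hosts.allow / hosts.deny lookup order of TCP Wrappers and reports which clients other than the gate can still reach sshd on Production. The policy text and the probe addresses (apart from the two servers named on the slide) are constructed, and only ALL, exact addresses, trailing-dot prefixes and net/mask patterns are modelled.

```python
import ipaddress

# Constructed policy for Production (192.168.123.130): sshd only from the
# Test server / gate (192.168.123.131), everything else denied.
HOSTS_ALLOW = "# /etc/hosts.allow (constructed)\nsshd : 192.168.123.131\n"
HOSTS_DENY = "# /etc/hosts.deny (constructed)\nALL : ALL\n"

def parse(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:  # a third field (shell command) is ignored here
            rules.append(tuple(f.replace(",", " ").split() for f in fields[:2]))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # address prefix such as "192.168.123."
        return addr.startswith(pattern)
    if "/" in pattern:  # net/mask such as 192.168.123.0/255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr

def hits(rules, daemon, addr):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in rules)

def decide(allow_text, deny_text, daemon, addr):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if hits(parse(allow_text), daemon, addr):
        return "allow"
    if hits(parse(deny_text), daemon, addr):
        return "deny"
    return "allow"

def audit(allow_text, deny_text, gate, probes):
    """Return probe addresses other than the gate that can still reach sshd."""
    return [a for a in probes
            if a != gate and decide(allow_text, deny_text, "sshd", a) == "allow"]

if __name__ == "__main__":
    probes = ["192.168.123.131", "192.168.123.1", "10.0.0.5"]  # constructed
    print(audit(HOSTS_ALLOW, HOSTS_DENY, "192.168.123.131", probes))
```

TCP Wrappers only filters daemons built against libwrap, and an empty or missing hosts.deny fails open, which is the case the checker flags.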