Dedicated Server Security Checklist
By Michael Moncur (October 13, 2003)
When you move from a web hosting account to a dedicated server, one of the key differences is that you need to start worrying about security yourself. Even if you have a managed server, you should take a good look at the security issues yourself.
Potential security risks range from malicious attacks by hackers and viruses to more mundane issues like hard disk crashes and data corruption. The following checklist includes the key areas you should look at to be sure you're ready for trouble.
Set or Change Passwords
The first thing you should do after acquiring a new dedicated server is change the passwords. Your host may have set a default password, or emailed your password to you in plain text—either way, there is now a risk that someone else knows your password. To be safe, change all of your passwords again and follow these guidelines:
Disable Unnecessary Services
The more ports your server has open to the Internet, the greater the risk of security holes. While you need certain services (such as HTTP and email) there are probably others you can easily do without:
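To see which services are actually exposed before deciding what to disable, here is an added example (not part of the original article) that lists listening sockets reachable from outside the machine and not on your list of intended ports. It assumes a Linux server with the iproute2 `ss` tool; the function names, the allowed ports 22, 25 and 80, and the sample socket list are constructed for illustration.

```shell
#!/bin/sh
# Added example: report non-loopback listeners whose port is not allowlisted.
# Assumes Linux with iproute2 `ss`; on a live server feed it with:
#   ss -H -tuln | unexpected_listeners 22 25 80

unexpected_listeners() {
    allowed=" $* "                      # ports you intend to expose
    awk -v allowed="$allowed" '
    {
        proto = $1; laddr = $5          # e.g. 0.0.0.0:22, [::]:80, *:631
        pos = match(laddr, /:[0-9]+$/)  # last colon, followed by the port
        if (pos == 0) next
        addr = substr(laddr, 1, pos - 1)
        port = substr(laddr, pos + 1)
        # Loopback-only services are not reachable from the Internet.
        if (addr ~ /^127\./ || addr == "[::1]") next
        if (index(allowed, " " port " ") > 0) next
        key = proto "/" port            # report each proto/port once
        if (!(key in seen)) { seen[key] = 1; print key " " addr }
    }' | LC_ALL=C sort
}

# Constructed sample of `ss -H -tuln` output (not taken from a real host).
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      64           0.0.0.0:2049      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      5                  *:631             *:*
EOF
}

# Demonstration on the constructed sample: SSH, SMTP and HTTP are expected.
sample_ss_output | unexpected_listeners 22 25 80
```

Each line of output is a service to either disable or block at the firewall; a listener bound only to 127.0.0.1 (the database in the sample) is left out because it is not reachable from the Internet.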
Install a Firewall
A firewall is a software (or sometimes, hardware) package that can control which ports on your server are open to the Internet, and sometimes detect intrusion attempts. A firewall is important for any Web server. Here are two I recommend:
Viruses can cause serious damage to your server. Windows systems are particularly vulnerable, since most viruses are written for this platform. If you are running a Windows server, be sure to run a virus scanner regularly, and update the virus software frequently to catch new viruses.
Linux servers aren't completely safe from viruses. A number of worms that exploit security holes in common Linux services have caused serious downtime. The best way to combat these is to run an up-to-date firewall, update your software frequently, and disable any unneeded services.
Windows viruses can also be a threat to Linux systems—since they usually email themselves to thousands of addresses, your server can be overwhelmed when these large file-laden messages are sent to many accounts at once. For this reason, an email virus scanner such as AMaViS or OdeiaVir can be a lifesaver.
Update Your Software
Software manufacturers are constantly releasing updates to close security holes that have been discovered. You should update the key software components (the Web server, email server, firewall, SSH server, languages like PHP and Perl...) on each new server. Don't assume your host has provided you with the latest packages.
Also check for updates frequently and plan on upgrading periodically to keep your server secure.
One thing you should realize right now: you will have a serious problem at some point, and you will lose data. It might not be a hacker attack—perhaps just an administrator typing the wrong command or a host pulling the wrong plug—but for your sites and your customers, the effect is the same.
This is where backups come in. You should maintain a backup copy of all critical files on a separate machine. For web content, the local copy you upload from may be sufficient. For everything else, you can use FTP to download critical files regularly. Here are a few more items you should be certain to back up:
Monitor Your Server
Once you have a working, secure server, your job is never finished—you should continually monitor it for potential problems. Here are some monitoring tips:
You may have guessed from reading this tutorial that running a dedicated server can be difficult—and it often is. Unless you have an administrator or a good managed host working for you, expect to spend at least a couple of hours a week securing and monitoring your server. If you don't, you may end up spending days or weeks dealing with the consequences.
(c) 2003-2005 by Michael Moncur. All rights reserved. No content may be reproduced without explicit consent.