Dedicated Server Security Checklist

By Michael Moncur (October 13, 2003)

When you move from a web hosting account to a dedicated server, one of the key differences is that you need to start worrying about security yourself. Even if you have a managed server, you should take a good look at the security issues yourself.

Potential security risks range from malicious attacks by hackers and viruses to more mundane issues like hard disk crashes and data corruption. The following checklist includes the key areas you should look at to be sure you're ready for trouble.

Set or Change Passwords

The first thing you should do after acquiring a new dedicated server is change the passwords. Your host may have set a default password, or emailed your password to you in plain text—either way, there is now a risk that someone else knows your password. To be safe, change all of your passwords again and follow these guidelines:

Don't use the same password for your personal account and an administrative account. On Linux systems, be sure the root password is different from the regular account you use.
Choose long, complex passwords that are hard to guess. Combine letters, numbers, and punctuation, and avoid using words that are in the dictionary.
Change all of your passwords regularly.

Disable Unnecessary Services

The more ports your server has open to the Internet, the greater the risk of security holes. While you need certain services (such as HTTP and email) there are probably others you can easily do without:

Telnet is one of the biggest security risks. If you use telnet for administration, it is very easy for your password to be stolen. Disable Telnet and use SSH (secure shell) instead.
If you are not using FTP, disable this service. If you must use it, don't ever FTP using your root or administrator password. FTP sends passwords across the network in plain text and is vulnerable to snooping.
Disable all other services you aren't using.

Install a Firewall

A firewall is a software (or sometimes, hardware) package that can control which ports on your server are open to the Internet, and sometimes detect intrusion attempts. A firewall is important for any Web server. Here are two I recommend:

Bastille Linux: An excellent firewall and security hardening package.
PMFirewall: A good basic firewall for Linux.

Virus Protection

Viruses can potentially cause serious damage to your server. Windows systems are particularly vulnerable since most of the viruses are written for this platform. If you are running a Windows server, be sure to run a virus scanner regularly, and update the virus software frequently to catch new viruses.

Linux servers aren't completely safe from viruses. A number of worms that exploit security holes in common Linux services have caused serious downtime. The best way to combat these is to run an up-to-date firewall, update your software frequently, and disable any unneeded services.

Windows viruses can also be a threat to Linux systems—since they usually email themselves to thousands of addresses, your server can be overwhelmed when these large file-laden messages are sent to many accounts at once. For this reason, an email virus scanner such as AMaViS or OdeiaVir can be a lifesaver.

Update your Software

Software manufacturers are constantly releasing updates to close security holes that have been discovered. You should update the key software components (the Web server, email server, firewall, SSH server, languages like PHP and Perl...) on each new server. Don't assume your host has provided you with the latest packages.

Also check for updates frequently and plan on upgrading periodically to keep your server secure.

Configure Backups

One thing you should realize right now: you will have a serious problem at some point, and you will lose data. It might not be a hacker attack—perhaps just an administrator typing the wrong command or a host pulling the wrong plug—but for your sites and your customers, the effect is the same.

This is where backups come in. You should maintain a backup copy of all critical files on a separate machine. For web content, the local copy you upload from may be sufficient. For everything else, you can use FTP to download critical files regularly. Here are a few more items you should be certain to back up:

The contents of databases. Database systems such as MySQL have backup utilities you can use to dump data to a downloadable file.
Any dynamic files created by your sites, including traffic logs.
Configuration files for your web server, email server, and other software. Any time you change a configuration file to get something working, download a new copy.
If you have customers that use the server, back up their files regularly if at all possible. This will protect you and them from user error as well as more serious problems.

Monitor Your Server

Once you have a working, secure server, your job is never finished—you should continually monitor it for potential problems. Here are some monitoring tips:

A number of services will ping your server regularly and alert you when it does not respond. Your host may offer such a service, or you can use an independent service like Tracert.com. Be sure you supply them with an email address on another server—or even on your mobile phone. If your server is down, you won't be receiving any email there.
Regularly run a security auditing tool like chrootkit to check for hacking attempts. This utility is not perfect, but it can easily detect the vast majority of hacking attempts.
Check your server logs regularly and look for unusual entries. A utility like Logwatch is most useful.

Conclusion

You may have guessed from reading this tutorial that running a dedicated server can be difficult—and it often is. Unless you have an administrator or a good managed host working for you, expect to spend at least a couple of hours a week securing and monitoring your server. If you don't, you may end up spending days or weeks dealing with the consequences.

Home / News About this Site About the Author Glossary Contact Me Client-Side HTML JavaScript CSS Usability Server-Side PHP MySQL Server Management The Business Search Engines Web Hosting Making Money	Dedicated Server Security Checklist By Michael Moncur (October 13, 2003) When you move from a web hosting account to a dedicated server, one of the key differences is that you need to start worrying about security yourself. Even if you have a managed server, you should take a good look at the security issues yourself. Potential security risks range from malicious attacks by hackers and viruses to more mundane issues like hard disk crashes and data corruption. The following checklist includes the key areas you should look at to be sure you're ready for trouble. Set or Change Passwords The first thing you should do after acquiring a new dedicated server is change the passwords. Your host may have set a default password, or emailed your password to you in plain text—either way, there is now a risk that someone else knows your password. To be safe, change all of your passwords again and follow these guidelines: Don't use the same password for your personal account and an administrative account. On Linux systems, be sure the root password is different from the regular account you use. Choose long, complex passwords that are hard to guess. Combine letters, numbers, and punctuation, and avoid using words that are in the dictionary. Change all of your passwords regularly. Disable Unnecessary Services The more ports your server has open to the Internet, the greater the risk of security holes. While you need certain services (such as HTTP and email) there are probably others you can easily do without: Telnet is one of the biggest security risks. If you use telnet for administration, it is very easy for your password to be stolen. Disable Telnet and use SSH (secure shell) instead. If you are not using FTP, disable this service. If you must use it, don't ever FTP using your root or administrator password. FTP sends passwords across the network in plain text and is vulnerable to snooping. Disable all other services you aren't using. Install a Firewall A firewall is a software (or sometimes, hardware) package that can control which ports on your server are open to the Internet, and sometimes detect intrusion attempts. A firewall is important for any Web server. Here are two I recommend: Bastille Linux: An excellent firewall and security hardening package. PMFirewall: A good basic firewall for Linux. Virus Protection Viruses can potentially cause serious damage to your server. Windows systems are particularly vulnerable since most of the viruses are written for this platform. If you are running a Windows server, be sure to run a virus scanner regularly, and update the virus software frequently to catch new viruses. Linux servers aren't completely safe from viruses. A number of worms that exploit security holes in common Linux services have caused serious downtime. The best way to combat these is to run an up-to-date firewall, update your software frequently, and disable any unneeded services. Windows viruses can also be a threat to Linux systems—since they usually email themselves to thousands of addresses, your server can be overwhelmed when these large file-laden messages are sent to many accounts at once. For this reason, an email virus scanner such as AMaViS or OdeiaVir can be a lifesaver. Update your Software Software manufacturers are constantly releasing updates to close security holes that have been discovered. You should update the key software components (the Web server, email server, firewall, SSH server, languages like PHP and Perl...) on each new server. Don't assume your host has provided you with the latest packages. Also check for updates frequently and plan on upgrading periodically to keep your server secure. Configure Backups One thing you should realize right now: you will have a serious problem at some point, and you will lose data. It might not be a hacker attack—perhaps just an administrator typing the wrong command or a host pulling the wrong plug—but for your sites and your customers, the effect is the same. This is where backups come in. You should maintain a backup copy of all critical files on a separate machine. For web content, the local copy you upload from may be sufficient. For everything else, you can use FTP to download critical files regularly. Here are a few more items you should be certain to back up: The contents of databases. Database systems such as MySQL have backup utilities you can use to dump data to a downloadable file. Any dynamic files created by your sites, including traffic logs. Configuration files for your web server, email server, and other software. Any time you change a configuration file to get something working, download a new copy. If you have customers that use the server, back up their files regularly if at all possible. This will protect you and them from user error as well as more serious problems. Monitor Your Server Once you have a working, secure server, your job is never finished—you should continually monitor it for potential problems. Here are some monitoring tips: A number of services will ping your server regularly and alert you when it does not respond. Your host may offer such a service, or you can use an independent service like Tracert.com. Be sure you supply them with an email address on another server—or even on your mobile phone. If your server is down, you won't be receiving any email there. Regularly run a security auditing tool like chrootkit to check for hacking attempts. This utility is not perfect, but it can easily detect the vast majority of hacking attempts. Check your server logs regularly and look for unusual entries. A utility like Logwatch is most useful. Conclusion You may have guessed from reading this tutorial that running a dedicated server can be difficult—and it often is. Unless you have an administrator or a good managed host working for you, expect to spend at least a couple of hours a week securing and monitoring your server. If you don't, you may end up spending days or weeks dealing with the consequences. Back to Top \| Return to Server Management index \| Home
	(c) 2003-2005 by Michael Moncur. All rights reserved. No content may be reproduced without explicit consent.