Most of today’s spam and phishing are sent by cyber-criminals leveraging breached servers or vulnerabilities exploited in the wild. Therefore we have gathered a list of best practices for sysadmins in an effort to combat, not the symptoms, but the real cause of spam.
Nowadays, with vulnerabilities piling up one on top of the other and cyber-criminals eager to break into and corrupt any system they can reach, the top priority for sysadmins is to secure the servers they manage.
First of all, carefully choose your poison. Whether it’s a Linux distribution, FreeBSD or Windows Server, it should best fit your needs and provide basic security coverage. Never overlook how easy it is to maintain, how often updates are delivered and, of course, whether those updates are digitally signed. Also check security bulletins and vulnerability mailing lists to stay up to date.
Physical security is very important to ensure no one tampers with the server. Always encrypt the system, and remember to log out or lock it when stepping away.
Now that we have covered the basics, it’s time to go to the root of the problem. Here’s our list of tips to secure your server and make sure it will never be used for malicious purposes, such as sending spam and phishing.
How to keep the server OS clean and optimized
Don’t install packages/applications you don’t need – Every application you run exposes the system to more threats: the chance of exploitation rises as the attack surface grows. Also remove applications that were installed “by default” and which you don’t even use.
Keep everything up to date – Hackers work round the clock to find and exploit vulnerabilities, especially zero-day flaws, so be up to date with critical patches and find time for regular updates.
Monitor applications you use for updates and vulnerability bulletins – Subscribe to as many security feeds as you need to and keep a close watch on vulnerabilities.
Firewall – Use iptables and close every port that you don’t use. Never leave gaps.
Pentest – Test for vulnerabilities and fix everything you can. If you can find them, your system is exposed and someone else can find them as well, if they haven’t already.
Log everything – Monitor all logs and set a fixed schedule for reviewing them. Stick to that schedule rigorously.
Document system changes – You are only human, and humans forget. For safety reasons, everything you do should be documented.
Back up everything – Disaster recovery should be the top priority on your list. Ask yourself: “what if something happened?” Always be prepared for the worst.
Remove all compilers and network scanning tools – Especially network scanning tools. If a breach occurs, you don’t want to help the hacker map your network.
Make a daily list of priorities – Be organized. This is the best way to keep everything going and the system nice and clean.
Set STRONG passwords – Strong passwords should have at least 16-20 characters, mixing uppercase, lowercase, special characters and digits. Together these should form a password strong enough to withstand any brute-force attack. Of course a great password is nothing if it’s not changed from time to time, for example once every 3 months at least. On Linux you have the option to use shadow passwords, which keep the password hashes in a protected file. Do not forget about the Super User/Root password, which is the most important one.
Carefully manage user privileges – Great systems are used with care, so each user should be limited only to what they need.
Accept connections from trusted IP addresses only – This is another hurdle for attackers, who will never know which IP addresses you trust.
The list is not over, yet. Here are some more sysadmin best practices:
- Never login as root
- Don’t run unknown packages as root
- Disable root access for SSH and FTP
- Run important services in a chroot-jailed environment
- Chmod 777 is never a solution
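An added example (not from the original post) that turns three of the tips above into a small audit script: it checks that the sshd config sets `PermitRootLogin no`, lists world-writable files (the chmod 777 leftovers), and reports which compilers and network scanners are still installed. The config path, the scan root and the tool names are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Constructed server-hardening audit; not code from the original post.

# Return 0 only if the effective PermitRootLogin directive is "no".
# sshd honours the first uncommented match, so stop at the first hit.
sshd_root_login_disabled() {
    value=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
    [ "$value" = "no" ]
}

# Print regular files under DIR that any user may write (e.g. chmod 777),
# without crossing into other filesystems such as /proc.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null || true
}

# Print which of the given commands are installed on this host.
installed_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 && echo "$t"
    done
    return 0
}

# Run all checks; paths default to assumed locations.
run_audit() {
    cfg=${1:-/etc/ssh/sshd_config}
    if sshd_root_login_disabled "$cfg"; then
        echo "OK   $cfg sets PermitRootLogin no"
    else
        echo "WARN $cfg does not set 'PermitRootLogin no' (unset means sshd default)"
    fi
    echo "World-writable files (never leave chmod 777 in place):"
    world_writable_files "${2:-/}"
    echo "Compilers/scanners present (remove if not needed):"
    installed_tools gcc cc make nmap masscan
}

# Usage: sh audit.sh --run [sshd_config] [scan_root]
case "${1:-}" in --run) run_audit "${2:-}" "${3:-}" ;; esac
```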
Now that we have fully covered the topics, you should always be prepared for the worst and deploy a security solution. Be thorough when checking all of the above and get ready to tackle the server zombie apocalypse!