Server Security

Learning outcomes:

  • Able to monitor users, apps, ports, traffic settings and logs
  • Describe server hardening steps and best practices
  • Able to create and edit scripts for common security concerns

Would you like to download my PowerPoint to follow along?

  • Server Health Monitoring
  • System Hardening
    • Lock down your hardware (disable USB booting) and set a BIOS password lock
    • Check your file system for anomalies (missing partitions/commands)
    • Check your repos/PPAs, do you still need them all?
    • Check your installed programs/services, are they up to date? Patched? Still required?
    • Check ports and protocols (SSH access)
    • Root login check (do you need it enabled?)
    • Is your system up to date and patched?
    • If your system has SELinux, enable it if possible
    • User password rules
    • Log monitoring and auditing
    • Backups
    • Check for Rootkits
    • Now with Handy Checklist!
  • Least Privilege
    • Policy of least privilege
      • What can we do to limit user access?
      • What should/shouldn't we do as server admins to limit access?
    • Security policies in general
      • Patching, user education, audits, password policies
    • Security implementation
      • How are we enforcing our policy?
  • IDS vs IPS
    • IDS
    • IPS
      • Intrusion Protection System
      • Accepts or rejects packets based on rule sets; active traffic control
      • Needs updates based on new threat data
      • NO humans required to run once it's set up, as long as it's updated regularly
      • Can raise an alarm, but can also actively block intruders
  • Vulnerability Scanning
    • Find your attack surface
    • Automate security audits
    • Help create a prioritized list of vulnerabilities
    • Easier to keep up to date and run quickly
  • End Point Protections
    • Goal is to protect enterprise data even in the case of BYOD (bring your own device)
    • Endpoint refers to devices at the edge of the network, such as those outside the firewall
    • Client-server model: can be a centrally managed server, or a SaaS (Software-as-a-Service) type solution
  • Scan types in general beyond server vulnerability scanning
    • Realtime vs preset time scans
    • Signature vs behavioral/heuristic
    • Scan inbound/outbound traffic or both
    • Support and uptime requirements must also be taken into consideration when scanning
  • Logs
    • We track things like application, event, service and system logs
    • How long are the logs kept? And how do we do log rotation?
    • How and when do we review the logs?
    • Log Analysis scripts vs 3rd party tools
    • Log audits and backups
    • Save to write-once media (such as CD) or mount on a different network (so an attacker would have to compromise two networks)
    • Hash log files to check for changes
    • How to check Linux logs
    • Some examples of Linux Specific logs:
      • /var/log/messages - generic system activity logs
      • /var/log/auth.log - authentication related logs
      • /var/log/boot.log - system initialization and boot related info
      • /var/log/dmesg - hardware and driver logs
      • /var/log/kern.log - kernel related logs
      • /var/log/faillog - failed logins
      • /var/log/cron - cron job logging
      • /var/log/yum.log - log of package installs (yum)
      • There are also logs for mail services, Apache, MySQL and more.
  • Dashboards
    • But what happens if we have too much information? That's where Dashboards come in.
    • Know what's happening in real time
    • Get alerts for things you specify
    • Get real time data visualized
    • Collect multiple forms of data
      • Pcap
      • Text
      • Logs
      • Files, directories and more
    • Business analytics
    • Troubleshooting
    • Overall view of your server
  • Best Practices and Checklists
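As an added example that is not part of the course slides: a small shell script for the "hash log files to check for changes" item in the Logs section, which also exercises the scripting learning outcome. It records a SHA-256 baseline of every file under a log directory and later reports files that changed or went missing. It assumes GNU coreutils sha256sum; the directory, file names and sample log lines are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the course slides): record SHA-256 hashes of log
# files and later verify them to detect tampering or deletion.
# Assumes GNU coreutils sha256sum; directory and file names are constructed.
set -u

# Write one "hash  path" line per regular file under $1 into baseline file $2.
# Sorting keeps the baseline stable so it can itself be hashed or diffed.
log_baseline() {
    local dir="$1" baseline="$2"
    find "$dir" -type f | sort | while read -r f; do
        sha256sum "$f"
    done > "$baseline"
}

# Recompute every hash listed in baseline $1 and report differences.
# Returns 0 when all files match, 1 if any file changed or is missing.
# (Paths with leading/trailing spaces are not handled by the simple read.)
log_verify() {
    local baseline="$1" status=0 expected path
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            status=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "CHANGED: $path"
            status=1
        fi
    done < "$baseline"
    return "$status"
}

# Stand-alone demonstration on constructed sample logs in a temp directory.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/log"
    printf 'Jan  1 00:00:01 host sshd[123]: Failed password for root\n' > "$tmp/log/auth.log"
    printf 'Jan  1 00:00:02 host CRON[456]: (root) CMD (run-parts)\n' > "$tmp/log/cron"
    log_baseline "$tmp/log" "$tmp/baseline.sha256"
    log_verify "$tmp/baseline.sha256" && echo "baseline verified"
    # Simulate an attacker editing auth.log and deleting the cron log
    printf 'tampered\n' >> "$tmp/log/auth.log"
    rm "$tmp/log/cron"
    log_verify "$tmp/baseline.sha256" || echo "integrity check failed"
    rm -rf "$tmp"
}

demo
```

In practice the baseline file belongs on write-once media or a separate host, as the slides suggest, so that whoever alters the logs cannot also rewrite the hashes.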

Suggested Activities and Discussion Topics:
