#1

Hi all,

I'm new to computer security. Can you show me some starting point for securing a server? What I read on most sites about security is that updating the system is one of the best practices. However, I find it quite hard to do that on a daily basis, especially when you have a server with little or zero support such as Fedora 1/2/3 or Win2K. I also heard about IDS, but most IDS systems require experience on the part of the admin to set up a good database, which is impossible for a beginner like me. How secure is a firewall with a good policy?

In case my server is intruded upon, what is the procedure to stop the attack, secure the system and rescue the data?

If possible, please refer me to sources where I can learn more. I want something detailed, not just general guidelines that can be found by Google.

Thanks a lot.

--
Peter - A newbie.
#2

Peter <> writes:

> Hi all,
> I'm new to computer security. Can you show me some starting point for
> securing a server? What I read on most sites about security is that
> updating the system is one of the best practices. However, I find it quite
> hard to do that on a daily basis, especially when you have a server with
> little or zero support such as Fedora 1/2/3 or Win2K. I also heard about
> IDS, but most IDS systems require experience on the part of the admin to
> set up a good database, which is impossible for a beginner like me. How
> secure is a firewall with a good policy?
> In case my server is intruded upon, what is the procedure to stop the
> attack, secure the system and rescue the data?
> If possible, please refer me to sources where I can learn more. I want
> something detailed, not just general guidelines that can be found by
> Google.

You're dealing with big topics.

Win2k server:
http://www.sans.org/reading_room/whi.../win2k/189.php
http://www.microsoft.com/downloads/d...DisplayLang=en
http://msdn.microsoft.com/library/en...HTBaseAnal.asp

That last link is to a reasonably useful tool that'll point out glaring weaknesses. It has a very unfortunate asp file name though.

Fedora 1 or 2, dunno... they're old. Consider upgrading.

IDSs are good tools. They do require setup and admin. Snort is a very popular free one. It's imperative to keep up with updates though.

A firewall only secures your border. Are you running web servers? How many internal users are there? Are there provisions for external access for employees?

No time to say more at this point, but if you can post what OS your server is, perhaps folks have a favorite, detailed hardening guide they can point you to.

--
Todd H.
http://www.toddh.net/
#3

Peter wrote:

> Hi all,
> I'm new to computer security. Can you show me some starting point for
> securing a server? What I read on most sites about security is that
> updating the system is one of the best practices. However, I find it quite
> hard to do that on a daily basis, especially when you have a server with
> little or zero support such as Fedora 1/2/3 or Win2K. I also heard about
> IDS, but most IDS systems require experience on the part of the admin to
> set up a good database, which is impossible for a beginner like me. How
> secure is a firewall with a good policy?
> In case my server is intruded upon, what is the procedure to stop the
> attack, secure the system and rescue the data?
> If possible, please refer me to sources where I can learn more. I want
> something detailed, not just general guidelines that can be found by
> Google.
>
> Thanks a lot.

Security is an ongoing process, not a final state. Beware of people claiming simple solutions.

The best security tool is EDUCATION. Educate yourself about computer security by reading books and research. EDUCATE your users as to how to use a computer in secure ways. The more you know about system security, the better you will be at securing a system.

That said, security should be based on the need. What the NSA and CIA would install for security on their most secure servers would probably not work for the computer system at your local library. To know "how to secure a server" one needs to assess the best balance between security and accessibility required.

left_coast
#4

On Feb 26, 11:01 am, Peter <e...@peter.com> wrote:

> Hi all,
> I'm new to computer security. Can you show me some starting point for
> securing a server?

[snip]

Well, you could read "Securing & Optimizing Linux: The Ultimate Solution", available at the Linux Documentation Project (http://tldp.org/).

Download
http://tldp.org/LDP/solrhe/Securing-...ution-v2.0.pdf
and
http://tldp.org/LDP/solrhe/floppy-2.0.tgz

or buy the book.

HTH
--
Lew Pitcher
#5

Peter wrote:

> Hi all,
> I'm new to computer security. Can you show me some starting point for
> securing a server?

A good starting point is a degree in computer science and about 5 years' field experience setting up and managing systems.

Go read a few books, mosey over to Sans.org/cert.org and read some of their free whitepapers. Check out Brainbench for cheap/free exams (no point in reading the books unless you can prove you understand them). There's a lot of introductory-level stuff on Wikipedia - but be wary of the value of information published there. Another good site is www.securityfocus.com

You'll get lots of opinions on Usenet, and occasionally some good advice; if you had supplied about 100 words on what it is you are trying to secure then you might have got some specific advice here. Are you ready to understand it?

> What I read on most sites about security is that
> updating the system is one of the best practices.

Almost; keeping up to date in a managed fashion with the supplied patches is good practice.

> However, I find it quite
> hard to do that on a daily basis, especially when you have a server with
> little or zero support such as Fedora 1/2/3 or Win2K.

I can't tell you if you should be that up to date from the information you've supplied.

> I also heard about
> IDS, but most IDS systems require experience on the part of the admin to
> set up a good database, which is impossible for a beginner like me.

No, some IDS are hard to set up, some less so. The level of ability on the part of the admin and how they apply those skills determines the security of the system.

> How secure is a
> firewall with a good policy?

It depends on the context. Is the policy appropriate and complete? Is it implemented properly?

> In case my server is intruded upon, what is the procedure to stop the
> attack, secure the system and rescue the data?

Is this a troll? If not, it's time to call Ghostbusters.

C.

Colin McKinnon
#6

Colin McKinnon wrote:

>> I also heard about
>> IDS, but most IDS systems require experience on the part of the admin to
>> set up a good database, which is impossible for a beginner like me.
>
> No, some IDS are hard to set up, some less so. The level of ability on the
> part of the admin and how they apply those skills determines the security
> of the system.

IDS are exactly where this doesn't apply. For signature-based IDS systems, one can generally say that the patches for vulnerabilities arrive way sooner than signature updates. And even when this is not the case, the signatures are usually incomplete or, even worse, themselves vulnerable to DoS conditions. For anomaly-analysis IDS systems, you need a lot of maintenance and log file evaluation. Even with modern automated processing tools, this is a lot of effort for only little gain in security.

Thus, my suggestion for IDS: think about it, think about it carefully, think about it again, and then drop this idea.

P.S.: Well, one could say that you're right anyway; IDSs can have a good security benefit if the system is lousily administered. But maybe that's not the level of ability you'd like to see of an admin.

Sebastian Gottschalk
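The "signatures are usually incomplete" point above, shown on a few constructed web-server access-log lines. This is an added example, not part of Sebastian's post and not a rule from any real IDS ruleset: a literal `../` path-traversal signature is run once against the raw request path, as a naive rule would be, and once after the path has been percent-decoded, with the decode loop bounded so that a crafted input cannot keep the matcher busy (the DoS-against-the-detector problem he also mentions). The log lines, IP addresses and paths are made up for the demonstration.

```python
"""Signature matching over web-server access-log lines: a literal signature
versus the same signature applied after URL normalisation.  Added example;
the log lines and the rule are constructed for illustration and are not
taken from any real IDS ruleset."""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Tomcat "common" access-log format.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2007:11:01:00 +0000] "GET /index.jsp HTTP/1.1" 200 1234
10.0.0.9 - - [26/Feb/2007:11:01:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404 512
10.0.0.9 - - [26/Feb/2007:11:01:04 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 512
10.0.0.9 - - [26/Feb/2007:11:01:05 +0000] "GET /%252e%252e/etc/passwd HTTP/1.1" 404 512
10.0.0.7 - - [26/Feb/2007:11:01:09 +0000] "GET /app/report.jsp?id=42 HTTP/1.1" 200 880
"""

# Minimal parser that pulls client, method, path and status out of a common-log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# A "signature" in the style of a literal IDS rule: look for ../ in the path.
# It is complete only for the one encoding its author thought of.
TRAVERSAL_SIG = re.compile(r'\.\./')


def parse(line):
    """Return (client, method, path, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    return client, method, path, int(status)


def normalise_path(path, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing.  The round
    count is bounded so a pathological request cannot turn the matcher into
    its own denial-of-service target."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan(log_text, normalise):
    """Return the set of (client, raw path) pairs whose request matched the
    signature.  With normalise=False the rule is applied literally."""
    hits = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # unparseable line: in a real tool, count it, never silently drop it
        client, _method, path, _status = rec
        candidate = normalise_path(path) if normalise else path
        if TRAVERSAL_SIG.search(candidate):
            hits.add((client, path))
    return hits


def literal_hits():
    """Raw paths caught by the literal rule (only the unencoded attempt)."""
    return {path for _c, path in scan(SAMPLE_LOG, normalise=False)}


def normalised_hits():
    """Raw paths caught once the path is decoded (all three attempts)."""
    return {path for _c, path in scan(SAMPLE_LOG, normalise=True)}


if __name__ == "__main__":
    print("literal signature matched:", sorted(literal_hits()))
    print("normalised signature matched:", sorted(normalised_hits()))
```

The literal rule catches one of the three traversal attempts; after decoding, all three are caught, including the double-encoded one. A production ruleset has to make the same normalisation decision for every encoding the server itself accepts, which is exactly the maintenance burden the post describes.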
#7

On Feb 26, 11:01 am, Peter <e...@peter.com> wrote:

> Hi all,
> I'm new to computer security. Can you show me some starting point for
> securing a server? What I read on most sites about security is that
> updating the system is one of the best practices. However, I find it quite
> hard to do that on a daily basis, especially when you have a server with
> little or zero support such as Fedora 1/2/3 or Win2K. I also heard about
> IDS, but most IDS systems require experience on the part of the admin to
> set up a good database, which is impossible for a beginner like me. How
> secure is a firewall with a good policy?
> In case my server is intruded upon, what is the procedure to stop the
> attack, secure the system and rescue the data?
> If possible, please refer me to sources where I can learn more. I want
> something detailed, not just general guidelines that can be found by Google.
>
> Thanks a lot.
>
> --
> Peter - A newbie.

> little or zero support such as Fedora 1/2/3 or Win2K.

Support for Fedora, AFAIK, is provided in forums and mailing lists. Have you even tried them (for Fedora)?

As for Win2K... I think you'll have enough of a challenge just getting it to act reasonably as a server. Sure, you can slap [Apache/Tomcat/Jetty/whatever] on it, but that is not that particular OS's forte. I am sure there are mailing lists for that OS, which *are* discoverable via Google, and who would be better qualified/able/willing to entertain that question.

> What I read on most sites about security is that
> updating the system is one of the best practices.
> However, I find it quite hard to do that on a daily basis,

Then you will find system administration is not your bag, either. Win2K has 'Windows Update' available (unless you removed it). Now, unless you're talking about the pain of rebooting, there is nothing easier than using Windows Update... with the exception of the fine GUI administration tools provided by Debian, Fedora, and literally dozens and dozens of others. Running from a CLI? AFAIK, the GUI tools are merely wrappers for CLI package-management tools.

A quick use of Google with the terms 'Fedora 1 2 3 package management security' should return copious results. As would 'Linux documentation security administration'. There are literally dozens of 'detailed' system administration guides. I installed one, on my Debian box, using the GUI package management tools.

HTH,
Tarkin
#8

I want to say sorry in advance in case my reply appears to be a top post. I'm still not used to KNode.

> A good starting point is a degree in computer science and about 5 years'
> field experience setting up and managing systems.

Yes, I have a degree in computer science. But I have no experience in managing a large system.

> Go read a few books, mosey over to Sans.org/cert.org and read some of
> their free whitepapers. Check out Brainbench for cheap/free exams (no point
> in reading the books unless you can prove you understand them). There's a
> lot of introductory-level stuff on Wikipedia - but be wary of the value of
> information published there. Another good site is www.securityfocus.com

Thanks for your advice. I can understand those papers to a certain extent.

> You'll get lots of opinions on Usenet, and occasionally some good advice;
> if you had supplied about 100 words on what it is you are trying to secure
> then you might have got some specific advice here. Are you ready to
> understand it?

That's the reason I'm asking for advice here.

What I'm trying to secure here is a Darwin server (I'm really amazed that there is someone running a Mac machine as a server). It has Tomcat as an application server. The Tomcat server is rather old. I considered updating it. However, upgrading Tomcat to the newest one, 6.x, will require modifying the web application running on it. Even an application compatible with 5.5 also needs modifying. The worst thing is that when I took over the administration, there was little documentation of the system. In the end, I had to give up the idea.

One of my biggest concerns is how to prevent a DoS attack and leaks of users' information, as the company intends to create a community website.

>> In case my server is intruded upon, what is the procedure to stop the
>> attack, secure the system and rescue the data?
>
> Is this a troll? If not, it's time to call Ghostbusters.
>
> C.

No, I'm serious. You cannot assume a system is 100% secure. You may make a mistake somewhere. I read about some hacker techniques to gain root access and remove their traces. It may be silly but I want to know how to detect anomalies and stop attacks.

Peter
#9

Peter wrote:

>>> In case my server is intruded upon, what is the procedure to stop the
>>> attack, secure the system and rescue the data?
>>
>> Is this a troll? If not, it's time to call Ghostbusters.
>>
>> C.
>
> No, I'm serious. You cannot assume a system is 100% secure. You may make a
> mistake somewhere. I read about some hacker techniques to gain root access
> and remove their traces. It may be silly but I want to know how to detect
> anomalies and stop attacks.

But you cannot fight on lost ground. The proper procedure is to flatten and rebuild the system / recover from backup. Just the idea of detection is fine, but sadly usually not worth the effort unless you have a clear policy and relatively static demands.

Sebastian Gottschalk
#10

Sebastian Gottschalk wrote:

> But you cannot fight on lost ground. The proper procedure is to flatten
> and rebuild the system / recover from backup. Just the idea of detection
> is fine, but sadly usually not worth the effort unless you have a clear
> policy and relatively static demands.

How can you know a system was attacked? I think it's unreasonable for an administrator just to sit there and wait for someone to tell him about the attack. I suppose there should be some methods with reasonable trade-offs for a small network?

Can you give me an example of a network which has a "clear policy and relatively static demands" and how to build the detection system?

Peter
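One concrete instance of "clear policy and relatively static demands", as an added example that is not a reply from the thread: a web server whose content tree (for a Tomcat install, `webapps/`, `conf/` and the like) changes only when somebody deliberately deploys something. The policy is "nothing under these directories changes except through a deploy", and the detection is a baseline of file hashes and modes taken after each deploy and diffed on a schedule. The tree below is built in a temporary directory the script creates itself; the directory and file names only imitate a Tomcat layout and do not refer to any real system.

```python
"""Host integrity baseline for a static document tree: record a hash and
mode for every file, then diff a later walk against it.  Added example for
the question above; it works on a temporary tree it creates itself, so no
path here refers to a real deployment."""
import hashlib
import json
import os
import stat
import tempfile


def _file_record(path):
    """Hash the file in chunks and note its permission bits and size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_baseline(root):
    """Map relative path -> record for every regular file under root.
    Symlinks are recorded by their target text and not followed, so a link
    repointed somewhere else shows up as a change rather than being chased."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                baseline[rel] = {"symlink": os.readlink(full)}
            elif os.path.isfile(full):
                baseline[rel] = _file_record(full)
    return baseline


def compare(old, new):
    """Return which paths were added, removed or changed between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, path):
    # Keep this copy off the monitored host (or on read-only media): a
    # baseline the intruder can rewrite proves nothing.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Build a small Tomcat-like tree, baseline it, tamper with it the way an
    intruder might (edit a page, drop a new JSP, delete a config), and report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "webapps/ROOT/index.jsp", "<html>hello</html>\n")
        _write(root, "webapps/ROOT/WEB-INF/web.xml", "<web-app/>\n")
        _write(root, "conf/server.xml", "<Server port=\"8005\"/>\n")

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Constructed tampering: append to an existing page, add a JSP, remove a config.
        with open(os.path.join(root, "webapps", "ROOT", "index.jsp"), "a") as f:
            f.write("<%-- injected --%>\n")
        _write(root, "webapps/ROOT/cmd.jsp", "<% /* dropped by intruder */ %>\n")
        os.remove(os.path.join(root, "conf", "server.xml"))

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The diff is only as trustworthy as the baseline copy and the binaries used to take it, which is why the reply above pairs detection with "flatten and rebuild": once a host is suspected, the report tells you what to look at on the rebuilt copy, not what to repair in place. Directories that legitimately churn (logs, work/ and temp/ under Tomcat) belong outside the monitored tree or the report fills with noise and stops being read.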