
I'm setting up an OpenBSD server that I want to connect to the Internet (it's going to be used to host a site - so, with Apache, SQLite and the like). I want it to be as secure as possible. Social engineering would be impossible as I'm the only one to know about the server, so I would like to secure the server as much as I can. As for the website's security, it is a concern too but not as much as the server itself. The site will be extremely simple; the main page is protected by a password, the .htaccess is very restrictive, and it's not indexed on search engines. So apart from sanitizing user input, there's nothing to worry about.

The thing is, I only have an extremely basic knowledge of networking and security (be it OS security, web/net sec...). I am searching for tutorials or books that would be useful to learn about:

  • the Unix environment (shell, iptables, etc),
  • OS security (nothing too centered around programming though - I only have C/C++ basics),
  • Web applications and basic networking, as well as network security once I'm finished with the basics.

I don't know if there is anything else worth looking into for securing my server. As I said, I'm not really good at programming. Is it a problem? Should I become more proficient with C and C++ before looking into networking and security?

Scott Pack
    "Social engineering would be impossible as I'm the only one to know about the server" Never take this attitude. You mean "social engineering is less likely." Definitely don't think you're immune; practiced con artists are better at wheedling information out of people than most people are at concealing it, and even information you don't deem important can often be used by attackers. – Sam Whited Jun 20 '12 at 13:32
  • As it stands, your question is really too broad to be reasonably answerable. I would recommend looking at the [tag:hardening] tag. There already exists good material that will address at least *some* of your questions. Otherwise, you should break your problem down into more discrete components that are more answerable. – Scott Pack Jun 22 '12 at 19:22

4 Answers


I refer you to the answer to this question, and will copy relevant parts below. I've also added a section or two at the end.

Choosing a strong passphrase

Yes, we've all heard it time and time again, but there is probably no easier way to improve your security. If you're a fan of passwords, make sure to choose something that contains enough entropy to be reasonably secure, while still being easy to memorize. A random series of letters and numbers is great, but you probably won't be able to memorize a very long string of them. Anything that includes personal information should also be avoided. Mixing your name with your birthdate is not secure, no matter how long and random it might look.

Personally, I'm a fan of pass phrases. Pick a few random words from a dictionary (I choose somewhere between 5 and 10 depending on the required amount of entropy), and you've probably generated enough entropy to keep an attacker guessing for much longer than will be practical (see the XKCD on the topic for a laugh).

Other people prefer to use pass-sentences. While these may be longer than your typical passphrase, they may or may not be any more secure.

For more information on passphrases and pass-sentences see 'Linguistic properties of multi-word passphrases' by Bonneau and Shutova of the University of Cambridge [PDF], or their blog post on Light Blue Touch Paper.

Install security related updates

Actually, if you're running anything make sure you've got the latest security updates. Simply turning on Automatic Updating in Windows, or making sure to run updates often in Linux can go a long way towards keeping you safe.

SSH

If you're using SSH to access your computer remotely, make sure to turn it off for the root account, and always use public key authentication. Other things you can do include disabling protocol 1, allowing only certain users to login remotely, and disabling X-forwarding (depending on your requirements). For more info, see this article on the CentOS wiki.

Websites

If you've set up a website that you'll be logging into (admin interface in a CMS for instance), always log in over SSL (e.g. make sure your browser says "https://"). It's possible to buy a certificate for a reasonable price (I like Rapid SSL) or you can generate a self-signed certificate and use that.

Social Engineering

Just to rehash my comment on the original post, social engineering is always possible. Never assume that you won't be vulnerable. Chances are you won't fall for the obvious stuff (an email from your colo provider asking for the root password to your machine, etc.), but even something as trivial as where your machine is hosted (maybe you give your address out on a form for something completely unrelated to some guy you randomly met in a coffee shop) can be very useful to an attacker.

WiFi

Logging in remotely via a wireless access point? Make sure it's using WPA2. WEP and plaintext connections are a no. If it's your own access point (maybe even on the same network as your server, though I'd hope not) make sure to choose a strong password (see above).

Security through obscurity is not security

As someone else pointed out, security by obscurity should never be seen as a security measure. The second of Kerckhoffs' six design principles for military ciphers states:

It [the algorithm] must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience

This is applicable to much more than encryption algorithms, however, and should be taken as a general rule in any form of security engineering.

This principle is also known as Shannon's maxim after it was rephrased more simply by Claude Shannon as, "The enemy knows the system."

Sam Whited
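A small audit of the sshd settings this answer recommends (no root login, key-only authentication, no protocol 1, a login allowlist, X11 forwarding off), written as an added example that is not part of the answer. It assumes only POSIX sh and awk; the two sample configs are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the answer: audit an sshd_config for the
# settings recommended above. Needs only POSIX sh and awk.

# Print the effective value of KEY in FILE. sshd takes the first match
# for a keyword, keywords are case-insensitive; prints nothing if unset.
sshd_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# Print one line per missed recommendation; the return value is the count.
# Unset PermitRootLogin/PasswordAuthentication are reported as well, since
# the defaults are permissive or have changed between OpenSSH releases.
audit_sshd_config() {
    f=$1; n=0
    v=$(sshd_value "$f" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}', want 'no'"; n=$((n + 1))
    fi
    v=$(sshd_value "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}', want 'no' (keys only)"; n=$((n + 1))
    fi
    # 'Protocol' exists only on older OpenSSH; if present it must not list 1.
    case "$(sshd_value "$f" Protocol)" in
        *1*) echo "Protocol still allows SSH version 1"; n=$((n + 1)) ;;
    esac
    if [ -z "$(sshd_value "$f" AllowUsers)" ] && [ -z "$(sshd_value "$f" AllowGroups)" ]; then
        echo "No AllowUsers/AllowGroups: every account with a shell may log in"; n=$((n + 1))
    fi
    if [ "$(sshd_value "$f" X11Forwarding)" = "yes" ]; then
        echo "X11Forwarding is enabled; disable it unless you need it"; n=$((n + 1))
    fi
    return $n
}
# Same audit, but prints only the number of findings (handy in scripts).
count_sshd_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed sample configs (not from a real host) to exercise the checks.
write_weak_config() {
    printf '%s\n' 'Port 22' 'Protocol 2,1' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' 'X11Forwarding yes' > "$1"
}
write_hardened_config() {
    printf '%s\n' '# hardened' 'Protocol 2' 'PermitRootLogin no' \
        'PasswordAuthentication no' 'AllowUsers admin' 'X11Forwarding no' > "$1"
}
sample=$(mktemp); write_weak_config "$sample"
if audit_sshd_config "$sample"; then echo "no findings"; else echo "findings: $?"; fi; rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on the box and restart sshd after each change, keeping the current session open until a fresh key-based login succeeds.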

The same security principles can be applied that you would apply when securing a Linux server, so check out here for a start. Also you might want to look into securing SSH here.

Mark Davidson

Firstly: I wouldn't count on obscurity protecting your server. As long as it is exposed to the internet, it WILL be vulnerable to hacking attempts.

Next, all the usual rules apply. Close off all unused ports, disable any unused services, set up proper firewall rules. Keep services updated, especially with the latest security patches. Do not use the root account unless really required. If needed, only access your server through VPN.

For the website, make sure you guard against SQL injection, XSS and other common web application hacking techniques.

For network security, I find a good start would be the Nmap book. I am going through it right now, and it is a very interesting read.

  • Thank you. I'll get this Nmap book - so it isn't necessary for me to go through networking basics, I can directly jump to netsec? – David Moore Jun 20 '12 at 13:10
  • You really should understand the basics first - routing, packets, tcp/udp or some of the concepts/techniques will be very confusing. –  Jun 20 '12 at 13:13
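One way to find the "unused ports" and services this answer says to close, as an added example that is not part of the answer: compare the listening sockets against an allowlist of what the server is meant to expose. The sample input is constructed in the layout of OpenBSD's `netstat -an -f inet`; the allowlist values are assumptions for a web host.

```shell
#!/bin/sh
# Added example, not from the answer: list listening sockets that are not
# on an allowlist, so unused services are found before the firewall rules
# are written. The sample is constructed in the layout of OpenBSD's
# `netstat -an -f inet`; on a live host feed that command's output instead.
SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  *.80                   *.*                    LISTEN
tcp          0      0  127.0.0.1.3306         *.*                    LISTEN
tcp          0     36  203.0.113.10.22        198.51.100.7.51514     ESTABLISHED
udp          0      0  *.514                  *.*
udp          0      0  127.0.0.1.53           *.*'

# Read netstat output on stdin and print "proto/port" for each listener.
# The port is the last dot-separated field of the local address (BSD style,
# "*.22" or "127.0.0.1.53"). UDP has no state column, so every bound UDP
# socket counts as a listener.
listening_sockets() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "."); print $1 "/" a[n] }
         $1 ~ /^udp/                    { n = split($4, a, "."); print $1 "/" a[n] }'
}

# Print every listener that is not in ALLOWLIST (space-separated, e.g.
# "tcp/22 tcp/443"); anything printed is a service to stop or firewall.
unexpected_listeners() {
    listening_sockets | while read -r sock; do
        case " $1 " in
            *" $sock "*) ;;
            *) echo "$sock" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE" | unexpected_listeners "tcp/22 tcp/80"
```

On the sample this reports tcp/3306, udp/514 and udp/53, i.e. a database and two daemons that a password-protected static site does not need exposed.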

OpenBSD is my system of choice for security implementations facing the Internet; the good thing about OBSD itself is that it is secured by default. When I say "secured by default" I do not mean that OBSD is unhackable, but knowing that its developers have been implementing proactive security for a long time, rest assured that the level of system compromise is far lower compared to other systems. Perhaps other BSD users in this community can attest to that.

With OBSD you can have peace of mind if you are concerned about remote exploitation. Of course I am talking about how the network stack has been designed in general and how the whole OS has been packaged, not the application layer, which can be the subject of most remote attack techniques. It has built-in memory protection (W^X): the address space cannot be writable and executable at the same time, therefore minimizing or almost eliminating the possibility of buffer overflow attacks.

On the network side, if you want to harden the box you may want to check the iptables equivalent on BSD, which is PF; it has packet normalization.

The most useful tutorials available in the Internet about how you can harden your BSD box are:

  1. The official OBSD FAQ: http://www.openbsd.org/faq/index.html - It covers basic to advanced configurations for your needs.

  2. https://calomel.org/ - There are some special setups you'll probably want to implement in the future: failover with CARP, IPsec, etc.

  3. http://www.openbsdsupport.org/ - Specific OBSD configurations you may want to try.

  4. http://www.benzedrine.cx/index.html - Daniel Hartmeier's site. The creator of PF.

  5. And of course the OBSD Journal - http://undeadly.org/

You may also want to check the OBSD books at http://www.openbsd.org/books.html#1; I previously had Absolute OpenBSD and Secure Architectures. The Book of PF I perhaps wouldn't be able to recommend, because there were changes in the PF syntax/parameters starting with 5.0.

John Santos