1) Proactively prevent hacks from happening

* First & foremost, create a normal user & disable remote root login via SSH:
Remove unwanted users & change the shell of unnecessary users to /bin/false. Shell access has to be restricted to the users/services that really need it. You also need to make sure that no account other than root has UID 0.

* Encrypt the data communication to & from the server:
Using tools like scp, ssh and rsync & encrypting web traffic with Apache SSL greatly reduces the risk of data being sniffed in transit. OpenVPN is a good choice for encrypting data within a VPN, and it is also a lightweight application. Cleartext protocols like FTP and telnet have to be strictly avoided.

As a part of this security measure, it is advisable to use SSH key-based authentication if you have a limited and specific set of users that need access to the server. Also, make use of TCP wrappers (hosts.allow/hosts.deny) to allow each service only from specific hosts.

* Remove unnecessary software & allow protocol specific hosts to greatly minimize security risks:
The server needs to have only the necessary software & services running on it to minimize the risks involved. Turn off services that are not required at boot time using chkconfig. If it is unnecessary, remove the X Window System from the server. Another good piece of advice is to never run services on their default ports.

The more applications a single server hosts, the larger its attack surface. Hence, spread different applications across different servers.

* Regular updates to kernel & OS
Regular updates & patches keep the server safe & protected from the vulnerabilities that are found from time to time. Try to avoid using third-party repositories.

* Use SELinux & Install a proactive firewall like CSF:
Make use of the in-built security policy CentOS gives us to allow access based on a controlled list that can be tailor-made to suit the needs of the server/applications.

CSF has always been one of my favorite applications as it drastically reduces the work for a monitoring administrator. It can ban, suspend, deny access to suspicious services or hosts based on their prior behavior. It can be extensively modified and customized based on our needs.

* User accounts & strong password policy
As a system administrator I cannot stress enough the necessity that users not save passwords within their browsers or on any physical material. Frequent password changes, locking accounts after ‘n’ failed login attempts, long passwords with mixed character classes, and rejecting dictionary passwords are essential parts of a strong password policy.

* Password protect the boot loader

* Physical Security for the server
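
The account and SSH checks from the first few points above, as an added example that is not part of the original post: a POSIX shell audit that flags extra UID 0 accounts, system accounts that still have a login shell, and sshd_config values that leave root or password login enabled. The passwd and sshd_config contents are constructed sample data; on a real host pass /etc/passwd and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Constructed sample files (not taken from any real host) so the checks run offline.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/false
backup:x:0:1001:leftover admin:/home/backup:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
# PermitRootLogin no
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SSHD"' EXIT

# Every account with UID 0 other than root is a second root login.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# System accounts (UID below 1000) whose shell is not a no-login shell.
system_accounts_with_shell() {
    awk -F: '$3 != 0 && $3 < 1000 && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# Effective sshd_config value: sshd uses the first uncommented occurrence of a keyword.
# Prints "unset" when the keyword does not appear.
sshd_setting() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    echo "${val:-unset}"
}

# Runs all checks, reports findings on stderr and prints the number of findings.
audit_findings() {
    n=0
    for u in $(extra_uid0_accounts "$1"); do echo "FINDING: extra UID 0 account: $u" >&2; n=$((n+1)); done
    for u in $(system_accounts_with_shell "$1"); do echo "FINDING: system account with login shell: $u" >&2; n=$((n+1)); done
    [ "$(sshd_setting "$2" PermitRootLogin)" = "no" ] || { echo "FINDING: PermitRootLogin is not 'no'" >&2; n=$((n+1)); }
    [ "$(sshd_setting "$2" PasswordAuthentication)" = "no" ] || { echo "FINDING: PasswordAuthentication is not 'no' (keys not enforced)" >&2; n=$((n+1)); }
    echo "$n"
}

audit_findings "$SAMPLE_PASSWD" "$SAMPLE_SSHD"   # prints 4 for the sample data
```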

2) Test for security flaws on the server or in PHP code.
* Penetration testing
Scanning & testing web applications before they go live is an absolute necessity. Web server and network vulnerability scanners like Nikto2 and Nessus, together with tools like Snort and Tripwire, come in handy. My personal favourite in recent times for finding SQL injection & XSS attacks in malicious PHP scripts has been the “Malware Detect Scanner” from rxfn.com. It has been remarkable at finding XSS attacks & I cannot seem to work without it each day.

3) Regularly create useable backups
I personally prefer using rsync, but I have heard great things about fwbackups & bacula too. Running rsync against NFS shares from bash scripts is what I prefer and can handle.

4) Increase server or application efficiency
* Install application monitoring and server monitoring tools like the ‘sysstat’ package. I always tend to use the sar & /var/log/messages combination to check & narrow down the cause of an unresponsive server or a shutdown. Also, vmstat gives a very detailed report of processor & memory usage, which helps to determine the idle time. Though ‘top’ gives a realtime picture of the processes consuming processor/memory, I tend to use it with the command: ps -eo user,pcpu,pid,pmem,command | sort -k4 -nr | head -11

The python memory analysing script from pixelbeat.org is also very useful for finding memory leaks. Applications that run on Java can be restricted to a memory range (the JVM heap options Xms/Xmx) so that they do not affect the performance of the other applications.
