Saturday, 13 September 2014

UNIX Servers and Secure Access


Nobody has access until explicitly granted.

A host firewall will be in place on each UNIX server to limit traffic to the permitted ports and to drop a possible mass attack.
A port monitoring and IP blocking tool will be installed to detect and block suspected misuse.
Insecure or plain-text tools are not available for use.
These include telnet, ftp, rsh and rexec; their secure replacements are ssh, scp and sftp.
The open ports on any server are locked down to a bare minimum:
22 - ssh, for remote access and data transfer (scp/sftp)
25 - mail (SMTP)
143/587 - mail server (IMAP and authenticated mail submission)
80 - standard web server
443 - secure web server (https)
3306 - MySQL database access, over SSL or an SSH tunnel only
other ports only on demand.
Security on the open ports:
3306 - only open to other database and backup servers
443 - open to the world, but monitored
80 - open to the world, but monitored
25 - open only for outgoing mail as standard;
        if incoming mail is required (for example by Jira) it is opened, but monitored
22 - open for approved staff only and configured for public-key authentication only (see below)
143/587 - open for registered mail users only; both services must require STARTTLS so that mail log-ins do not cross the network in plain text
other ports will be added to this list if and when they are opened.
Where possible, http will be redirected to https.
A virus filter to protect the Windows users will be in place on servers with mail or upload access.
Servers with a VNC access requirement will have VNC bound to localhost only, reachable through an SSH tunnel with key authentication.
Direct root log-in over SSH is disabled; administrative work is done with sudo after an SSH connection as a normal user.
No user will have access to the root password.
User access is granted via an SSH key pair of at least 2048 bits (RSA; larger keys or Ed25519 are preferable).
No password log-in is available.
After 3 failed SSH authentication attempts the account will be locked and the IP blocked with the port monitoring and IP blocking tool mentioned above.
The public key has to be registered on the server before access is possible.
The user cannot change the registered key or the server's protected SSH host key.
Every server access, successful or failed, will be logged in an audit file.
Every sudo command is audited.
Every web site access will be logged and presented in a daily report.
Server and data backups will be in place and stored in a secure location.
On web-facing servers the denyhosts tool is installed to block IPs after repeated failed SSH log-in attempts.
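The SSH rules above in checkable form, as an added example that is not from the original post: a small POSIX shell script that reads an sshd_config and reports every directive that does not match the policy (no root log-in, no passwords, public key only, lock-out after three attempts). The two sample configurations, the temporary file names and the policy table are constructed for the demonstration; on a real server point it at /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example for the access rules above; not part of the original post.
# Checks an sshd_config against the policy: no root log-in, no passwords,
# public-key only, lock-out after 3 attempts. The two sample files below are
# constructed for the demonstration.

# Effective value of one directive. sshd takes the FIRST occurrence of a
# keyword, keywords are case-insensitive, '#' starts a comment, and anything
# after the first Match block only applies to the matched users.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# directive|required value|sshd default when the directive is unset|why
SSHD_POLICY='permitrootlogin|no|yes|root works through sudo after a normal SSH log-in
passwordauthentication|no|yes|no password log-in, keys only
challengeresponseauthentication|no|yes|keyboard-interactive is another password path
pubkeyauthentication|yes|yes|access is granted through the registered public key
maxauthtries|3|6|three failed attempts, then lock-out and IP block'

# Print one line per violated rule; prints nothing when the file is compliant.
sshd_config_violations() {
    printf '%s\n' "$SSHD_POLICY" | while IFS='|' read -r key want default why; do
        have=$(sshd_directive "$1" "$key")
        note=""
        if [ -z "$have" ]; then
            have=$default
            note=" (sshd default, directive not set)"
        fi
        ok=no
        if [ "$key" = maxauthtries ]; then
            # a smaller limit than the policy asks for is acceptable
            [ "$have" -le "$want" ] 2>/dev/null && ok=yes
        elif [ "$have" = "$want" ]; then
            ok=yes
        fi
        [ "$ok" = yes ] || printf '%s: want %s, have %s%s: %s\n' \
            "$key" "$want" "$have" "$note" "$why"
    done
}

# Exit status 0 only when no rule is violated.
check_sshd_config() {
    [ -z "$(sshd_config_violations "$1")" ]
}

# Two constructed sample files: a distribution-style default and the hardened one.
weak_cfg=$(mktemp) && hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT
cat >"$weak_cfg" <<'EOF'
# constructed sample: stock configuration, passwords and root log-in allowed
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF
cat >"$hard_cfg" <<'EOF'
# constructed sample: the policy in this post
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LogLevel VERBOSE
EOF

for cfg in "$weak_cfg" "$hard_cfg"; do
    if check_sshd_config "$cfg"; then
        echo "$cfg: compliant"
    else
        echo "$cfg: NOT compliant"
        sshd_config_violations "$cfg" | sed 's/^/  /'
    fi
done
```

Two caveats worth knowing when reading the output: a directive that is missing altogether is reported with the sshd default, because an unset PasswordAuthentication means passwords are allowed; and settings inside Match blocks are not examined, so a Match block that re-enables passwords for one user needs a look by hand. On a live host `sshd -T` prints the effective configuration including defaults and is the authoritative check.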


The default access permission for servers is defined in the TCP wrappers file:


/etc/hosts.deny

ALL:   ALL


Then put the IP addresses that are permitted access in this file:


/etc/hosts.allow

# Office IP
ALL: nnn
#
# Remote server
ALL: nnn
#
# 24x7 support IPs
ALL: nnn


Since all web servers are, for obvious reasons, open to the world, and since TCP wrappers only protect daemons that are linked against libwrap (sshd usually is, Apache is not), the hosts.deny rules do not cover web traffic and an iptables firewall needs to be in place as well.
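The port policy from the list above rendered as an iptables firewall, as an added example that is not from the original post: a shell script that prints an iptables-restore ruleset in which 80/443 are open to the world, 22 is limited to approved addresses, 3306 to the other database and backup servers, and 25 and 143/587 are only opened when switched on. All addresses are assumptions taken from the RFC 5737 documentation ranges and stand in for the real office, support and database server IPs; the APPLY switch and the open_ports helper are also part of this example.

```sh
#!/bin/sh
# Added example, not part of the original post: render the port policy above
# as an iptables-restore ruleset, so that web servers, which cannot rely on
# hosts.deny, still expose only the listed ports. All addresses are assumptions
# (RFC 5737 documentation ranges) for the real office, support and DB servers.

OFFICE_IPS="203.0.113.10"                  # assumed office address
SUPPORT_IPS="198.51.100.5 198.51.100.6"    # assumed 24x7 support addresses
DB_PEERS="192.0.2.20 192.0.2.21"           # assumed database and backup servers
INCOMING_MAIL=no        # yes on hosts that receive mail (e.g. the Jira host)
MAIL_USERS=no           # yes on the mail server that serves 143/587

# Print the complete ruleset for the filter table on stdout.
render_firewall() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback (VNC is only reachable here, through an SSH tunnel) and replies
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 80 and 443: open to the world; new connections are logged (rate-limited)
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m limit --limit 30/min -j LOG --log-prefix "fw-web: "
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
    # 22: approved addresses only; everything else falls through to the drop below
    for ip in $OFFICE_IPS $SUPPORT_IPS; do
        echo "-A INPUT -p tcp --dport 22 -s $ip -j ACCEPT"
    done
    # 3306: other database and backup servers only
    for ip in $DB_PEERS; do
        echo "-A INPUT -p tcp --dport 3306 -s $ip -j ACCEPT"
    done
    # 25: outgoing mail is covered by the OUTPUT ACCEPT policy; incoming only on demand
    [ "$INCOMING_MAIL" = yes ] && echo "-A INPUT -p tcp --dport 25 -j ACCEPT"
    # 143/587: registered mail users authenticate at the IMAP/submission service
    [ "$MAIL_USERS" = yes ] && echo "-A INPUT -p tcp -m multiport --dports 143,587 -j ACCEPT"
    cat <<'EOF'
# everything else: log a sample, then fall through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# List the TCP ports the rendered set accepts, one per line, for review
# against the "open ports" list in the post.
open_ports() {
    render_firewall | awk '/-j ACCEPT/ && /-p tcp/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--dport" || $i == "--dports") {
                n = split($(i + 1), p, ",")
                for (j = 1; j <= n; j++) print p[j]
            }
    }' | sort -un
}

# Preview always; apply only when explicitly asked for, and only as root
# (iptables-restore replaces the whole filter table with the rendered set).
render_firewall
if [ "${APPLY:-no}" = yes ] && [ "$(id -u)" -eq 0 ]; then
    render_firewall | iptables-restore
fi
```

Run it without arguments to review the ruleset, compare `open_ports` with the list in the post, and apply with `APPLY=yes` as root once the addresses are the real ones; save the rendered output to the distribution's persistent rules file so it survives a reboot. Connections to port 22 from addresses that are not in the list are logged with the "fw-drop:" prefix, which is also useful input for the IP blocking tool.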
