Hardening a server
Posted: Thu Jan 17, 2008 12:51 pm
I am currently building up a new server for my home (as I type, the hardware is running its burn-in tests). I am building this box to take over the roles of many network services that I have running on various systems throughout the house. I realized not too long ago that MySQL runs on one box, Apache and my music streaming run off my primary desktop system, my wife's computer runs the print server, my laptop actually has my CVS (I honestly don't know what I was thinking on that one... probably like most of my projects "hey look! a shiny new project to play with!" followed by "I don't want to move it now...I'll do it later"), and my RAID backup system sits in the corner turned off except for that one Saturday a month in which I run backups. I still have several other tasks running on various systems as well. This brought 2 things to mind.
1) That's a lot of wasted computing and energy.
2) No wonder I have issues when an update on one system makes another go nuts!
So I have decided to make things simpler (if that's possible). I built up one system for all these tasks and hopefully I can shut down the other systems and save money on the electricity bill. The problem is that when I have hardened a server before, I have done so with just a few things in mind (large business / school training mentality of setting up one system for one purpose). Example: if it's a MySQL system and that's all it runs, then I can turn off everything but SSH and MySQL and toss the box to the back of the closet with a power cable and network cable, knowing that I don't need to worry about much else. Since I am now running so many services on one box, I don't want a ton of holes, but I am not sure how locked down I can make this system and keep it usable. I have a pretty hardened Smoothwall Firewall running and I will not be forwarding anything to this box from the outside world, so I can be at least a bit more flexible than if this box was seen by the outside universe, but that's not an excuse to do nothing at all either.
The services that I want to run on this system are:
MySQL - Database
Apache - Web server, internal use only (I do not have plans on having this exposed past my firewall, and if I ever do I will build a box specifically for that purpose. This is for my coding projects as well as things like the next two items)
Zabbix - Monitors all my boxes, does all my reporting, creates a nice pretty layout in Apache, etc.
Jinzora - Music streaming through Apache
Share Printer
Samba - Sharing files with XBMC as well as a few other things.
CVS - Code repository (though I am debating on switching to Subversion or something else like it...but that's another conversation)
FTP - internal use only (not exposed through firewall).
SSH - internal use only (not exposed through firewall).
Apt-proxy - Considering I run almost exclusively Debian and Ubuntu, there's no need to pull a package a dozen times off the net. So I have my own apt repository that only updates files that have been requested (e.g. it takes up about 6GB of space versus a full mirror, which I think was 50+ GB last time I checked).
Considering that I have been taught for so long that "if a box has power and a net connection, it can be hacked" and "It's better to be paranoid and prepared than unaware and sorry", it's probably no surprise that the only thing going through my head right now is "with that many services running, there is going to be a vulnerability". So I thought I would ask the group what your thoughts / opinions were. Besides doing the basics (making sure root can't log in via SSH, Samba shares are read only, etc.), what else should I do? Is it worth the hassle to set up and maintain an IDS like Snort or Tripwire? Or should I just run nmap against it every once in a while and take care of the basics? I guess another question would be, am I overloading a single server with too many tasks (the physical box can take the abuse, but can the security) or should I just do the basics and leave the paranoia and tin foil hats for the firewall?
~Stack~
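An added example, not part of Stack's post or any reply: a small POSIX sh audit script for two of the "basics" named above (root SSH login disabled, Samba shares read only), run against constructed sample config files rather than the poster's real ones. The function names `sshd_root_disabled`, `samba_writable_shares` and `audit` are this example's own; the checks assume standard `sshd_config` and `smb.conf` syntax and need only sh, sed and awk.

```shell
#!/bin/sh
# Added example (not from the original post): audit two hardening basics
# against constructed sample configs so it can be tried offline.

# sshd_root_disabled FILE: succeed only if FILE sets "PermitRootLogin no".
# sshd honours the first occurrence of a keyword; an absent keyword counts as
# a failure here because the compiled-in default differs between versions.
sshd_root_disabled() {
    val=$(sed 's/#.*//' "$1" |
          awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    [ "$val" = "no" ]
}

# samba_writable_shares FILE: print the name of every non-[global] share that
# its own section makes writable ("read only = no" or "writable/writeable =
# yes"); a later directive in the same section overrides an earlier one.
# Prints nothing when every share is read only. Does not evaluate a default
# set in [global], so keep that section explicit as well.
samba_writable_shares() {
    awk '
        function flush() { if (name != "" && name != "global" && writable) print name }
        /^[ \t]*\[/ {
            flush()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/].*$/, "", name)
            name = tolower(name); writable = 0; next
        }
        /^[ \t]*[#;]/ { next }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val); val = tolower(val)
            on = (val == "yes" || val == "true" || val == "1")
            if (key == "readonly") writable = !on
            else if (key == "writable" || key == "writeable") writable = on
        }
        END { flush() }
    ' "$1"
}

# audit SSHD_CONFIG SMB_CONF: print a one-line verdict per check.
audit() {
    if sshd_root_disabled "$1"; then
        echo "sshd:  root login disabled"
    else
        echo "sshd:  FAIL - PermitRootLogin is not set to no"
    fi
    w=$(samba_writable_shares "$2")
    if [ -z "$w" ]; then
        echo "samba: all shares read only"
    else
        echo "samba: FAIL - writable shares:" $w
    fi
}

# Constructed sample configs (not real files from the post), written to a
# temporary directory that is removed on exit.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$tmpdir/smb.conf" <<'EOF'
[global]
   workgroup = HOME
[music]
   path = /srv/music
   read only = yes
[scratch]
   path = /srv/scratch
   writable = yes
[uploads]
   path = /srv/uploads
   read only = no
   read only = yes
EOF

audit "$tmpdir/sshd_config" "$tmpdir/smb.conf"
```

Against the sample files the sshd check passes and the Samba check flags only `scratch`, since `uploads` is flipped back to read only by its last directive. Pointing `audit` at `/etc/ssh/sshd_config` and `/etc/samba/smb.conf` on the real box gives the same report for that system.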