Security for web host

I'm planning to rent a dedicated server at a hosting company. The server will have the Debian Lenny 5.0 OS. The purpose of this server is to host my company website, to host an email server to manage company emails and to host FTP services.

The web service is Apache, the FTP service is ProFTPd and the mail service is not decided yet, but most likely it will be Exim4.
My question is: after the server is up and starts serving company website visitors and company emails etc., what security should I consider to protect my server from any kind of attacker? In particular, those attackers who rely on these 3 services installed on my server?

Thank you in advance
Moodynet asked:

akosb commented:
Generally speaking, so-called "hardening" of your server needs a lot of expertise and effort, and not only an initial setup but also frequent monitoring of services, traffic, load etc., and generally of the health of your system.
Some of those elements can be:
  • properly setting up services
  • blocking unused ports, allowing only those which are actually used
  • installing a firewall
  • installing BFD (brute force detection) service
  • installing proper spam filtering for email and various enhancements for your mail server
  • installing a rootkit scanner
  • ...and some additional system and service related settings and applications
If you'd like to stay on the safe side (as I did as well, without excessive knowledge of Linux OSes) I'd recommend either hiring an experienced Linux sysadmin you trust, or going with the server management service of one of the many companies out there who can manage this for a reasonable price (I won't advertise any of those here; a search through forums would help a lot though).

Lastly, please remember that it's not enough to have a smoothly running system set up once - it needs to be monitored, and quick, experienced help is required when least expected. Maybe once a year, but for mission-critical tasks your business depends on how you can handle the situation within hours, and that's when the help is needed the most.

Moodynet (author) commented:
Thank you Akosb,

I know very well what you advised me, but I would like to take these challenges on my own responsibility, and then I will learn from my mistakes. Let's stick with this principle!

Which firewall do you recommend installing on Debian? I'm very familiar with iptables, which is installed by default on Debian Lenny.

Which BFD do you recommend? Is Snort enough to do the task?

Which spam filter do you recommend?

Which rootkit scanner do you recommend?

Just name these tools and I will dig through the net for how to install them.

Thank you again
akosb commented:
Hi,

Let me tell you I'm not a Linux admin, just a software engineer who has been involved in hosting for years with the help of system administrators, picking up web server maintenance knowledge in the meantime. I can tell you about my experience so far with Debian systems, mostly based on the Plesk control panel. The applications I use turned out to be satisfactory for keeping my servers up, though as I am not an expert, these can only be recommendations, not best practices.

As a layer over iptables you can use APF, which makes handling it easy.

From the makers of the same software you can obtain BFD; I think it's quite a standard piece of software for this purpose. It requires APF to be installed.

SpamAssassin is a great spam filtering solution. You can set it up quite easily, or if you use Plesk or some other popular control panel, you can find modules for it which will pre-configure it for you and make maintenance easy.
Other techniques for hardening your spam protection are "greylisting" and tuning SpamAssassin with additional modules that check spam databases, like DNSBL, RBL, SORBS etc.

On my servers I had rkhunter (Rootkit hunter) installed - running it on schedule will keep most of the rootkits off your system.

These are just some basic protections - if you'd still like to do it on your own, I suggest digging up tutorials on the net and also finding the list of security measures that some of the server management companies apply.

Please let me know if I can help you with more specific information.
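What BFD does at its core, counting repeated login failures per source address and handing the offender to the firewall, as an added example (not akosb's code and not the BFD project's own): a POSIX shell/awk script run over constructed auth.log lines. It assumes the real sshd "Failed password" format and an approximated ProFTPD "Login failed" line, and prints the iptables rule instead of applying it.

```shell
#!/bin/sh
# Constructed sample of auth.log lines (sshd lines follow the real format; the proftpd line is approximated).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:05 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:09 web1 sshd[2105]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar  3 10:01:12 web1 sshd[2107]: Failed password for root from 198.51.100.7 port 51050 ssh2
Mar  3 10:01:15 web1 sshd[2109]: Failed password for root from 198.51.100.7 port 51061 ssh2
Mar  3 10:02:00 web1 sshd[2111]: Failed password for bob from 203.0.113.9 port 40210 ssh2
Mar  3 10:02:30 web1 sshd[2113]: Accepted password for bob from 203.0.113.9 port 40211 ssh2
Mar  3 10:03:01 web1 proftpd[2200] web1 (198.51.100.7[198.51.100.7]): USER ftpadmin (Login failed): Incorrect password.
EOF

# Count authentication failures per source IP across both services and print
# "IP COUNT" for every address at or above the threshold, most failures first.
brute_force_offenders() {  # $1 = log file, $2 = failure threshold
    awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed password/ || /proftpd\[[0-9]+\].*Login failed/ {
            ip = ""
            # sshd puts the client address right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # proftpd logs it as host[address]; require a dot so the [pid] is not taken
            if (ip == "" && match($0, /\[[0-9]+\.[0-9.]+\]/))
                ip = substr($0, RSTART + 1, RLENGTH - 2)
            if (ip != "") fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
    ' "$1" | sort -k2,2nr
}

# Emit the firewall action as text so it can be reviewed and the script run
# unprivileged; a cron job could pipe this into sh, or hand the IP to APF instead.
block_rule_for() {  # $1 = offending IP
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

brute_force_offenders "$SAMPLE_LOG" 5 | while read -r ip count; do
    echo "# $ip: $count failed logins in sample"
    block_rule_for "$ip"
done
```

A real deployment would also need to expire the blocks and whitelist the admin network, which is exactly what BFD and APF layer on top of this counting.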

Moodynet (author) commented:
Thank you Akosb,

Does APF stand for Advanced Policy Firewall?

Do you have a list of security measures that some of server management companies apply?

In general, what kind of threats have you experienced in managing a host? For example DoS and UDP flood, although these are old techniques?

Thanks,
Kamran Arshad (IT Associate) commented:
Hi,

Please check the list below. It has APF, BFD and everything else required to secure your web server. The web-hosting company I worked for had these applications installed and it helped us a lot.

http://www.rfxn.com/projects/
akosb commented:
Hi,

APF is Advanced Policy Firewall indeed.

In a few years of hosting, I experienced a DoS attack (though it was aimed at the whole cluster, not my server specifically), break-ins into some mailboxes through POP3 which turned my server into a spam bot, and generally, fighting spam is what requires quite an effort.

Here is a list of steps a company did for me:

  • SIM (System Integrity Monitor) - 24x7 internal monitoring of services.
  • SPRI (System Priority) - Sets the priority of current processes being run on your server, decreasing load 10-25%.
  • PRM (Process Resource Monitor) - Monitors all resources used by all processes; if a process is being flooded or causing high load on the server, it is killed.
  • BFD (Brute Force Detection) - Detects brute force connections and automatically enters the offending IPs into the firewall to be blocked.
  • LES (Linux Environment Security) - Enforces root-only permissions on system binaries as well as other restrictions on system programs.
  • /tmp & /var/tmp hardening - We harden /tmp and /var/tmp so no malicious bash scripts can be executed from these commonly used directories.
  • /dev/shm & /proc hardening - Another place hackers tend to upload files to is /dev/shm. This directory is hardened as well.
  • Optimize FTP server for faster connections.
  • Optimize PHP, MySQL and Apache to reduce load and speed up connections.
  • Secure Apache to reduce the amount of information visible about a server's software, making it less vulnerable.
  • host.conf hardening - Prevents IP spoofing and DNS poisoning.
  • chkrootkit - Simple script that detects software used by hackers. It scans once a day and emails the client if any rootkits are found.
  • Firewall installation - APF (Advanced Policy Firewall), an iptables-based firewall with anti-DoS rulesets.
  • TCP/IP stack hardening - Prevents DDoS and SYN-flood attacks.
  • Logwatch - Sends a daily report to the client with all activity that has taken place on the server that day.
  • Operating system optimization - Optimize the OS for faster operation and load reduction.
  • Disable open DNS recursion - Prevents foreign queries that strain your DNS servers and prevents them from being used in DNS DDoS attacks.
  • Remove unused software - We remove unneeded software to minimize the amount of software that could possibly be exploited.
  • Remove unused services - Unused services are shut down and their ports closed.
  • Libsafe - Libsafe prevents buffer overflows and scans for exploitable software, notifying the client daily if any is found.
  • LCAP - LCAP restricts certain kernel capabilities, improving system security.
  • eAccelerator - eAccelerator dramatically decreases page loading times by caching PHP scripts in a compiled state.
  • SSH server hardening - Locks down and hardens the SSH server, including setting up a wheel user.
  • Zend Optimizer / ionCube installation - Some scripts require Zend or ionCube in order to function.
  • System update - We bring your operating system packages completely up to date.
  • Nessus security scan - We perform a full system security scan on your server and patch any vulnerabilities found.
  • Minor adjustments - Finally, we make several minor adjustments to the system to improve overall performance, security and system health.
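Two of the steps in that list, TCP/IP stack hardening and a firewall that exposes only the ports actually used, as an added example rather than anything from the page or from APF: a POSIX shell script that generates a sysctl fragment and an iptables-restore ruleset for the three hosted services (HTTP, SMTP, FTP control port), with SSH restricted to an assumed admin network (203.0.113.0/24, constructed for the demo).

```shell
#!/bin/sh
# Both files are written under $1 rather than /etc, so this runs unprivileged and the output is reviewable.
write_sysctl_hardening() {  # $1 = output dir
    cat > "$1/tcp-hardening.conf" <<'EOF'
# SYN-flood resistance: fall back to SYN cookies once the listen backlog fills
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# Anti-spoofing: drop packets whose source is not routable back through the ingress interface
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore source routing and ICMP redirects, and never send redirects
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Log packets with impossible source addresses so Logwatch can report them
net.ipv4.conf.all.log_martians = 1
EOF
}
# Default-deny inbound ruleset for iptables-restore: web, SMTP and FTP control port open to all,
# SSH only from the admin network and rate-limited per source as a first line against brute force.
write_firewall_rules() {  # $1 = output dir, $2 = admin network (CIDR) allowed to reach SSH
    cat > "$1/iptables.rules" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -s $2 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -s $2 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -s $2 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}
# Lists the TCP ports the generated ruleset accepts new connections on, for review before loading.
open_ports() {  # $1 = output dir
    grep -- '-j ACCEPT' "$1/iptables.rules" | grep -o -- '--dport [0-9]*' | awk '{print $2}' | sort -n | xargs
}
OUT="$(mktemp -d)"
write_sysctl_hardening "$OUT"
write_firewall_rules "$OUT" 203.0.113.0/24   # constructed admin network for the demo
echo "wrote $OUT/tcp-hardening.conf and $OUT/iptables.rules; new TCP connections accepted on ports: $(open_ports "$OUT")"
```

To deploy, append the sysctl fragment to /etc/sysctl.conf and run sysctl -p, then load the ruleset with iptables-restore; passive-mode FTP data connections are only covered by the RELATED rule once the nf_conntrack_ftp helper is loaded, and POP3/IMAP/submission ports are added only after the mail server choice is made.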