A major reason for successful attacks on Linux servers has been poorly implemented security controls or known, unpatched vulnerabilities. When configuring a server, the security policies need to be implemented properly, and someone must take ownership of customizing the server so that it actually complies with them.
Let's discuss the various security policies:
- The administration of all the internal servers in an organization is the responsibility of a dedicated team, which should also watch for any kind of compliance issue. If a compliance issue occurs, the team should immediately review the security policy and implement an updated version.
- When configuring internal servers, they must be registered in the organization's management system in such a way that each server can be identified on the basis of the following information:
- Location of the server
- Operating system version and hardware configuration
- Services and applications running on the server
- This information in the organization's management system must always be kept up to date, since an inventory that no longer matches the servers in use cannot be used to check compliance.
- The operating system on the server should be configured in accordance with the guidelines approved by InfoSec.
- Any service or application that is not being used should be disabled, wherever possible, so that it cannot be attacked.
- Every access to the services and applications on the server should be monitored and logged, and the services themselves should be protected through access-control methods. An example of this will be covered in Chapter 3, Local FileSystem Security.
- The system should be kept up to date, and any recently released security patches should be installed as soon as possible.
- Avoid using the root account as much as possible. It is better to follow the principle of least privilege: perform each task with an account that has only the access the task requires, for example, a normal user account that escalates through sudo for a single command rather than an interactive root shell.
- Any kind of privileged access must be performed over a secure, encrypted channel (SSH), wherever possible.
- Access to the server should take place only from a controlled environment.
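The policy points above are only useful if they can be checked. As an added example (not code from the book), here is a small audit of an sshd_config against the points that concern remote privileged access: no direct root login, key-based authentication only, unused features disabled, and verbose logging. The two configuration samples are constructed, and the required values in REQUIRED are this example's assumed policy rather than anything the book prescribes. The parser follows sshd's own rules for the directives it covers: names are case-insensitive and the first occurrence of a directive wins, which is why appending a corrective line at the end of the file does not fix anything.

```python
"""Audit an sshd_config against the access-control points listed above.
Added example: the samples are constructed and the required values are this
example's policy assumptions, not the book's."""
import re

# Constructed sample, deliberately violating several of the points above.
# Note the late "PermitRootLogin no": sshd honours the FIRST occurrence of a
# directive, so that line changes nothing.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
LogLevel INFO
PermitRootLogin no
"""

# Constructed sample that satisfies the assumed policy.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
AllowGroups sshusers
"""

# Directive -> required value (assumed policy for this example). Every directive
# must be set explicitly so the audit does not depend on the build's defaults.
REQUIRED = {
    "permitrootlogin": "no",          # no direct root logins over SSH
    "passwordauthentication": "no",   # key-based authentication only
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",            # unused feature, disable it
    "loglevel": "verbose",            # logs the key fingerprint used for each login
}

# "Directive value" or "Directive=value"
DIRECTIVE_RE = re.compile(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)")


def parse_sshd_config(text):
    """Return {directive: value} with directive names lower-cased.

    Mirrors sshd's rules for plain directives: blank lines and lines starting
    with '#' are ignored, names are case-insensitive, and the first occurrence
    of a directive wins. Conditional 'Match' blocks are outside this example's
    scope, so parsing stops at the first one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def audit_sshd_config(text, required=REQUIRED):
    """Return a list of (directive, found_value, required_value) violations.
    found_value is None when the directive is not set at all."""
    settings = parse_sshd_config(text)
    violations = []
    for directive, wanted in required.items():
        found = settings.get(directive)
        if found is None or found.lower() != wanted:
            violations.append((directive, found, wanted))
    return violations


if __name__ == "__main__":
    for directive, found, wanted in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{directive}: found {found!r}, policy requires {wanted!r}")
    print("hardened sample violations:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Running the script against the first sample reports all five directives, including PermitRootLogin, because the first "yes" is what sshd honours; the hardened sample produces no violations. On a real host the same function can be pointed at the contents of /etc/ssh/sshd_config, keeping in mind that Match blocks and Include directives are not handled here.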
- All security-related actions on server systems must be logged, and the audit logs and their backups should be retained as follows:
- All security-related logs should be kept online (immediately accessible) for a period of one month
- Daily backups, as well as weekly backups, should be retained for a period of one month
- Monthly full backups should be retained for a minimum of two years
- Any event that indicates a security compromise should be reported to the InfoSec team, which shall then review the logs and report the incident to the IT department.
- Some examples of security-related events are as follows:
- Port-scanning attacks
- Access to privileged accounts without authorization
- Unusual behaviour of a particular application on the host
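Reporting such events presupposes that someone notices them in the logs. As an added example (not code from the book), the script below detects the first two kinds of event listed above in syslog-style lines: a port scan, taken here to mean one source address hitting at least ten distinct TCP destination ports within sixty seconds in the firewall's drop log, and unauthorized privileged access, taken to mean a sudo attempt by a user who is not in sudoers, a failed su to root, or a failed password for root over SSH. The log lines, the host name web1, the IPT-DROP log prefix, the thresholds and the event names are all constructed for this example; the addresses are from the documentation ranges.

```python
"""Flag the kinds of security events listed above in syslog-style lines.
Added example: the log lines, thresholds and event names are constructed
for illustration and are not from the book."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source probing many ports, one source retrying a
# single port (not a scan), then authentication-related lines, two of which
# are legitimate activity that must not be flagged.
SAMPLE_LOGS = """\
Jan 12 10:00:01 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40001 DPT=21
Jan 12 10:00:02 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40002 DPT=22
Jan 12 10:00:03 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40003 DPT=23
Jan 12 10:00:04 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40004 DPT=25
Jan 12 10:00:05 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40005 DPT=53
Jan 12 10:00:06 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40006 DPT=80
Jan 12 10:00:07 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40007 DPT=110
Jan 12 10:00:08 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40008 DPT=143
Jan 12 10:00:09 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40009 DPT=443
Jan 12 10:00:10 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40010 DPT=445
Jan 12 10:00:11 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40011 DPT=3306
Jan 12 10:00:12 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.4 PROTO=TCP SPT=40012 DPT=8080
Jan 12 10:00:20 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.4 PROTO=TCP SPT=51000 DPT=22
Jan 12 10:00:25 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.4 PROTO=TCP SPT=51001 DPT=22
Jan 12 10:00:30 web1 kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.4 PROTO=TCP SPT=51002 DPT=22
Jan 12 10:01:30 web1 sudo:     bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 12 10:02:10 web1 su[2211]: FAILED SU (to root) carol on pts/1
Jan 12 10:03:00 web1 sshd[2290]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 10:03:05 web1 sshd[2291]: Accepted publickey for alice from 10.0.0.20 port 40122 ssh2
Jan 12 10:04:00 web1 sudo:   alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

PORT_SCAN_DISTINCT_PORTS = 10   # assumed threshold for this example
PORT_SCAN_WINDOW_SECONDS = 60   # assumed window for this example

_TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) "   # timestamp, host
DROP_RE = re.compile(_TS + r"kernel: .*?SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")
SUDO_RE = re.compile(_TS + r"sudo:\s+(\S+) : user NOT in sudoers")
SU_RE = re.compile(_TS + r"su(?:\[\d+\])?: FAILED SU \(to (\S+)\) (\S+) on ")
SSH_RE = re.compile(_TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def parse_ts(stamp):
    """Seconds since an arbitrary epoch. Syslog stamps carry no year, which is
    fine for comparing events that fall within one short window."""
    dt = datetime.strptime(stamp, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def detect_port_scans(lines):
    """Return {source: distinct_ports} for every source that hit at least
    PORT_SCAN_DISTINCT_PORTS distinct TCP destination ports within the window."""
    by_src = defaultdict(list)
    for line in lines:
        m = DROP_RE.match(line)
        if m:
            by_src[m.group(3)].append((parse_ts(m.group(1)), int(m.group(4))))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over sorted events
            while events[end][0] - events[start][0] > PORT_SCAN_WINDOW_SECONDS:
                start += 1
            distinct = len({port for _, port in events[start:end + 1]})
            if distinct >= PORT_SCAN_DISTINCT_PORTS:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


def detect_privileged_access(lines):
    """Return (event, user, origin) tuples for unauthorized privileged-access
    attempts. Origin is the host for local events and the peer address for SSH."""
    findings = []
    for line in lines:
        if m := SUDO_RE.match(line):
            findings.append(("sudo-not-permitted", m.group(3), m.group(2)))
        elif (m := SU_RE.match(line)) and m.group(3) == "root":
            findings.append(("su-to-root-failed", m.group(4), m.group(2)))
        elif (m := SSH_RE.match(line)) and m.group(3) == "root":
            findings.append(("ssh-root-password-failed", "root", m.group(4)))
    return findings


def analyze(text):
    """Run both detectors over a block of log text."""
    lines = text.splitlines()
    return {"port_scans": detect_port_scans(lines),
            "privileged_access": detect_privileged_access(lines)}


if __name__ == "__main__":
    for kind, result in analyze(SAMPLE_LOGS).items():
        print(kind, result)
```

On the sample, 203.0.113.5 is reported with 12 distinct ports, while 198.51.100.9, which only retried port 22, is not; the three unauthorized attempts by bob, carol and the remote root login are reported, and alice's key-based login and permitted sudo command are not. In production the same logic would run over /var/log/auth.log (or journalctl output) and the kernel log, and the thresholds would be tuned to the host's normal traffic.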