This website uses cookies to improve your experience and deliver relevant information.

on Sunday, 30 September 2012

Server Setup: Don't do it alone!

Tools such as CPanel/WHM or Plesk make managing a server far easier for those who don't know how to use the shell. Arguably, they allow those outside of the tech sector to manage their own servers effectively and with minimal effort.

Where this falls down, however, is when setting a new server up. It's very easy to be lulled into a false sense of security, leaving your server potentially vulnerable to miscreants. In this post, I'll explain what the issues are, and why you should always seek help from someone familiar with configuring servers running your OS of choice (whether that be Linux, Windows, AIX or anything else!).

If you're on shared hosting, this article won't apply to you, as your host will have configured things for you, and even if they've done it wrong you lack the power to change it!


Firstly, for the sake of convenience (mine!) I'll be using CPanel as an example. Most of what I write, though, applies to Plesk as well.

 



Simplicity vs Security

For the average user, these are often almost mutually exclusive. Making things simpler for the user can often lead to degraded security, whether it be Windows XP adding users with Administrator rights as default, or the reliance on CPanel to set a server up for the first time.

Most users don't understand why they should do something in the name of security, if it includes an extra step, they don't want it. Look at the fuss that was made when UAC was introduced in Windows Vista (though to be fair, it was overly sensitive).

Users don't want to be bothered by prompts, they simply want to click a link/button/icon to achieve a task. Once everything's installed and configured properly, that's often fine, the initial set up that should never be viewed in this way.

 



You didn't install the OS

When you took out the contract for your dedicated server or VPS, you chose from a list of operating systems, and may well have selected that you wanted CPanel as well (some hosts don't offer without). At that point, the hosting company loaded an image matching your professed needs onto the new server.

This image is the same one used for anyone else who selected the options you did, and often matches the average use case in terms of what is enabled.

The problem for you, is you didn't install the OS and so don't actually know what's enabled by default.

 



Don't run un-necessary services

Although you selected CPanel, I know of at least one hosting company who's images include Webmin as well. So already there's a service accessible to the world that you don't even know about. All software can contain bugs and vulnerabilities, and yet there's one exposed to the world that you may not even be aware of. Webmin doesn't appear in WHM's service list, so how would you know? An attacker, on the other hand, would quickly find Webmin running and would be able to exploit any vulnerability that Webmin may contain.

Not every host suffers from this issue, of course, but the issue runs deeper than that. If you take a default CPanel install (with no Webmin), you'll almost certainly have the following services not only running by default, but exposed to the outside world

  • Apache
  • An FTP daemon 
  • Named
  • SSH daemon
  • MySQL
  • Exim
  • Courier

Do you know what each of these are? Do you know whether you actually need them? On a webserver, you'll definitely be in need of Apache, but if you're not going to use FTP or SSH why have them available? Most users certainly won't need MySQL to be accessible from anywhere but the server itself.

It's commonly understood within the tech community that you only run and expose the services that are strictly necessary. Identifying which services those are requires an understanding of what the service does, and who actually needs to be able to access it.

The more services that are available, the greater the attack surface. The greater the attack surface, the more chance an attacker has of finding and exploiting a weakness. Sadly, no software is bullet-proof, so we have to work to mitigate the risks.

 



Bring in the Professionals

You may feel perfectly competent at managing your server using CPanel, and there's no reason you shouldn't be able to complete most regular tasks with it. But when the server is first configured, don't make the mistake of assuming it's no different to regular maintenance. Your hosting provider has made choices for you, and you don't know what the questions were, let alone the answers.

By all means, set the server up the way you want it, but at least ask a professional to check the server to see if anything's been missed. It's far more expensive to bring someone in to clean up after you've been compromised than it is to pay someone to check a server's configuration. The former could well take days, whereas the latter is likely to take a few hours at most.

The fact of the matter is, you can perform as many security tweaks as you like, but if there are services exposed unnecessarily then there's a fundamental flaw in your security model. It is these flaws that attackers exploit.

 



Conclusion

Hopefully this article has opened your eyes to the potential risks inherent in configuring a server without a full understanding of what you are doing. IT is an area where it's easy to seem elitist without meaning to, so I hope I've avoided that pitfall, but it's a fast moving sector and things change. It's our job to stay up to date with the latest development, and if you don't work in IT you've probably got better things to be doing! CPanel and it's ilk make things far easier for you, but simplicity can only be safe if it's built on a foundation of solid security. It's that foundation which you need to be sure has been built correctly, and the only way to be sure is to ask a professional to do it (or at least appraise your work).

 

We support shared hosting, VPS and dedicated servers Host with us today!

Virya Group provides a range of solutions to your technology needs