Building a Secure Web Server - Running services (Page 4 of 4)
In the case of a bastion web server sitting out on the Internet we want to be running as little as possible, and certainly not running any services that open up connections other than the web server itself.
Here is a list of the default services installed on my fresh Ubuntu system:
sysklogd – the system logger
klogd – the kernel logging facility
mysql – the MySQL database
mysql-ndb-mgm – supporting MySQL service
makedev – creates the devices in /dev used to interface with drivers in the kernel
mysql-ndb – supporting MySQL service
rsync – facility for remote syncing of files
atd – at daemon for running commands at a specified time
cron – cron daemon for running commands on a periodic schedule
apache2 – the Apache2 web server
rmnologin – removes /etc/nologin, allowing users to log in to your machine
On a Windows machine you can do this by right-clicking on My Computer and selecting Manage -> Services and Applications -> Services.
Start by looking through the list of running services and identify them. A modern operating system has many services, too many. For each one ask yourself whether the service is something that should be running on a web server.
In the case of this list, I plan on using everything listed. Your mileage may vary. For example, I chose Ubuntu’s LAMP install, which installed the MySQL database services. If I didn’t want to run the database, I would disable it.
After you identify all the running services, make sure you know what each service is and what it does. The goal is to turn off as much as possible.
SUID and SGID
Some commands run with a special bit set that instructs the OS to run the command as a privileged user.
The idea is that some commands or daemon processes need to run with higher permissions than those of the user. Take for example the passwd command. If a user wants to change his password he executes the passwd command, but the user does not normally have permission to write to the /etc/passwd file. With the SUID bit set, the command can perform its function with superuser privileges.
This is obviously a security concern. It is critical that any command or process that has this bit set be something that is necessary and makes sense given the system that we are creating. The best way to find these sorts of files is to issue a command that looks like this:
find / -perm -4000 -user root -type f -print
This command finds all SUID files owned by the root account (-perm -4000 matches files with the SUID bit set; modern GNU find rejects the older +4000 form). Examine the list and remove or disable any unnecessary items you find.
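A one-off listing only helps if you repeat it. The script below is an added example (not from the original article) that records a baseline of SUID and SGID files under a directory and later reports anything that has appeared since, which is the check you want to run after installing packages. It assumes GNU find (Linux) for -printf; the function and file names are my own.

```shell
#!/bin/sh
# Inventory SUID/SGID files and compare them to a saved baseline.

# List regular files with the SUID (4000) or SGID (2000) bit set under $1,
# one "mode owner path" line each, sorted so the output can be diffed.
list_setid_files() {
    dir="$1"
    # -xdev keeps the scan on one filesystem (skips /proc, NFS mounts, etc.)
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null | sort
}

# Record the current set-id inventory of $1 into the baseline file $2.
save_baseline() {
    list_setid_files "$1" > "$2"
}

# Report set-id files under $1 that are not in baseline $2.
# Returns 0 when nothing new is found, 1 when new entries exist.
check_against_baseline() {
    dir="$1"
    baseline="$2"
    tmp=$(mktemp)
    list_setid_files "$dir" > "$tmp"
    # comm -13: lines only in the second (current) file, i.e. additions.
    added=$(comm -13 "$baseline" "$tmp")
    rm -f "$tmp"
    if [ -n "$added" ]; then
        printf 'NEW set-id file(s) not in baseline:\n%s\n' "$added"
        return 1
    fi
    return 0
}
```

Typical use is save_baseline / /var/lib/setid.baseline once the system is hardened, then check_against_baseline / /var/lib/setid.baseline from cron; a non-zero exit means a set-id binary appeared that you did not approve.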
Logging and Auditing
A critical factor to a web server’s security is its logging. If there is an attack, often the most critical evidence will be found in the logs. Therefore, it is vital that the logs and logging mechanisms be securely implemented.
Unix/Linux
Syslog is the default logging facility on most Unix/Linux-based systems. It records events coming from the kernel (via klogd, a system daemon that intercepts and logs Linux kernel messages) and from any program or process running on the system. It can even record remote messages sent from other network devices and servers.
Please check back next week for the continuation of this article.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.