Wow, what a week in terms of security. What with all the information coming out about the Flame malware and the LinkedIn, eHarmony, and LastFM hacks. These recent events have certainly turned my focus on its heels. So this week I spent the majority of my time going back and making sure my systems are as locked down as they can be. New threats and attack vectors pop up all the time, but some of them can be mitigated by layering security. The idea being that if Apache has a new vulnerability that will expose you, but the system is limited to who it can talk to by IPtables, then maybe it’s a headache you don’t have to worry so much about. Now, securing each application as best you can is just general good security practice. And when it comes to a new and highly sophisticated piece of malware like Flame, that good practice may be the only thing standing in the way of data compromise. But let’s be honest, how many admins actually have the time to go back, check, and harden all the applications after they get them up and running? I can tell you from experience, it’s a luxury rarely afforded. But sometimes you just have to let items pile up in the ‘to-do’ list. For me, making sure that the systems I’ve set up are as secure as I can make them is worth it.
So this week, I focused on learning what I could about Apache2 and double checking my IPtables rules. This led me down a path filled with a lot of head shaking as I realized how easy it can be to misconfigure a web server. So, if you’re looking to secure your Apache2 install you need to do some reading on the Apache website. Get to know how it works and what you need from it. Most of the web servers I oversee are fairly simple static pages. For those I was just able to go through, adjust my default config to be locked down a bit more using ‘order deny,allow’ directives, and then disable modules that aren’t needed to serve those pages. Next week, I plan on trying to get those installations running out of chroot jails. Now, I do have a few other web servers that require PHP to run. If you have a web server running PHP, stop what you are doing right now and go look through that config file because it will almost certainly need some work. Here is a good tutorial on how to get started securing both Apache and PHP.
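The default-deny approach with ‘order deny,allow’ described above, as an added example (not the author's actual configuration). It assumes Apache 2.2 syntax, a document root of /var/www/html, and a static-only site; the "before" block and the module list are constructed for illustration.

```apache
# Added example, Apache 2.2 access-control syntax (Order/Allow/Deny).
# Paths and the module list are assumptions for a static-only site.

# --- Before (constructed): nothing restricts access at the filesystem
# --- root, so any path Apache can be made to map to is served if readable.
#<Directory />
#    Options FollowSymLinks
#    AllowOverride None
#</Directory>

# --- After: default-deny everything ...
<Directory />
    Order deny,allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

# ... then open only the document root (assumed path).
<Directory /var/www/html>
    Order allow,deny
    Allow from all
    Options None
    AllowOverride None
</Directory>

# Modules a static site usually does not need (assumed list; check what
# your pages actually use). On Debian/Ubuntu: a2dismod <name>; elsewhere,
# comment out the LoadModule line.
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cgi_module       modules/mod_cgi.so
#LoadModule status_module    modules/mod_status.so
#LoadModule userdir_module   modules/mod_userdir.so

# Apache 2.4 equivalent of the two access rules above:
#   <Directory />              Require all denied
#   <Directory /var/www/html>  Require all granted
```

Run `apache2ctl configtest` before reloading so a syntax error does not take the site down.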
Lastly, with all the hacks that happened this week, I feel the need to say what so many other security experts have been saying for a long time. And that is, do not use the same password for every site you create an account on. Each account should use a different password. And while that sounds onerous it doesn’t have to be. And so I have a recommendation for password management, LastPass. I’ve been using them for about 2 years now and haven’t had any issues. I’ve recently turned several people, including my girlfriend, on to using this product, I believe in it so much. The pricing is very reasonable at only $12 per year. And now they even have an enterprise offering which I’ll be looking into on Monday.