Unix How-To: Give Me That Old-Time Security!
Even in the wild frontiers of today's Internet, good basic Unix system security provides extremely valuable protection against security breaches. In today's column, I'm going to rant about some basic security rules of thumb that every Unix sysadmin ought to consider.
The first basic security rule is to keep your consoles safe. Lock them up, eliminate them by replacing them with console servers (recovering rack space at the same time), and make sure that only a very select group of people have access to them. What's more, access to your data centers should be limited to just those who need to lay hands on the servers. If anyone can walk in and out, you're asking for a headache.
Data centers should be equipped with UPS or, better still, a generator to keep them up through significant power outages. Wait, you ask, is power to the data center security? You bet it is! Anything that threatens the productivity of your staff and the smooth running of your business is a security concern. UPS systems can often be configured to send low battery signals to systems and initiate auto-shutdown options, further preventing hardware loss. Check your UPS systems and make use of this feature if it's supported. If your AC is not also on the UPS or generator, auto-shutdown of systems might prevent them from being damaged through overheating.
Use locked cabinets for those things that are especially sensitive or that you just don't want walking off. I can't tell you how easily tools seem to leave data centers. Maybe you should have one set that isn't left out for just anyone to use. Consider adding binders with instructions on configuring critical applications to the locked cabinet. You might need them during an emergency and you might want to be sure that no one who doesn't (legitimately) need them walks off with them.
Your backup media should have very limited exposure. If encryption is an option (keep in mind that you will have to store and safeguard your keys), make use of it. Backups are best stored offsite. Sending duplicate copies to two different locations is even better.
Good user security remains a prime component of any Unix security scheme. Train your users to use good passwords, committed only to secure storage (tools like KeePass) and never written to slips of paper that remain in clear view. Explain why locking their screens and reporting suspicious events are so important to overall security.
We still should not be running any services we don't need on our systems. It's simply a matter of statistics. The fewer services you run, the fewer exploits you'll be vulnerable to. You'll also have more bandwidth for those services you really do need to support if you don't waste cycles on services no one needs.
Set up your user groups sensibly. If you support distinct projects, maybe you need to configure groups of related users. Other (world) permission, on the other hand, may not be needed at all. Consider setting your users' UMASK to 027 to ensure that new directories they create won't give the world read permission by default.
To the extent possible, keep people from logging in as root. It may not seem to matter until you're trying to trace back through something that happened on a hurting system and find that you simply can't tell who was logged in when or who ran which commands because eleven people log in as root. Ideally, all privileged commands will be logged; a good log of privileged commands can provide an invaluable record of a system's history.
Avoid shared accounts, if you can, and don't allow default passwords under any circumstances.
Make sure you have an easy and reliable way of shutting down accounts when someone moves on (leaving the organization or just switching roles). Creeping privilege remains a leading contributor to security breaches. Adopt the practice of double checking now and then to be sure that all the accounts remaining on your systems really need to be there. Expiring passwords at least limits the chance that an old account will be abused.
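One way to make that periodic account check routine is a small audit over the shadow file. The script below is an added example, not part of the original column: it reads shadow-format lines (name:hash:lastchg:min:max:warn:inactive:expire) and flags accounts with an empty password field (no password required) and accounts whose password never expires (max age empty or 99999), skipping locked accounts whose hash starts with `!` or `*`. The input here is a constructed sample with placeholder hashes so it runs offline; on a real host you would feed it /etc/shadow as root.

```shell
#!/bin/sh
# Added example: audit shadow-format records for the two account-hygiene
# failures called out above: passwordless logins and passwords that never expire.

# Constructed sample shadow data (hashes are placeholders, not real hashes).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$HASHPLACEHOLDER:19000:0:90:7:::
alice:$6$saltsalt$HASHPLACEHOLDER:19300:0:90:7:::
bob::19300:0:90:7:::
contractor:$6$saltsalt$HASHPLACEHOLDER:18000:0:::::
daemon:*:19000:0:99999:7:::
nobody:!:19000:0:99999:7:::'

# audit_shadow reads shadow-format lines on stdin and prints one finding per line:
#   <user> EMPTY_PASSWORD   field 2 is empty, so the account logs in with no password
#   <user> NO_EXPIRY        field 5 is empty or 99999, so the password never ages out
# Accounts whose hash begins with '!' or '*' are locked and cannot log in, so they
# are skipped rather than reported.
audit_shadow() {
    awk -F: '
        NF < 5 { next }                                  # skip malformed lines
        $2 ~ /^[!*]/ { next }                            # locked account
        $2 == "" { print $1, "EMPTY_PASSWORD" }
        $5 == "" || $5 == "99999" { print $1, "NO_EXPIRY" }
    '
}

# count_findings runs the audit over the constructed sample and returns the
# number of findings, so the result can be checked rather than only printed.
count_findings() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | wc -l | tr -d ' '
}

# Run the audit on the sample; expect bob (no password) and contractor (no expiry).
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

Run it against the real file with `sudo audit_shadow < /etc/shadow` after sourcing the script; any line it prints is an account to review or lock.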
And, of course, disable all those insecure protocols that we should have disabled twenty years ago. I'm surprised at how many people still use telnet and ftp routinely. The warnings about these protocols have been around as long as many of the people using them today.
Much has changed in the security landscape in the past ten years or more, but the basics are still critically important. And many break-ins occur not because hackers are getting smarter every minute, but because sysadmins and the users they support are still making the same dumb mistakes.