HACKER Q&A
📣 sdevonoes

How to secure a server from the time it boots?


With the recent incident of NewsBlur (https://news.ycombinator.com/item?id=27613217), I was wondering how do you guys secure a server on the internet immediately after it boots. I usually do this:

1. terraform to "create" the infrastructure. Basic security (ssh root login with keys). Servers are running nothing yet (no webserver, no databases, no nginx, etc.)

2. after everything has been created I use Ansible to provision the servers. It is at this moment that I apply all the "best practices" regarding security (remove root login, don't allow root password login, perhaps even change default ports, use a bastion host, set up passwords and certificates for internal servers, improve the firewall rules)

I don't run anything critical yet, but I wouldn't like to get compromised. Any suggestions or resources I can read so I can improve the security of my services?
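The two-stage setup above (Terraform creates hosts with key-only root login, Ansible then hardens them) is easy to get wrong silently: a playbook can run green while sshd still accepts passwords. The following audit-only script, added here as an example and not part of the original post, reads the effective sshd configuration in the format `sshd -T` prints and reports which of the question's hardening settings are in place. The expected values, the MaxAuthTries bound and both sample configs are the editor's assumptions (CIS-style defaults), not something the post specifies; on a live host you would pipe `sshd -T` into it instead of the constructed samples.

```shell
#!/bin/sh
# Audit-only check of the *effective* sshd configuration, in the format
# `sshd -T` prints (one lowercase "keyword value" pair per line), against
# the hardening settings the question lists. It changes nothing; it reports
# each check and returns the number of failures, so it can run before and
# after the Ansible stage to prove the hardening actually took effect.
# Editor's example; the expected values are assumptions (CIS-style defaults).

# key=value pairs that must match exactly in `sshd -T` output.
WANT_EXACT="permitrootlogin=no
passwordauthentication=no
pubkeyauthentication=yes
x11forwarding=no"

# Upper bound for MaxAuthTries (assumption: 4 or fewer, as CIS recommends).
MAX_AUTH_TRIES=4

# cfg_get CONFIG KEYWORD : prints the keyword's value, or nothing if absent.
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_sshd_config  <  sshd-T-output
# Prints PASS/FAIL/WARN lines; return status = number of FAILs (0 = hardened).
audit_sshd_config() {
    cfg=$(cat)
    fails=0
    for pair in $WANT_EXACT; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(cfg_get "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key = '${got:-<missing>}' (want $want)"
            fails=$((fails + 1))
        fi
    done
    tries=$(cfg_get "$cfg" maxauthtries)
    if [ -n "$tries" ] && [ "$tries" -le "$MAX_AUTH_TRIES" ]; then
        echo "PASS maxauthtries = $tries"
    else
        echo "FAIL maxauthtries = '${tries:-<missing>}' (want <= $MAX_AUTH_TRIES)"
        fails=$((fails + 1))
    fi
    # Moving off port 22 is optional in the post ("perhaps"), so only warn.
    if [ "$(cfg_get "$cfg" port)" = "22" ]; then
        echo "WARN port = 22 (default port; mass scanners try it first)"
    fi
    return "$fails"
}

# Constructed samples (not real captured output): a host straight after the
# Terraform stage, and the same host after the Ansible hardening stage.
SAMPLE_BEFORE='port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
x11forwarding yes
maxauthtries 6'

SAMPLE_AFTER='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
x11forwarding no
maxauthtries 3'

echo "== after terraform =="
printf '%s\n' "$SAMPLE_BEFORE" | audit_sshd_config || echo "-> $? check(s) failed"
echo "== after ansible =="
printf '%s\n' "$SAMPLE_AFTER" | audit_sshd_config && echo "-> hardened"
# On a real host:  sshd -T | audit_sshd_config
```

Reading `sshd -T` rather than `/etc/ssh/sshd_config` matters: drop-in files under `sshd_config.d/` and `Match` blocks can override what the main file says, and only the daemon's own dump shows the values that are actually enforced.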


  👤 LinuxBender Accepted Answer ✓
Since you are already using Ansible, I would suggest finding the playbooks for CIS/NIST hardening benchmarks. I don't have a specific one to suggest, but that is a starting point. You may need to adjust them as required to not break your services. Start with the playbooks that first just audit your servers and make reports. If this is a fairly greenfield deployment, then this would also be a good time to ensure that SELinux is enabled at least in targeted mode. SELinux is useful for preventing container break-out and for blocking some 0-day exploits from doing damage. If not a greenfield deployment, then you can always enable SELinux in permissive mode to get some auditd logging. Ensure you have syslog going to a centralized server and try to find something that makes it easier to read/report on the logs. You can configure auditd to write to syslog with:

  sed -i -e 's/^active.*/active = yes/g' /etc/audisp/plugins.d/syslog.conf

To get caught up on some questions/best practices, ensure you have an account on StackExchange (security) [1] and ServerFault [2]. There are a lot of great resources for server setup. Lurk first, as some moderators are a bit elitist.

Probably most important would be to ensure you have secure, tamper-proof backups of your customer data. You can always rebuild / redeploy your servers, VMs, containers, code. Getting customer data back without solid tested backups can break your business. The backups should be both local and in a disaster recovery location and tamper-proof. Remember that anything automation can change, attackers can change too. Ansible would also be a great tool for automating the test copy and restoration of your backups to a staging environment. That staging environment could also be a good place to debug customer issues without affecting production.

[1] - https://security.stackexchange.com/

[2] - https://serverfault.com/
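The answer's point about backups has a verification side that is easy to skip: before Ansible restores a backup set into staging, something must confirm the set is the one that was taken and not one an intruder rewrote. The script below is an added example from the editor, not the answer's own tooling. It records a sha256 manifest of a backup directory and later verifies every file against it, reporting modified, missing and unexpected files. The manifest only helps if it is stored where the backup host cannot write (off-host, write-once), exactly because "anything automation can change, attackers can change too". The demo data is constructed in a temporary directory; the `shasum` fallback for non-GNU systems is an assumption.

```shell
#!/bin/sh
# Tamper-evident verification of a backup set before it is trusted for a
# restore. Editor's example, not from the post. Take a checksum manifest when
# the backup is made, keep it somewhere the backup host cannot write, and
# verify against it before the staging restore. Modified, missing and
# unexpected files are all reported; the return status is the problem count.

# Portable sha256: GNU coreutils sha256sum, else shasum (BSD/macOS; assumption).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# make_manifest DIR : prints "sha256  relative/path" lines, sorted by path.
# (Paths are assumed not to contain whitespace.)
make_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(sha256_of "$f")" "${f#./}"
      done )
}

# verify_backup DIR MANIFEST : one line per problem; return = problem count.
verify_backup() {
    actual=$(make_manifest "$1")
    printf '%s\n' "$actual" | awk -v manifest="$2" '
        BEGIN {
            # Expected hashes, read from the trusted (off-host) manifest.
            while ((getline line < manifest) > 0)
                if (split(line, f) == 2) want[f[2]] = f[1]
        }
        NF == 2 { have[$2] = $1 }          # hashes of what is on disk now
        END {
            n = 0
            for (p in want) {
                if (!(p in have))           { print "MISSING    " p; n++ }
                else if (have[p] != want[p]) { print "MODIFIED   " p; n++ }
            }
            for (p in have) if (!(p in want)) { print "UNEXPECTED " p; n++ }
            exit n
        }'
}

# Constructed demo: a throwaway "backup" of two files and its manifest, then
# the kind of silent change someone with write access to the backup would
# make. Returns the number of problems verify_backup found.
demo_tamper_check() {
    work=$(mktemp -d)
    mkdir -p "$work/backup/db"
    printf 'id,email\n1,alice@example.com\n' > "$work/backup/db/users.csv"
    printf 'schema v3\n' > "$work/backup/db/schema.sql"
    make_manifest "$work/backup" > "$work/manifest.sha256"   # store this off-host

    # Tampering: edit a record, delete a file, plant a file that was never backed up.
    printf 'id,email\n1,attacker@example.com\n' > "$work/backup/db/users.csv"
    rm "$work/backup/db/schema.sql"
    printf 'echo planted\n' > "$work/backup/db/post-restore.sh"

    problems=0
    verify_backup "$work/backup" "$work/manifest.sha256" || problems=$?
    rm -rf "$work"
    return "$problems"
}

demo_tamper_check && echo "-> backup verified, safe to restore" \
                  || echo "-> $? problem(s): do not restore this set"
```

In an Ansible-driven restore test this check belongs before the restore task, with the manifest fetched from the disaster-recovery location rather than from the host that produced the backup; a manifest that lives next to the backup can be regenerated by whoever altered the backup.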