Protect your file server

Running a file server is a risky proposition on today's Internet. File servers are attractive targets for "warez" traders. If your server has enough space for the latest Hollywood blockbuster bootlegged in DivX format and isn't properly secured, the odds are good that someone will find your server and exploit it.

While nothing short of physically disconnecting your server from the network will guarantee that it can't be broken into, there are a number of steps you can take to reduce your risk. The following is a basic approach to securing computers regardless of the type of computer or the function it is intended to perform:

• Change default passwords, or disable default accounts
  Some systems come with software installed that has password protection, but with passwords that are set at the factory. These default passwords are widely available online; if you leave a service running with a password which was set by the vendor, you may be leaving yourself open to the first attacker who comes along with a default password list. Some vendors are better about this than others, but make sure for yourself.

• Know what services should be running and which actually are running
  Many systems come with services enabled that don't need to be. If your server is running a service that you don't know about, and a weakness is found in that service, you may continue to think your server is safe when it is not. Make sure you know what is actually running on your server. If something is running that you don't need, turn it off. It's better to start with everything off and turn on the services you do need than to start with everything on and disable the services you don't think you need. If you haven't enabled a service your users need, they'll let you know. If you haven't disabled a service you don't need, you probably won't find out until it has been exploited.

• Keep your operating system up-to-date
  Make sure you know where your operating system vendor publishes notices about updates and patches, and keep your system up-to-date with security patches. Some operating systems come with utilities to help you keep them up to date; others require more manual labor. If this task cannot be automated in your operating system, make sure a human has time to regularly check for current patches.

• If network filtering/firewalling is available to you, use it
  Many systems these days come with the ability to restrict access to and from the network based on a number of criteria such as network port number and source/destination address. If you have an environment where it is possible to make a list of clients that should be allowed to connect to your server, it's best to start off by denying all network access, and then allow access from those clients. If client-based restrictions aren't possible, port-based restrictions are still a good idea. Allow access to those ports required to use the services you are running, and deny everything else.

• Try not to do too much with any single machine
  While budget restrictions make it tempting to buy the best machine possible and use it for all your needs, consider the impact losing that one machine would have on your day-to-day operations. Spreading vital services out over a number of machines where possible protects you from productivity loss in the event that one machine is compromised.

• Have discretionary access controls
  Make sure your system is configured so that individual users can be included/excluded from accessing files and other objects or from achieving certain forms of access (READ, WRITE, EXECUTE, DELETE, CONTROL).

• Turn on auditing
  Many systems have the ability to audit changes to userid files and mounts/dismounts of disks and tapes. Examine log files for unusual connections and activity. Check for:

  • Suspicious files
  • User accounts and groups
  • If system binaries have changed
  • If ther are unauthorized shares or jobs
  • Odd processes
  
  
  

• Use an encryption system to provide a high level of security for sensitive data transmission files

• Provide for regular backup of data residing on the system

• When possible, scan your own machine for vulnerabilities
  Potential intruders are already scanning your machine for vulnerabilities. Use a scanning tool such as Nessus to scan your own machine and find vulnerabilities before they do.

• Stay abreast of security updates and summaries of new vulnerabilities
  A good source can be found at the SANS Institute site

Resources

Some good resources on security are listed here. This is by no means a complete list. While some of these resources are geared towards a particular operating system, the basic principles of security can be applied to any operating system.

• Macintosh security

• Microsoft security
• CERT Windows 95/98 Computer Security Information
• CERT Windows NT Configuration Guidelines
• National Security Agency Security Recommendation Guides

• CERT Unix Security Checklist v2.0
• CERT UNIX Configuration Guidelines
• Linux Security HOWTO
• Linux Security Quick-Start HOWTO
• UW Computer Training: Unix System Administration Survival Course

Vendor-specific security advisories and patches

Below are pointers to vendor-specific security advisories and patches. Some commercial vendors may not provide access to their full archive of patches without a support contract; make sure you know how to get security patches for your system at the very least.

• Macintosh Patches

• Windows Patches

• AIX Patches
• Caldera OpenLinux Security Advisories
• Debian Linux Security Information
• FreeBSD Security Advisories
• HP-UX Support
• Irix security patches
• Mandriva Linux Updates and Security Advisories
• NetBSD Security Advisories
• OpenBSD Security Advisories
• Red Hat Linux Security Alerts
• Slackware Linux Administrators Security Tool Kit
• Solaris Operating System Patches
• SuSE Linux Security Announcements
• Tru64 Unix Patches - (registration required)

UW Technology
Contact Us
Modified: January 5, 2007