I’ve recently begun working on a project of my own and have been exploring options for colocation of servers (web servers, application servers, database servers, etc.). I know that there are cloud services out there such as Amazon Web Services (AWS), Microsoft Windows Azure, and Heroku, among many others, that simplify much of this process by virtualizing it all for you and allowing your services to scale easily with traffic. This is all fantastic; however, it doesn’t fit the need for everything, and it also takes some of the fun out of learning how to set up these services for those who are interested.
One of the key items that we need to be aware of in this age of information is security. Countless times I’ve read articles about data theft (passwords, email accounts, credit card data, etc.) and about spam and phishing attacks coming from servers whose owners don’t know they’ve been compromised. I ran a few simple searches on Google and came up with some webpages that walked through the basics, but many of them fell short of a fully hardened system and/or didn’t describe *why* each security recommendation is made, how to test whether it has been applied, and possible ways to resolve the potential security hole.
After some more in-depth searches I found references to a STIG. STIG stands for “Security Technical Implementation Guide”.
“A Security Technical Implementation Guide or STIG is a methodology for standardized secure installation and maintenance of computer software and hardware.”
The DoD’s (Department of Defense) website has many STIGs for various common server and desktop operating systems, including the ones we might use for our web/application/database servers.
There are categories for Operating Systems, Network/Wireless, Application Security, etc. For the sake of this article, we’re interested in STIGs for Operating Systems.
There is a large list of STIGs for various flavors of Linux as well as Windows and other OSs. Be sure to get your hands dirty, as you’ll be reading all about partitioning, secure password storage and hashing algorithms, daemons/services, access rights/ACLs/permissions of directories, files and processes, as well as a ton of other security recommendations.
In summary, follow the STIGs on the DoD website for your web server operating system of choice to improve the security of your server.