Five Common Weaknesses in a Linux Server that are Worth Covering
There seems to be a belief that complying with PCI DSS is bound to be expensive and difficult to put in place. On a Linux system this need not be the case. Linux is generally regarded as a strong platform for security, but a default installation still has weaknesses that an attacker can exploit, and knowing what they are and how to close them is essential for a server administrator who wants to keep systems and networks PCI compliant.
With Linux security, knowing in advance what needs to be secured and making the right changes in the right places goes a long way. Anyone who has worked with PCI DSS knows that its effectiveness depends on a thorough understanding of the risk factors, and most of those come down to limiting access. By limiting access I do not mean only password security, but also the small lapses, such as information leaks, that give an attacker a foothold.
Limiting outgoing information:
Apache, for example, routinely discloses information it should keep to itself: its version, the modules it has loaded, and even the operating system, all in the Server response header. This is not enough to break into a system by itself, but it lets an attacker match the version against known vulnerabilities instead of guessing. It is easy to stop. Set the ServerTokens directive in the Apache configuration (httpd.conf or apache2.conf) to ServerTokens Prod and restart Apache; the header is then reduced to just "Apache", with no version, OS or module list.
That plugs one loophole; there are others. Also set ServerSignature Off in the same configuration, which removes the footer line (server version, hostname and port) that Apache appends to its own error pages and other server-generated pages. PHP reveals its version much as Apache does, through an X-Powered-By header, and that is controlled separately in the PHP configuration: in php.ini set expose_php to Off. Restart Apache (or php-fpm, if PHP runs there) and the PHP version is no longer visible.
The next flaw to deal with is your TLS (SSL) configuration. SSL works most of the time, but the old protocol versions have known weaknesses and some of the ciphers a default configuration accepts are weak. The right fix is to disable the weak and medium ciphers and keep only those that provide a high level of security, and at the same time to disable the obsolete protocol versions: SSLv2 and SSLv3, and under current PCI DSS also TLS 1.0 and 1.1.
Both are set in the Apache configuration, through the SSLProtocol and SSLCipherSuite lines, and as usual a restart puts the changes in place. These configuration changes give you an idea of the kind of loopholes to plug. Never reveal information that is unnecessary, and never give an attacker an edge; even something as small or as insignificant-seeming as a version number is a point at which an attacker can begin. Every bit of information you give an attacker is information that helps them damage your system.
Two more flaws in Linux security that are easily plugged:
Now that I have made my point about plugging even minor loopholes, let's look at two more. The HTTP TRACE method (and its IIS cousin TRACK, often referred to together as "track and trace") is another: it echoes the request back to the client, which is useful for debugging but also lets an attacker read request headers, including cookies, in a cross-site tracing attack. Set TraceEnable Off in the Apache configuration and TRACE requests are rejected with a 405.
Lastly, disable TCP timestamps (net.ipv4.tcp_timestamps = 0, set through sysctl), which let a remote host estimate your system's uptime, and hence how long it has gone without a reboot for patching. Note that timestamps also serve PAWS and round-trip measurement, so weigh the change against throughput on fast links. Remember, Linux is superb for security, but it certainly doesn't hurt to give it a little helping hand.
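The whole procedure above, gathered into one script, as an added example that is not part of the original article. It assumes a Debian/Ubuntu Apache layout (a conf-available directory and a2enconf), a php.ini path supplied in PHP_INI, and a drop-in name for the sysctl setting; the response headers fed to the audit function in the usage note are constructed, not captured from a real server. Nothing on the box is changed unless the script is run as root with the argument apply.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Applies the five hardening
# changes discussed above and audits a response for the leaks they remove.
# Assumptions: Debian/Ubuntu Apache layout (conf-available + a2enconf);
# php.ini path supplied via PHP_INI; run as root with "apply" to change the box.
set -eu

APACHE_CONF_DIR="${APACHE_CONF_DIR:-/etc/apache2/conf-available}"   # assumed layout
PHP_INI="${PHP_INI:-/etc/php/8.2/apache2/php.ini}"                  # assumed path
SYSCTL_DROPIN="/etc/sysctl.d/60-tcp-timestamps.conf"                # assumed name

# Steps 1-4: the Apache directives from the article, as one drop-in file.
write_hardening_conf() {
    cat > "$1" <<'EOF'
# Server header shrinks to "Apache": no version, OS or module list.
ServerTokens Prod
# No "Apache/2.4.x (Ubuntu) Server at host Port 443" footer on error pages.
ServerSignature Off
# Reject HTTP TRACE with 405 (cross-site tracing); TRACK is IIS-only.
TraceEnable Off
# No SSLv3 (SSLv2 is absent from modern builds) and no early TLS, per PCI DSS.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# TLS 1.2: forward-secret AEAD suites only; no NULL, EXPORT, RC4, 3DES or MD5.
# (TLS 1.3 suites are fixed by the protocol and not governed by this line.)
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
EOF
}

# PHP side of step 2: stop the "X-Powered-By: PHP/x.y.z" header.
hide_php_version() {
    sed -i 's/^[[:space:]]*;*[[:space:]]*expose_php[[:space:]]*=.*/expose_php = Off/' "$1"
}

# Step 5: TCP timestamps leak uptime (and therefore patch age). Caveat: they
# also drive PAWS and RTT measurement, so weigh this on high-bandwidth links.
disable_tcp_timestamps() {
    printf 'net.ipv4.tcp_timestamps = 0\n' > "$SYSCTL_DROPIN"
    sysctl -w net.ipv4.tcp_timestamps=0
}

# Audit: given raw HTTP response headers, report each leak the article
# describes. Returns 0 when clean, 1 when anything leaked.
audit_headers() {
    local headers="$1" rc=0
    # "Server: Apache/2.4.41 (Ubuntu)" carries a version and a platform.
    if printf '%s\n' "$headers" | grep -Eiq '^Server:.*(/[0-9]|\()'; then
        echo "LEAK: Server header reveals version or platform (set ServerTokens Prod)"; rc=1
    fi
    if printf '%s\n' "$headers" | grep -Eiq '^X-Powered-By:'; then
        echo "LEAK: X-Powered-By present (set expose_php = Off)"; rc=1
    fi
    return "$rc"
}

if [ "${1:-}" = "apply" ]; then
    write_hardening_conf "$APACHE_CONF_DIR/hardening.conf"
    a2enconf hardening
    hide_php_version "$PHP_INI"
    apachectl configtest            # never restart on a broken config
    systemctl restart apache2
    disable_tcp_timestamps
    # Verify with a real HEAD request (-k accepts a self-signed local cert).
    audit_headers "$(curl -skI https://localhost/)" && echo "headers clean"
    # TRACE should now answer 405: curl -skiX TRACE https://localhost/
fi
```

To check a server without changing it, source the script and pass captured headers to audit_headers, for example audit_headers "$(curl -skI https://host/)"; it prints one line per leak and exits non-zero. The configtest call matters: a typo in SSLCipherSuite would otherwise take the site down on restart.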