The top 3 priorities of an internet server administrator
The top three priorities of an internet server administrator are:
When I was a newbie, I naively installed Red Hat Linux 5.something, and if I thought about security at all, I probably figured that I was using a popular distro, so it should be safe. Wrong! That server got cracked many times before I finally locked it down. More on that later.
If you don't start off with a well secured server, you're going to have a lot of headaches. For example, you'll have webpages defaced; backdoors installed that make it even easier for the next slob to get in and mess things up; poorly written software installed that causes your server to run slower, have connectivity problems, and even crash completely; sensitive data compromised; your computer used to send spam; your computer used as a launch point for attacks on other servers; etc. It's not a pretty picture. So what do you do?
The first thing to do (if you're running Linux, which is a good choice in my book) is to choose a distro that will be easy to keep patched. I had the good fortune of learning this tip from the administrator of my colocation provider when I went in to reinstall the system after it had become completely inaccessible. He recommended, and helped me install, Debian, which has served me extremely well since then. Using "dselect" to run the "apt" package management program, I've been able to keep the system up to date easily since then. I'll talk more about that in another entry.
The second thing to do is to turn off all unnecessary services, and replace insecure ones with more secure ones. Most distros come with a lot of services turned on (finger, time, ftp, telnet, etc, etc, etc), which increases the probability of someone finding a way to hack in. A lot of those are totally unnecessary. You may be able to get away with, for example, just http, ssh, named, and smtp. More on how to do that some other time.
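To see how far a server is from that short list, you can compare its listening sockets against an allowlist. The script below is an added example, not from the original post; it assumes the four services run on their standard ports (22, 25, 53, 80), that `ss` from iproute2 is available, and the function names and sample data are made up for illustration.

```shell
#!/bin/sh
# Ports for the services the post suggests keeping: ssh, smtp, named (DNS), http.
# Assumption: these run on their standard ports; adjust for your server.
ALLOWED_PORTS="22 25 53 80"

# Reads `ss -H -tuln` output on stdin; prints one line per listener whose port
# is not in ALLOWED_PORTS, as "<proto> <address> <port> <exposed|loopback>".
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            local_addr = $5
            port = local_addr; sub(/^.*:/, "", port)      # text after the last colon
            addr = local_addr; sub(/:[^:]*$/, "", addr)   # everything before it
            if (port in ok) next
            # Loopback-only listeners are not reachable from the network.
            scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
            print $1, addr, port, scope
        }'
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
sample_listeners() {
    cat <<'EOF'
tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53      0.0.0.0:*
tcp   LISTEN 0      511    [::]:80         [::]:*
tcp   LISTEN 0      32     0.0.0.0:21      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:79      0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631   0.0.0.0:*
EOF
}

# On a live server: ss -H -tuln | audit_listeners
sample_listeners | audit_listeners
```

Anything reported as "exposed" is a candidate for being turned off or replaced; "loopback" entries are only reachable from the machine itself but are still worth a look.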
Next, you'll want to be very careful about what software you add to the server. Lots of insecure software is floating around the web, so don't be too quick to install every cool little gizmo that you think might make your website cooler. Do a little Googling to get a sense of how many security issues people discuss for a software package, and consider forgoing any that have a lot of problems.
Another important tip: don't give anyone access to any part of your server that they don't need access to.
The last thing I'll mention is that if you install software that isn't managed by your distro's package manager, be sure to implement a strategy for keeping it up to date too. I'll post a longer treatise on how to prevent that from getting hideously complex and time consuming later.