Do You Have a Load Balanced Network?


If you answered NO to the question in the title of this article, then you run the risk of not being able to handle traffic loads, as well as not having application or server redundancy in your architecture. Believe it or not, your customers DO have a requirement that your site or application be resilient or highly available…they just want it to work whenever they access it. To that end, your infrastructure must scale as well as be redundant, especially should it encounter an issue that renders a server unavailable.

With a properly architected load-balanced network, your site can handle spikes of load more elegantly, minimizing performance issues when the demand peaks. Similarly, if you want to maintain a high-availability website, server outages or issues should be minimized or hidden away from the end user. A correctly set up load-balanced network will automatically route traffic away from hardware that is having issues or not responding, thus preventing your users from seeing sluggishness or down-time.

At ServePath, we recognize the importance of providing solid and robust load-balanced architecture offerings, which is part of the reason why we have chosen F5 as our load balancing solution of choice.

We have recently revamped the Load Balancing page on the ServePath site in order to better explain the options available to you as well as provide some examples on how load balancing can (and should) be used. Some of the questions we answer are:

  • What is a Load Balanced Server Network?
  • How does a load balancer work?
  • Who needs a Load Balanced Server Network?
  • What are some examples of a Load Balanced Server Network?
  • Why host your Load Balanced Network with ServePath?

What I like best about this updated section of the site are the different examples of Load Balanced Server Networks:

Simple Load Balanced Network

  • F5 Load Balancing
  • Web servers distributed across public switches

(Diagram: basic load-balanced network)

Load Balanced Network With a Firewall

  • F5 Load Balancing
  • Web servers distributed across public switches
  • Various Firewall Options
  • Gigabit Private VLAN

(Diagram: load-balanced network with a firewall)

Hybrid Load Balanced Network

  • F5 Load Balancing Across ServePath & GoGrid Servers
  • Cloud Connect
  • Cloud Storage

(Diagram: hybrid load-balanced network)

Highly Available Load Balanced Network

  • F5 Load Balancing
  • High Availability Via Redundancy
  • Gigabit Private VLAN

(Diagram: highly available load-balanced network)

Remember, having a Load Balanced Network is only part of a “high availability” hosting solution. Frequently, you need to utilize other services (like backup & recovery, firewalling or replication) to ensure redundancy and resiliency of your server environment. You can even set up hybrid infrastructure environments that use Cloud Computing (with GoGrid) as your Web & Application environment and Managed Dedicated Servers (with ServePath) as your back-end database and high-I/O infrastructure.

We offer a variety of packaged or individual solutions to meet your hosting needs. Just ask one of our Sales Reps and they can definitely help you out.

ServePath’s New Unified Threat Management Protection Service


With hacker and network attacks commonplace within the computer industry, ServePath has taken further measures to combat security threats through an ongoing partnership with Fortinet. Offering a variety of managed security products and services, ServePath continues its commitment to providing its customers the most robust threat management packages available in the managed hosting industry.

Built using features within Fortinet’s FortiGate appliance, ServePath now offers its customers a Unified Threat Management suite through Fortinet’s virtual chassis-based firewall. ServePath recently launched an updated, more feature-rich yet less expensive combined threat prevention package with the following services:

  • ServePath Internet Security Package (using Fortinet technology) includes:
    • Fortinet ASIC-accelerated firewall
    • Unlimited IP addresses on a trusted interface
    • 100 Mbps Internet traffic throughput
    • 100,000 concurrent sessions
    • Intrusion Prevention Services (IPS)
    • AntiVirus/AntiSpyware/AntiMalware protection

Originally priced at $449.99 per month with a $299.99 setup charge, the ServePath Internet Security Package has been reduced in price to $99.99 per month with a $99.99 setup charge. This drastic reduction in price reflects ServePath’s desire and commitment to ensuring its users have the latest and most advanced threat prevention package available.

If you have questions or would like to order this for your managed hosting solution at ServePath, please contact a ServePath Sales representative at: 1-866-321-PATH (7284). International callers should call: +1-415-869-7000. Or you can fill out the contact form.

10 Things You Should Secure on Your Linux Server



Note: this post has been updated slightly to correct some minor errors. Also, some commands may have been improperly formatted because of the way WordPress treated them; they have now been converted to “code” formatting.

1. Software Firewall – For security purposes, the software-based firewall included in every freshly deployed dedicated server operating system has been enabled and configured to allow only the minimal amount of connectivity required for you to access and configure your server. For Linux/UNIX users, this means that port 22 is permitting SSH connections. Port 80 (HTTP/Web) and port 443 (HTTPS/SSL Web) have been opened to allow all standard web traffic. In addition, the required ports for control panel access have been opened if you have ordered a control panel from ServePath. Finally, ICMP Ping has been permitted to allow our monitoring services the necessary access to aid in managing our network.

2. File Permissions – There are certain files whose presence in the Linux file system can present a security risk and should be remedied as soon as possible. When the SUID (set user ID) or SGID (set group ID) bit is set on an executable, that program executes with the UID or GID of the owner of the file rather than that of the user executing it. This means that every executable with the SUID bit set and owned by root runs with the UID of root. This is a security risk and should be minimized unless the program is specifically designed for it. To find all files on your file system that have the SUID or SGID bit set, execute the command:

# find / -path /proc -prune -o -type f -perm /6000 -ls

(Older versions of find spell the last test -perm +6000; current GNU find only accepts the /6000 form.)

It is good practice to generate a list of SUID or SGID files on your server as soon as possible and to re-run the above command on a regular basis to ensure that new binaries with unsafe permissions are not being added to your server. World-writable files are a security risk as well: they are dangerous because anyone can modify them, and world-writable directories allow anyone to add or delete files. To find all world-writable files and directories (symbolic links are excluded because their mode is always world-writable), execute the command:

# find / -path /proc -prune -o -perm -2 ! -type l -ls

Another file permission issue is when files are not owned by any user or group. While this is not technically a security vulnerability, an audited system should not contain any unowned files. This is to prevent the situation where a new user is assigned a previous user’s UID, so that the previous owner’s files, if any, suddenly belong to the new user. To find all files that are not owned by any user or group, execute the command:

# find / -path /proc -prune -o \( -nouser -o -nogroup \) -ls

(The parentheses are required: without them the pruned /proc entry is listed as well and -ls binds only to the last test.)
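The three checks above, combined into one audit script that can be run from cron against the whole file system or, for testing, against a single directory tree. This is an added example and not a script from the ServePath post; it assumes GNU find (for -perm /6000) and keeps the post's exclusion of /proc.

```shell
#!/bin/sh
# Added example (not from the ServePath post): audit a directory tree for the
# three permission problems described in item 2. The root defaults to "/" and
# /proc is pruned as in the post; pass another directory to audit a subtree.

# Files with the SUID or SGID bit set. "-perm /6000" means "either bit set";
# it is the current GNU find spelling of the older "-perm +6000".
find_suid_sgid() {
    find "${1:-/}" -path /proc -prune -o -type f -perm /6000 -print 2>/dev/null
}

# World-writable files and directories. Symlinks are skipped because their
# mode is always 777 and says nothing about the target.
find_world_writable() {
    find "${1:-/}" -path /proc -prune -o -perm -2 ! -type l -print 2>/dev/null
}

# Files whose UID or GID no longer maps to an entry in /etc/passwd or /etc/group.
# The escaped parentheses keep -print bound to the unowned files only.
find_unowned() {
    find "${1:-/}" -path /proc -prune -o \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Run all three checks, print a labelled report for anything found, and return
# 1 when there was at least one finding (so cron mail or a monitor can react).
audit_permissions() {
    root=${1:-/}
    rc=0
    for check in find_suid_sgid find_world_writable find_unowned; do
        out=$("$check" "$root" || true)
        if [ -n "$out" ]; then
            printf '== %s ==\n%s\n' "$check" "$out"
            rc=1
        fi
    done
    return $rc
}

# Usage: audit_permissions            (whole system, run as root)
#        audit_permissions /srv/www   (one tree)
```

On a freshly deployed server, save the first report as a baseline and diff later runs against it; a new SUID binary that is not in the baseline is exactly the kind of change the post says to watch for.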

3. Listening Ports – It is very important to ensure that the listening ports on your server are limited to only those necessary for your server and its applications. To get a list of listening network ports, run the following command:

# netstat -tulp

Disable any ports that are not necessary. To do so, kill the PID (process ID) shown by netstat. The only port that your server must be listening on is SSH (port 22/tcp). Other ports that will need to be listening depend upon the specific purpose of your dedicated server. Note that by killing the PID of the process you are not preventing your server from starting the same service again on bootup. In order to see what programs your server is launching on startup, execute the following command:

# chkconfig --list | grep on    (Red Hat systems)
# ls -l /etc/rc2.d/S* | cut -d/ -f6    (Debian systems)

This command will show you which programs are to be executed in which run levels. In Red Hat, full multi-user mode is run level 3. To disable a service permanently, issue the following command:

# chkconfig <service_name> off

where <service_name> is the name of your service, such as httpd.

To disable any service in Debian, simply execute the following command:

# rm -f /etc/rc2.d/S*<service_name>

Please note that the above commands do not stop a service that is already running; they only prevent the service from being started on the next boot.

4. Unlocked User Accounts – The first thing you should take stock of on a new server are the users with unlocked accounts. Users with unlocked accounts are allowed to log in if assigned a valid shell, and should be kept to a minimum. To get a list of unlocked users, execute the following command:

# egrep -v '.*:\*|:!' /etc/shadow | awk -F: '{print $1}'

If you do not recognize any user returned by the above command, check to see if that user owns any files by executing the command:

# find / -path /proc -prune -o -user <user_name> -ls

where <user_name> is the name of the user you do not recognize, such as jdoe.

If the user does not own any files, or owns only files that will not hinder the stability of your server, delete the user by executing the command:

# userdel -r <user_name>
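The egrep command above drops any shadow line containing ":*" or ":!" anywhere, and it does not check the "valid shell" condition the paragraph mentions. The following added example (not from the ServePath post) inspects the password field itself, flags accounts with an empty password field separately, and then cross-checks the login shell in passwd. Both file paths are parameters, so it can be run against copies of /etc/shadow and /etc/passwd or against constructed test files.

```shell
#!/bin/sh
# Added example (not from the ServePath post). Finds accounts that can really
# log in: the shadow password field is not locked and the passwd shell is a
# real login shell. Paths default to the live files but can be overridden.

# Print "user:state" for every account whose shadow entry is not locked.
# A password field starting with "!" (or "!!") or "*" is locked. An empty
# field means the account has no password at all, which is the worst case.
unlocked_users() {
    shadow=${1:-/etc/shadow}
    awk -F: '
        $2 ~ /^[!*]/ { next }                    # locked: "!" / "!!" / "*"
        $2 == ""     { print $1 ":EMPTY"; next } # no password set
                     { print $1 ":password" }    # hashed password present
    ' "$shadow"
}

# Of the unlocked accounts, keep those whose login shell in passwd is not one
# of the conventional non-login shells. Output is "user:shell".
login_capable_users() {
    shadow=${1:-/etc/shadow}
    pwfile=${2:-/etc/passwd}
    unlocked_users "$shadow" | awk -F: -v pwfile="$pwfile" '
        BEGIN {
            # Load user -> shell from the passwd file (field 7).
            while ((getline line < pwfile) > 0) {
                n = split(line, f, ":")
                if (n >= 7) shell[f[1]] = f[7]
            }
        }
        {
            s = shell[$1]
            if (s == "" || s ~ /(nologin|false)$/) next
            print $1 ":" s
        }
    '
}

# Usage (as root, since /etc/shadow is not world-readable):
#   login_capable_users
# Anything listed that you do not recognize is a candidate for the
# "find ... -user" check and "userdel -r" from item 4.
```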

5. Enable/Disable Features – All of the following lines and values should be added to the file /etc/sysctl.conf if you want to enable or disable the feature mentioned. You will need to restart your system for these changes to take effect:

TCP SYN Cookie Protection: net.ipv4.tcp_syncookies = 1
Disable IP Source Routing: net.ipv4.conf.all.accept_source_route = 0
Disable ICMP Redirect Acceptance: net.ipv4.conf.all.accept_redirects = 0
IP Spoofing Protection: net.ipv4.conf.all.rp_filter = 1
Ignore Broadcast Requests: net.ipv4.icmp_echo_ignore_broadcasts = 1
Bad Error Message Protection: net.ipv4.icmp_ignore_bogus_error_responses = 1
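A setting that is written to sysctl.conf but never took effect (typo in the key, a later file overriding it, a reboot that did not happen) gives a false sense of safety, so it pays to verify the running kernel against the list above. The following added example (not from the ServePath post) keeps the six keys in one place, writes them as a sysctl.conf fragment, and compares them with the values the kernel exposes under /proc/sys. The /proc/sys root is a parameter so the check can also be pointed at a constructed fixture.

```shell
#!/bin/sh
# Added example (not from the ServePath post). The six hardening settings from
# item 5 as data, a writer for a sysctl.conf fragment, and a checker that reads
# the live values from /proc/sys (or any directory laid out like it).

# key=value pairs, one per line, using the real kernel key names.
hardening_sysctls() {
    cat <<'EOF'
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
EOF
}

# Write the settings in "key = value" form, the syntax sysctl.conf expects.
# Load with "sysctl -p <file>" or reboot, as the post describes.
write_sysctl_fragment() {
    hardening_sysctls | sed 's/=/ = /' > "$1"
}

# Compare every expected value with the live one under the given /proc/sys
# root. Prints one line per deviation ("key: want X have Y" or "key: missing")
# and returns 1 if there was any deviation, 0 if the kernel matches.
check_sysctls() {
    root=${1:-/proc/sys}
    rc=0
    for kv in $(hardening_sysctls); do
        key=${kv%%=*}
        want=${kv#*=}
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf '%s: missing\n' "$key"
            rc=1
            continue
        fi
        have=$(cat "$path")
        if [ "$have" != "$want" ]; then
            printf '%s: want %s have %s\n' "$key" "$want" "$have"
            rc=1
        fi
    done
    return $rc
}

# Usage: write_sysctl_fragment /etc/sysctl.d/99-hardening.conf
#        check_sysctls            (exit status 1 means something is off)
```

Run check_sysctls after the reboot (or after sysctl -p); a "missing" line usually means a misspelled key, which the kernel silently ignores when the file is loaded.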

6. Basic Access Control – One of the most important things you can do to protect your server is to implement very basic access control. Access control can eliminate a majority of the risk involved in running out-of-date services on the Internet. In order to implement an effective access control policy on your dedicated server, you will need one piece of information: the IP address or addresses of your Internet connection. For some, this may be one static address, while for others it is a pool of addresses. If you have more than one Internet connection, be sure to get ALL the IP addresses you could be assigned at any time. You may need to contact your Internet Service Provider for this information.

7. Restrict SSH Connections – While we do not recommend anybody running outdated software, especially something as crucial as SSH, a not insignificant portion of the risks involved in running an outdated SSH server can be mitigated by only allowing certain IP networks to access your SSH server via iptables. Execute the following command to allow SSH connections only from certain IP addresses:

# $IPTABLES -A INPUT -p tcp --dport 22 -s <X.X.X.X/NN> -j ACCEPT

The above line will allow TCP packets destined for port 22 to be accepted if and only if the source of the packets is within the network denoted by <X.X.X.X/NN>. If you have more than one Internet connection, or have multiple networks, simply add another line, replacing <X.X.X.X/NN> with the proper values.

8. Access Control on Control Panel – If your server is running a control panel, you can also improve your security by implementing an access control policy on the control panel administrative port.

Plesk:
$IPTABLES -A INPUT -p tcp --dport 8443 -s X.X.X.X/NN -j ACCEPT
Ensim:
$IPTABLES -A INPUT -p tcp --dport 19638 -s X.X.X.X/NN -j ACCEPT
Cpanel:
$IPTABLES -A INPUT -p tcp --dport 2082 -s X.X.X.X/NN -j ACCEPT

9. Access Control on FTP – Another service you may want to implement an access control policy on is FTP. If you or a small handful of people are the only users allowed to FTP into your dedicated server, then you will certainly benefit from employing some iptables rules by entering the commands:

$IPTABLES -A INPUT -p tcp -s X.X.X.X/NN --dport 20 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -s X.X.X.X/NN --dport 21 --syn -j ACCEPT

Note that both of the above lines must be executed for each source network.

10. Enable IPTABLES – Lastly, if you do not have a hardware firewall you will want to enable iptables, the software firewall in Linux systems. For a detailed iptables tutorial from ServePath, please visit our Support Center pages at: http://www.servepath.com/support/iptables.htm.
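Items 6 through 10 describe one policy: collect every source network you may connect from, allow the public services from item 1 to everyone, allow SSH, the control panel port and FTP only from those networks, and drop the rest. The following added example (not from the ServePath post) builds that policy as a single function so the per-network rules stay consistent. It assumes iptables with the classic -m state match; the IPTABLES variable follows the post's convention and defaults to /sbin/iptables, and setting IPTABLES=echo prints the rules instead of applying them, which is how the test exercises it. The networks and panel port in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the ServePath post). Builds the INPUT chain policy
# described in items 6-10: public web and ICMP echo for everyone, SSH, the
# control panel port and FTP only from trusted networks, default DROP.
# Set IPTABLES=echo to see the rules without applying them.

IPTABLES=${IPTABLES:-/sbin/iptables}

# $1: space-separated list of trusted CIDR networks (ALL your ISP addresses)
# $2: control panel admin port (8443 Plesk, 19638 Ensim, 2082 cPanel), or ""
build_firewall() {
    trusted=$1
    panel_port=$2

    $IPTABLES -F INPUT
    # Loopback, and replies to connections the server itself opened.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Public services from item 1: web, and ICMP echo for monitoring.
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Restricted services from items 7-9: one block of rules per network.
    for net in $trusted; do
        $IPTABLES -A INPUT -p tcp -s "$net" --dport 22 --syn -j ACCEPT
        if [ -n "$panel_port" ]; then
            $IPTABLES -A INPUT -p tcp -s "$net" --dport "$panel_port" --syn -j ACCEPT
        fi
        $IPTABLES -A INPUT -p tcp -s "$net" --dport 20 --syn -j ACCEPT
        $IPTABLES -A INPUT -p tcp -s "$net" --dport 21 --syn -j ACCEPT
    done
    # Set the default policy last, so the accept rules are already in place
    # when the chain starts dropping (important when working over SSH).
    $IPTABLES -P INPUT DROP
}

# Usage (placeholders; replace with the addresses from item 6):
#   build_firewall "203.0.113.0/24 198.51.100.7/32" 8443
```

Keep the session you ran this from open and test a fresh SSH login from each trusted network before logging out; if a network was missed, the rules can still be flushed from the existing session.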

Hope that helps you make your Linux server even more secure! For other helpful tips like this, be sure to visit the ServePath Knowledge Base.
