Why “the Perfect Server” Is NOT Perfect

Republished due to popular 404s :–)

Or why not to follow Howtoforge.com’s articles on your production machines.

I suppose everyone has heard about “The Perfect Server” series from howtoforge.com. I was looking today at “The Perfect Server – Ubuntu Gutsy Gibbon” and I found that it’s the same old story as it has been since the beginning of the series.

So what mistakes do they make? First of all, in a production environment, one server does one thing. For example, a nameserver is a nameserver. Not also a web server, a mail server, and God knows what other services are running. Defining a single service for each server in your network makes it easier to manage and leaves you somewhat safer in the Internet world.

Imagine that you have “The Perfect Server” on a machine connected to the Internet. You are running Apache, MySQL, postfix, bind, proftpd, Courier-POP3/IMAP, Webalizer and ISPConfig. That looks like a very busy server. What happens if an exploit is out in the wild that you know nothing about, that has not been made public, and for which the vendor doesn’t have a fix? And believe me, there are many. Someone who has access to that piece of code will have the opportunity to hack into your server. And once he’s in, he has access to all your other running services. Think about the impact of this attack if he has access to the e-mails you are exchanging with your business customers. Suppose you are running an eCommerce website: the attacker will have access to your entire customer database. And that’s the best-case scenario. Now imagine what your customers will think if they see a banner on your site saying “H4ck3d by th3 l33t3st h4x0r 1n th3 w0rld”.

So, if you’re running “The Perfect Server” you are running a lot of services. Every one of these services can have, and will have, trust me, one or several vulnerabilities. Count your total running services, think of a number of ways an attacker could possibly exploit a service, and multiply those 2 values and you’ll find the chances your server will be attacked and successfully exploited. I’ll let you do the math.

On the other hand, you will not tell me that your budget is low and you don’t have enough money to spend on hardware. No problem. Use virtualization! You can run all those servers inside a single one. Even better, you can do full backups much more easily: just copy/paste the image of your virtual machine.

In my opinion, the following can be a better setup for your network:

  • 2 nameservers
  • 1 or 2 mailservers
  • 1 webserver
  • 1 database server
  • 1 FTP server
  • 1 server for statistics (webalizer, cacti, awstats, SNMP or whatever you want)
  • 1 access server
  • 1 firewall server

On every one of those servers, install your distro of choice as minimally as you can, then install only the software needed for that server’s purpose.

The access server should be the only one accessible from outside your network via SSH or any other remote-login protocol. All the other servers should accept remote logins only from the access server. Also, try to restrict who can reach your access server. If you know which IPs you will SSH in from, you can restrict access at your firewall. If you don’t know that, or if you get your IP via DHCP, you can use port knocking. Knockd can do this job for you.
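One way to check the rule above, as an added example that is not part of the original post: the Python sketch below walks each server's `iptables-save` output and reports any server that accepts SSH from something other than the access server. The addresses, host names and rulesets are constructed, and the matcher is a simplification that understands only `-p`, `-s`, `--dport` and `-j`.

```python
import ipaddress
import shlex

ACCESS = "10.0.0.10"  # constructed address of the access server
PROBES = {"internet host": "198.51.100.7", "neighbouring server": "10.0.0.30"}

def ssh_verdict(ruleset, src):
    """Verdict for a new TCP/22 connection from src: first-match walk of INPUT.
    Simplification: only -p, -s, --dport and -j are understood; rules using
    any other option (state, interface, negation, ...) are skipped."""
    src_ip, policy = ipaddress.ip_address(src), "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:1] == [":INPUT"]:
            policy = tok[1]  # chain default, used when no rule matches
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))
        if set(opts) - {"-p", "-s", "--dport", "-j"}:
            continue
        if opts.get("-p", "tcp") not in ("tcp", "all") or opts.get("--dport", "22") != "22":
            continue
        net = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if src_ip in net and opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]
    return policy

def audit(hosts):
    """Return {host: [findings]}; an empty list means the host fits the design."""
    report = {}
    for name, rules in hosts.items():
        found = []
        if ssh_verdict(rules, ACCESS) != "ACCEPT":
            found.append("access server cannot SSH in")
        found += [f"SSH accepted from {who}" for who, ip in PROBES.items()
                  if ssh_verdict(rules, ip) == "ACCEPT"]
        report[name] = found
    return report

# Constructed iptables-save dumps (filter table only), one per server.
HOSTS = {
    "db": ":INPUT DROP [0:0]\n-A INPUT -p tcp -s 10.0.0.10/32 --dport 22 -j ACCEPT",
    "web": ":INPUT DROP [0:0]\n-A INPUT -p tcp --dport 80 -j ACCEPT\n"
           "-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT",
    "ftp": ":INPUT ACCEPT [0:0]\n-A INPUT -p tcp --dport 21 -j ACCEPT",
}

if __name__ == "__main__":
    print(audit(HOSTS))
```

The `web` ruleset shows the common slip of allowing SSH from the whole internal subnet, which lets any compromised neighbour log in; `ftp` shows a permissive default policy undoing the design entirely.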

Finally, take care what you run and how you set up access to your servers. More services running on a single machine means more chances for an attacker to get into your server.

Copyright © 2014 - Liviu Damian.