June 20, 2005

The Ninth Commandment of system administration

Author: Brian Warshawsky

For every network service you run, you've opened one more window on your server to the world. Firewalls are great for defending servers against attacks from the outside, but attacks don't always come from the outside. If a server inside your firewall is compromised, the attacker can keep working against your other servers without the firewall ever seeing the traffic. For this reason it is important to schedule regular network audits of all of your servers, and to run them from inside the firewall as well as from outside it.

IX. Thou shalt know the openings into your servers

Remember last week, when we talked about creating a server log to keep track of all the details about your server? This is one place that log comes into play. Since you've recorded every detail about your servers, you know from the day you first brought each one up what services it should be offering and, as a result, which ports should be open. Good, because now you can check that list against the output of weekly network scans with Nmap. Nmap will tell you a large number of things about a remote machine, including a surprisingly accurate guess at its operating system, but what matters most here is that it tells us which ports are open. Cross-reference the scan against the server log and you'll know something is up when a machine that has never run an FTP server suddenly has port 21 open. Two caveats: a scan run from outside your firewall only shows you what the firewall lets through, so scan from inside as well, and Nmap's default scan covers only the most common ports, so use -p- (all 65,535 TCP ports) if you want to catch a service hiding on an odd high port. A service bound only to localhost won't show up in any remote scan; for that, compare netstat -l on the host itself against the log.
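To make the weekly comparison concrete, here is an added shell example (not code from the article): it parses Nmap's grepable output format (-oG) into a list of open ports and diffs that list against the baseline recorded in the server log. The hostname web1, its address, the scan text and the baseline are all constructed sample data, and the function names scan_open_ports and port_drift are this example's own.

```shell
#!/bin/sh
# Weekly port audit: compare an Nmap grepable scan (-oG) against the list of
# ports the server log says should be open, and report anything that drifted.
# Added example, not from the article. The scan text and baseline below are
# constructed samples; in practice feed it the output of `nmap -oG - web1`.
LC_ALL=C; export LC_ALL   # stable sort order for the comparison

# Baseline from the server log (constructed): one "host port/proto" per line.
BASELINE='web1 22/tcp
web1 80/tcp
web1 443/tcp'

# Constructed stand-in for this week's `nmap -oG -` output. Fields are
# tab-separated, which is why it is built with printf. Compared with the
# baseline, 21/tcp (ftp) is new and 80/tcp has gone away.
SCAN=$(printf 'Host: 192.168.1.10 (web1)\tStatus: Up\nHost: 192.168.1.10 (web1)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (1660)\n')

# scan_open_ports: read -oG output on stdin, print "host port/proto" for every
# port whose state is exactly "open" (open|filtered and the like are skipped).
scan_open_ports() {
    awk -F'\t' '
    /^Host: / {
        host = $1
        sub(/^Host: /, "", host)
        # prefer the reverse-DNS name in parentheses, otherwise the address
        if (match(host, /\(.+\)/)) {
            host = substr(host, RSTART + 1, RLENGTH - 2)
        } else {
            sub(/ .*/, "", host)
        }
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            ports = $i
            sub(/^Ports: /, "", ports)
            n = split(ports, p, ", ")
            for (j = 1; j <= n; j++) {
                # each entry is port/state/proto/owner/service/rpcinfo/version
                split(p[j], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3]
            }
        }
    }' | sort
}

# port_drift BASELINE OBSERVED: print "NEW host port/proto" for ports open now
# but absent from the baseline, and "MISSING host port/proto" for the reverse.
# Empty output means the server still matches its log entry.
port_drift() {
    {
        printf '%s\n' "$1" | sed 's/^/B /'
        printf '%s\n' "$2" | sed 's/^/S /'
    } | awk '
        NF == 3 && $1 == "B" { base[$2 " " $3] = 1 }
        NF == 3 && $1 == "S" { seen[$2 " " $3] = 1 }
        END {
            for (k in seen) if (!(k in base)) print "NEW " k
            for (k in base) if (!(k in seen)) print "MISSING " k
        }' | sort
}

# Demonstration run on the constructed data: prints the two drift lines.
observed=$(printf '%s\n' "$SCAN" | scan_open_ports)
port_drift "$BASELINE" "$observed"
```

In practice, replace the constructed SCAN with a live `nmap -oG -` run from a host inside the firewall, and keep the baseline file next to the server log so that any edit to the expected-ports list is itself a recorded change.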

This kind of foresight and vigilance is necessary to stay ahead of potential problems before they become outright emergencies. Nmap tells you what is listening; it doesn't tell you whether what's listening is safe. Vulnerability scanners such as SAINT (a commercial descendant of SATAN) take that next step: they probe the open services for known vulnerabilities and insecure configurations and recommend a fix for each finding.

By checking on these services on a regular basis, you stay aware of the changing topology of your systems and network. This helps you maintain an awareness of the inherent strengths and weaknesses of each server and each segment of your network. With that knowledge, you also gain a better understanding of your network's traffic needs, and you can tighten the firewall accordingly: a port that no server legitimately listens on has no business being open in the firewall either.

I stated before that system administration is a profession of details. This is an example of some of those details. It's important not to get overwhelmed by some of the more mundane and repetitive details involved here. Next week I'll show you an easier way to accomplish repetitive tasks such as this.

The commandments so far:
I. Thou shalt make regular and complete backups
II. Thou shalt establish absolute trust in thy servers
III. Thou shalt be the first to know when something goes down
IV. Thou shalt keep server logs on everything
V. Thou shalt document complete and effective policies and procedures
VI. Thou shalt know what cable goes where
VII. Thou shalt use encryption for insecure services
VIII. Thou shalt not lose system logs when a server dies
IX. Thou shalt know the openings into your servers
