Too many times now I have seen companies spend lots of time renewing servers, yet not thinking about the overall strategy and what they wish to achieve. So here are some helpful suggestions of things you may wish to consider before beginning your upgrade…

The Operating System

When looking at the system you wish to use, the operating system is important. Too many people look at the A-Z, see CentOS (the first in the list, so selected by default) and don’t think about the long-term effects of their choice. My preference is Ubuntu 12.04, but why?

When looking at an operating system, first consider the “end of life” of each version. CentOS 6 actually wins at first glance. Its life cycle ends on November 30, 2020, whereas Ubuntu 12.04, an LTS (Long Term Service) version, ends on April 25th 2014. However, before we debate the pros and cons of these two, remember that not all operating systems have a support period this long. Ubuntu 12.10, for example, actually only has a 1 year life span – not something you wish to be caught up with!

My first question to CentOS is: does anyone actually know what computers will look like in 2020? I am actually a little dubious about the advertised long run. Because I always find CentOS’s default repos to be behind on software patches, I consider the system slow moving, which means slow to fix issues and no real care for futureproofing. Another issue I always find with CentOS is the complete lack of software in its default repos. Logcheck, Portsentry and libpam-shield (or pam_shield as Red Hat names go), for me key security applications, are not there! Yes, it may have a long lifespan – but the software choice within the system is a little thin.

The Kernel

Who actually cares about the Linux Kernel? After all, it doesn’t really do anything significant when I’m configuring my Apache! Wrong! It has everything to do with how you look after your system! If attackers get in, the first thing they want to get at is your root terminal – and the best way to do that is to use a rootkit on the Kernel. A dodgy kernel is an insecure server. Who wants that bad WordPress plugin, installed by a client, to end up with a completely compromised system, with an attacker strolling around with root access?!

Furthermore, did you know that most 2.6 kernels are now at the end of their life? The only version from this series still supported is 2.6.34. Also consider that the latest kernel version is 3.7 – quite a jump! Knowing this, and as you are already making the effort to renew your servers, wouldn’t you prefer to make your kernel version 3.4 – the version supported until 2014, fitting in with the lifetime of your choice (well, my choice) of OS – Ubuntu 12.04?

Upgrading is a BIG job. Don’t make the mistake of renewing your server and then realising you need to upgrade the kernel 6 months later – especially if that means trying to upgrade it while it is live!

Apache 2 and Core Services

Whenever I’m scanning for vulnerable systems there is always an abundance of Apache 2.0 installations – and what can I tell from this? Well, you really don’t care about upgrades, and that means you are unlikely to care about security!

While you are doing your huge upgrade, why not install Apache 2.4? More features, likely a longer time until end of life (though Apache doesn’t have much documentation on their product life). Use your upgrade to your advantage! Look at the default versions of applications, and understand them.

This goes with most services: research, understand versioning, and plan how long you intend your upgrades to last. After this, managing minor upgrades is easy.

Security Software

When building a server, put the security in before the server goes live so you can test it. Use your latest re-install to give you that grace period and time for experimentation. No one really wants to install security software after the fact, when it may affect clients.

What can you look at? Well here are some to get started!

  • Logcheck – Easy monitoring of system logs
  • portsentry – Stop those port scanners
  • libpam-shield (pam_shield) – Protect from bruteforce SSH/login attack
  • bastille – Provides an interactive way to harden the kernel
  • ASLR, Heap Protection, Stack Protection et al. – These are general security techniques
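
A pre-go-live check in the spirit of the list above, as an added example that is not part of the original post. The minimum kernel and the package list are assumptions taken from the post's own choices, and the `--live` mode assumes a Debian/Ubuntu host with `dpkg-query`; without it the script runs on constructed sample values.

```shell
#!/bin/sh
# Added example: pre-go-live checks. Thresholds and package names are
# assumptions taken from the post's own choices; adjust them to your plan.
MIN_KERNEL=3.4
WANTED_PKGS="logcheck portsentry libpam-shield"

# kernel_at_least RELEASE MIN: succeed if RELEASE (e.g. 3.2.0-23-generic)
# is at or above MIN (e.g. 3.4), comparing major and minor numbers only.
kernel_at_least() {
    rel=${1%%-*}                          # drop the "-23-generic" suffix
    maj=${rel%%.*}; rest=${rel#*.}; min=${rest%%.*}
    want_maj=${2%%.*}; want_rest=${2#*.}; want_min=${want_rest%%.*}
    [ "$maj" -gt "$want_maj" ] && return 0
    [ "$maj" -eq "$want_maj" ] && [ "$min" -ge "$want_min" ]
}

# aslr_level VALUE: name the setting held in kernel.randomize_va_space.
aslr_level() {
    case "$1" in
        0) echo off ;;
        1) echo partial ;;                # stack, mmap base and VDSO
        2) echo full ;;                   # as 1, plus the brk() heap
        *) echo unknown ;;
    esac
}

# audit RELEASE ASLR_VALUE "INSTALLED PACKAGES": one line per check, non-zero on failure.
audit() {
    rc=0
    if kernel_at_least "$1" "$MIN_KERNEL"; then echo "ok   kernel $1"
    else echo "FAIL kernel $1 is older than $MIN_KERNEL"; rc=1; fi
    level=$(aslr_level "$2")
    if [ "$level" = full ]; then echo "ok   ASLR full"
    else echo "FAIL ASLR is $level (randomize_va_space=$2)"; rc=1; fi
    for p in $WANTED_PKGS; do
        case " $3 " in
            *" $p "*) echo "ok   $p installed" ;;
            *) echo "FAIL $p missing"; rc=1 ;;
        esac
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then          # Debian/Ubuntu host assumed
    audit "$(uname -r)" "$(cat /proc/sys/kernel/randomize_va_space)" \
          "$(dpkg-query -W -f='${Package} ' 2>/dev/null)"
else                                      # constructed sample values
    audit "2.6.32-358.el6.x86_64" 1 "logcheck openssh-server" || true
fi
```

Run it with `--live` on the new build before any client traffic reaches it; a non-zero exit status means at least one check failed.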

Conclusion

What we’re trying to say is don’t upgrade your server, then realise you’ll have to do it again in 6 months because you didn’t think about what you were installing. Most people seek a complete overhaul simply because they had some issue they wish to get rid of, and leave that as the only thing on their mind. Look ahead, plan and decide what you wish to do. Understand your choices, and seek advice before you proceed. Things are cheaper and more stable when they are sorted out first time, on a clean system.

Server installs don’t last forever, but they can last a predictable amount of time. Take an approach of selecting software based on a 4 year upgrade cycle. This keeps your minor upgrades easy, and your system on-line.


Categories: Development | Posted: February 19, 2013
