Every server-based software that ain’t designed to fail requires security measures. Part of it is software itself, another part – system environment where it runs. This time I want talk about the latter and the tool that we used in product development projects for our clients – Bastille Unix (formerly known as Bastille Linux; read the awkward story why it was renamed so).
What does it do? It hardens your server operating system, so that it reduces system’s surface of vulnerability. It closes unneeded ports, terminates unnecessary services and does bunch of other things that help you retain control over this “system surface”. Bastille (as one could guess from its name) works for different Unixoids, predominantly Linux family (Debian, Fedora Core, Gentoo, Mandriva, RedHat, SuSE, TurboLinux). Mac OS X is supported too as of recently. It is free, distributed under GPL license.
We used Bastille scripts for Linux CentOS, really good operating system that deserves separate post as great free alternative to RedHat (that is why BTW we didn’t or better say almost didn’t have troubles hardening it with Bastille despite it’s not listed above). If you run Bastille without configuring it specifically – it “locks” literally everything, every connection to the outside world. But the process is indeed wizard-like and allowing you to configure the individual policies and works great overall. We helped our client secure their data center with 75 dual Xeon based servers with CentOS on it (this DC included both production and staging areas). The optimal way to do this is to harden one instance of operating system with Bastille and then replicate it to all other instances.
Here’s potential pitfalls and ways to avoid them:
Mistakes made on “Server 0″ will be replicated to the rest of the servers. This means that Server 0 has to be tested in adequate environment very carefully.
The process of hardening is reversible but works ideally when only minimum changes/customizations made. Thus plan for services you gonna have running on your services whenever possible and reflect in Server 0 configuration.
The result is rewarding: you’re confident that there’s no hidden side of the iceberg hidden from you full of vulnarabilities from the outside world. Be safe!
How is the automotive industry responding to digitalization? Where we last left off, we began talking about the strengths of open source in the automotive industry, and why it’s so important for OEMs to “become software companies” and leverage i...
Joining Excelian in 2008 straight from university, Rushmi Watson has worked for clients in London, Germany and France. She has had the opportunity to work in many areas of Murex and grow into one of our most experienced subject matter experts, partic...
As the automotive industry speeds forward, OEMs are realizing at an increasing rate how important it is to keep up with the digital wave. Switching to user-centric designs with a human-machine interface (HMI) that meets the needs of modern consumers ...