Basic Server Security – Detecting And Protecting Against Vulnerabilities
Welcome to the final part of our series on basic server security. Over the course of the series we’ve covered almost everything you need to know about securing a server, so if this is the first part you’ve seen, it is well worth looking back over the others. As we’ve covered in a previous article, it is important to keep your applications up to date as bugs and vulnerabilities will be exploited by attackers. So how do you find out if your server has any vulnerabilities?
Automatic Updates
Firstly, many systems provide the option for automatic updates, which will fix vulnerabilities for you. These are often limited to the operating system itself and, in the case of Linux systems, software installed from the repositories. Chances are that you will also be running some software that automatic updates do not cover, so for that software the onus is on you to find and fix vulnerabilities.
Most software providers will have an area on their website where they will post updates and security notices. These are worth checking regularly to see what they’ve updated and why. There’s also the Common Vulnerabilities and Exposures (CVE) database which is generally used to list and classify all major software vulnerabilities, and as such is a good source of information.
Unfortunately, it’s a time-consuming process to monitor all the update releases for your software, and it is easy to miss information that may be important. There are tools that make this much easier, though, in the form of vulnerability scanners.
What are vulnerability scanners?
Vulnerability scanners are tools that effectively perform the same tasks an attacker would be doing to gain access to your server. They can scan for open ports and work out what processes are running on those ports. They will then make use of a database of known exploits of the software detected to find out if the software is vulnerable to any of them. They can also flag software that is out of support and may need upgrading in order to still be eligible for security updates. Some tools may even go a step further. If a web server is detected, the website will be scanned for vulnerabilities against commonly used website software.
Tools such as Nessus, SAINT and OpenVAS are commonly used for vulnerability scanning. OWASP ZAP can perform scans as well as active and passive tests against a website while used as a proxy for a browser using the site, making it a commonly used tool for website testing. The different tools all have their own strengths and weaknesses, so it’s worth making use of multiple ones to test against your server to cover as many potential vulnerabilities as possible.
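The matching step described above (detected service, then a lookup against known-vulnerability and support data) can be sketched as follows. This is an added example, not code from any of the scanners named; the banners, advisory ids, fixed-in versions and support cut-offs are all constructed for illustration.

```python
import re

# Constructed advisory data: product -> [(first fixed version, advisory id)].
# The ids are placeholders, not real CVE numbers.
ADVISORIES = {
    "openssh": [((9, 6), "EXAMPLE-ADV-0001")],
    "nginx": [((1, 24, 1), "EXAMPLE-ADV-0002")],
}
# Constructed support data: product -> oldest release branch still supported.
OLDEST_SUPPORTED = {"openssh": (8, 0), "nginx": (1, 20), "apache": (2, 4)}
# Constructed banners, as a scan of your own server might collect them.
BANNERS = [
    (22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3"),
    (80, "Server: nginx/1.18.0"),
    (8080, "Server: Apache/2.4.58 (Unix)"),
    (2222, "SSH-2.0-dropbear"),
]
BANNER_RE = re.compile(r"(OpenSSH|nginx|Apache)[_/](\d+(?:\.\d+)*)", re.I)

def parse_banner(banner):
    """Return (product, version tuple), or None when no version is disclosed."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))

def assess(banners):
    """Match each detected service against the advisory and support tables."""
    findings = []
    for port, banner in banners:
        parsed = parse_banner(banner)
        if parsed is None:
            # A hidden version is not a clean result; it needs a manual check.
            findings.append((port, "unknown", "no version in banner; check manually"))
            continue
        product, version = parsed
        for fixed_in, adv_id in ADVISORIES.get(product, []):
            if version < fixed_in:
                fixed = ".".join(map(str, fixed_in))
                findings.append((port, product, f"{adv_id}: upgrade to {fixed} or later"))
        oldest = OLDEST_SUPPORTED.get(product)
        if oldest and version[:len(oldest)] < oldest:
            findings.append((port, product, "out of support"))
    return findings

if __name__ == "__main__":
    for finding in assess(BANNERS):
        print(finding)
```

Version matching from banners alone can over-report, because Linux distributions often backport security fixes without changing the upstream version number, so confirm a finding against the package's own changelog or the distribution's security notices before acting on it.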
What do I do if vulnerabilities are detected?
Once a vulnerability scanner has run, it will present you with an output informing you of what was detected and, more importantly, any vulnerabilities that were found. With that information you can then look into finding the updates for your vulnerable software and getting them installed before an attacker can make use of the vulnerabilities. Much like anti-virus software, vulnerability scanners need to be kept up to date so that they detect the latest known vulnerabilities, and they need to be run against your systems at regular intervals.
As you have seen from our series, there are many different aspects to be considered when configuring a server and keeping it secure. For the best results you should be thinking about how the server would be secured at the same time as planning your software deployment, meaning that the two can work together in harmony rather than one being a fight against the other.