This chapter contains the following:
Perhaps the most important security concepts in operating an Internet service are the following:
Every piece of software may contain bugs that can potentially be exploited by a malicious or mischievous user out on the Internet to gain some level of unauthorized control over server resources.
It is probable that an Internet service will at some point come under some form of attack from one or more client systems on the Internet.
A hacker only has to be lucky once. As the system administrator defending the server against attack, you have to be lucky every day. At some point, your luck may run out.
Given the existence of hackers on the Internet, it is unfortunately necessary to adopt a comprehensive security culture that includes the following key components:
A siege mentality tempered by the need to deliver your service to legitimate users at an acceptable cost.
A set of applications that repel documented modes of attack. New modes are continually being discovered and defensive countermeasures published. You need to keep current on the subject matter.
A set of security policies and associated business processes that ensure the security applications are not undermined accidentally or for the sake of operator convenience.
SGI has written the Server Security: An Overview White Paper, which provides a high-level introduction to security and general instructions for the secure configuration and operations of a 24/7 production Internet service.
The white paper is intended to provide system administrators less familiar with the complex issue of computer security insight into the actions already performed during system lockdown and file integrity assessment setup. It will help you to scope your security requirements and to limit your exposure to many types of attacks aimed at compromising your system and/or network.
You can access the white paper from the following URL:
Site Security Handbook:
Linux Administrator's Security Guide:
SGI security page:
Internet Engineering Task Force (IETF) security working group page:
Computer Emergency Response Team (CERT) page:
Netscape security page:
W3 security FAQ: