Maintaining a Secure Server

Having to run your own server, whether it’s in the cloud or rented as a physical machine in a data center, is inevitable once you try to do more than just host a few HTML files. It seems easy at first: Install Linux and the LAMP stack and you’re ready to go. But even with the best intentions, chances are you will quickly find that your server has been hacked and is now serving porn to the world and emailing viruses to unsuspecting internet users.

As soon as Linux is installed and running, the authentication log (at /var/log/auth.log) will reveal tons of attempts to gain root access. Let’s hope you chose a good password (or, better yet, disabled root login). Almost any software you are running, be it MySQL or the PHP FastCGI Process Manager (required if you’re hosting with nginx), exposes a service on a port, and every open port is more attack surface for hackers. Of course, some ports need to be open (e.g. 80 or 443 for your website, and a number of ports for email service - good luck setting up email securely!). So you quickly end up deep in the details of your firewall. And let me tell you that iptables is a huge mess and I dread every moment I have to make changes to my firewall!
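
To make the point about what that log shows concrete, here is an added example (not code from the original post): a small Python script that parses sshd lines in the auth.log format, counts failed logins per source address and lists the usernames each source tried, so that brute-force sources stand out. The sample log lines are constructed, and the threshold of three failures is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd lines in /var/log/auth.log format (not real traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 04:12:01 host sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  3 04:12:03 host sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  3 04:12:05 host sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar  3 04:12:09 host sshd[2205]: Failed password for root from 198.51.100.7 port 40140 ssh2
Mar  3 04:15:40 host sshd[2210]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Mar  3 04:15:55 host sshd[2210]: Accepted publickey for alice from 203.0.113.9 port 51000 ssh2: ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Mar  3 04:20:00 host CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "invalid user" appears when the username does not exist on the system.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)

def summarize_auth_log(text):
    """Return failed-login counts per IP, usernames tried per IP, and accepted logins."""
    failures = Counter()
    users = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return failures, users, accepted

def brute_force_sources(text, threshold=3):
    """IPs with at least `threshold` failed logins (assumed cut-off), most frequent first."""
    failures, users, _ = summarize_auth_log(text)
    return [(ip, n, sorted(users[ip])) for ip, n in failures.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n, names in brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {n} failed logins, usernames tried: {', '.join(names)}")
    for user, ip, method in summarize_auth_log(SAMPLE_AUTH_LOG)[2]:
        print(f"accepted {method} login for {user} from {ip}")
```

Run against the real file with `brute_force_sources(open("/var/log/auth.log").read())`; the accepted-login list is worth reviewing too, since a successful login after a run of failures is the case you most want to notice.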

Even once you have set up a reasonably secure server, it’s never time to lean back. You need to stay informed about recent vulnerabilities, that is, read tech news and always keep your software up to date. Many of these vulnerabilities will allow hackers to shut you out of your system and do whatever they want with it. You may say to yourself: “I don’t run a very popular website, so why would a hacker attempt to gain access to my system?” But remember that hackers don’t do this manually. Automatic scripts scan the internet’s servers for vulnerabilities around the clock, and any compromised server becomes part of a large botnet. You don’t need to be famous to become a victim. You may say: “So what? I’ll shut it down and reinstall everything after it happens.” But you may not notice for a long time that people have been sending malware using your domain, which can be traced back to your name. There are reports of people getting unpleasant phone calls or even visits from the recipients of such mail.

I’ve been taking all the precautions I knew of with this server but still got hacked. This blog was running on WordPress which, by and large, if upgraded regularly, doesn’t attract too many problems. But after I installed a plugin (rated with five stars, mind you), odd things started to happen. I noticed when traffic increased significantly because spam was sent from my IP address. I purged the malicious files from it, but they kept getting access to my file system. Hackers place files in many different directories, and if you miss one, they will still have access.

So I finally ditched WordPress. The blog is now hosted as static files. They are generated with Hugo, a static website generator written in Golang. It’s been quite a nice experience (with the occasional frustration caused by any new tool). It takes PHP scripting out of the equation. But as always, unexpected new threats will pop up. You can never go to sleep.