3.6 Summary
Hardening FTP Servers
FTP servers are used to exchange
data internally and between internal and external sources. FTP uses
ports 20 and 21 for its data and control connections, so those ports
must be open in your firewall to allow transmission of data between
external and internal sites. As with other application servers, keep
up to date with patches and consult vendor-specific and user community
documents describing secure configuration of your particular software.
When securing an FTP server, consider:
- User authentication (limit access to only those
users who really need it; avoid Anonymous access if you
can, and use a secure FTP variant such as S/FTP to avoid transmitting
passwords across the network in cleartext; when the original FTP protocol
is used, you are susceptible to password and data sniffing and man-in-the-middle
attacks).
- File permissions (carefully set file permissions
on your server to ensure that users have access to only those files
you wish them to have access to).
- Restricting uploads (restrict upload permission
to only those users who need it; this reduces the number of accounts
which if compromised can upload unauthorized files to your server).
- Disk quotas (setting a disk quota for users allowed
to upload reduces the likelihood that they can DoS your FTP server by
filling up its disk space).
- If you run your FTP server and web server on
the same machine (bad idea), do not allow the FTP server access to web-server-related
directories (scripts, HTML pages, etc.).
Hardening DNS Servers
DNS servers provide domain name service
information to clients who need to map hostnames to IP addresses. DNS
uses TCP and UDP port 53 for communication with clients and other nameservers
on internal and external networks. The most widely used UNIX DNS software,
BIND, has historically had many security issues (as have most other
DNS servers), so keep up with software updates to your DNS server.
Some actions to consider taking when hardening a DNS server, in addition
to the obvious actions of securing the underlying OS, include:
- Follow vendor and community-provided guidelines
for secure configuration; this can help guard against spoofing and DNS
cache poisoning (the insertion of invalid information in the DNS cache,
which can be used to redirect traffic to non-legitimate sites).
- Run the DNS server as an unprivileged user, so
that if it is compromised via a buffer overflow, the attacker cannot
run code with administrative privileges.
- Restrict zone transfers (batched DNS info updates)
from your primary name server to your secondary name servers, to minimize
DoS vulnerability and risks of other exploits.
- Configure redundant DNS servers, so that an outage
on one machine doesn't remove access to DNS information for your
entire network.
- Locate a secondary DNS server in a distant area
(both in terms of wire topology, and in terms of geography) for fault
tolerance.
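
As an added example (not part of the original CertiGuide text), the following Python sketch audits a BIND `named.conf` for the zone-transfer item above: it reports primary zones whose `allow-transfer` list is missing or set to `any`. The sample configuration is constructed, and the function names are hypothetical; a missing statement is flagged so that the restriction is explicit rather than left to the server's default.

```python
import re

# Constructed sample named.conf; 192.0.2.53 is a placeholder secondary server.
SAMPLE_NAMED_CONF = '''
options { directory "/var/named"; };
zone "example.com" { type master; allow-transfer { 192.0.2.53; }; };  // secondary only
zone "example.net" { type master; allow-transfer { any; }; };
zone "example.org" { type master; file "example.org.zone"; };
'''

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def blocks(text, header_re):
    """Yield (header match, body) for each brace-delimited block."""
    for m in re.finditer(header_re + r'\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def transfer_acl(body):
    """Return the allow-transfer entries in a block, or None if absent."""
    m = re.search(r'\ballow-transfer\s*\{([^}]*)\}', body)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit_zone_transfers(conf):
    """Map each primary zone with unrestricted transfers to a finding."""
    text = strip_comments(conf)
    inherited = None
    for _, body in blocks(text, r'\boptions'):
        inherited = transfer_acl(body)  # options-level ACL applies to all zones
    findings = {}
    for m, body in blocks(text, r'\bzone\s+"([^"]+)"(?:\s+\w+)?'):
        if not re.search(r'\btype\s+(master|primary)\s*;', body):
            continue  # secondaries are out of scope for this check
        acl = inherited if (own := transfer_acl(body)) is None else own
        if acl is None:
            findings[m.group(1)] = 'no allow-transfer statement'
        elif 'any' in acl:
            findings[m.group(1)] = 'transfers allowed to any host'
    return findings

if __name__ == '__main__':
    print(audit_zone_transfers(SAMPLE_NAMED_CONF))
```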
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.