Nowadays, many of the big companies which get “hacked” claim they were compromised by “nation-state actors” or “highly sophisticated attackers”. Surely, some of them are probably true.
But most often, it seems, it’s just a nice cover up. It’s better for the company’s image to say that it was a “highly sophisticated attacker” than to admit they didn’t patch their stuff in time.
In this post I will not focus on how to build a highly secure server. That would take a whole book.
Instead, I will focus on what I would do, if I would need to build a server which would be a challenging target even for a nation-state actors. This means, I would need to be super paranoid.
Of course, such a request requires some compromises. Building a highly secure server is surely not practical. Nation-state actor could be “the russians”, NSA, whatever is your preference :)
So here’s the deal: I’ll give you the list of 12 prerequisites I would follow, if I’d have to try to build a server which is a challenging target even for the nation-state actors. I hope you find some of these ideas interesting.
Each single point brings upsides and downsides, and should be heavily researched before you even think you should adopt this in our environment.
I don’t offer any arguments for my tips, because that would take too much time and space. They’re based on my experience. So I warn you: they might hurt your feelings.
## The list
Don’t use Windows servers.
Even better, don’t use ANY Microsoft technology in your production environment.
Don’t use “the cloud”.
AWS, GCP, Azure, whatever. Don’t keep your sensitive data on someone else’s computer.
Yeah, surely you’ll find a bunch of articles claiming that whoever says “The cloud is just someone else’s computer” doesn’t understand what cloud actually is. But these articles are usually written by “tech” “cyber” “freelance” journalists. Who are, well, journalists.
Imagine you have a problem with your heart. Would you take advice from a “freelance cardiovascular journalist”? Right. Me neither. I’d go to a professional. In this case, a Cardiologist.
So pay attention to who is giving you the advice.
Don’t use virtualization.
Don’t use virtual machines, droplets, VPS instances, or whatever they’re called. You should never allow your sensitive data to live in a multi-tenant environment. Never share server hardware resources with another tenant.
You might wonder - what do I use then?
Use bare metal machines.
Owning your own servers is a huge pain. But if you’re protecting from a nation-state actor, you can afford it.
This way, you’re in full control of both hardware and software.
Compile minimal kernels.
Make one or a few kernel flavours, to satisfy the needs for different types of servers. For example, your storage servers use ZFS? Compile a kernel with ZFS support deployed only to storage servers. Your web server doesn’t have to (and shouldn’t) have ZFS support.
Compile your kernels only with the minimum required stuff. This way, you’ll reduce your attack surface. Compile and deploy your kernels often.
Compile all the software you use with minimum required features.
Don’t install software on your servers from official package repositories. They’re compiled to fit good to the majority of users.
Instead, compile each package only with the minimum necessary features you actually need. This way, you’ll reduce your attack surface drastically.
This approach is painful with most of the Linux distributions. But it’s very easy with Gentoo. So, I would…
And hire people who actually have a real-world experience with Gentoo. Gentoo makes the custom compiling of the software you need very easy. Plus, when you compile software specifically for your type of server, you might gain on performance too.
Surely, you can use other Linux distributions too. But over the time, you’ll waste a lot of resources (time and money) on managing the custom packages compiled for your servers.
On the other side, Gentoo provides
use flags, which make it very easy to compile the packages only with the features you actually need.
Use open-source software
Use open-source software as much as you can. Also, hire engineers who can actually read and understand the code of the open-source software you use.
Don’t install “next-gen” “AI” and similar shiny cyber security products
Because a lot of them just bring more problems than solutions. They usually need to run as
root, and they’re also usually full of vulnerabilities.
On a daily level I get a few emails from companies in the cybersecurity industry. They all claim to have a “silver bullet”. Most of the time, most of them, have very immature software products.
They go so far to offer me things like pre-filled virtual credit cards, Amazon vouchers, t-shits and other similar stuff - just to reply to their email or get 15 minutes of my time.
That is just one side of the sad reality of the cybersecurity industry nowadays.
Don’t use PHP.
I realize this might hurt some people’s feelings, but deal with it. Year after year, PHP wins in being weak at security. Google it. According to this report PHP apps were 3x more likely to be exploited in 2020.
If you want a highly secure server, stay away from PHP. Yes, that also means you should not run Wordpress on your server, if you want it to have a chance of being secure.
Configure your firewalls properly.
Block all ports which are not used. Make sure firewall rules are only changed through a secure “code review” of multiple sysadmins/devops or whoever manages your servers. Of course I assume that you utilize infrastructure as code.
Keep your kernels and all of your software up to date. Get alerts whenever there’s a vulnerability for the package you have on your server. Gentoo offers
glsa-check. There are similar tools for other Linux distributions.
There are some decent paid services too.
There’s a lot of other important things one can do in building up a highly secure server. Surely, you can have secure servers in the cloud too.
But, if NSA is after your data, could you really trust Amazon, Google or Microsoft?
It’s extremely hard to build an “unhackable” server. It’s even harder to build “unhackable” infrastructure. There’s no system which can’t be compromised. But no matter how secure your servers are, there’s probably something you can do to make them even more secure.
Of course, some of these tips are not practical. But the goal of this post wasn’t building a relatively secure server in a practical manner :)
You most likely don’t need to defend from a nation-state actor, or super sophisticated attackers.
If your servers are in the “cloud” or running on virtual machines of some sort - you can still do many things to reduce the risk of getting compromised. More about that, in some of the next posts.