Hardening Your Servers: Because It's Not 1995 Anymore, Darren!

#ServerHardening #Cybersecurity #OpenSource #FacepalmingInInfoSec #SecurityNightmares

Views expressed are my own, intentionally provocative for shock value and emphasis, and ABSOLUTELY do not represent those of my employers, past or present, or any potentially affiliated organizations. [s]Heck, they may not even represent my own views on any given day.[/s]** This is edu-satire. Reader discretion is advised.

** Oh no - this one TOTALLY represents my views!

Well, well, well. Here we are, nearly in 2025, and we're still treating our servers like they're college freshmen on their first spring break trip to Cancun. "Woo! Just hook up like there's no tomorrow! What could possibly go wrong?!" Spoiler alert: Everything. Everything could go wrong.

Case in point: yesterday's little adventure in "Why Are We Still Doing This?" brought to you by CUPS, the printing system that apparently decided it wanted to be a security vulnerability with some printing features tacked on. Congratulations, CUPS, you've achieved a CVSS score of 9.9. That's like getting an A+ in "How to Royally Screw Up Security 101."

The CUPS Runneth Over (With Vulnerabilities)

For those of you who haven't been paying attention (which, judging by the state of most servers out there, must be about 99.7825% of you), CUPS just got a vulnerability so bad it's practically begging hackers to come in and make themselves at home. And the best part? It's been sitting there, on millions of Linux/Unix systems, just waiting for someone to notice. I think I read that the vuln author found something like 300k machines exposed on day zero?! [shiver]

But hey, why would anyone bother to check what's actually running on their servers, right? That would be like, I don't know, doing our jobs or something!

Hardening Servers: A Novel Concept [Not]

Now, I know what you're thinking. "But Jodie, hardening servers sounds hard! Can't I just install a bunch of antivirus software and call it a day?" First of all, no. SECOND OF ALL, "NO, but in all caps." Here's a crazy idea: how about we actually secure our systems properly? I know, I know, it's revolutionary.

Step 1: Stop Connecting Everything to the Internet, You Bunch of Maniacs!

It's almost 2025. If you're still connecting your servers directly to the internet, you might as well just email your data to the hackers and save them some time. How about you instead use a proxy? Put it behind a firewall? A load balancer? Heck, protect it with a moat full of alligators for all I care… but geesh! Please just stop making it so easy for the bad guys!

Step 2: Use Open Source Tools (Because Apparently, Free is the Only Price Point We'll Even Consider)

- Lynis: An open-source security auditing tool that will make you question every life decision that led you to this point in your IT career. But it works really really well for finding running services you totally don't need.

- OpenSCAP: For when you want to comply with security policies AND feel bad about your imposter syndrome at the same time!

- Nmap: Because knowing is half the battle, and the other half is crying when you see how many open ports you still have.

Step 3: Remove Unnecessary Services (Looking at You, CUPS)

Here's a novel idea: if you don't need it, remove it. Is your server a dedicated print server? No? Then why in the name of all that is holy and secure do you have CUPS installed? Remove it. In fact, remove anything that isn't absolutely essential. Your NTP server probably also doesn't need five different text editors and a Minecraft server.
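Before you can remove what you don't need, you have to know what is actually listening. Lynis (Step 2) will tell you; so will thirty lines of shell. The script below is an added example, not something from this article or from the CUPS project: it takes `ss -Hltnup`-style output (the sample here is constructed to look like a web server that someone also left CUPS on), compares every listening process against a hypothetical allow-list of services the box is supposed to run, and prints the rest as removal candidates.

```shell
#!/bin/sh
# Added example (not from the article): compare what is actually listening on a host
# with an allow-list of services the host is supposed to run, and report everything
# else as a "why is this here?" candidate.
#
# The sample below is constructed in the format of `ss -Hltnup` output (no header,
# listening sockets, TCP and UDP, numeric ports, owning process). On a real host,
# replace it with "$(ss -Hltnup)".
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128          0.0.0.0:631       0.0.0.0:*    users:(("cupsd",pid=944,fd=7))
udp   UNCONN 0      0            0.0.0.0:631       0.0.0.0:*    users:(("cups-browsed",pid=951,fd=8))
tcp   LISTEN 0      4096         0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1203,fd=6))
udp   UNCONN 0      0            127.0.0.1:323     0.0.0.0:*    users:(("chronyd",pid=700,fd=5))'

# Hypothetical allow-list for a web server: the only things that should be listening.
ALLOWED_SERVICES='sshd nginx chronyd'

# Usage: unexpected_listeners "$ss_output" "$allowed_services"
# Prints "<proto> <port> <process>" for every listener whose process is not on the list.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            proto = $1
            port = $5; sub(/.*:/, "", port)          # "0.0.0.0:631" -> "631", also handles [::]:631
            proc = $0
            if (match(proc, /\("[^"]+"/)) {         # first ("name" in the users:(...) column
                proc = substr(proc, RSTART + 2, RLENGTH - 3)
            } else {
                proc = "unknown"
            }
            if (!(proc in ok)) print proto, port, proc
        }'
}

# Stand-alone run against the constructed sample: reports cupsd and cups-browsed on 631.
unexpected_listeners "$SAMPLE_SS_OUTPUT" "$ALLOWED_SERVICES"
```

Anything this prints is either a service you forgot to put on the allow-list (fix the list) or a service that has no business on the box (fix the box: stop and disable the unit, then uninstall the package so the next update doesn't bring it back). Run it from cron and diff against yesterday's output and you have a cheap "what changed?" alarm.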

Step 4: Update and Patch (Yes, Even on Weekends)

I know, I know. Updating is such a pain. You might have to reboot. You might have to actually pay attention to your systems for about five minutes. But consider this: it's less painful than explaining to your boss why your company's data is being sold on the dark web.

Step 5: Firewall Everything

If your firewall rules aren't stricter than a vegan at a BBQ restaurant, you're doing it wrong. Default DENY ANY ANY, people. If it's not explicitly allowed, it shouldn't be getting through. Ever.
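What "DENY ANY ANY" looks like on a Linux host, as an added example rather than anything from the article: a shell function that emits a complete nftables ruleset whose input and forward chains have `policy drop`, with only established traffic, loopback, ICMP and a hypothetical allow-list of TCP ports (22 and 443 for a web server) let through. Port 631 never appears, so CUPS traffic is dropped along with everything else nobody asked for.

```shell
#!/bin/sh
# Added example (not from the article): a default-deny nftables ruleset built from an
# explicit allow-list, so "if it's not explicitly allowed, it shouldn't be getting
# through" is literally what the firewall does.

# Hypothetical allow-list for a web server: TCP ports reachable from anywhere.
ALLOWED_TCP='22, 443'

# Usage: default_deny_ruleset "22, 443"
# Prints a complete ruleset: input and forward drop by default; only established
# connections, loopback, ICMP and the listed TCP ports get in.
default_deny_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # ICMP/ICMPv6 stay open so path MTU discovery and ping diagnostics keep working
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport { $1 } ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it (only when nft is installed).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        default_deny_ruleset "$1" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
}

# Stand-alone run: print the ruleset. Once check_ruleset passes, load it with
# `default_deny_ruleset "$ALLOWED_TCP" | nft -f -` and persist it in /etc/nftables.conf.
default_deny_ruleset "$ALLOWED_TCP"
```

Note the order: the `established,related` rule comes first so replies to your own outbound connections work, `invalid` is dropped before anything else is evaluated, and the allow-list only admits `new` connections. Adding a port means editing one string, which is exactly the friction you want: every hole is a deliberate decision with a name on it.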

But Wait, There's Still More!

- Implement Least Privilege: Because Bob from accounting doesn't need root access, no matter how much he begs.

- Enable and Monitor Logs: Logs are like your server's diary. Read it occasionally. It's trying to tell you something.

- Use Multi-Factor Authentication: Because passwords are like underwear. Change them often, and don't share them with other people.
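"Read your logs occasionally" is good advice that nobody follows, so here is an added example (not from the article) that reads them for you: two shell functions over sshd's syslog-style lines. One counts failed password attempts per source address and reports anything at or above a threshold (the classic brute-force signal); the other lists successful logins with user, method and source, because a success right after a burst of failures is the line worth chasing. The log lines are constructed; on a live host feed it `journalctl _COMM=sshd` or `/var/log/auth.log`.

```shell
#!/bin/sh
# Added example (not from the article): a minimal "read the diary" check over sshd logs.
#
# Constructed sample in the format sshd writes via syslog; replace with live input.
SAMPLE_AUTH_LOG='Sep 27 03:12:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Sep 27 03:12:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51423 ssh2
Sep 27 03:12:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51430 ssh2
Sep 27 03:13:10 web1 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Sep 27 03:14:44 web1 sshd[2215]: Failed password for deploy from 198.51.100.4 port 40031 ssh2
Sep 27 03:15:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt update'

# Usage: failed_login_sources "$log_text" THRESHOLD
# Prints "<count> <source-ip>", highest count first, for sources with >= THRESHOLD failures.
failed_login_sources() {
    printf '%s\n' "$1" | awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print fails[ip], ip }
    ' | sort -rn
}

# Usage: accepted_logins "$log_text"
# Prints "<user> <method> <source-ip>" for every successful login.
accepted_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") { method = $(i + 1); user = $(i + 3) }
                if ($i == "from") ip = $(i + 1)
            }
            print user, method, ip
        }'
}

# Stand-alone run: flag any source with three or more failures, then show who got in.
echo "== sources with >= 3 failed logins =="
failed_login_sources "$SAMPLE_AUTH_LOG" 3
echo "== accepted logins =="
accepted_logins "$SAMPLE_AUTH_LOG"
```

Threshold and window are policy, not physics: three failures in a few seconds from one address is noise on the internet and a problem on an internal management network. The point is that the check exists, runs on a schedule, and produces something a human or a SIEM will actually look at. Pair it with the MFA bullet above and a password-spraying run becomes a log entry instead of an incident.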

The CUPS Lesson: A Bitter Brew

Now, back to our friend CUPS. The lesson here isn't just "update your systems" (although for the love of all that is right and proper, please do). It's "question everything." Do you need it? No? Get rid of it. It's that simple.

Remediating the CUPS vulnerability is as easy as removing it if you're not running a print server. And if you are running a print server... why? It's 2025 (almost). We have these things called "cloud printing" and "PDFs." Look it up.

For me, remediating this latest vulnerability across thousands of servers involved... umm... writing this article. Because my machines are all hardened, and my NG firewalls, software firewalls, and layer 3 switching already ignore traffic to port 631 where it isn't needed.

In Conclusion: Harden or GTFO

Folks, it's time to face facts. If you're not hardening your servers, you're basically hanging a "Data Breaches Welcome" sign on your network. Use the tools. Do the work. And for the sake of all our sanity (and PHI), stop connecting things directly to the internet.

Remember: A hardened server is a happy server. And a happy server means you might actually get to sleep at night instead of dealing with the latest breach. It’s probably running faster without all that bloat. I know I would. If I ever actually ran any time I wasn't being chased…

Now if you'll excuse me, I need to go audit my InstaPot. You can never be too careful these days.

Ray Mullins

BS, AS | IBM Z Champion @ Broadcom MSD | Cannot Relocate | No Recruiters Please, I Already Have Too Many Cats to Herd | Non-Participant in LI LLM Training Without Compensation | Bringing High Quality Posts Here

5 months ago

Let’s be honest, no one gets their printers working. Just hang them on their own isolated server that’s air-gapped, and by air-gapped I mean physically. Turn that WiFi access off!
