
Server Virtualization in Action: A View From the Trenches Page 2

By Amy Newman (Send Email)
Posted Dec 30, 2009


Reboot your VM or restart your X server to initialize the new video support. Your graphical interface should fire up and prompt you for a username and password. A graphical interface isn’t necessary to any functions of a dedicated server, but it’s nice to have for performing some administrative tasks (creating new users, sharing folders, printer setup) in a busy environment.

Whether you use Windows, Linux, or some other operating system, your virtual server is now ready for dedicated service.

Dedicating the Server

Depending on your operating system and choices during installation, it takes only 15 to 45 minutes to completely install and prepare a VM for this next critical step in the process of creating a dedicated system.

For our Debian-based mail server, we must prune out all unnecessary daemons (services) and check for open ports that may offer an attacker opportunity to hack our system. We downloaded and installed the NMap network security auditing tool from http://www.nmap.org. This tool is available as source code, Linux/UNIX packages, and as a Windows installer.

The NMap tool helps you check a new system for open TCP and UDP network ports so that you can make informed decisions about which ones to turn off. When we performed an intense scan of our new Debian system, we found three open ports. Table 9-1 shows the NMap output for that system.

Although we have three open ports, only two are essential: SMTP and SSH. You could argue that SSH is not absolutely necessary, but we prefer to keep it. rpcbind (rpc.statd) is a good candidate for removal because the mail server does not require Network File System (NFS) or any other Remote Procedure Call (RPC) program to operate normally.

The same service pruning can be done for Windows systems, although more caution should be taken when doing so. Disabling required services can be devastating to a Windows system. We scanned a virtual Windows 2003 server that acts as an Active Directory server with NMap. Table 9-2 shows the results. The server is a default installation to which Active Directory was added upon initial configuration. No other services were configured for it.

Table 9-3 is an NMap scan of a Windows 2003 system default installation.

Table 9-1  NMap Results for Debian Mail Server Scan.

PORT   PROTOCOL   STATE   SERVICE    VERSION
53     tcp        open    ssh        OpenSSH
88     tcp        open    smtp       Postfix smtpd
135    tcp        open    rpcbind

Table 9-2  NMap Results for Windows 2003 Active Directory Server Scan.

PORT   PROTOCOL   STATE   SERVICE        VERSION
53     tcp        open    domain         Microsoft DNS
88     tcp        open    kerberos-sec   Kerberos-sec
135    tcp        open    msrpc          RPC
139    tcp        open    netbios-ssn
389    tcp        open    ldap           LDAP
445    tcp        open    microsoft-ds   Directory Services
464    tcp        open    kpasswd5
593    tcp        open    ncacn_http     RPC over HTTP
636    tcp        open    tcpwrapped
1025   tcp        open    msrpc          RPC
1027   tcp        open    ncacn_http     RPC over HTTP
3268   tcp        open    ldap           LDAP
3269   tcp        open    rpcbind

Table 9-3  NMap Results for Windows 2003 Server Scan.

PORT   PROTOCOL   STATE   SERVICE        VERSION
135    tcp        open    msrpc          RPC
139    tcp        open    netbios-ssn
445    tcp        open    microsoft-ds   Directory Services
1025   tcp        open    msrpc          RPC
1026   tcp        open    ncacn_http     RPC

Although this is not a book on security, it bears mentioning that ports 135 and 445 should be blocked from the Internet. Port 445 is deeply embedded in Windows and is almost impossible to turn off without negative consequences, so your best option is to block it via firewall. Port 135, on the other hand, may be turned off without ill effects. At a minimum, it should be blocked via firewall from the Internet. When it comes to Internet security, you should expose only those ports that need exposure.
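The pruning decision described above (scan, list the open ports, keep only the services the dedicated server needs) can be scripted so it is repeatable after every rebuild. The following is an added example and not code from the book; it parses NMap's grepable output format (nmap -oG) and compares the open ports against an allowlist. The scan text is constructed for the example; the host address and the "ALLOWED" list are assumptions, chosen to mirror the mail server case.

```shell
#!/bin/sh
# Constructed sample of nmap -oG output for a dedicated mail server
# (not real scan output from the book). Fields are tab-separated.
SAMPLE_SCAN=$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 25/open/tcp//smtp//Postfix smtpd/, 111/open/tcp//rpcbind///, 113/closed/tcp//ident///\tIgnored State: closed (996)\n')

# Services this dedicated server is allowed to expose (assumed allowlist).
ALLOWED="ssh smtp"

# open_ports: read grepable nmap output on stdin and print one line per
# open port as "port/proto service". Closed or filtered ports are skipped.
open_ports() {
  grep '^Host:.*Ports:' |
    sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' |
    tr ',' '\n' | sed 's/^ *//' |
    awk -F/ '$2 == "open" {
      svc = ($5 == "") ? "unknown" : $5
      printf "%s/%s %s\n", $1, $3, svc
    }'
}

# unexpected_ports: print the open ports whose service is not on the
# allowlist. These are the pruning candidates; on a system where a
# service cannot be removed (port 445 on Windows, per the text), the
# remaining option is to block the port at the firewall.
unexpected_ports() {
  allowed=${1:-$ALLOWED}
  open_ports | while read -r port svc; do
    case " $allowed " in
      *" $svc "*) ;;               # expected service, keep it
      *) echo "$port $svc" ;;      # not on the allowlist, review it
    esac
  done
}

# Usage: feed a saved scan (nmap -oG scan.txt <host>) or the sample.
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports
```

Run against a real scan file with `unexpected_ports < scan.txt`; an empty result means every open port maps to an allowlisted service.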

After you have removed any offending services from your system, it’s ready for business as a dedicated virtual server.

This excerpt © Copyright Pearson Education. All rights reserved.

Want to read more than that? Pick up a copy of Practical Virtualization Solutions from InformIT.
