Host Security: Server Physical Security

Source: Internet
Author: User
Tags server hosting

The physical security environment in which a server runs is very important, and many people ignore it. The physical environment mainly refers to the facilities of the machine room where the server is hosted, including the ventilation system, power supply system, lightning protection and fire prevention systems, and the temperature and humidity conditions of the machine room. These factors affect the service life of the server and the security of all its data. I will not discuss these factors here, because you will make those decisions when selecting an IDC.

What should be emphasized is that some data centers provide dedicated cabinets to hold servers, while others only provide racks. A cabinet is an iron cabinet much like a cupboard at home. It has front and rear doors, and power supplies and fans inside. After the server is put in, the door is locked, and only the data center administrator has the key to open it. Racks are open frames: to mount a server, you only need to slide it into the rack. These two environments differ greatly in the physical security they give servers. Obviously, servers placed in cabinets are much safer.

If your server is placed on an open rack, anyone in the machine room can access it. If others can easily access your hardware, what security is there? The following are examples of what can go wrong:

Many Windows servers are managed through Terminal Services. In an open-rack machine room, you can connect a display to any server. If an administrator or user of that machine happens to be working on it through a terminal session, you can view all of their operations on the machine. You can even connect a keyboard, kill off that session, and take full control of the machine. Of course, this kind of thing is rare, but that does not mean it cannot happen.

In addition, many Unix system administrators do not log out of the root shell, or the shells of other accounts, at the console when they leave the data center, so anyone who connects a keyboard and a display obtains shell access. This is a much easier way to obtain system privileges than a remote attack. I once wanted a Unix shell for temporary use at the data center, so I connected the display to several servers in the next rack, and soon I found a root shell that had not been exited. I connected the keyboard, and after I finished my own work I helped him quit the shell. If I were not a well-intentioned person, I could have installed a Trojan (rootkit) on his server without leaving any trace.

One day I saw a company's maintenance engineer debugging a leased line in the machine room. He suspected that there was a problem with his protocol converter, so without hesitation he pulled the protocol converter from a neighboring rack and connected it to his own leased line for debugging. The data transmission of the affected server may be interrupted for several minutes, which may be fatal to some companies, and their server administrators may never be able to find the cause!

In addition, anyone who boots the machine from a Linux CD can obtain root access to the host without any obstacle. Others may also bump your power supply by accident, and so on. The point is that servers placed on an open rack are not safe. If your server hardware is easily accessible to other people, it is only luck if nothing happens. If something does happen, you cannot find the cause or the responsible person.

Servers placed in a sealed cabinet are much safer. Generally, it is wise to put all your servers together (in the same cabinet or in several cabinets) and not to have servers from other companies in the cabinet. If you have only a small number of servers, it is still much safer to put them in a cabinet. Because not everyone can open the cabinet and access your hardware, the risk is much lower even if the maintenance personnel of other companies with servers in the same cabinet have the opportunity. In addition, if something goes wrong, you can trace the responsible person.

Once our server was interrupted for several hours due to a power failure, and we quickly determined the server's down status from the system log. When we traced the responsibility, I first thought of the maintenance personnel of the IDC room, because there were no servers from other companies in our cabinet and nobody else could touch the power supply. After investigation, it turned out that the IDC electrician had accidentally cut off the power of our server while powering on. They issued an apology to us. If you encounter such a situation in an open-rack data center, you cannot trace it.

If your server can only be deployed in an open-rack data center, you can do this:

1) Tape the power plug to the socket to prevent others from knocking your power supply loose.

2) After the system is installed, restart the server and unplug the keyboard and mouse during the restart process. Once the system has started, an ordinary keyboard or mouse will not work when it is connected (USB mice and keyboards are the exception).

3) Maintain a good relationship with the personnel on duty in the IDC room, and do not offend the maintenance personnel of other companies in the IDC room.

Once these things are done, your server will be at least somewhat more secure.
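The USB exception in step 2 and the local root console logins discussed earlier both leave lines in the system log, so console activity on an open rack can at least be detected afterwards. The following is an added example, not part of the original article: it scans syslog text for USB keyboard attachments and root logins on a local tty, and raises the severity when they fall outside the hours your own staff is expected on site. The log lines are constructed samples in a common Linux syslog layout, and the visit window, year, and function name are assumptions.

```python
import re
from datetime import datetime, time

# Constructed sample lines in a common Linux syslog layout (not from the article).
SAMPLE_LOG = """\
Mar  3 02:14:07 web01 kernel: usb 1-1.2: new low-speed USB device number 5 using ehci-pci
Mar  3 02:14:07 web01 kernel: input: Generic USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb1/1-1.2/input/input7
Mar  3 02:15:31 web01 login[2211]: ROOT LOGIN on '/dev/tty1'
Mar  3 10:05:12 web01 kernel: input: Generic USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb1/1-1.2/input/input8
Mar  3 10:06:40 web01 sshd[3120]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2
Mar  3 23:41:55 web01 kernel: usb 1-1.2: USB disconnect, device number 5
"""

ASSUMED_YEAR = 2024                       # classic syslog timestamps omit the year
VISIT_WINDOW = (time(9, 0), time(18, 0))  # assumed hours our own staff may be on site

# timestamp, host, source (program[pid]), message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^:]+): (.*)$")

# Only events that require hands on the hardware; remote sshd logins are ignored.
RULES = {
    "usb_keyboard_attached": re.compile(r"^input: .*keyboard", re.I),
    "console_root_login": re.compile(r"^ROOT LOGIN\s+on\s+'?(?:/dev/)?tty\d+", re.I),
}

def physical_access_events(log_text):
    """Return physical-console events, flagged 'alert' outside the visit window."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, _source, message = m.groups()
        when = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        for name, rule in RULES.items():
            if rule.search(message):
                expected = VISIT_WINDOW[0] <= when.time() <= VISIT_WINDOW[1]
                events.append({"time": when, "host": host, "event": name,
                               "severity": "info" if expected else "alert"})
    return events

if __name__ == "__main__":
    for e in physical_access_events(SAMPLE_LOG):
        print(e["time"].isoformat(), e["host"], e["severity"], e["event"])
```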

The physical security of servers plays a very important role for website hosts. It is the foundation of website host security. I hope you will learn more about it. We will also discuss it in future articles, and I would like to share my knowledge with you.
