Operating System Security
This article details crucial operating system (OS) security considerations for MediaWiki servers. A secure OS is the foundational layer protecting your wiki from unauthorized access, data breaches, and service disruptions. This guide is aimed at system administrators new to securing a MediaWiki environment.
Understanding the Threat Landscape
Before diving into configuration, it’s important to understand the common threats. These include:
- Unauthorized Access: Hackers attempting to gain control of the server.
- Malware Infections: Viruses, worms, and Trojans that can compromise data and system stability.
- Denial-of-Service (DoS) Attacks: Overwhelming the server with traffic, making it unavailable to legitimate users.
- Data Breaches: Unauthorized access, disclosure, or modification of sensitive wiki data.
- Privilege Escalation: Exploiting vulnerabilities to gain higher-level access than intended.
Regularly reviewing your Security Policy and staying up to date on emerging threats are vital. Consider using a Vulnerability Scanner to proactively identify weaknesses.
Operating System Hardening
Hardening the OS involves reducing its attack surface by disabling unnecessary services, configuring strong authentication, and patching vulnerabilities.
User Account Management
Proper user account management is paramount.
- Least Privilege: Grant users only the minimum necessary permissions. Avoid using the root/administrator account for routine tasks. Utilize sudo appropriately.
- Strong Passwords: Enforce complex password policies. Encourage the use of Password Manager tools.
- Account Lockout: Implement account lockout policies to prevent brute-force attacks.
- Regular Audits: Review user accounts and permissions regularly to identify and remove inactive or unnecessary accounts.
The following table summarizes recommended user account practices:
Practice | Description | Priority |
---|---|---|
Strong Passwords | Minimum length, complexity requirements, regular changes. | High |
Least Privilege | Grant only necessary permissions. | High |
Account Lockout | Prevent brute-force attacks. | Medium |
Regular Audits | Review and remove inactive accounts. | Medium |
Default Accounts | Remove or rename default accounts (e.g., 'admin'). | High |
Software Updates and Patch Management
Keeping the OS and all installed software up-to-date is crucial.
- Automated Updates: Configure automated updates whenever possible. Be sure to test updates in a staging environment before applying them to production.
- Security Patches: Prioritize applying security patches promptly. Subscribe to security mailing lists for your OS distribution (e.g., Debian Security Advisories, Red Hat Security Advisories).
- Version Control: Track changes to system configuration files using a Version Control System like Git.
Here’s a breakdown of common OS update mechanisms:
OS | Update Mechanism |
---|---|
Debian / Ubuntu | `apt update && apt upgrade` |
RHEL / CentOS / Fedora | `yum update` or `dnf update` |
openSUSE / SLES | `zypper update` |
Windows | Windows Update |
Firewall Configuration
A firewall acts as a barrier between your server and the outside world.
- Default Deny: Configure the firewall to block all incoming traffic by default, then selectively allow only necessary ports.
- Port Restrictions: Only open ports required for MediaWiki and other essential services (e.g., SSH, HTTP/HTTPS). Specifically, allow inbound traffic on ports 80 (HTTP) and 443 (HTTPS).
- Stateful Inspection: Use a firewall with stateful inspection to track the state of network connections and block unsolicited traffic. iptables and firewalld are common Linux firewall solutions.
Example firewall rules (iptables). Because the final rule drops everything else, the loopback interface and replies to connections the server itself opened (package updates, DNS, outbound HTTP) must be accepted before it:
```
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # SSH - restrict to trusted IPs!
iptables -A INPUT -j DROP
```
File System Security
Securing the file system prevents unauthorized access to sensitive data.
- Permissions: Set appropriate file and directory permissions. Avoid world-writable files and directories.
- Ownership: Assign ownership of files and directories to the appropriate users and groups.
- Access Control Lists (ACLs): Use ACLs for more granular control over file access.
- File Integrity Monitoring: Implement a File Integrity Monitoring System (FIMS) to detect unauthorized changes to critical files.
Recommended file permissions for MediaWiki files:
File/Directory | Permissions (Octal) | Owner | Group |
---|---|---|---|
 | 750 | `www-data` | `www-data` |
 | 755 | `www-data` | `www-data` |
 | 750 | `www-data` | `www-data` |
 | 640 | `www-data` | `www-data` |
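An added audit script, not part of the original article, that checks the file-system points above: it lists world-writable entries under the MediaWiki root, lists entries not owned by the web server account, and verifies that LocalSettings.php (which stores the database credentials) has no permission bits set for other users. The root path argument, the `www-data` default and treating LocalSettings.php as a 640-style file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit a MediaWiki tree for
# the file-system problems described above. The root path comes from $1 and
# the www-data owner is an assumption; adjust both for your installation.

# List every world-writable file or directory under the root (symlinks skipped).
find_world_writable() {
    find "$1" ! -type l -perm -o=w 2>/dev/null
}

# List entries under the root not owned by the expected user (user must exist).
find_wrong_owner() {
    find "$1" ! -user "$2" 2>/dev/null
}

# Succeed only if LocalSettings.php exists and no "other" bit (r, w, x) is set.
check_localsettings_mode() {
    f="$1/LocalSettings.php"
    [ -f "$f" ] || return 1
    [ -z "$(find "$f" \( -perm -o=r -o -perm -o=w -o -perm -o=x \))" ]
}

# Run all checks; return 0 when clean, 1 when any finding was printed.
audit_mediawiki_perms() {
    root=$1
    owner=${2:-www-data}   # assumed web server account
    rc=0
    ww=$(find_world_writable "$root")
    if [ -n "$ww" ]; then
        printf 'world-writable entries:\n%s\n' "$ww"
        rc=1
    fi
    wo=$(find_wrong_owner "$root" "$owner")
    if [ -n "$wo" ]; then
        printf 'entries not owned by %s:\n%s\n' "$owner" "$wo"
        rc=1
    fi
    if ! check_localsettings_mode "$root"; then
        echo 'LocalSettings.php missing or readable by others (use mode 640 or stricter)'
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh audit.sh /var/www/mediawiki [owner]
if [ $# -gt 0 ]; then
    audit_mediawiki_perms "$@"
fi
```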
Additional Security Measures
- Intrusion Detection System (IDS): Consider deploying an IDS to detect malicious activity.
- Regular Backups: Implement a robust Backup Strategy to protect against data loss. Store backups offsite.
- Security Audits: Conduct regular Security Audits to assess the effectiveness of your security controls.
- Disable Unnecessary Services: Turn off any services that are not required for MediaWiki to function.
- Log Monitoring: Regularly review system logs for suspicious activity. Use a Log Analysis Tool to automate this process.
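An added example, not from the original article, of the log review described above: it counts failed SSH password attempts per source address in sshd auth-log lines and prints the addresses at or above a threshold, which is the kind of signal an account-lockout policy or log analysis tool acts on. The sample log lines are constructed and the 5-attempt threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): flag brute-force SSH login
# attempts in auth-log lines. SAMPLE_LOG is constructed test data in the
# syslog format OpenSSH uses; the 5-attempt threshold is an assumption.

SAMPLE_LOG='Mar  3 10:01:02 wiki sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:04 wiki sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:06 wiki sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:07 wiki sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
Mar  3 10:01:09 wiki sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Mar  3 10:01:30 wiki sshd[1206]: Failed password for deploy from 192.0.2.55 port 40100 ssh2
Mar  3 10:01:35 wiki sshd[1207]: Accepted publickey for deploy from 192.0.2.55 port 40101 ssh2
Mar  3 10:02:11 wiki sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2'

# Read log lines on stdin; print "<count> <address>" per source, highest first.
# Only "Failed password" events from sshd are counted; accepted logins are ignored.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read log lines on stdin; print only addresses with at least $1 failures (default 5).
flag_bruteforce() {
    threshold=${1:-5}
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample; on a real host pipe the
# system's SSH auth log into flag_bruteforce instead.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
```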
Resources
- MediaWiki Security
- Server Security
- Database Security
- PHP Security
- SSH Hardening
- iptables documentation
- firewalld documentation
- SELinux