There are plenty of horrible ways to get your server hacked, cracked, botnetted, malwared, spammed, virus infected, and any number of awful scenarios, but some are worse than others. I have more sympathy for a server administrator who is subjected to SQL injections and other stealthy, even sinister plots. They probably did not see it coming, but for some weaknesses in security, even a new sysadmin should know better. In case you do not, however, here are 5 of the worst security practices.
1. Easy passwords
By easy I mean that a child could guess them. Under no circumstances should “password” be your password, but even slightly more complex ones that use dictionary words (i.e. “sexymama”, “kingofdahill”, “whatisthis”, “mypassword”, and others) can be just asking for trouble. Even if they are not easy to guess by a person, simple software can easily gain access to your server and wreak havoc.
2. Exposed Root account
Your root account is the master of your dedicated server. It is the king on your chess board. Keep it safe and hidden from view. Do not allow SSH, FTP, or any other type of direct login for it.
3. Test/Guest accounts
On a home computer or temporary virtual machine, an account with the password “test” may be useful. On a dedicated server, open to the entire world, which is filled 6 billion potential hackers by the way, your guest account better have just as strong of a password as normal accounts.
4. Sacrificial lamb scripts
In the old days, nearly every out-of-box server installation seemed to come with a form mail script that was about as secure as the dark alley behind a fight club. Scripts similar to it have managed to survive even in 2010. Do yourself and your clients a favor, and make sure these scripts are neutralized and eradicated.