Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In with OpenID
Advertise on LowEndTalk.com

In this Discussion

Your security Hardening...

Your security Hardening...

eastoncheastonch Member
edited August 2012 in General

Hello LET members,

Today I pose a nice thread, that maybe.. won't get det.._ derailed? Really? It wont? Yes. It will.

I have a question, when you first get that new OVZ server, or a dedicated server, how do you go about hardening it? Do you instantly run some "top secret" script, or do you simply do a passwd change and a port change?

Your scenario is this: Server that will be used only for you, has 2 assigned IP's and is not listed on any blacklists. The server will be used as a production server as a webserver hosting your personal blog and a status script for the other bunch of LEB's you have.

How do you secure it? How do you monitor it? What would be your optimisation of security?

I'm interested into whom is using the most hardened server techniques, and who're just leaving it as "root123" or "toor".

So let the thread begin!

Tagged:

Comments

  • Where would you go for the best deals on SSDs? I'm thinking of getting a couple.

    jarland.me | Read about my new hosting experiment.

  • passwd + port change + CSF + SSH Key-only login?

    (Or you could give passwd + port change + CSF + Google Authenticator for each login a go.)

    "We are in a prison drama. This is like The Shawshank Redemption, only with more tunneling through shit and no fucking redemption."
  • If the ovz node is not well secured, no matter how secured your server is, it is the matter of 1-command only to get into it from the unsecured main node... vzctl enter

  • Do you have any SSH server preference? Personally just like using open-ssh or Dropbear.

    Never used GA, tempted though.

  • @Alex_LiquidHost Let's assume it's some master of security... what's your next move?

  • gsrdgrdghdgsrdgrdghd Member
    edited August 2012

    Just the basic hardening: Removing every unneeded service, moving SSH to a non-standard port, disableing root login, disabeling cleartext passwords and enabeling SSH keys.

    I don't think anything more is needed.

    President Of Operations/CEO/CFO/CTO/COO of my account
    image

  • KuJoeKuJoe Member
    edited August 2012

    Change SSH port. Change root password to something I can't remember. Create user account. Setup RSA key with IP restrictions. Setup sudo. Disable password authentication. Disable root access to SSH. Setup denyhosts. Setup logwatch. Setup hosts.allow file. Setup e-mail notification scripts for any SSH logins. Remove unused scripts/services. Setup motd and banner. Setup hourly backup script. Install monitoring/alerting script + snmp. Setup heirloom-mailx for e-mail alerts. Reboot server and confirm everything is setup correctly.

    I've scripted most of this.

  • Monkeys are cute. Have you got one? /derail

  • @gsrdgrdghd said: Just the basic hardening: Removing every unneeded service

    This is the most important thing. SSH with key only and you can skip moving port is the next. I wouldnt go that far as disable root login and change port and i am paranoid usually. If you have to, do some limiting from iptables, for example only 1 ssh attempt in a minute, limit syn according to your normal usage, things like those. At the end of the day, if we are only to defend against bots, then it is easy, if someone is after you, it is more complicated, so know if you have enemies before going too deep into security, will do more harm than good. M

    I am only representing myself :)

  • KuJoeKuJoe Member
    edited August 2012

    Another thing, security is pointless without regular audits. You won't know how secure your security is if you don't check it. Right now I do a manual audit once a month but I've been building a nice audit script that I can run nightly if I wanted to (probably will run it bi-weekly though).

  • @KuJoe Why Denyhosts over Fail2Ban? And why a MOTD/Banner for your own server? Do you have this? image I understand the main important for e-mail notifications, that's simple to setup, it's in the .bashrc right?

    Why have a root password you can't remember, but not only that, remove the possibility of logging in through root, or with passwords at all? Seems silly. :']

    Thanks for the decent posts guys, will help me develop a security plan for myself.

  • For me, there's different levels of security, depending on various factors. Usually, it's a tradeoff between convenience and security. For a server that I have to access every day, multiple times per day, but doesn't need a ton of security, I'll just do a pretty standard setup - SSH key auth only, and fail2ban, along with removing anything that's not needed. For something high security, I'd restrict SSH access from all but one or two IPs as well, and those intermediate servers would have even further access restrictions (such as port knocking and two-factor auth). Really, you can combine any of these methods for as much or as little security as you need.

    Lead Developer - HostGuard Control Panel

  • Why Denyhosts over Fail2Ban? And why a MOTD/Banner for your own server? Do you have this?

    Personally preference I guess. Been using denyhosts for years and I like it. MOTD/Banner is there for legal reasons. They act like a No Trespassing sign, if you press charges against them they can't claim they didn't know it wasn't allowed when it's posted. I can't see the picture you're posting, I'll look at it when I get home.

    Why have a root password you can't remember, but not only that, remove the possibility of logging in through root, or with passwords at all? Seems silly. :']

    I put the password in my password program to remember it for me. :P I disable root for SSH, that doesn't mean root cannot be logged into or used, it just makes it harder for the hacker.

    Thanked by 1HalfEatenPie
  • @NickM said: Usually, it's a tradeoff between convenience and security.

    Exactly, when something happens you dont want to look up passes in a file, not to mention introducing more SPOFs. I dont know about others, but me, when I am in a hurry with a server down or something, I cant stand the pressure and get frustrated fast by my own security checks. I think everyone has it's own level of security, for the general fox, dont use bob or 123 as a pass and dont put any software you dont need, while removing that which your distro or image puts without asking along with keeping the software you do need up to date. For the others, well, we can go from mildly paranoid to danger to ourselves, and I bet nothing is really unbreakable given enough time and effort. There will be a mistake or unknown vulnerability, so if you are out of luck, then you are out of luck. M

    I am only representing myself :)

  • For the really secure stuff, I disable remote access completely (we even have a separate network that we user a different router and switch and pay for different IPs, bandwidth, cables, and VLANs just for management stuff).

  • What's in it? Just monitoring scripts and all the super secret SecureDragon's take over the world plans?

    Catalyst Host - Pie Approved!
  • KuJoeKuJoe Member
    edited August 2012

    I'll be adding my PogoPlug next week, it will run our monitoring/alerting and some auditing and recovery scripts also. Right now I'm just running some stuff off the router (VPN and monitoring) and the switch houses our DRACs.

  • JacobJacob Member
    edited August 2012

    Install minimal.. Login.. Change password to abc1234.. Install Slave, Change boot order, selinux, IPv6.. Setup RAID Monitoring.. Run my module script.. Reboot.. Completed..

    That is my ultimate plan, Feel free to leach as you please.

  • sleddogsleddog Member
    edited August 2012
    • Keep the OS and apps up-to-date, e.g., apt-get update/upgrade.
    • Monitor the update process and have a good look after to see what's running....

    A while ago, I installed dropbear (configured for a high port) on a Deb 6 test box. I shutdown openssh and disabled it from startup at boot. During an apt-get upgrade, openssh was updated, and the installer blissfully ignored the fact that it was disabled in startup and... started it. So I had two SSH servers running: dropbear all nicely buttoned down and a default-configured openssh on port 22 :)

    It pays to pay attention....

  • Well a default-configured up-to-date SSH server also isn't much of a security risk. If someone had a 0day OpenSSH remote code execution exploit they wouldn't be hacking some small servers.

    President Of Operations/CEO/CFO/CTO/COO of my account
    image

  • @gsrdgrdghd said: Well a default-configured up-to-date SSH server also isn't much of a security risk. If someone had a 0day OpenSSH remote code execution exploit they wouldn't be hacking some small servers.

    I didn't say it was. It was an example. My point is, be vigilant about what running.

  • ZenZen Member

    If its for production, my own script, if its not, just general password change, port change, f2b, and a few other changes.

    Transparency: I work for Nodisto and all subsequent businesses: Backupsy, VPSDime, Winity, Cloudive, and DotVPS. My opinions represented through posts on this forum are mine and not the opinions of these businesses unless explicitly stated otherwise.
  • dmmcintyre3dmmcintyre3 Member
    edited August 2012

    SSH: port change, set up DSA keys, disable passwd auth Other: keep system up to date, don't run unnecessary daemons, set services that don't need remote access but listen on TCP ports to listen on 127.0.0.1

    FreeVPS.us - The oldest post to host VPS provider
  • bdtechbdtech Member
    edited August 2012

    Change ssh port, create my user/pass, disable root login, set my user as allowed ssh user, set root password (different). Then login as user and su -. Lock down SSH port in iptables to certain IP (jump box) and VPN only

  • RandyRandy Disabled

    simple. setup a local firewall and only allow your OWN IP block all connections

  • InfinityInfinity Retired Staff

    What if your IP changes or an emergency when you are away from your home connection? Not practical.

    我是一个巨魔 (;

  • @Infinity said: What if your IP changes or an emergency when you are away from your home connection? Not practical.

    VPN :P But too much overhead, I agree with you n_n

  • InfinityInfinity Retired Staff

    VPNs fail now and again like now, I can't connect for some reason, I do have squid though but still, I don't feel safe so I'm sticking on my phone and with Opera Mini until I get back to the UK.

    我是一个巨魔 (;

  • @Infinity said: VPNs fail now and again like now, I can't connect for some reason, I do have squid though but still, I don't feel safe so I'm sticking on my phone and with Opera Mini until I get back to the UK.

    Multiple VPNs. :P I keep 5 VPNs available just in case (6 if I still have my Hostigation box setup for it).

    Thanked by 1[Deleted User]
  • @KuJoe said: Multiple VPNs

    I always admired ppl organized enough to always have at hand passwords, VPN locations, keys for SSH and the like... It was a real challenge for me when i had more than 10 VPSes, some ppl have 100 and still manage to keep track and order on what is on which and separate access credentials... My respect ! bows M

    I am only representing myself :)

  • vahevahe Member

    @Maounique said: I always admired ppl organized enough to always have at hand passwords, VPN locations, keys for SSH and the like... It was a real challenge for me when i had more than 10 VPSes, some ppl have 100 and still manage to keep track and order on what is on which and separate access credentials...

    I'm working on something that you'll like. Stay tuned.

  • @Maounique said: I always admired ppl organized enough to always have at hand passwords, VPN locations, keys for SSH and the like...

    I think it's the boy scout in me, always be prepared. :)

  • @Infinity said: What if your IP changes or an emergency when you are away from your home connection? Not practical.

    Allow access from two separate, static IPs. Those two boxes can accept SSH connections from any IP address, but they're locked down even more (port knocking and 2 factor auth).

    Lead Developer - HostGuard Control Panel

  • Get a good VPN from a quality provider if you're concerned about your VPN going down. You could say "what if they go down" but "what if" is a dangerous path if you don't draw a line ;)

    jarland.me | Read about my new hosting experiment.

  • @NickM said: port knocking

    Maybe this is the way to go, and just that.

Sign In or Register to comment.