Comments
Yes.
Yes, some users don't even respect the minimal configuration in terms of security.
How so?
Not creating backups. I was burned 4-5 years ago.
Example (just an example - actually a 777 directory is not really needed)
hacked index.php > hacker can upload anything to the cache directory OR overwrite index.php OR write new files in the current directory...
Convinced yet?
Nope. If I can execute arbitrary code on index.php, I already have the write permissions the web server user has. Doesn't matter if the file is 777 or 600.
I never said an attacker would limit himself to public_html files. You can set 777 permissions on any file in the system.
Riiiiiiiiiiiiiiiight. I'm sure a ton of newbies set 777 on their /root/.ssh or something... You just said it didn't matter. It does. Depending on the file? Sure!
But it does.
Having 123456 as the password is by far the worst.
Well, in the sense that one should worry about getting hit by a meteorite while crossing the road - sure, it can happen, I guess... Does it make a worthy item on a sec todo list? Nope.
Why did you post your selfies?
@deadbeef I'm not here to talk about what you and your colleagues do at http://x.co/8ehAW
Piscem natare doces... (you're teaching a fish to swim...)
@traffic, No need to advertise it - we get it. You're a skid who knows shit about security and tries to be a wise-ass by parroting things you read on some forum and don't get. Alright, it's not like you're a unique snowflake, tons of lq kids around.
Recognizing the problem is the first step towards recovery. We can't help you if you don't want to help yourself, son.
Stop bashing the world for your problems and start solving them instead.
Most common mistake is that they buy a VPS.
Blindly following tutorials with no knowledge of the OS.
Freely advertising their website and linking to a German blog post.
Root login doesn't need to be disabled, it doesn't add any real-world security against attackers (just against yourself, if you don't trust yourself to double-check your commands). Using keypair authentication is sufficient.
Nothing wrong with port 22 either. Again, use keypair authentication.
Exactly. With password-based login disabled, you can use port 22 without any problems or risks. It's just another inconvenience / way to add "security" by obscurity.
The primary newbie error is buying a VPS in the first place.
All the rest are inevitable consequences.
Newbie VPS users have an excuse, being new and all. I have seen professionals use FTP and unencrypted emails and it's 2015...
However, the SSH advice is sound: just create a key and disable password login through SSH. First thing I do.
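The advice in the posts above (key-based login on, password login off, port 22 left alone) can be checked mechanically. The following is an added example, not code from this thread or from any poster: it audits an sshd_config for those settings, assuming plain "Keyword value" syntax and looking only at the global section before any Match block, and runs against two constructed sample configs.

```shell
# Added example, not code from the thread: audit an sshd_config for the advice
# given above (key auth on, password login off). Assumes plain "Keyword value"
# syntax and only inspects the global section before any Match block.

# Effective lowercased value of a keyword, or the given default if unset.
# sshd honours the FIRST occurrence of a keyword, and directives after a
# "Match" line are conditional, so the scan stops at either.
sshd_value() {  # $1 keyword, $2 config file, $3 sshd default
    v=$(awk -v key="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$2")
    echo "${v:-$3}"
}

# Returns 0 when the config follows the advice, 1 otherwise; prints findings.
audit_sshd() {
    cfg="$1"; rc=0
    if [ "$(sshd_value PubkeyAuthentication "$cfg" yes)" != "yes" ]; then
        echo "FINDING: PubkeyAuthentication should be yes"; rc=1
    fi
    if [ "$(sshd_value PasswordAuthentication "$cfg" yes)" != "no" ]; then
        echo "FINDING: PasswordAuthentication should be no"; rc=1
    fi
    # Keyboard-interactive (PAM) can still prompt for a password; both the
    # old and the new keyword default to yes, so each must be explicitly off.
    for k in ChallengeResponseAuthentication KbdInteractiveAuthentication; do
        if [ "$(sshd_value "$k" "$cfg" yes)" != "no" ]; then
            echo "FINDING: $k should be no"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs (not taken from any real host).
WEAK=$(mktemp); HARD=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' > "$WEAK"
printf '%s\n' 'Port 22' 'PermitRootLogin prohibit-password' \
    'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'KbdInteractiveAuthentication no' \
    'Match User backup' '    PasswordAuthentication yes' > "$HARD"

audit_sshd "$WEAK" || echo "weak config: fails audit (expected)"
audit_sshd "$HARD" && echo "hardened config: passes audit"
```

Note that the "weak" sample is a typical distro default: PasswordAuthentication is explicitly on, and the two keyboard-interactive keywords are simply absent, which sshd treats as on.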
Yep. Nothing to do with security, but moving SSH away from port 22 sure does reduce the noise in your logs. But then again, I guess logs are not high on the list of priorities for newbies.
That is right. But log noise is not a problem if managed properly.
Installing Kloxo
I used to give the port 22 SSH logs (sorted by login frequency) to pregnant friends who were searching for baby names. That worked well until one of my friends named her baby "postgres". ;-)
Oh I missed this thread. Most common security mistake:
"I haven't touched this server in 3 years, if someone got in it's clearly YOUR servers that are insecure!"
Said 10+ clients to me every single day at my previous job...
@mr2nice2me Is there a problem? It's meant to help and it's getting considered as advertising? Nice idea. And yes, it is in German, but G. Translate will help you or just follow the commands.