Your security Hardening...
Hello LET members,
Today I pose a nice thread, that maybe.. won't get det.._ derailed? Really? It won't? Yes. It will.
I have a question: when you first get that new OVZ server, or a dedicated server, how do you go about hardening it? Do you instantly run some "top secret" script, or do you simply do a passwd change and a port change?
Your scenario is this:
Server that will be used only for you, has 2 assigned IPs and is not listed on any blacklists. The server will be used as a production server: a webserver hosting your personal blog and a status script for the other bunch of LEBs you have.
How do you secure it? How do you monitor it? What would be your optimisation of security?
I'm interested in who is using the most hardened server techniques, and who's just leaving it as "root123" or "toor".
So let the thread begin!
Comments
passwd + port change + CSF + SSH Key-only login?
(Or you could give passwd + port change + CSF + Google Authenticator for each login a go.)
If the OVZ node is not well secured, then no matter how secured your server is, it is a matter of only one command to get into it from the unsecured main node... vzctl enter
Do you have any SSH server preference? Personally I just like using OpenSSH or Dropbear.
Never used GA, tempted though.
@Alex_LiquidHost Let's assume it's some master of security... what's your next move?
Just the basic hardening: removing every unneeded service, moving SSH to a non-standard port, disabling root login, disabling cleartext passwords and enabling SSH keys.
I don't think anything more is needed.
Change SSH port.
Change root password to something I can't remember.
Create user account.
Setup RSA key with IP restrictions.
Setup sudo.
Disable password authentication.
Disable root access to SSH.
Setup denyhosts.
Setup logwatch.
Setup hosts.allow file.
Setup e-mail notification scripts for any SSH logins.
Remove unused scripts/services.
Setup motd and banner.
Setup hourly backup script.
Install monitoring/alerting script + snmp.
Setup heirloom-mailx for e-mail alerts.
Reboot server and confirm everything is setup correctly.
I've scripted most of this.
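The checklist above (key-only login, no root over SSH, no password authentication, a moved port, an explicit allowed user) is easy to get subtly wrong in sshd_config, because sshd takes the first occurrence of a directive and ignores later duplicates. The script below is an added example, not KuJoe's script or anything from the thread: it reads the effective value of each directive from the global section of a config file and reports which checklist items fail. The two sample configs, the file names and the user name "alice" are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit the effective sshd_config settings against the checklist
# in the post above. Not the poster's script; samples and names are made up.

# Effective value of a directive in the global section of an sshd_config.
# sshd keeps the FIRST occurrence of a directive; later duplicates are ignored.
# Lines starting with '#' are comments, and everything after a "Match" block
# header is conditional, so the scan stops there (Match blocks are out of scope).
# $1 = config file, $2 = directive (case-insensitive), $3 = compiled-in default
sshd_value() {
    value=$(awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$3"; fi
}

# Print a FINDING line when a directive's effective value differs from what we want.
# $1 = config, $2 = directive, $3 = default, $4 = wanted value, $5 = why it matters
check_directive() {
    actual=$(sshd_value "$1" "$2" "$3")
    if [ "$actual" != "$4" ]; then
        printf 'FINDING: %s is "%s", want "%s" (%s)\n' "$2" "$actual" "$4" "$5"
    fi
}

# Run the checklist against one config file. Defaults are OpenSSH 7.0+ values;
# older releases defaulted PermitRootLogin to "yes", which is worse, not better.
audit_sshd_config() {
    cfg=$1
    check_directive "$cfg" PermitRootLogin prohibit-password no "disable root access to SSH"
    check_directive "$cfg" PasswordAuthentication yes no "disable password authentication"
    check_directive "$cfg" PubkeyAuthentication yes yes "key-only login"
    check_directive "$cfg" PermitEmptyPasswords no no "never accept empty passwords"
    port=$(sshd_value "$cfg" Port 22)
    [ "$port" != 22 ] || printf 'FINDING: Port is still 22 (move SSH to a non-standard port)\n'
    users=$(sshd_value "$cfg" AllowUsers "")
    [ -n "$users" ] || printf 'FINDING: AllowUsers not set (restrict SSH to your own user)\n'
}

# Number of findings for a config, printed on stdout (0 means the checklist passes).
count_findings() {
    audit_sshd_config "$1" | grep -c '^FINDING' || true
}

# Constructed sample 1: a stock-looking config where the admin appended
# "PasswordAuthentication no" at the END of the file. sshd takes the first
# occurrence, so password logins are in fact still enabled.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
EOF

# Constructed sample 2: the checklist applied properly ("alice" is a placeholder).
HARD=$(mktemp)
cat > "$HARD" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowUsers alice
EOF
trap 'rm -f "$WEAK" "$HARD"' EXIT

for cfg in "$WEAK" "$HARD"; do
    echo "== $cfg: $(count_findings "$cfg") finding(s)"
    audit_sshd_config "$cfg"
done
```

On a real box run `audit_sshd_config /etc/ssh/sshd_config`, or better `sshd -T | audit_sshd_config /dev/stdin`, since `sshd -T` prints the fully resolved configuration including the compiled-in defaults.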
Monkeys are cute. Have you got one? /derail
This is the most important thing. SSH with key only and you can skip moving port is the next.
I wouldn't go that far as to disable root login and change the port, and I am paranoid usually.
If you have to, do some limiting from iptables, for example only 1 ssh attempt in a minute, limit syn according to your normal usage, things like those.
At the end of the day, if we only have to defend against bots, then it is easy; if someone is after you, it is more complicated. So know if you have enemies before going too deep into security; it will do more harm than good.
Another thing, security is pointless without regular audits. You won't know how secure your security is if you don't check it. Right now I do a manual audit once a month but I've been building a nice audit script that I can run nightly if I wanted to (probably will run it bi-weekly though).
@KuJoe
Why Denyhosts over Fail2Ban? And why a MOTD/Banner for your own server? Do you have this?
I understand the main importance of e-mail notifications, that's simple to set up; it's in the .bashrc, right?
Why have a root password you can't remember, but not only that, remove the possibility of logging in through root, or with passwords at all? Seems silly. :']
Thanks for the decent posts guys, will help me develop a security plan for myself.
For me, there's different levels of security, depending on various factors. Usually, it's a tradeoff between convenience and security. For a server that I have to access every day, multiple times per day, but doesn't need a ton of security, I'll just do a pretty standard setup - SSH key auth only, and fail2ban, along with removing anything that's not needed. For something high security, I'd restrict SSH access from all but one or two IPs as well, and those intermediate servers would have even further access restrictions (such as port knocking and two-factor auth). Really, you can combine any of these methods for as much or as little security as you need.
Personal preference I guess. Been using denyhosts for years and I like it. MOTD/Banner is there for legal reasons. They act like a No Trespassing sign: if you press charges against them they can't claim they didn't know it wasn't allowed when it's posted. I can't see the picture you're posting, I'll look at it when I get home.
I put the password in my password program to remember it for me. :P I disable root for SSH, that doesn't mean root cannot be logged into or used, it just makes it harder for the hacker.
Exactly, when something happens you don't want to look up passes in a file, not to mention introducing more SPOFs.
I don't know about others, but me, when I am in a hurry with a server down or something, I can't stand the pressure and get frustrated fast by my own security checks.
I think everyone has their own level of security. For the general folks: don't use bob or 123 as a pass and don't put on any software you don't need, while removing that which your distro or image puts there without asking, along with keeping the software you do need up to date.
For the others, well, we can go from mildly paranoid to danger to ourselves, and I bet nothing is really unbreakable given enough time and effort. There will be a mistake or unknown vulnerability, so if you are out of luck, then you are out of luck.
For the really secure stuff, I disable remote access completely (we even have a separate network that uses a different router and switch, and pay for different IPs, bandwidth, cables, and VLANs just for management stuff).
What's in it? Just monitoring scripts and all the super secret SecureDragon's take over the world plans?
I'll be adding my PogoPlug next week, it will run our monitoring/alerting and some auditing and recovery scripts also. Right now I'm just running some stuff off the router (VPN and monitoring) and the switch houses our DRACs.
Install minimal..
Login..
Change password to abc1234..
Install Slave, Change boot order, selinux, IPv6..
Setup RAID Monitoring..
Run my module script..
Reboot..
Completed..
That is my ultimate plan. Feel free to leech as you please.
A while ago, I installed dropbear (configured for a high port) on a Deb 6 test box. I shut down openssh and disabled it from startup at boot. During an apt-get upgrade, openssh was updated, and the installer blissfully ignored the fact that it was disabled in startup and... started it. So I had two SSH servers running: dropbear all nicely buttoned down and a default-configured openssh on port 22.
It pays to pay attention....
Well a default-configured up-to-date SSH server also isn't much of a security risk. If someone had a 0day OpenSSH remote code execution exploit they wouldn't be hacking some small servers.
I didn't say it was. It was an example. My point is, be vigilant about what's running.
SSH: port change, set up DSA keys, disable passwd auth
Other: keep system up to date, don't run unnecessary daemons, set services that don't need remote access but listen on TCP ports to listen on 127.0.0.1
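The dropbear/openssh story a few posts up and the "listen on 127.0.0.1" advice in this post are both about the same check: what is actually listening, and on which address. The script below is an added example, not from any post in the thread. It compares `ss -tlnp` output against a short allowlist of "port process scope" entries and reports any listener that is not on it, including a loopback-only service that has been exposed on 0.0.0.0. The `ss` output below is constructed to mirror the real iproute2 format; the allowlist and process names are placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): compare what is listening on TCP
# with an allowlist, so a second SSH daemon that a package upgrade quietly
# started, or a service that should be loopback-only but is bound to 0.0.0.0,
# shows up as a finding. Input format is `ss -tlnp` (iproute2); the sample
# below is constructed. Run it for real with: ss -tlnp | unexpected_listeners "$ALLOWED"

# Allowlist: "port process scope"; scope is "any" (public) or "local" (127.0.0.1 / ::1 only).
# A "local" entry also covers the loopback binding, an "any" entry covers both.
ALLOWED='2222 dropbear any
80 nginx any
25 master local
3306 mysqld local'

# Read `ss -tlnp` lines on stdin and print one FINDING line per listener that is
# not covered by the allowlist. $1 = allowlist text (three columns as above).
# Without root, ss omits the users:(...) column; the process then shows as "?".
unexpected_listeners() {
    allow=$(mktemp)
    printf '%s\n' "$1" > "$allow"
    awk '
        # First file (allowlist): remember "port process scope".
        NR == FNR { if (NF == 3) ok[$1 " " $2 " " $3] = 1; next }
        # Second input (ss output): only LISTEN rows; the header line is skipped.
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)     # "0.0.0.0:22" -> "0.0.0.0", "[::]:2222" -> "[::]"
            sub(/.*:/, "", port)         # keep only the port number
            scope = (addr == "127.0.0.1" || addr == "[::1]") ? "local" : "any"
            proc = "?"
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            covered = ((port " " proc " any") in ok) || \
                      (scope == "local" && ((port " " proc " local") in ok))
            if (!covered)
                printf "FINDING: %s listening on %s:%s (scope %s) is not on the allowlist\n", \
                       proc, addr, port, scope
        }' "$allow" -
    rm -f "$allow"
}

# Number of findings on stdout (0 means every listener is accounted for).
count_unexpected() {
    unexpected_listeners "$1" | grep -c '^FINDING' || true
}

# Constructed sample: dropbear on 2222 as intended, but a stock sshd is back on
# 22 after an upgrade, and mysqld is bound to every interface instead of loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*         users:(("dropbear",pid=412,fd=3))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=987,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1301,fd=6))
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*         users:(("master",pid=655,fd=13))
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=702,fd=20))
LISTEN 0      128    [::]:2222           [::]:*            users:(("dropbear",pid=412,fd=4))'

printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED"
```

Run from cron with the output mailed to you (the thread already has heirloom-mailx in the toolbox) and you get the nightly audit KuJoe mentions for the specific failure mode described above.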
Change ssh port, create my user/pass, disable root login, set my user as allowed ssh user, set root password (different). Then login as user and su -. Lock down SSH port in iptables to certain IP (jump box) and VPN only
Simple. Set up a local firewall and only allow your OWN IP; block all other connections.
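Two of the iptables ideas in this thread fit in one small chain: the "only one new SSH attempt per minute per source" limit mentioned earlier, and the "SSH only from the jump box / VPN / your own IP" lockdown in the last two posts. The script below is an added example, not from any poster. It prints the rules rather than running them, so the policy can be reviewed first; `apply_ssh_guard` executes them only when run as root with iptables installed. The port and the addresses passed in the demo call are placeholders, and it covers IPv4 only (ip6tables takes the same rules).

```shell
#!/bin/sh
# Added example (not code from the thread): build an iptables chain that
# rate-limits new SSH connections and, optionally, restricts SSH to trusted
# sources. Placeholder port and addresses; IPv4 only.

# $1 = SSH port, $2.. = trusted source addresses/CIDRs (jump box, VPN range).
# With no trusted sources every source is accepted but rate-limited; with
# trusted sources they are accepted immediately and everyone else is dropped.
# Prints one iptables command per line.
ssh_guard_rules() {
    port=$1; shift
    echo "iptables -N SSH_GUARD 2>/dev/null || iptables -F SSH_GUARD"
    # Trusted sources skip the limit entirely (you do not want to lock yourself
    # out of your own jump box during an outage).
    for src in "$@"; do
        echo "iptables -A SSH_GUARD -s $src -j ACCEPT"
    done
    # Record each new connection per source in the xt_recent list "ssh", then drop
    # when the source has 2 or more entries in the last 60 s, i.e. one attempt per
    # minute. --update also refreshes the timestamp, so hammering extends the block.
    # The list is readable in /proc/net/xt_recent/ssh, which doubles as a log of
    # who has been knocking even when everything untrusted is dropped below.
    echo "iptables -A SSH_GUARD -m conntrack --ctstate NEW -m recent --name ssh --set"
    echo "iptables -A SSH_GUARD -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 2 -j DROP"
    if [ $# -eq 0 ]; then
        echo "iptables -A SSH_GUARD -j ACCEPT"
    else
        echo "iptables -A SSH_GUARD -j DROP"
    fi
    # Hook the chain in front of whatever INPUT already contains.
    echo "iptables -I INPUT -p tcp --dport $port -j SSH_GUARD"
}

# Apply the generated rules, but only as root and only if iptables exists;
# otherwise just show them (dry run). Same arguments as ssh_guard_rules.
apply_ssh_guard() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "not root or iptables missing; dry run only:" >&2
        ssh_guard_rules "$@"
        return 0
    fi
    ssh_guard_rules "$@" | sh -e
}

# Demo (dry run): SSH on a placeholder port 2222, trusted jump box and VPN range
# taken from documentation address blocks.
ssh_guard_rules 2222 203.0.113.10 10.8.0.0/24
```

Before applying this for real, make sure the INPUT chain already accepts ESTABLISHED,RELATED traffic and that the trusted list includes the address you are currently connected from, or the final DROP cuts your own session off.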
What if your IP changes or an emergency when you are away from your home connection? Not practical.
VPN :P
But too much overhead, I agree with you n_n
VPNs fail now and again like now, I can't connect for some reason, I do have squid though but still, I don't feel safe so I'm sticking on my phone and with Opera Mini until I get back to the UK.
Multiple VPNs. :P I keep 5 VPNs available just in case (6 if I still have my Hostigation box setup for it).
I always admired ppl organized enough to always have at hand passwords, VPN locations, keys for SSH and the like...
It was a real challenge for me when I had more than 10 VPSes, some ppl have 100 and still manage to keep track and order on what is on which and separate access credentials...
My respect !
bows
It was a real challenge for me when I had more than 10 VPSes, some ppl have 100 and still manage to keep track and order on what is on which and separate access credentials...
I'm working on something that you'll like. Stay tuned.