How secure is a server which is protected by csf only?
I've used "full managed" VPS and dedicated servers for a long time, along with unmanaged ones (for small sites). It seems that there's almost no difference between them; when the server is hacked, the full managed ones can't give me the help as expected.
So I'm wondering: is it reliable to rent an unmanaged server for sites that have thousands of visitors (or more) every day, install a few pieces of security software on the server, then leave it unmanaged? Since I can do other things except the security ones.
Comments
Who is this provider? You should probably move to somewhere that knows what they are doing. I recommend Hudsonvalleyhost if you are looking for managed cPanel.
You cannot just install a few applications (i.e. CSF) and hope for the best. Managing security is much more than that and includes regular checkups (e.g. logs) and so much more.
Many people think that installing a few applications (often with default configuration) is enough to guarantee security. It's not. A CSF protected server may be as secure as plain, vanilla Linux. There are many other factors that have to be taken into account.
Look for a provider that knows what they are doing.
It helps increase the security of the machine if configured correctly by using iptables to only allow ports that need to be exposed and also by autoblocking people who try to brute-force various services.
However, it's not a magic bullet and it won't stop someone's poorly coded site being hacked; likewise it won't stop someone from infecting other sites on the same box, and likewise it won't stop your box being pwn'd if you use root / password as your login.
iptables with limiting on a specific port is much better imo (example: one of my favourite rules):
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name DEFAULT --rsource -j DROP
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
Change the port to whatever your port is, although this is still susceptible to DDoS brute forces, mind you (I mean multiple IPs trying to connect), but ssh keys would be the best.
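An added example, not part of the post above: a small Python model of how those three rules treat repeated NEW connections, assuming the documented behaviour of the `recent` match (`--set` always records the source; `--update` matches, and refreshes the entry, when at least `--hitcount` hits fall within `--seconds`). The addresses, timestamps and the 20-entry history size are constructed or assumed for the illustration.

```python
from collections import defaultdict

SECONDS = 60     # --seconds 60
HITCOUNT = 3     # --hitcount 3
MAX_STAMPS = 20  # assumed per-address history size (module default)


class RecentList:
    """Simplified model of one named 'recent' list, keyed by source address."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def _record(self, src, now):
        history = self.stamps[src]
        history.append(now)
        del history[:-MAX_STAMPS]  # keep only the newest MAX_STAMPS entries

    def new_connection(self, src, now):
        """Return 'ACCEPT' or 'DROP' for a NEW packet to the protected port."""
        # Rule 1: --set always records the source, then falls through.
        self._record(src, now)
        # Rule 2: --update matches when >= HITCOUNT hits lie inside the window.
        recent = [t for t in self.stamps[src] if now - t <= SECONDS]
        if len(recent) >= HITCOUNT:
            # A matching --update refreshes the entry, so retrying
            # while blocked keeps extending the block.
            self._record(src, now)
            return "DROP"
        # Rule 3: everything not dropped above is accepted.
        return "ACCEPT"


def replay(events):
    """Run (timestamp, source) pairs through the rules; return the verdicts."""
    rules = RecentList()
    return [rules.new_connection(src, t) for t, src in events]


# Constructed sample traffic (documentation address ranges).
A, B = "198.51.100.7", "203.0.113.9"
NOISY = [(0, A), (10, A), (20, A), (25, B), (50, A), (85, A), (150, A)]
QUIET = [(0, A), (10, A), (20, A), (85, A)]

if __name__ == "__main__":
    for name, events in (("noisy", NOISY), ("quiet", QUIET)):
        print(name, list(zip(events, replay(events))))
```

The third attempt inside the window is the one that gets dropped, and a source that keeps retrying stays blocked longer than one that goes quiet. Each source address is counted separately.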
I have never needed a firewall of any sort. Just configure your software correctly. I'd say that's the most important part. And installing security updates regularly or even automatically.
Just install csf and leave it alone? Regularly checking logs? Hmm, both give you some protection, but let me give you an example: the GHOST glibc vulnerability was quite popular some months ago, what is csf going to do with that?
In short -- not very secure.
You need to look out for software and script vulnerabilities too. Both server software and end user scripts like WordPress (we all know malicious things happen with an out of date WP install).
If you're not sure about security and your site gets thousands of hits a day, I'd recommend going for a managed provider.
tl;dr: Not secure -- go grab a hardware/managed firewall.
If your "fully managed" provider cannot provide the expertise expected, have you considered looking to different providers?
I have never been hacked or attacked so I just use "password" for root.
Maybe you don't know that unused ports are closed anyway, firewall or not. If you are so dumb as to configure a local service to bind to anything other than localhost, a firewall won't save you.
@4n0nx what about when a hacker gets inside by some vulnerability and decides to open a back door on another port that would normally be closed? Still don't need a firewall? Even the simplest one?
I'm not even talking about L7 stuff and DPI...
For what? The attacker already has access to it. Besides, if I am not mistaken, most of the users that run services have no command line access/very restricted rights. Right?
Depends. No solution fits all.
Find a provider that isn't going to just set up a cPanel server and install CSF...
Not totally true, I can have a service listening on a port on the routable IP, but if the firewall is dropping all traffic to that port you still won't be able to get to it.
Particularly if the firewall is a different piece of kit to the server.
I think this is a very good point.
Often, people are focused on blocking incoming traffic -- there's a million tutorials out there about how to do it. But there's less said about blocking outgoing traffic, presumably because you "know" what's running on your server and what outgoing connections it makes and needs. And that may just not be true.