Wednesday, July 20, 2011

[BLUG] Blug administration question.

Crud. I forgot to edit my standard signature work which has phone numbers. Any way to back edit a post? It's been sent to the user list. I can handle that, but being kept forever on the internet at large is a little unsettling.

Jeffery Williams
Software Engineer
ISAT Hall
jefjewil@indiana.edu

-----Original Message-----
From: blug-bounces@cs.indiana.edu [mailto:blug-bounces@cs.indiana.edu] On Behalf Of Williams, Jeffery Allen
Sent: Wednesday, July 20, 2011 4:52 PM
To: Bloomington LINUX Users Group
Subject: Re: [BLUG] How many of you run home servers?

A while back (3 or more years) there was a discussion about ssh brute force attacks. (I think Mark sent something related to SUSO getting hammered.) Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables. I have other lines that limit service connections to a few per second from any source (ntp for instance). I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.

I also have notes in my firewall script about portsentry. But I don't know if that's still a thing.

Finally, my router is a piece of crap. If too many connection attempts happen at once it just locks up until it's power cycled. This further prevents brute force attacks (but is more than a little annoying).

Jeffery Williams
Software Engineer
ISAT Hall
jefjewil@indiana.edu
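An added example (not code from the thread or from any of the posters) of the per-source-IP SSH rate limit Jeffery describes, done with the iptables hashlimit match, next to a check that sshd is set to key-only authentication with root login disabled, the points Steven and Jonathan raise further down the thread. It assumes iptables with conntrack and hashlimit support; the DRY_RUN switch, the SSH_LIMIT chain name and the sample sshd_config are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: new SSH connections per source IP are
# limited with hashlimit (4/minute accepted, then a few REJECTs, then silent
# DROP until the source quiets down), plus a check that sshd only allows
# public-key logins and no root login. DRY_RUN=1 prints the rules instead of
# loading them, so the script can be run unprivileged.
IPT=${IPT:-iptables}

# Run an iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# New SSH connections per source IP: the first 4 per minute are accepted,
# the next 2 per minute get a TCP reset (a fast, visible failure for a real
# user who mistyped), and everything beyond that is dropped until the
# source stays quiet long enough for its hashlimit bucket to refill.
ssh_rate_limit_rules() {
    ipt -N SSH_LIMIT
    ipt -A SSH_LIMIT -m hashlimit --hashlimit-name ssh_ok --hashlimit-mode srcip \
        --hashlimit-upto 4/minute --hashlimit-burst 4 -j ACCEPT
    ipt -A SSH_LIMIT -m hashlimit --hashlimit-name ssh_rej --hashlimit-mode srcip \
        --hashlimit-upto 2/minute --hashlimit-burst 2 -j REJECT --reject-with tcp-reset
    ipt -A SSH_LIMIT -j DROP
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_LIMIT
}

# First value of a keyword in an sshd_config file (sshd uses the first
# occurrence of a keyword and matches keyword names case-insensitively).
sshd_val() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Succeed only if password and root logins are off and public-key auth is
# not disabled: a per-IP limit does nothing against a botnet that spreads
# its guesses over many source addresses; key-only authentication does.
check_sshd_auth() {
    [ "$(sshd_val "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_val "$1" PermitRootLogin)" = no ] &&
    [ "$(sshd_val "$1" PubkeyAuthentication)" != no ]
}

# Constructed sample sshd_config (not from any real host) for a local run.
sample_sshd_config() {
    f=$(mktemp) && printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication no\n' > "$f" && echo "$f"
}

if [ "${1:-}" = demo ]; then
    DRY_RUN=1; ssh_rate_limit_rules
    check_sshd_auth "$(sample_sshd_config)" && echo "sshd auth settings: ok"
fi
```

Run it as `DRY_RUN=1 sh ssh-limit.sh demo` to preview the rules; with a real iptables the `-N SSH_LIMIT` line fails if the chain already exists, so flush or delete it first.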

-----Original Message-----
From: blug-bounces@cs.indiana.edu [mailto:blug-bounces@cs.indiana.edu] On Behalf Of Jim McKean
Sent: Wednesday, July 20, 2011 3:32 PM
To: blug@cs.indiana.edu
Subject: Re: [BLUG] How many of you run home servers?

This is a great thread! I am learning a lot. Thanks everyone.

On 07/20/2011 12:22 PM, Steven Black wrote:
> I wanted to note:
>
> Make sure you use Public Key authentication and disable system
> password authentication. A lot of the SSH attacks are done by botnets.
> This means blocking an IP after three unsuccessful login attempts does
> absolutely nothing to actually help security.
>
> Most of my available services are done via SSH port-forwarding. I get
> to them, but random folks can not. Then again, the services I run on
> my non-work servers are not for general consumption. When you can lock
> it up with SSH port-forwarding, this is by far the best approach.
>
> When you can use HTTPS (or another SSL-wrapped service) consider using
> this instead of an unencrypted service. If it is an authenticated
> service you're sending your password in clear-text if it isn't over
> SSL -- and that is the case regardless of the protocol. Consider SSL
> client certificates if your HTTP-based service has a limited audience.
>
> Cheers,
> Steven Black
>
> On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
>> There are countless ways to try to break into a server. But in my
>> experience, the only one I've ever seen actually used - and I've seen
>> it a LOT of times - was people exploiting known security problems on
>> installed software. In other words, the server maintainers were
>> guilty of what Jonathan confesses to below: not applying security
>> updates. I should also confess that I have made this mistake before
>> and paid the same price.
>>
>> It's definitely overstatement to say "just keep your system software
>> up to date and you'll never get hacked." So, I won't say that.
>> However, I think I can stand by this: "if you have a publicly
>> accessible server that is running out-of-date software on a publicly
>> accessible port, you WILL get hacked". All of the best password
>> selections and firewall policies and such will do you no good if
>> you're running a version of apache with a security hole in it. Or
>> something like that.
>>
>> Next best advice: do not open any ports that you aren't intentionally
>> offering services on. Many many people will want to run SSH and HTTP
>> and nothing else. Some maybe just HTTP. Use a port scanner like nmap
>> to see which ports are available on your machine. The theory is
>> simple: it's fewer software programs that might be entry points to
>> your system if security holes are discovered in them.
>>
>> But, once again, I'll just say: keep your software up to date. Ubuntu
>> makes this really easy. Lots of other distros do too. So, do it.
>>
>> David
>>
>>
>>
>> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>> I run a server out of my house too, and have been doing so for about
>>> 10 years. Actually, these days it's run out of my parents' house,
>>> ever since I was out of the country for a year and needed it to stay
>>> up; before that I ran it out of my own apartments and dorm rooms (with
>>> the exception of one year--see below).
>>>
>>> The server hosts a handful of sites for various people, mostly for
>>> myself (firespeaker.org, jnw.name) and my father
>>> (salonaexploration.com, northeasterngeoscience.org).
>>>
>>> I'm also curious about the questions Ben asks, though I suppose I can
>>> add some of my own experience to the conversation.
>>>
>>> In about 2005, when my server was hosted for a little over a year out
>>> of Brandeis University's LUG (also BLUG :)'s server room, it got
>>> rooted. This was partly my own fault for not running debian security
>>> updates very often and allowing root ssh (which reminds me that I need
>>> to check that again). This is the only real problem I've had, besides
>>> thunderstorms and wind taking the server down at my parents' house
>>> from time to time. While Comcast doesn't seem to be providing a
>>> static IP address service, the IP address does not seem to have
>>> changed at all in the last four years (since I started hosting it at
>>> my parents' house).
>>>
>>> --
>>> Jonathan
>>>
>>> On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>>> I've been running a server on my home machine for some time now and
>>>> was just curious how many others out there do the same? And I'm also
>>>> wondering about security of my home machine. I'm running AjaxXplorer
>>>> on this machine to serve up some photos/videos from my home computer,
>>>> and, while it does use https, I wonder sometimes about how wise it is in
>>>> terms of a security risk. I also use Dyndns so I don't have to worry
>>>> about my changing IP and wonder if having a domain redirect from a
>>>> dyndns hostname makes me more of a target? I like to imagine that
>>>> spyware and viruses on my windows machine are a much bigger threat
>>>> than someone trying to hack into my little ubuntu server machine, but
>>>> I thought I'd ask anyone out there if they have any opinions?
>>>>
>>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>>> and any little home servers you may be running!
>>>>
>>>> Ben
>>>> _______________________________________________
>>>> BLUG mailing list
>>>> BLUG@linuxfan.com
>>>> http://mailman.cs.indiana.edu/mailman/listinfo/blug