Make sure you use Public Key authentication and disable system
password authentication. A lot of the SSH attacks are done by botnets.
This means blocking an IP after three unsuccessful login attempts does
absolutely nothing to actually help security.
Most of my available services are done via SSH port-forwarding. I get
to them, but random folks can not. Then again, the services I run on
my non-work servers are not for general consumption. When you can lock
it up with SSH port-forwarding, this is by far the best approach.
When you can use HTTPS (or another SSL-wrapped service) consider using
this instead of an unencrypted service. If it is an authenticated
service you're sending your password in clear-text if it isn't over
SSL -- and that is the case regardless of the protocol. Consider SSL
client certificates if your HTTP-based service has a limited audience.
Cheers,
Steven Black
On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
> There are countless ways to try to break into a server. But in my
> experience, the only one I've ever seen actually used - and I've seen
> it a LOT of times - was people exploiting known security problems on
> installed software. In other words, the server maintainers were
> guilty of what Jonathan confesses to below: not applying security
> updates. I should also confess that I have made this mistake before
> and paid the same price.
>
> It's definitely overstatement to say "just keep your system software
> up to date and you'll never get hacked." So, I won't say that.
> However, I think I can stand by this: "if you have a publicly
> accessible server that is running out-of-date software on a publicly
> accessible port, you WILL get hacked". All of the best password
> selections and firewall policies and such will do you no good if
> you're running a version of apache with a security hole in it. Or
> something like that.
>
> Next best advice: do not open any ports that you aren't intentionally
> offering services on. Many many people will want to run SSH and HTTP
> and nothing else. Some maybe just HTTP. Use a port scanner like nmap
> to see which ports are available on your machine. The theory is
> simple: it's fewer software programs that might be entry points to
> your system if security holes are discovered in them.
>
> But, once again, I'll just say: keep your software up to date. Ubuntu
> makes this really easy. Lots of other distros do too. So, do it.
>
> David
>
>
>
> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>I run a server out of my house too, and have been doing so for about
>>10 years. Actually, these days it's run out of my parents' house,
>>ever since I was out of the country for a year and needed it to stay
>>up; before that I ran it out of my own apartments and dorm rooms (with
>>the exception of one year--see below).
>>
>>The server hosts a handful of sites for various people, mostly for
>>myself (firespeaker.org , jnw.name) and my father
>>(salonaexploration.com , northeasterngeoscience.org).
>>
>>I'm also curious about the questions Ben asks, though I suppose I can
>>add some of my own experience to the conversation.
>>
>>In about 2005, when my server was hosted for a little over a year out
>>of Brandeis University's LUG (also BLUG :)'s server room, it got
>>rooted. This was partly my own fault for not running debian security
>>updates very often and allowing root ssh (which reminds me that I need
>>to check that again). This is the only real problem I've had, besides
>>thunderstorms and wind taking the server down at my parents' house
>>from time to time. While Comcast doesn't seem to be providing a
>>static IP address service, the IP address does not seem to have
>>changed at all in the last four years (since I started hosting it at
>>my parents' house).
>>
>>--
>>Jonathan
>>
>>On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>> I've been running a server on my home machine for some time now and
>>> was just curious how many others out there do the same? And I'm also
>>> wondering about security of my home machine. I'm running AjaxXplorer
>>> on this machine to serve up some photos/videos from my home computer,
>>> and, while it does us https, I wonder sometimes about how wise it in
>>> terms of a security risk. I also use Dyndns so I don't have to worry
>>> about my changing IP and wonder if having a domain redirect from a
>>> dyndns hostname makes me more of a target? I like to imagine that
>>> spyware and viruses on my windows machine are a much bigger threat
>>> than someone trying to hack into my little ubuntu server machine, but
>>> I thought I'd ask anyone out there if they have any opinions?
>>>
>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>> and any little home servers you may be running!
>>>
>>> Ben
>>> _______________________________________________
>>> BLUG mailing list
>>> BLUG@linuxfan.com
>>> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>>>
>>
>>_______________________________________________
>>BLUG mailing list
>>BLUG@linuxfan.com
>>http://mailman.cs.indiana.edu/mailman/listinfo/blug
> _______________________________________________
> BLUG mailing list
> BLUG@linuxfan.com
> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>
_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
No comments:
Post a Comment