Wednesday, July 20, 2011

Re: [BLUG] How many of you run home servers?

On 20 July 2011 16:51, Williams, Jeffery Allen <jefjewil@indiana.edu> wrote:
> A while back (3 or more years) there was a discussion about ssh brute force attacks.  (I think Mark sent something related to SUSO getting hammered.)  Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables.  I have other lines that limit service connections to a few per second from any source (ntp for instance).  I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.

Do you have examples of each of those restrictions you added to your
iptables? I would definitely be interested in seeing them, and I
suspect others paying attention to this thread might as well.
Otherwise, a link to an appropriate tutorial might also be nice.

--
Jonathan
http://jnw.name/

> I also have notes in my firewall script about portsentry.  But I don't know if that's still a thing.
>
> Finally, my router is a piece of crap.  If too many connection attempts happen at once it just locks up until it's power cycled.  This further prevents brute force attacks (but is more than a little annoying).
>
> Jeffery Williams
> Software Engineer
> ISAT Hall
> jefjewil@indiana.edu
> Work (812) 856-1165
> Home (812) 219-5061
>
>
> -----Original Message-----
> From: blug-bounces@cs.indiana.edu [mailto:blug-bounces@cs.indiana.edu] On Behalf Of Jim McKean
> Sent: Wednesday, July 20, 2011 3:32 PM
> To: blug@cs.indiana.edu
> Subject: Re: [BLUG] How many of you run home servers?
>
> This is a great thread!  I am learning a lot.  Thanks everyone.
>
> On 07/20/2011 12:22 PM, Steven Black wrote:
>> I wanted to note:
>>
>> Make sure you use Public Key authentication and disable system
>> password authentication. A lot of the SSH attacks are done by botnets.
>> This means blocking an IP after three unsuccessful login attempts does
>> absolutely nothing to actually help security.
>>
>> Most of my available services are done via SSH port-forwarding. I get
>> to them, but random folks can not. Then again, the services I run on
>> my non-work servers are not for general consumption. When you can lock
>> it up with SSH port-forwarding, this is by far the best approach.
>>
>> When you can use HTTPS (or another SSL-wrapped service) consider using
>> this instead of an unencrypted service. If it is an authenticated
>> service you're sending your password in clear-text if it isn't over
>> SSL -- and that is the case regardless of the protocol. Consider SSL
>> client certificates if your HTTP-based service has a limited audience.
>>
>> Cheers,
>> Steven Black
>>
>> On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
>>> There are countless ways to try to break into a server.  But in my
>>> experience, the only one I've ever seen actually used - and I've seen
>>> it a LOT of times - was people exploiting known security problems on
>>> installed software.  In other words, the server maintainers were
>>> guilty of what Jonathan confesses to below: not applying security
>>> updates.  I should also confess that I have made this mistake before
>>> and paid the same price.
>>>
>>> It's definitely overstatement to say "just keep your system software
>>> up to date and you'll never get hacked."  So, I won't say that.
>>> However, I think I can stand by this: "if you have a publicly
>>> accessible server that is running out-of-date software on a publicly
>>> accessible port, you WILL get hacked".  All of the best password
>>> selections and firewall policies and such will do you no good if
>>> you're running a version of apache with a security hole in it.  Or
>>> something like that.
>>>
>>> Next best advice: do not open any ports that you aren't intentionally
>>> offering services on.  Many many people will want to run SSH and HTTP
>>> and nothing else.  Some maybe just HTTP.  Use a port scanner like nmap
>>> to see which ports are available on your machine.  The theory is
>>> simple: it's fewer software programs that might be entry points to
>>> your system if security holes are discovered in them.
>>>
>>> But, once again, I'll just say: keep your software up to date.  Ubuntu
>>> makes this really easy.  Lots of other distros do too.  So, do it.
>>>
>>> David
>>>
>>>
>>>
>>> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>>> I run a server out of my house too, and have been doing so for about
>>>> 10 years.  Actually, these days it's run out of my parents' house,
>>>> ever since I was out of the country for a year and needed it to stay
>>>> up; before that I ran it out of my own apartments and dorm rooms (with
>>>> the exception of one year--see below).
>>>>
>>>> The server hosts a handful of sites for various people, mostly for
>>>> myself (firespeaker.org , jnw.name) and my father
>>>> (salonaexploration.com , northeasterngeoscience.org).
>>>>
>>>> I'm also curious about the questions Ben asks, though I suppose I can
>>>> add some of my own experience to the conversation.
>>>>
>>>> In about 2005, when my server was hosted for a little over a year out
>>>> of Brandeis University's LUG (also BLUG :)'s server room, it got
>>>> rooted.  This was partly my own fault for not running debian security
>>>> updates very often and allowing root ssh (which reminds me that I need
>>>> to check that again).  This is the only real problem I've had, besides
>>>> thunderstorms and wind taking the server down at my parents' house
>>>> from time to time.  While Comcast doesn't seem to be providing a
>>>> static IP address service, the IP address does not seem to have
>>>> changed at all in the last four years (since I started hosting it at
>>>> my parents' house).
>>>>
>>>> --
>>>> Jonathan
>>>>
>>>> On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>>>> I've been running a server on my home machine for some time now and
>>>>> was just curious how many others out there do the same?  And I'm also
>>>>> wondering about security of my home machine.  I'm running AjaxXplorer
>>>>> on this machine to serve up some photos/videos from my home computer,
>>>>> and, while it does use https, I wonder sometimes about how wise it is in
>>>>> terms of a security risk.  I also use Dyndns so I don't have to worry
>>>>> about my changing IP and wonder if having a domain redirect from a
>>>>> dyndns hostname makes me more of a target?  I like to imagine that
>>>>> spyware and viruses on my windows machine are a much bigger threat
>>>>> than someone trying to hack into my little ubuntu server machine, but
>>>>> I thought I'd ask anyone out there if they have any opinions?
>>>>>
>>>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>>>> and any little home servers you may be running!
>>>>>
>>>>> Ben

_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
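Since Jonathan asks for the actual rules, here is an added example of the three kinds of limit Jeffery describes (this is not code from the thread or from Jeffery's firewall script). It assumes IPv4 iptables with the hashlimit, limit, recent and conntrack match modules, an earlier rule that already accepts ESTABLISHED/RELATED traffic, and the port numbers and rates shown are placeholders; the port used for the reject-then-drop rule (23) is an assumption, since the thread does not say which ports that applies to. Set IPT=echo to print the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not code from the thread. Three iptables rate limits of the
# kind Jeffery describes. IPv4 only; assumes the hashlimit, limit, recent and
# conntrack match modules are available and that ESTABLISHED/RELATED traffic
# is accepted by an earlier rule. Set IPT=echo to print the rules instead of
# installing them (no root needed).
IPT="${IPT:-iptables}"

# 1. Per-source limit on new SSH connections: each source IP gets a bucket of
#    4 that refills at 4/minute; attempts beyond that are dropped. The table
#    entry for a quiet source expires after 60 s (htable-expire is in ms).
ssh_per_source_limit() {
    port="${1:-22}"
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name "ssh$port" --hashlimit-mode srcip \
        --hashlimit-upto 4/minute --hashlimit-burst 4 \
        --hashlimit-htable-expire 60000 -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j DROP
}

# 2. Global ceiling for a UDP service such as NTP: the plain limit match is
#    one token bucket shared by all sources, so it caps the total packet rate
#    rather than the per-client rate. Defaults (5/s, burst 10) are assumptions.
udp_global_limit() {
    port="${1:-123}"; rate="${2:-5/second}"; burst="${3:-10}"
    $IPT -A INPUT -p udp --dport "$port" -m limit --limit "$rate" \
        --limit-burst "$burst" -j ACCEPT
    $IPT -A INPUT -p udp --dport "$port" -j DROP
}

# 3. Reject the first few attempts, then drop. The recent match keeps a
#    per-source hit list: a source with 4 or more hits in the last 60 s is
#    dropped silently, and --update refreshes its timestamp on every further
#    packet, so it stays dropped until it stops probing. Below that threshold
#    the attempt is recorded (--set) and answered with a TCP reset.
reject_then_drop() {
    port="$1"
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name "probe$port" --update --seconds 60 --hitcount 4 -j DROP
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name "probe$port" --set -j REJECT --reject-with tcp-reset
}

# Install all three when run as:  sh ratelimit.sh apply   (or IPT=echo ... apply)
# Port 23 for rule 3 is a placeholder: use it on a port you do not offer a
# service on, not on SSH itself.
if [ "${1:-}" = "apply" ]; then
    ssh_per_source_limit 22
    udp_global_limit 123
    reject_then_drop 23
fi
```

Run it once with IPT=echo and read the output before applying for real, and remember that these rules only cover IPv4 (ip6tables needs its own copies). Steven's caveat from later in the thread applies: a per-source limit cuts down log noise and slows a single scanner, but a botnet that spreads its guesses over many addresses never trips it, so it is no substitute for key-only authentication.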
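Steven's advice (public keys only, password authentication off) and Jonathan's note about having allowed root SSH both come down to a few sshd_config directives, and the one thing people get wrong is that sshd takes the FIRST value it reads for a keyword, not the last. Here is an added example, not from the thread, that rewrites an sshd_config accordingly and checks the result. It assumes an OpenSSH sshd_config written as "Keyword value" lines (the "Keyword=value" form is not handled) and that you run it as root against /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the thread: make sshd accept keys only (the
# setting Steven recommends) and refuse root logins. Assumes an OpenSSH
# sshd_config using "Keyword value" lines. Run as:
#     sh sshd_keys_only.sh apply /etc/ssh/sshd_config
# then "sshd -t", and restart sshd while keeping an existing session open.

# sshd uses the FIRST value it reads for each keyword. Lines inside a Match
# block apply only to matching connections, so stop reading there.
# Assumption: whitespace-separated "Keyword value" lines, not "Keyword=value".
sshd_config_first() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Because the first value wins, appending "PasswordAuthentication no" to a file
# that already says "yes" higher up changes nothing. So: remove every existing
# line for the keywords we manage (including inside Match blocks, which is a
# deliberate simplification) and put our values at the very top, ahead of any
# Include line.
harden_sshd_config() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    {
        printf '%s\n' \
            'PasswordAuthentication no' \
            'ChallengeResponseAuthentication no' \
            'PubkeyAuthentication yes' \
            'PermitRootLogin no'
        grep -v -i -E \
            '^[[:space:]]*(PasswordAuthentication|ChallengeResponseAuthentication|PubkeyAuthentication|PermitRootLogin)([[:space:]]|=)' \
            "$cfg" || :
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Returns 0 only if the effective (first-wins) settings are the hardened ones.
sshd_config_is_hardened() {
    [ "$(sshd_config_first "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_config_first "$1" ChallengeResponseAuthentication)" = "no" ] &&
    [ "$(sshd_config_first "$1" PubkeyAuthentication)" = "yes" ] &&
    [ "$(sshd_config_first "$1" PermitRootLogin)" = "no" ]
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    harden_sshd_config "$2" && sshd_config_is_hardened "$2" && echo "hardened: $2"
fi
```

Before restarting sshd, make sure your own public key is already in ~/.ssh/authorized_keys and keep one session open until a fresh key-based login works, because once password authentication is off there is no other way in. On newer OpenSSH releases "sshd -T" prints the effective configuration and is the authoritative check; ChallengeResponseAuthentication is accepted there as an alias of the newer KbdInteractiveAuthentication keyword.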
