Wednesday, July 20, 2011

Re: [BLUG] How many of you run home servers?

Thomas,

If you're not religious about locking your screen, you're asking to be
compromised in any event. There is nothing more potent than console
access when it comes to providing an easy route to break in to a
system.

For instance: If you're not religious about locking your screen, are
you religious about logging out of all root shells you may use before
you walk away? I find I need to slip away while mid-process once in a
while. If I wasn't religious about locking my screen someone could walk
up to my system, create a nefarious account, and clear the screen
before they walk away and I would be unlikely to notice.

If you're not religious about locking your screen, you need an
automatic screen saver that locks your screen, and you need that
screen saver configured to go off after no more than about 2 minutes
of inactivity. I have used such configurations in the past. These days
I do that *and* I'm religious about locking my screen.

If you normally use GNU Screen while you're su'ing on a remote
machine, you should at least configure the internal GNU Screen
screensaver with locking. It is simple to configure and it can prevent
someone from walking up and gaining access to a remote root shell.
Configured to "rain" or something it can be a handy visual reminder
"finish the task here and log out!"

Also a note, any reasonable key agent can be configured to forget the
passphrase after a particular period of time (even immediately). Using
a short passphrase and a key agent that forgets the passphrase
immediately with public key authentication is still better than being
botnet attacked for months on end. (With public key authentication
your site gets dropped from the attack list of the botnets -- they'll
know they can never succeed. Otherwise they keep consuming your
precious upstream bandwidth with requests.)

Personally, if I have a server, I want to preserve my upstream
bandwidth. These days it tends to be crazily lopsided from the
downstream bandwidth. It also removes any possibility of an attack
showing up in logs which frees a lot of mental resources for me.
(While on personal machines typically only 3 folks will have SSH
access, I've administered systems where they guessed account names of
users that can log in -- rarely but it has happened to me. In no case
did they actually catch a password/passphrase, but knowing the
username is enough of a scare.)

Cheers,
Steven Black

On Wed, Jul 20, 2011 at 10:32 PM, Thomas C. Knoeller <tck@pretend.net> wrote:
> On Wed, Jul 20, 2011 at 12:22 PM, Steven Black <yam655@gmail.com> wrote:
>>
>> Make sure you use Public Key authentication and disable system
>> password authentication. A lot of the SSH attacks are done by botnets.
>> [...]
>
> Disagree here.  I am more worried about coworkers than script kiddies.
>  My coworkers know that I have ssh-agent running all the time, and
> they know the vanity domain of my home server.  It would take a
> coworker less time to hack me than it takes for me to walk to the
> kitchen and back.  Since I am not religious about locking the screen
> each time I walk away from the laptop, and because of the nature of
> the kids I (used to) work with, I would never use public key on a
> public facing interface.
>
> But I should mention that I also got really sick of the script kiddie
> login attempts, so I did my own homegrown solution.  Since I have a
> publicly accessible web server running on the gateway host, I created
> a small ssl'd cgi script that, when invoked, adds the connecting ip
> address to the /etc/hosts.allow file for the sshd service.  Since it
> is ssl'd, the web server password auth is not seen cleartext on the
> wire.  And since it is just opening up the ssh port, I don't worry
> about having a strong auth password.  It's worked pretty well for me
> for several years now.
>
> That said, I do enable PKI access when inside my firewall, so I have
> mostly a false sense of security.  With easily installable keyloggers
> and with wifi access to the gooey center of my home network, there are
> still easily accessible vectors for someone determined to get in...
>
> -Tom
> _______________________________________________
> BLUG mailing list
> BLUG@linuxfan.com
> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>


Re: [BLUG] How many of you run home servers?

On Wed, Jul 20, 2011 at 1:36 PM, Jeremy L. Gaddis <jlgaddis@gnu.org> wrote:
>
> I also recently discovered an app that provides free two-factor
> authentication and wrote about it:
>
> http://tinyurl.com/69uqplc

+1 for the Duo Security product. Caveat, I used to work with one of
the developers. But he really is one of the brightest people I have
ever known. Anything he does has a very high trustworthiness level,
imho.

-Tom

Re: [BLUG] How many of you run home servers?

On Wed, Jul 20, 2011 at 12:22 PM, Steven Black <yam655@gmail.com> wrote:
>
> Make sure you use Public Key authentication and disable system
> password authentication. A lot of the SSH attacks are done by botnets.
> [...]

Disagree here. I am more worried about coworkers than script kiddies.
My coworkers know that I have ssh-agent running all the time, and
they know the vanity domain of my home server. It would take a
coworker less time to hack me than it takes for me to walk to the
kitchen and back. Since I am not religious about locking the screen
each time I walk away from the laptop, and because of the nature of
the kids I (used to) work with, I would never use public key on a
public facing interface.

But I should mention that I also got really sick of the script kiddie
login attempts, so I did my own homegrown solution. Since I have a
publicly accessible web server running on the gateway host, I created
a small ssl'd cgi script that, when invoked, adds the connecting ip
address to the /etc/hosts.allow file for the sshd service. Since it
is ssl'd, the web server password auth is not seen cleartext on the
wire. And since it is just opening up the ssh port, I don't worry
about having a strong auth password. It's worked pretty well for me
for several years now.

That said, I do enable PKI access when inside my firewall, so I have
mostly a false sense of security. With easily installable keyloggers
and with wifi access to the gooey center of my home network, there are
still easily accessible vectors for someone determined to get in...

-Tom

Re: [BLUG] How many of you run home servers?

Speaking of "knocking at the door"... for the person who wants access to their server from random locations... there are "port knocking" solutions where your SSH port (whatever the port number) is normally locked, but if you try to hit port A, B, and C (where A, B, and C are arbitrary closed ports) in quick succession the port opens -- but only for a brief period of time (and maybe only for that IP).

I forget the product, but there's (I think) a product to do this in the standard Debian/Ubuntu repos.

Personally, I have an SSH client (and a public key) on my cell phone. I must note that my primary requirement for a cell phone was a decent SSH client.

Cheers,
Steven Black
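
How such a knock sequence is evaluated, as an added example that is not part of the original post and is a model of the logic rather than a knock daemon: it replays constructed firewall-log records (`time source-ip port`) through a per-source state machine. The sequence 7000, 8000, 9000, the 5-second sequence timeout and the 30-second open period are made-up values.

```shell
#!/bin/sh
# Added example: model of port-knock evaluation. Input records are
# "epoch_seconds source_ip destination_port", one per line.

# Constructed sample (addresses from the RFC 5737 documentation ranges).
sample_knocks() {
cat <<'EOF'
100 192.0.2.10 7000
100 198.51.100.5 7000
101 192.0.2.10 8000
101 198.51.100.5 9000
102 192.0.2.10 9000
102 198.51.100.5 8000
200 203.0.113.9 7000
201 203.0.113.9 8000
230 203.0.113.9 9000
300 203.0.113.50 7000
301 203.0.113.50 7001
302 203.0.113.50 8000
303 203.0.113.50 9000
EOF
}

# knock_grants "P1 P2 P3" SEQ_TIMEOUT HOLD: print "ip open_from open_until"
# for every source that hits the ports in order within SEQ_TIMEOUT seconds
# of its first knock. Any other port in between resets that source.
knock_grants() {
    awk -v seq="$1" -v tmo="$2" -v hold="$3" '
    BEGIN { n = split(seq, want, " ") }
    {
        t = $1; ip = $2; port = $3
        s = step[ip] + 0
        if (s > 0 && t - start[ip] > tmo) s = 0     # sequence took too long
        if (port == want[s + 1]) {                  # next expected knock
            if (s == 0) start[ip] = t
            s++
        } else if (port == want[1]) {               # sequence restarted
            s = 1; start[ip] = t
        } else {
            s = 0                                   # wrong port: start over
        }
        if (s == n) { print ip, t, t + hold; s = 0 }
        step[ip] = s
    }'
}

# ssh_allowed IP TIME: grants on stdin; exit 0 only if IP holds a grant
# that covers TIME (the port is open for that address only, and briefly).
ssh_allowed() {
    awk -v ip="$1" -v t="$2" '
        $1 == ip && t >= $2 && t <= $3 { ok = 1 }
        END { exit !ok }'
}

# Run directly: only 192.0.2.10 completes the sequence in order and in time.
sample_knocks | knock_grants "7000 8000 9000" 5 30
```

In the sample, 198.51.100.5 knocks out of order, 203.0.113.9 is too slow, and 203.0.113.50 touches an extra port between knocks, so none of the three is granted access.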

On Jul 20, 2011 5:10 PM, "Jeremy L. Gaddis" <jlgaddis@gnu.org> wrote:
> David Ernst <david.ernst@davidernst.net> wrote:
>> I didn't realize that these brute force attempts were so common. Had
>> to go check and see if I was getting hit with such attempts. Indeed,
>> I am. About 1500 failed attempts in the last month. As Jeremy says,
>
> [...]
>
>> I supposed using a non-standard port would keep your log files
>> cleaner, but I don't know that it really makes you any more secure.
>
> More secure? Not necessarily but, for comparison, in the last 30 days I
> see exactly zero failed attempts against SSH on a box at home (with sshd
> running on a high port). Obviously it would only take one attempt if
> the attacker guessed the right username and password, but I certainly
> have a lot less people "knocking on the door".
>
> Somebody will chime in that running sshd on a high random port is
> "security by obscurity", but I don't agree with that.
>
> --
> Jeremy L. Gaddis
>

Re: [BLUG] How many of you run home servers?

David Ernst <david.ernst@davidernst.net> wrote:
> I didn't realize that these brute force attempts were so common. Had
> to go check and see if I was getting hit with such attempts. Indeed,
> I am. About 1500 failed attempts in the last month. As Jeremy says,

[...]

> I supposed using a non-standard port would keep your log files
> cleaner, but I don't know that it really makes you any more secure.

More secure? Not necessarily but, for comparison, in the last 30 days I
see exactly zero failed attempts against SSH on a box at home (with sshd
running on a high port). Obviously it would only take one attempt if
the attacker guessed the right username and password, but I certainly
have a lot less people "knocking on the door".

Somebody will chime in that running sshd on a high random port is
"security by obscurity", but I don't agree with that.

--
Jeremy L. Gaddis


Re: [BLUG] How many of you run home servers?

On 20 July 2011 16:51, Williams, Jeffery Allen <jefjewil@indiana.edu> wrote:
> A while back (3 or more years) there was a discussion about ssh brute force attacks.  (I think Mark sent something related to SUSO getting hammered.)  Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables.  I have other lines that limit service connections to a few per second from any source (ntp for instance).  I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.

Do you have examples of each of those restrictions you added to your
iptables? I would definitely be interested in seeing them, and I
suspect others paying attention to this thread might as well.
Otherwise, a link to an appropriate tutorial might also be nice.

--
Jonathan
http://jnw.name/

> I also have notes in my firewall script about portsentry.  But I don't know if that's still a thing.
>
> Finally, my router is a piece of crap.  If too many connection attempts happen at once it just locks up until it's power cycled.  This further prevents brute force attacks (but is more than a little annoying).
>
> Jeffery Williams
> Software Engineer
> ISAT Hall
> jefjewil@indiana.edu
> Work (812) 856-1165
> Home (812) 219-5061
>
>
> -----Original Message-----
> From: blug-bounces@cs.indiana.edu [mailto:blug-bounces@cs.indiana.edu] On Behalf Of Jim McKean
> Sent: Wednesday, July 20, 2011 3:32 PM
> To: blug@cs.indiana.edu
> Subject: Re: [BLUG] How many of you run home servers?
>
> This is a great thread!  I am learning a lot.  Thanks everyone.
>
> On 07/20/2011 12:22 PM, Steven Black wrote:
>> I wanted to note:
>>
>> Make sure you use Public Key authentication and disable system
>> password authentication. A lot of the SSH attacks are done by botnets.
>> This means blocking an IP after three unsuccessful login attempts does
>> absolutely nothing to actually help security.
>>
>> Most of my available services are done via SSH port-forwarding. I get
>> to them, but random folks can not. Then again, the services I run on
>> my non-work servers are not for general consumption. When you can lock
>> it up with SSH port-forwarding, this is by far the best approach.
>>
>> When you can use HTTPS (or another SSL-wrapped service) consider using
>> this instead of an unencrypted service. If it is an authenticated
>> service you're sending your password in clear-text if it isn't over
>> SSL -- and that is the case regardless of the protocol. Consider SSL
>> client certificates if your HTTP-based service has a limited audience.
>>
>> Cheers,
>> Steven Black
>>
>> On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
>>> There are countless ways to try to break into a server.  But in my
>>> experience, the only one I've ever seen actually used - and I've seen
>>> it a LOT of times - was people exploiting known security problems on
>>> installed software.  In other words, the server maintainers were
>>> guilty of what Jonathan confesses to below: not applying security
>>> updates.  I should also confess that I have made this mistake before
>>> and paid the same price.
>>>
>>> It's definitely overstatement to say "just keep your system software
>>> up to date and you'll never get hacked."  So, I won't say that.
>>> However, I think I can stand by this: "if you have a publicly
>>> accessible server that is running out-of-date software on a publicly
>>> accessible port, you WILL get hacked".  All of the best password
>>> selections and firewall policies and such will do you no good if
>>> you're running a version of apache with a security hole in it.  Or
>>> something like that.
>>>
>>> Next best advice: do not open any ports that you aren't intentionally
>>> offering services on.  Many many people will want to run SSH and HTTP
>>> and nothing else.  Some maybe just HTTP.  Use a port scanner like nmap
>>> to see which ports are available on your machine.  The theory is
>>> simple: it's fewer software programs that might be entry points to
>>> your system if security holes are discovered in them.
>>>
>>> But, once again, I'll just say: keep your software up to date.  Ubuntu
>>> makes this really easy.  Lots of other distros do too.  So, do it.
>>>
>>> David
>>>
>>>
>>>
>>> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>>> I run a server out of my house too, and have been doing so for about
>>>> 10 years.  Actually, these days it's run out of my parents' house,
>>>> ever since I was out of the country for a year and needed it to stay
>>>> up; before that I ran it out of my own apartments and dorm rooms (with
>>>> the exception of one year--see below).
>>>>
>>>> The server hosts a handful of sites for various people, mostly for
>>>> myself (firespeaker.org , jnw.name) and my father
>>>> (salonaexploration.com , northeasterngeoscience.org).
>>>>
>>>> I'm also curious about the questions Ben asks, though I suppose I can
>>>> add some of my own experience to the conversation.
>>>>
>>>> In about 2005, when my server was hosted for a little over a year out
>>>> of Brandeis University's LUG (also BLUG :)'s server room, it got
>>>> rooted.  This was partly my own fault for not running debian security
>>>> updates very often and allowing root ssh (which reminds me that I need
>>>> to check that again).  This is the only real problem I've had, besides
>>>> thunderstorms and wind taking the server down at my parents' house
>>>> from time to time.  While Comcast doesn't seem to be providing a
>>>> static IP address service, the IP address does not seem to have
>>>> changed at all in the last four years (since I started hosting it at
>>>> my parents' house).
>>>>
>>>> --
>>>> Jonathan
>>>>
>>>> On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>>>> I've been running a server on my home machine for some time now and
>>>>> was just curious how many others out there do the same?  And I'm also
>>>>> wondering about security of my home machine.  I'm running AjaxXplorer
>>>>> on this machine to serve up some photos/videos from my home computer,
>>>>> and, while it does use https, I wonder sometimes about how wise it is in
>>>>> terms of a security risk.  I also use Dyndns so I don't have to worry
>>>>> about my changing IP and wonder if having a domain redirect from a
>>>>> dyndns hostname makes me more of a target?  I like to imagine that
>>>>> spyware and viruses on my windows machine are a much bigger threat
>>>>> than someone trying to hack into my little ubuntu server machine, but
>>>>> I thought I'd ask anyone out there if they have any opinions?
>>>>>
>>>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>>>> and any little home servers you may be running!
>>>>>
>>>>> Ben

Re: [BLUG] How many of you run home servers?

On Wed, Jul 20, 2011 at 03:03:20PM -0400, Jeremy L. Gaddis wrote:
>Jonathan North Washington <jonwashi@indiana.edu> wrote:
>> However, I still want to be able to open up putty from a public
>> machine somewhere and ssh to my server. Is there any way to allow
>> myself to do this short of memorising my public key or carrying it
>> around with me on flash drive or something?
>
>Just change your /etc/ssh/sshd_config to run the daemon on some high
>random port and be sure you have a strong password and you'll be fine.
>
>The automated brute force attacks are looking for the "low hanging
>fruit" -- servers w/ the SSH daemon running on 22/TCP with weak user
>passwords.

I didn't realize that these brute force attempts were so common. Had
to go check and see if I was getting hit with such attempts. Indeed,
I am. About 1500 failed attempts in the last month. As Jeremy says,
they seem to be looking for low-hanging fruit: most of the failed
attempts are to log in as 'root', which is actually not possible on my
system. Many other popular usernames are being tried: "oracle",
"mysql", "www", etc. No one has attempted to log in as a username
that actually has a password or a shell configured. I only have
one account that is open for ssh logins, and no one has even tried
that username. At 1500 attempts per month, it would be a really long
time before they got the password correct even if they knew the
username.

I supposed using a non-standard port would keep your log files
cleaner, but I don't know that it really makes you any more secure.
However, realizing that these brute force attempts are so common, I
would definitely make sure that root cannot ssh in, and use a
non-obvious username and a strong password for any accounts that can
ssh in. Then, it seems like you should be fine.

David
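
The check David describes, as an added example that is not part of the original post: shell functions that tally failed sshd password logins by username and by source address, and count how many attempts were aimed at accounts that really can log in. The log lines are constructed samples in the usual OpenSSH `Failed password` syslog format, and the account name `alice` is made up.

```shell
#!/bin/sh
# Added example: summarize failed SSH password logins from sshd syslog lines.
# Typical use: failed_by_user < /var/log/auth.log

# Constructed sample (addresses from the RFC 5737 documentation ranges).
sample_log() {
cat <<'EOF'
Jul 20 03:11:02 home sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul 20 03:11:05 home sshd[4123]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jul 20 03:11:09 home sshd[4125]: Failed password for invalid user oracle from 203.0.113.7 port 51141 ssh2
Jul 20 04:40:10 home sshd[4410]: Failed password for invalid user mysql from 198.51.100.23 port 40022 ssh2
Jul 20 04:40:13 home sshd[4412]: Failed password for invalid user www from 198.51.100.23 port 40031 ssh2
Jul 20 04:40:17 home sshd[4414]: Failed password for root from 198.51.100.23 port 40040 ssh2
Jul 20 04:40:21 home sshd[4416]: Failed password for invalid user admin from 198.51.100.23 port 40052 ssh2
Jul 20 09:02:44 home sshd[5001]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2
EOF
}

# failed_by_user: log on stdin -> "count user kind", most-tried first.
# kind is "invalid" when sshd logged "invalid user" (no such account, or
# one it will not accept) and "known" otherwise.
failed_by_user() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i < NF; i++)
            if ($i == "Failed" && $(i + 1) == "password") break
        i += 3                          # first word after "Failed password for"
        if ($i == "invalid" && $(i + 1) == "user") {
            user = $(i + 2); kind = "invalid"
        } else {
            user = $i; kind = "known"
        }
        count[user " " kind]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2
}

# failed_by_source: log on stdin -> "count source_ip", busiest first.
# The line ends "... from IP port N ssh2", so the address is field NF-3.
failed_by_source() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / { n[$(NF - 3)]++ }
    END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# attempts_against USER...: log on stdin -> number of failed logins aimed
# at the named accounts, i.e. the guesses that had any chance of working.
attempts_against() {
    failed_by_user | awk -v allowed="$*" '
    BEGIN { m = split(allowed, a, " "); for (i = 1; i <= m; i++) ok[a[i]] = 1 }
    ($2 in ok) { total += $1 }
    END { print total + 0 }'
}

# Run directly: per-user tally for the constructed sample.
sample_log | failed_by_user
```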

[BLUG] Blug administration question.

Crud. I forgot to edit my standard signature work which has phone numbers. Any way to back edit a post? It's been sent to the user list. I can handle that, but being kept forever on the internet at large is a little unsettling.

Jeffery Williams
Software Engineer
ISAT Hall
jefjewil@indiana.edu

-----Original Message-----
From: blug-bounces@cs.indiana.edu [mailto:blug-bounces@cs.indiana.edu] On Behalf Of Williams, Jeffery Allen
Sent: Wednesday, July 20, 2011 4:52 PM
To: Bloomington LINUX Users Group
Subject: Re: [BLUG] How many of you run home servers?

A while back (3 or more years) there was a discussion about ssh brute force attacks. (I think Mark sent something related to SUSO getting hammered.) Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables. I have other lines that limit service connections to a few per second from any source (ntp for instance). I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.

I also have notes in my firewall script about portsentry. But I don't know if that's still a thing.

Finally, my router is a piece of crap. If too many connection attempts happen at once it just locks up until it's power cycled. This further prevents brute force attacks (but is more than a little annoying).

Jeffery Williams
Software Engineer
ISAT Hall
jefjewil@indiana.edu


Re: [BLUG] How many of you run home servers?

A while back (3 or more years) there was a discussion about ssh brute force attacks. (I think Mark sent something related to SUSO getting hammered.) Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables. I have other lines that limit service connections to a few per second from any source (ntp for instance). I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.

I also have notes in my firewall script about portsentry. But I don't know if that's still a thing.

Finally, my router is a piece of crap. If too many connection attempts happen at once it just locks up until it's power cycled. This further prevents brute force attacks (but is more than a little annoying).

Jeffery Williams
Software Engineer
ISAT Hall
jefjewil@indiana.edu
Work (812) 856-1165
Home (812) 219-5061
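
A sketch of the three limits described above, added here as an example and not taken from Jeffery's firewall script: a shell function that prints an `iptables-restore` ruleset, and a helper that lists the order in which new SSH connections are matched. Only the 4-per-minute per-source figure is from the post; the other rates, the hashlimit table names and the default-deny policy are assumptions.

```shell
#!/bin/sh
# Added example: an iptables-restore ruleset with the three kinds of limit
# described in the post. Only "4 per minute per source IP" comes from the
# post; every other number, table name and the default-deny policy is assumed.

# emit_ruleset [ssh_port]: print the ruleset; nothing is loaded.
emit_ruleset() {
    port=${1:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Packets of already accepted connections skip the limits below.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 1. hashlimit keeps one bucket per source address: 4 new SSH connections
#    per minute each; idle buckets are forgotten after 120 s.
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh_accept --hashlimit-mode srcip --hashlimit-upto 4/minute --hashlimit-burst 4 --hashlimit-htable-expire 120000 -j ACCEPT
# 2. The first few attempts over that limit are refused with a TCP reset,
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh_reject --hashlimit-mode srcip --hashlimit-upto 3/minute --hashlimit-burst 3 --hashlimit-htable-expire 120000 -j REJECT --reject-with tcp-reset
#    and anything beyond that is dropped until the source goes quiet.
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j DROP
# 3. Plain limit match: one shared bucket for all sources, here for NTP.
-A INPUT -p udp --dport 123 -m conntrack --ctstate NEW -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p udp --dport 123 -j DROP
COMMIT
EOF
}

# ssh_targets [ssh_port]: targets of the rules a new SSH connection is
# tested against, in evaluation order. First match wins, so the order
# ACCEPT, REJECT, DROP is what makes the tiers work.
ssh_targets() {
    emit_ruleset "${1:-22}" | awk -v want=" --dport ${1:-22} " '
        $1 == "-A" && index($0, " -p tcp ") && index($0, want) {
            for (i = 1; i < NF; i++)
                if ($i == "-j") out = out (out == "" ? "" : " ") $(i + 1)
        }
        END { print out }'
}

# load_ruleset [ssh_port]: syntax-check with --test, then load. Needs root,
# and replaces the whole filter table, so add rules for other services first.
load_ruleset() {
    emit_ruleset "$1" | iptables-restore --test &&
    emit_ruleset "$1" | iptables-restore
}

# Run directly: show the ruleset without touching the firewall.
emit_ruleset
```

Because established connections are accepted before the limits, the buckets only count new connection attempts; an open SSH session is never throttled.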


-----Original Message-----
From: blug-bounces@cs.indiana.edu [mailto:blug-bounces@cs.indiana.edu] On Behalf Of Jim McKean
Sent: Wednesday, July 20, 2011 3:32 PM
To: blug@cs.indiana.edu
Subject: Re: [BLUG] How many of you run home servers?

This is a great thread! I am learning a lot. Thanks everyone.

On 07/20/2011 12:22 PM, Steven Black wrote:
> I wanted to note:
>
> Make sure you use Public Key authentication and disable system
> password authentication. A lot of the SSH attacks are done by botnets.
> This means blocking an IP after three unsuccessful login attempts does
> absolutely nothing to actually help security.
>
> Most of my available services are done via SSH port-forwarding. I get
> to them, but random folks can not. Then again, the services I run on
> my non-work servers are not for general consumption. When you can lock
> it up with SSH port-forwarding, this is by far the best approach.
>
> When you can use HTTPS (or another SSL-wrapped service) consider using
> this instead of an unencrypted service. If it is an authenticated
> service you're sending your password in clear-text if it isn't over
> SSL -- and that is the case regardless of the protocol. Consider SSL
> client certificates if your HTTP-based service has a limited audience.
>
> Cheers,
> Steven Black
>
> On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
>> There are countless ways to try to break into a server. But in my
>> experience, the only one I've ever seen actually used - and I've seen
>> it a LOT of times - was people exploiting known security problems on
>> installed software. In other words, the server maintainers were
>> guilty of what Jonathan confesses to below: not applying security
>> updates. I should also confess that I have made this mistake before
>> and paid the same price.
>>
>> It's definitely overstatement to say "just keep your system software
>> up to date and you'll never get hacked." So, I won't say that.
>> However, I think I can stand by this: "if you have a publicly
>> accessible server that is running out-of-date software on a publicly
>> accessible port, you WILL get hacked". All of the best password
>> selections and firewall policies and such will do you no good if
>> you're running a version of apache with a security hole in it. Or
>> something like that.
>>
>> Next best advice: do not open any ports that you aren't intentionally
>> offering services on. Many many people will want to run SSH and HTTP
>> and nothing else. Some maybe just HTTP. Use a port scanner like nmap
>> to see which ports are available on your machine. The theory is
>> simple: it's fewer software programs that might be entry points to
>> your system if security holes are discovered in them.
>>
>> But, once again, I'll just say: keep your software up to date. Ubuntu
>> makes this really easy. Lots of other distros do too. So, do it.
>>
>> David
>>
>>
>>
>> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>> I run a server out of my house too, and have been doing so for about
>>> 10 years. Actually, these days it's run out of my parents' house,
>>> ever since I was out of the country for a year and needed it to stay
>>> up; before that I ran it out of my own apartments and dorm rooms (with
>>> the exception of one year--see below).
>>>
>>> The server hosts a handful of sites for various people, mostly for
>>> myself (firespeaker.org , jnw.name) and my father
>>> (salonaexploration.com , northeasterngeoscience.org).
>>>
>>> I'm also curious about the questions Ben asks, though I suppose I can
>>> add some of my own experience to the conversation.
>>>
>>> In about 2005, when my server was hosted for a little over a year out
>>> of Brandeis University's LUG (also BLUG :)'s server room, it got
>>> rooted. This was partly my own fault for not running debian security
>>> updates very often and allowing root ssh (which reminds me that I need
>>> to check that again). This is the only real problem I've had, besides
>>> thunderstorms and wind taking the server down at my parents' house
>>> from time to time. While Comcast doesn't seem to be providing a
>>> static IP address service, the IP address does not seem to have
>>> changed at all in the last four years (since I started hosting it at
>>> my parents' house).
>>>
>>> --
>>> Jonathan
>>>
>>> On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>>> I've been running a server on my home machine for some time now and
>>>> was just curious how many others out there do the same? And I'm also
>>>> wondering about security of my home machine. I'm running AjaxXplorer
>>>> on this machine to serve up some photos/videos from my home computer,
>>>> and, while it does use https, I wonder sometimes about how wise it is in
>>>> terms of a security risk. I also use Dyndns so I don't have to worry
>>>> about my changing IP and wonder if having a domain redirect from a
>>>> dyndns hostname makes me more of a target? I like to imagine that
>>>> spyware and viruses on my windows machine are a much bigger threat
>>>> than someone trying to hack into my little ubuntu server machine, but
>>>> I thought I'd ask anyone out there if they have any opinions?
>>>>
>>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>>> and any little home servers you may be running!
>>>>
>>>> Ben

Re: [BLUG] How many of you run home servers?

This is a great thread! I am learning a lot. Thanks everyone.

On 07/20/2011 12:22 PM, Steven Black wrote:
> I wanted to note:
>
> Make sure you use Public Key authentication and disable system
> password authentication. A lot of the SSH attacks are done by botnets.
> This means blocking an IP after three unsuccessful login attempts does
> absolutely nothing to actually help security.
>
> Most of my available services are done via SSH port-forwarding. I get
> to them, but random folks can not. Then again, the services I run on
> my non-work servers are not for general consumption. When you can lock
> it up with SSH port-forwarding, this is by far the best approach.
>
> When you can use HTTPS (or another SSL-wrapped service) consider using
> this instead of an unencrypted service. If it is an authenticated
> service you're sending your password in clear-text if it isn't over
> SSL -- and that is the case regardless of the protocol. Consider SSL
> client certificates if your HTTP-based service has a limited audience.
>
> Cheers,
> Steven Black
>
> On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
>> There are countless ways to try to break into a server. But in my
>> experience, the only one I've ever seen actually used - and I've seen
>> it a LOT of times - was people exploiting known security problems on
>> installed software. In other words, the server maintainers were
>> guilty of what Jonathan confesses to below: not applying security
>> updates. I should also confess that I have made this mistake before
>> and paid the same price.
>>
>> It's definitely overstatement to say "just keep your system software
>> up to date and you'll never get hacked." So, I won't say that.
>> However, I think I can stand by this: "if you have a publicly
>> accessible server that is running out-of-date software on a publicly
>> accessible port, you WILL get hacked". All of the best password
>> selections and firewall policies and such will do you no good if
>> you're running a version of apache with a security hole in it. Or
>> something like that.
>>
>> Next best advice: do not open any ports that you aren't intentionally
>> offering services on. Many many people will want to run SSH and HTTP
>> and nothing else. Some maybe just HTTP. Use a port scanner like nmap
>> to see which ports are available on your machine. The theory is
>> simple: it's fewer software programs that might be entry points to
>> your system if security holes are discovered in them.
>>
>> But, once again, I'll just say: keep your software up to date. Ubuntu
>> makes this really easy. Lots of other distros do too. So, do it.
>>
>> David
>>
>>
>>
>> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>> I run a server out of my house too, and have been doing so for about
>>> 10 years. Actually, these days it's run out of my parents' house,
>>> ever since I was out of the country for a year and needed it to stay
>>> up; before that I ran it out of my own apartments and dorm rooms (with
>>> the exception of one year--see below).
>>>
>>> The server hosts a handful of sites for various people, mostly for
>>> myself (firespeaker.org , jnw.name) and my father
>>> (salonaexploration.com , northeasterngeoscience.org).
>>>
>>> I'm also curious about the questions Ben asks, though I suppose I can
>>> add some of my own experience to the conversation.
>>>
>>> In about 2005, when my server was hosted for a little over a year out
>>> of Brandeis University's LUG (also BLUG :)'s server room, it got
>>> rooted. This was partly my own fault for not running debian security
>>> updates very often and allowing root ssh (which reminds me that I need
>>> to check that again). This is the only real problem I've had, besides
>>> thunderstorms and wind taking the server down at my parents' house
>>> from time to time. While Comcast doesn't seem to be providing a
>>> static IP address service, the IP address does not seem to have
>>> changed at all in the last four years (since I started hosting it at
>>> my parents' house).
>>>
>>> --
>>> Jonathan
>>>
>>> On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>>> I've been running a server on my home machine for some time now and
>>>> was just curious how many others out there do the same? And I'm also
>>>> wondering about security of my home machine. I'm running AjaxXplorer
>>>> on this machine to serve up some photos/videos from my home computer,
>>>> and, while it does use https, I wonder sometimes about how wise it is in
>>>> terms of a security risk. I also use Dyndns so I don't have to worry
>>>> about my changing IP and wonder if having a domain redirect from a
>>>> dyndns hostname makes me more of a target? I like to imagine that
>>>> spyware and viruses on my windows machine are a much bigger threat
>>>> than someone trying to hack into my little ubuntu server machine, but
>>>> I thought I'd ask anyone out there if they have any opinions?
>>>>
>>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>>> and any little home servers you may be running!
>>>>
>>>> Ben

Re: [BLUG] How many of you run home servers?

Jonathan North Washington <jonwashi@indiana.edu> wrote:
> However, I still want to be able to open up putty from a public
> machine somewhere and ssh to my server. Is there any way to allow
> myself to do this short of memorising my public key or carrying it
> around with me on a flash drive or something?

Just change your /etc/ssh/sshd_config to run the daemon on some high
random port and be sure you have a strong password and you'll be fine.

The automated brute force attacks are looking for the "low hanging
fruit" -- servers w/ the SSH daemon running on 22/TCP with weak user
passwords.

--
Jeremy L. Gaddis


Re: [BLUG] How many of you run home servers?

With all this talk of public-key authentication, I'm rethinking
leaving my server open to password authentication over ssh.

However, I still want to be able to open up putty from a public
machine somewhere and ssh to my server. Is there any way to allow
myself to do this short of memorising my public key or carrying it
around with me on a flash drive or something?

--
Jonathan

On 20 July 2011 13:36, Jeremy L. Gaddis <jlgaddis@gnu.org> wrote:
> Ben Shewmaker <ben@shewbox.org> wrote:
>> I've been running a server on my home machine for some time now and
>> was just curious how many others out there do the same?  And I'm also
>> wondering about security of my home machine.  I'm running AjaxXplorer
>> on this machine to serve up some photos/videos from my home computer,
>> and, while it does use https, I wonder sometimes about how wise it is in
>> terms of a security risk.  I also use Dyndns so I don't have to worry
>> about my changing IP and wonder if having a domain redirect from a
>> dyndns hostname makes me more of a target?  I like to imagine that
>> spyware and viruses on my windows machine are a much bigger threat
>> than someone trying to hack into my little ubuntu server machine, but
>> I thought I'd ask anyone out there if they have any opinions?
>
> As others have mentioned, if you have SSH open you'll likely be hit
> constantly by attempts to brute force usernames and passwords. Using
> public key authentication will take care of that.
>
> I also recently discovered an app that provides free two-factor
> authentication and wrote about it:
>
> http://tinyurl.com/69uqplc
>
> I'm not using it on a home server, but I am using it on a web server
> that's exposed to the world. Works great (with my Android phone) and you
> can't beat the price.
>
> --
> Jeremy L. Gaddis
>

Re: [BLUG] How many of you run home servers?

Ben Shewmaker <ben@shewbox.org> wrote:
> I've been running a server on my home machine for some time now and
> was just curious how many others out there do the same? And I'm also
> wondering about security of my home machine. I'm running AjaxXplorer
> on this machine to serve up some photos/videos from my home computer,
> and, while it does use https, I wonder sometimes about how wise it is in
> terms of a security risk. I also use Dyndns so I don't have to worry
> about my changing IP and wonder if having a domain redirect from a
> dyndns hostname makes me more of a target? I like to imagine that
> spyware and viruses on my windows machine are a much bigger threat
> than someone trying to hack into my little ubuntu server machine, but
> I thought I'd ask anyone out there if they have any opinions?

As others have mentioned, if you have SSH open you'll likely be hit
constantly by attempts to brute force usernames and passwords. Using
public key authentication will take care of that.

I also recently discovered an app that provides free two-factor
authentication and wrote about it:

http://tinyurl.com/69uqplc

I'm not using it on a home server, but I am using it on a web server
that's exposed to the world. Works great (with my Android phone) and you
can't beat the price.

--
Jeremy L. Gaddis


Re: [BLUG] How many of you run home servers?

I host a few services from home like a MOO (Mud-like service), but I keep ssh on a high-numbered port along with other basic security measures. At the very least it keeps the ssh grinders off my front door although it's no substitute for iptables, denyhosts, and security updates. I also keep my photo albums on my home web server; I don't have the patience to upload pictures to flickr and the like. I also have a cron that does a yum update on all internet-facing services at regular intervals as well.


On Jul 20, 2011, at 1:04 PM, Kirk Gleason wrote:

> I have a couple of home servers, but none of them are publicly accessible anymore. I used to host DNS for myself and some friends off of my Comcast connection a few years ago, as well as a small mail domain for myself; but I got bored with it, so now I just have file and proxy servers at home.
>
> When I did run public services, I only allowed through what I explicitly needed from the outside -- smtp, DNS, and ssh. Every other service that I needed access to I would access through an SSH tunnel. I also would test my firewall frequently, and I used to ask my IRC friend to test it for me as well.
>
> Maybe I'll need to build myself up a new server, and give my son that web page he has been asking for ...
>
> Kirk



Re: [BLUG] How many of you run home servers?

I have a couple of home servers, but none of them are publicly accessible anymore. I used to host DNS for myself and some friends off of my Comcast connection a few years ago, as well as a small mail domain for myself; but I got bored with it, so now I just have file and proxy servers at home.

When I did run public services, I only allowed through what I explicitly needed from the outside -- smtp, DNS, and ssh. Every other service that I needed access to I would access through an SSH tunnel. I also would test my firewall frequently, and I used to ask my IRC friend to test it for me as well.

Maybe I'll need to build myself up a new server, and give my son that web page he has been asking for ...

Kirk

On Wed, Jul 20, 2011 at 12:22 PM, Steven Black <yam655@gmail.com> wrote:
I wanted to note:

Make sure you use Public Key authentication and disable system
password authentication. A lot of the SSH attacks are done by botnets.
This means blocking an IP after three unsuccessful login attempts does
absolutely nothing to actually help security.

Most of my available services are done via SSH port-forwarding. I get
to them, but random folks can not. Then again, the services I run on
my non-work servers are not for general consumption. When you can lock
it up with SSH port-forwarding, this is by far the best approach.

When you can use HTTPS (or another SSL-wrapped service) consider using
this instead of an unencrypted service. If it is an authenticated
service you're sending your password in clear-text if it isn't over
SSL -- and that is the case regardless of the protocol. Consider SSL
client certificates if your HTTP-based service has a limited audience.

Cheers,
Steven Black

On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
> There are countless ways to try to break into a server.  But in my
> experience, the only one I've ever seen actually used - and I've seen
> it a LOT of times - was people exploiting known security problems on
> installed software.  In other words, the server maintainers were
> guilty of what Jonathan confesses to below: not applying security
> updates.  I should also confess that I have made this mistake before
> and paid the same price.
>
> It's definitely overstatement to say "just keep your system software
> up to date and you'll never get hacked."  So, I won't say that.
> However, I think I can stand by this: "if you have a publicly
> accessible server that is running out-of-date software on a publicly
> accessible port, you WILL get hacked".  All of the best password
> selections and firewall policies and such will do you no good if
> you're running a version of apache with a security hole in it.  Or
> something like that.
>
> Next best advice: do not open any ports that you aren't intentionally
> offering services on.  Many many people will want to run SSH and HTTP
> and nothing else.  Some maybe just HTTP.  Use a port scanner like nmap
> to see which ports are available on your machine.  The theory is
> simple: it's fewer software programs that might be entry points to
> your system if security holes are discovered in them.
>
> But, once again, I'll just say: keep your software up to date.  Ubuntu
> makes this really easy.  Lots of other distros do too.  So, do it.
>
> David
>
>
>
> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>I run a server out of my house too, and have been doing so for about
>>10 years.  Actually, these days it's run out of my parents' house,
>>ever since I was out of the country for a year and needed it to stay
>>up; before that I ran it out of my own apartments and dorm rooms (with
>>the exception of one year--see below).
>>
>>The server hosts a handful of sites for various people, mostly for
>>myself (firespeaker.org , jnw.name) and my father
>>(salonaexploration.com , northeasterngeoscience.org).
>>
>>I'm also curious about the questions Ben asks, though I suppose I can
>>add some of my own experience to the conversation.
>>
>>In about 2005, when my server was hosted for a little over a year out
>>of Brandeis University's LUG (also BLUG :)'s server room, it got
>>rooted.  This was partly my own fault for not running debian security
>>updates very often and allowing root ssh (which reminds me that I need
>>to check that again).  This is the only real problem I've had, besides
>>thunderstorms and wind taking the server down at my parents' house
>>from time to time.  While Comcast doesn't seem to be providing a
>>static IP address service, the IP address does not seem to have
>>changed at all in the last four years (since I started hosting it at
>>my parents' house).
>>
>>--
>>Jonathan
>>
>>On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>> I've been running a server on my home machine for some time now and
>>> was just curious how many others out there do the same?  And I'm also
>>> wondering about security of my home machine.  I'm running AjaxXplorer
>>> on this machine to serve up some photos/videos from my home computer,
>>> and, while it does use https, I wonder sometimes about how wise it is in
>>> terms of a security risk.  I also use Dyndns so I don't have to worry
>>> about my changing IP and wonder if having a domain redirect from a
>>> dyndns hostname makes me more of a target?  I like to imagine that
>>> spyware and viruses on my windows machine are a much bigger threat
>>> than someone trying to hack into my little ubuntu server machine, but
>>> I thought I'd ask anyone out there if they have any opinions?
>>>
>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>> and any little home servers you may be running!
>>>
>>> Ben



--
Kirk Gleason
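
Kirk's rule above (expose only smtp, DNS and ssh, reach everything else through an SSH tunnel) can be checked from the host side by seeing which listening sockets are bound to loopback only. This Python check is an added example, not code from the thread; the `ss -tlnH` output is constructed and the TCP allowlist {22, 25, 53} is an assumption taken from his list.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (TCP, listening, numeric, no header).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

# Assumption: the services meant to be public are ssh, smtp and DNS (TCP only).
ALLOWED_PUBLIC_PORTS = {22, 25, 53}


def split_local(field):
    """Split a 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface suffix such as 127.0.0.53%lo.
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port)


def is_loopback(host):
    """True when the socket is reachable only from the machine itself."""
    if host == "*":  # wildcard bind: every address, IPv4 and IPv6
        return False
    return ipaddress.ip_address(host).is_loopback


def classify(ss_output, allowed=ALLOWED_PUBLIC_PORTS):
    """Return (tunnel_only, exposed_ok, unexpected) as sorted port lists.

    tunnel_only: bound to loopback, so only reachable locally or through
                 an SSH port-forward.
    exposed_ok:  bound to a non-loopback address and on the allowlist.
    unexpected:  bound to a non-loopback address and not on the allowlist.
    """
    tunnel_only, exposed_ok, unexpected = set(), set(), set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if is_loopback(host):
            tunnel_only.add(port)
        elif port in allowed:
            exposed_ok.add(port)
        else:
            unexpected.add(port)
    # A port bound on loopback and on a public address counts as exposed.
    tunnel_only -= exposed_ok | unexpected
    return sorted(tunnel_only), sorted(exposed_ok), sorted(unexpected)


if __name__ == "__main__":
    tunnel_only, exposed_ok, unexpected = classify(SAMPLE_SS)
    print("loopback only (tunnel):", tunnel_only)
    print("exposed, expected:     ", exposed_ok)
    print("exposed, NOT expected: ", unexpected)
```

A socket bound to a public address may still be blocked by a firewall or NAT, so this complements an external port scan of your own machine rather than replacing it.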

Re: [BLUG] How many of you run home servers?

I wanted to note:

Make sure you use Public Key authentication and disable system
password authentication. A lot of the SSH attacks are done by botnets.
This means blocking an IP after three unsuccessful login attempts does
absolutely nothing to actually help security.

Most of my available services are done via SSH port-forwarding. I get
to them, but random folks can not. Then again, the services I run on
my non-work servers are not for general consumption. When you can lock
it up with SSH port-forwarding, this is by far the best approach.

When you can use HTTPS (or another SSL-wrapped service) consider using
this instead of an unencrypted service. If it is an authenticated
service you're sending your password in clear-text if it isn't over
SSL -- and that is the case regardless of the protocol. Consider SSL
client certificates if your HTTP-based service has a limited audience.

Cheers,
Steven Black

On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
> There are countless ways to try to break into a server.  But in my
> experience, the only one I've ever seen actually used - and I've seen
> it a LOT of times - was people exploiting known security problems on
> installed software.  In other words, the server maintainers were
> guilty of what Jonathan confesses to below: not applying security
> updates.  I should also confess that I have made this mistake before
> and paid the same price.
>
> It's definitely overstatement to say "just keep your system software
> up to date and you'll never get hacked."  So, I won't say that.
> However, I think I can stand by this: "if you have a publicly
> accessible server that is running out-of-date software on a publicly
> accessible port, you WILL get hacked".  All of the best password
> selections and firewall policies and such will do you no good if
> you're running a version of apache with a security hole in it.  Or
> something like that.
>
> Next best advice: do not open any ports that you aren't intentionally
> offering services on.  Many many people will want to run SSH and HTTP
> and nothing else.  Some maybe just HTTP.  Use a port scanner like nmap
> to see which ports are available on your machine.  The theory is
> simple: it's fewer software programs that might be entry points to
> your system if security holes are discovered in them.
>
> But, once again, I'll just say: keep your software up to date.  Ubuntu
> makes this really easy.  Lots of other distros do too.  So, do it.
>
> David
>
>
>
> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>I run a server out of my house too, and have been doing so for about
>>10 years.  Actually, these days it's run out of my parents' house,
>>ever since I was out of the country for a year and needed it to stay
>>up; before that I ran it out of my own apartments and dorm rooms (with
>>the exception of one year--see below).
>>
>>The server hosts a handful of sites for various people, mostly for
>>myself (firespeaker.org , jnw.name) and my father
>>(salonaexploration.com , northeasterngeoscience.org).
>>
>>I'm also curious about the questions Ben asks, though I suppose I can
>>add some of my own experience to the conversation.
>>
>>In about 2005, when my server was hosted for a little over a year out
>>of Brandeis University's LUG (also BLUG :)'s server room, it got
>>rooted.  This was partly my own fault for not running debian security
>>updates very often and allowing root ssh (which reminds me that I need
>>to check that again).  This is the only real problem I've had, besides
>>thunderstorms and wind taking the server down at my parents' house
>>from time to time.  While Comcast doesn't seem to be providing a
>>static IP address service, the IP address does not seem to have
>>changed at all in the last four years (since I started hosting it at
>>my parents' house).
>>
>>--
>>Jonathan
>>
>>On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>> I've been running a server on my home machine for some time now and
>>> was just curious how many others out there do the same?  And I'm also
>>> wondering about security of my home machine.  I'm running AjaxXplorer
>>> on this machine to serve up some photos/videos from my home computer,
>>> and, while it does use https, I wonder sometimes about how wise it is in
>>> terms of a security risk.  I also use Dyndns so I don't have to worry
>>> about my changing IP and wonder if having a domain redirect from a
>>> dyndns hostname makes me more of a target?  I like to imagine that
>>> spyware and viruses on my windows machine are a much bigger threat
>>> than someone trying to hack into my little ubuntu server machine, but
>>> I thought I'd ask anyone out there if they have any opinions?
>>>
>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>> and any little home servers you may be running!
>>>
>>> Ben

_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
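
The sshd_config settings this thread keeps returning to (public-key versus password authentication in Steven Black's message, the listening port in Jeremy Gaddis's reply, root SSH in Jonathan's account) can be checked mechanically. This Python audit is an added example, not code from any poster; both sample configs are constructed, and it reads a single file without following `Include`, so `sshd -T` remains the authority on the effective configuration.

```python
import re

# Constructed sample configs, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed example of /etc/ssh/sshd_config
Port 2222
PermitRootLogin yes
PasswordAuthentication no
# sshd keeps the first value it reads, so the next line has no effect
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

# Accepts "Keyword value" and "Keyword=value".
LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")
# ChallengeResponseAuthentication is a deprecated alias in current OpenSSH.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse(text):
    """Return (global_settings, match_overrides).

    global_settings maps lowercase keyword -> values in file order;
    match_overrides lists (criteria, keyword, value) set inside Match blocks.
    """
    global_settings, overrides, criteria = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = None if line.startswith("#") else LINE.match(line)
        if not m:
            continue
        keyword = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        value = m.group(2).strip().strip('"')
        if keyword == "match":
            criteria = value
        elif criteria is None:
            global_settings.setdefault(keyword, []).append(value)
        else:
            overrides.append((criteria, keyword, value))
    return global_settings, overrides


def effective(settings, keyword, default=None):
    """First value wins for a keyword, as in sshd; returned in lowercase."""
    values = settings.get(keyword)
    return values[0].lower() if values else default


def audit(text):
    """Return (ports, findings) for the settings discussed in the thread."""
    settings, overrides = parse(text)
    findings = []
    if effective(settings, "pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if effective(settings, "passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is enabled")
    if (effective(settings, "usepam", "no") == "yes" and
            effective(settings, "kbdinteractiveauthentication", "yes") != "no"):
        findings.append("keyboard-interactive via PAM can still prompt for a password")
    root = effective(settings, "permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is unset; its default depends on the OpenSSH version")
    elif root == "yes":
        findings.append("PermitRootLogin yes allows direct root logins")
    for criteria, keyword, value in overrides:
        if keyword == "passwordauthentication" and value.lower() == "yes":
            findings.append(f"Match {criteria} re-enables PasswordAuthentication")
    # Port may be given several times; every value is a listening port.
    ports = [int(p) for p in settings.get("port", ["22"]) if p.isdigit()]
    return ports, findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        ports, findings = audit(cfg)
        print(name, "ports:", ports)
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

In the sample, the second `PasswordAuthentication yes` is ignored because the first value wins, yet passwords are still reachable through PAM keyboard-interactive and through the `Match` block, which is why turning off one keyword is not enough.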