---+ ServerSecurity
Our InternetServer will need to be protected against all the Internet nasties (which are legion).

---++ Account Restrictions

   * All admins have their own account on the system.
   * Disallow root access, except via sudo.
   * Disallow sudo <shell> access. Yes, this makes things more difficult, but traceability is needed when there are multiple admins. Note: I could be coaxed off this requirement if sudo would fire up a capture program (like script) when 'sudo <shell>' is used.
      * I much prefer autostarting script if 'sudo shell' is run - flexible and easy. Creating time/original user named logfile in standard location would be ideal. (e.g. 2006_02_10_11_53_billm.log) -- Main.DrewVanZandt - 10 Feb 2006
      * Some things that require shell redirection don't work without this - however those can be put into a script and run 'sudo script'. But then the script is fungible after the run, so what's been gained is worth debating. -- Main.BillMcGonigle - 08 Feb 2006

---++ Firewall

   * iptables - unless there is some other level of firewalling available to us.
   * Even if there is a hardware firewall, don't trust it. To expound, only allow incoming access on the minimum number of ports to get us going. We should restrict ssh access to a limited number of IPs to avoid being DDoSed with ssh scans. -- Main.BillMcGonigle - 09 Feb 2006
   * Allowed Ports From Anywhere
      * 25/tcp
      * 80/tcp
      * 443/tcp
      * 53/udp
   * Allowed IPs for port 22 ssh
      * 217.160.248.65 -- Main.BillMcGonigle - 09 Feb 2006
      * Recommend moving SSH to nonstandard port. Scripted attacks only hit 22. -- Main.DrewVanZandt - 10 Feb 2006
   * Allowed Ports for our backup DNS, currently LINUX.CODEMETA.COM (199.125.76.10)
      * 53/tcp

---++ Remote Access

   * SSH - Require public key authentication, require entries in !AllowedUsers in sshd_config. Inconvenient for adding new accounts, but the number of accounts will be very low and we don't have time to deal with getting cracked.
   * Suggest running SSH on a nonstandard port -- Main.ColeTuininga - 10 Feb 2006
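The Account Restrictions section asks for a sudo shell that records the session to a logfile named after the time and the original user. The wrapper below is an added example, not anything from this page or the GNHLUG server: it is the command admins would be allowed to run via sudo in place of a bare shell, and it starts the real shell under script(1) with a log named in the page's format (e.g. 2006_02_10_11_53_billm.log). The log directory /var/log/sudo-shell and the wrapper path /usr/local/sbin/sudo-shell are assumed names. sudo sets SUDO_USER to the invoking account, which is what ties the log to the admin rather than to root. (Later sudo releases can do this natively with =Defaults log_output= and sudoreplay; this wrapper is the portable version of the idea.)

```shell
#!/bin/sh
# Added example (not from the GNHLUG page): a wrapper that admins run via
# sudo instead of a bare shell. It starts the real shell under script(1) so
# the whole session is recorded to <timestamp>_<original user>.log.
# Assumed (hypothetical) locations: /var/log/sudo-shell for the logs and
# /usr/local/sbin/sudo-shell for this wrapper itself.

LOGDIR="${SUDO_SHELL_LOGDIR:-/var/log/sudo-shell}"

# Build the logfile name from a timestamp (YYYY_MM_DD_HH_MM) and a user name.
# Split out as a function so the naming rule can be checked without root.
capture_log_name() {
    stamp="$1"
    user="$2"
    # Refuse empty names and names containing path separators or "..", so a
    # crafted SUDO_USER cannot steer the log outside LOGDIR.
    case "$user" in
        ''|*/*|*..*) return 1 ;;
    esac
    printf '%s_%s.log\n' "$stamp" "$user"
}

# Timestamp in the page's format, e.g. 2006_02_10_11_53.
now_stamp() {
    date +%Y_%m_%d_%H_%M
}

# Start the recorded session. SUDO_USER is set by sudo to the original
# account, so the log is attributed to the admin, not to root.
start_session() {
    user="${SUDO_USER:-$(id -un)}"
    name="$(capture_log_name "$(now_stamp)" "$user")" || {
        echo "sudo-shell: refusing to log for user '$user'" >&2
        return 1
    }
    umask 077                      # logs readable by root only
    mkdir -p "$LOGDIR" || return 1
    # -q suppresses script's banner; -a appends, so two sessions by the same
    # admin in the same minute do not clobber each other.
    exec script -q -a "$LOGDIR/$name"
}

# Only start a session when invoked as the wrapper, not when sourced.
case "$0" in
    *sudo-shell) start_session ;;
esac
```

In sudoers this would be granted with something like =%admins ALL = (root) /usr/local/sbin/sudo-shell= alongside the specific commands each admin needs. sudoers(5) itself warns that negating commands (=!/bin/sh=) is not a reliable boundary, so treat the wrapper as the accountability measure the page is after, among admins who are already trusted, rather than as containment.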
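The Firewall section lists the policy but not a ruleset. The script below is an added example, not the page's own configuration: it emits an iptables-restore file implementing exactly that policy (default-deny inbound; 25, 80, 443/tcp and 53/udp from anywhere; ssh only from 217.160.248.65; 53/tcp only from 199.125.76.10) and takes the ssh port as a parameter so the nonstandard-port suggestion is a one-value change. The loopback, ESTABLISHED/RELATED and logging rules are assumptions the page does not list but any default-deny policy needs; the =-m state= module is what iptables had in 2006 and still works as an alias for conntrack.

```shell
#!/bin/sh
# Added example (not the GNHLUG page's own ruleset): generate an
# iptables-restore file from the Firewall section's policy.

ADMIN_IP="217.160.248.65"      # allowed ssh source (from the page)
BACKUP_DNS_IP="199.125.76.10"  # LINUX.CODEMETA.COM (from the page)
SSH_PORT="${SSH_PORT:-22}"     # change if sshd is moved to another port

# Print the ruleset. Arguments: admin IP, backup DNS IP, ssh port.
firewall_rules() {
    admin="$1"; dns="$2"; sshport="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this host opened (assumed rules).
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# A new TCP flow that does not start with SYN is a stray packet or a scan.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allowed Ports From Anywhere.
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# ssh only from the admin address.
-A INPUT -p tcp -s $admin --dport $sshport -m state --state NEW -j ACCEPT
# 53/tcp (zone transfers, large answers) only from the backup DNS host.
-A INPUT -p tcp -s $dns --dport 53 -m state --state NEW -j ACCEPT
# Log a rate-limited sample of what falls through, so scans show in syslog.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Number of ACCEPT rules for a destination port; a quick sanity check that
# nothing beyond the policy is open.
accept_rule_count() {
    firewall_rules "$ADMIN_IP" "$BACKUP_DNS_IP" "$SSH_PORT" |
        grep -c -- "--dport $1 .*-j ACCEPT" || true
}

# Usage as root:
#   firewall_rules "$ADMIN_IP" "$BACKUP_DNS_IP" "$SSH_PORT" > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
```

Writing the file out and reading it before loading is worth the extra step on a remote box: a default-deny INPUT chain with a typo in the admin address locks the admins out along with everyone else.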
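The Remote Access section states the sshd requirements; the check below is an added example, not from this page, for verifying a candidate sshd_config before it goes live. Two details matter: the directive is spelled =AllowUsers= in sshd_config (the page writes AllowedUsers), and sshd uses the first occurrence of a keyword, so hardening lines appended below an earlier =PasswordAuthentication yes= do nothing. The checker mirrors that first-wins rule. The sample configs are constructed here; the account names in them are made up.

```shell
#!/bin/sh
# Added example (not from the GNHLUG page): check an sshd_config against the
# Remote Access requirements, honouring sshd's first-occurrence-wins rule.

# Effective value of a directive: first non-comment occurrence, keyword
# matched case-insensitively as sshd does. Prints nothing if unset.
sshd_effective() {
    file="$1"; key="$2"
    awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print
            exit
        }
    ' "$file"
}

# Apply the requirements. Returns 0 only if all pass; prints each failure.
# Explicit settings are demanded even where the default would do, so the
# file documents the policy instead of relying on a build's defaults.
sshd_check() {
    file="$1"
    rc=0
    [ "$(sshd_effective "$file" PubkeyAuthentication)" = "yes" ] ||
        { echo "FAIL: PubkeyAuthentication must be yes"; rc=1; }
    [ "$(sshd_effective "$file" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_effective "$file" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin must be no (root only via sudo)"; rc=1; }
    [ -n "$(sshd_effective "$file" AllowUsers)" ] ||
        { echo "FAIL: AllowUsers must list the admin accounts"; rc=1; }
    return $rc
}

# Constructed sample configs (not real files from the server); prints the
# temp file path. "good" meets the policy; "bad" appended hardening under a
# stock "PasswordAuthentication yes", which sshd will keep honouring.
sample_config() {
    f="$(mktemp)"
    if [ "$1" = good ]; then
        cat >"$f" <<'EOF'
# hardened sshd_config (constructed sample)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers billm drewvz cole
EOF
    else
        cat >"$f" <<'EOF'
# stock file with hardening appended at the bottom: the first setting wins
PasswordAuthentication yes
PermitRootLogin no
AllowUsers billm
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    fi
    echo "$f"
}
```

Usage is =sshd_check /etc/ssh/sshd_config= before restarting sshd; run =sshd -t= as well, since this check only covers the four settings the page asks for, not syntax.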
Topic revision: r4 - 2006-02-10 - DrewVanZandt