ServerSecurity (revision r1.2)
Our InternetServer will need to be protected against all the Internet nasties (which are legion).

Account Restrictions

  • All admins have their own account on the system.
  • Disallow root access, except via sudo.
  • Disallow sudo access. Yes, this makes things more difficult, but traceability is needed when there are multiple admins. Note: I could be coaxed off this requirement if sudo would fire up a capture program (like script) when 'sudo ' is used.
    • Some things that require shell redirection don't work without this - however those can be put into a script and run 'sudo script'. But then the script is fungible after the run, so what's been gained is worth debating. -- BillMcGonigle - 08 Feb 2006

Firewall

  • iptables - unless there is some other level of firewalling available to us.
    • even if there is a hardware firewall, don't trust it. To expound, only allow incoming access on the minimum number of ports to get us going. We should restrict ssh access to a limited number of IP's to avoid being DDOS'ed with ssh scans. -- BillMcGonigle - 09 Feb 2006
    • Allowed Ports From Anywhere
      • 25/tcp
      • 80/tcp
      • 443/tcp
      • 53/udp
    • Allowed IPs for port 22 (ssh)
      • 217.160.248.65 -- BillMcGonigle - 09 Feb 2006
      • Recommend moving SSH to nonstandard port. Scripted attacks only hit 22. -- DrewVanZandt - 10 Feb 2006
    • Allowed Ports for our backup DNS, currently LINUX.CODEMETA.COM (199.125.76.10)
      • 53/tcp
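A rule generator for the inbound policy listed above, added here as an example and not part of the original wiki page. It prints the iptables commands instead of applying them, so the ruleset can be read before it is piped to sh; the default-deny policy, the loopback and established-connection rules and the rate-limited LOG rule are assumptions beyond what the list states, and the two addresses are the ones on this page.

```shell
#!/bin/sh
# Prints iptables commands for the inbound policy on this page; review, then pipe to sh.
# Addresses are the ones listed above; more ssh admin hosts can be added to the list.
SSH_ADMIN_IPS="217.160.248.65"
DNS_SECONDARY_IPS="199.125.76.10"
OPEN_TCP_PORTS="25 80 443"

gen_rules() {
    # Assumed baseline (not stated in the list): default-deny, allow loopback
    # and replies to connections the server itself opened.
    echo 'iptables -F INPUT'
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Services open to the whole Internet: 25, 80, 443 on tcp and 53 on udp.
    for port in $OPEN_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo 'iptables -A INPUT -p udp --dport 53 -j ACCEPT'
    # ssh only from the listed admin addresses; no unrestricted port-22 rule exists.
    for ip in $SSH_ADMIN_IPS; do
        echo "iptables -A INPUT -p tcp -s $ip --dport 22 -m state --state NEW -j ACCEPT"
    done
    # 53/tcp (zone transfers) only from the backup DNS server.
    for ip in $DNS_SECONDARY_IPS; do
        echo "iptables -A INPUT -p tcp -s $ip --dport 53 -m state --state NEW -j ACCEPT"
    done
    # Assumed: log what falls through to the DROP policy, rate-limited so a
    # scan cannot fill the log.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "'
}

# Sanity check before applying: every port-22 rule must carry a source restriction.
# Returns 0 when the check passes, 1 when an unrestricted ssh rule is present.
check_ssh_restricted() {
    gen_rules | grep -- '--dport 22' | grep -v -- ' -s ' | grep -q . && return 1
    return 0
}

gen_rules
```

Apply with `sh gen_rules.sh | sh` only after `check_ssh_restricted` succeeds and the printed rules have been read; the generator does not persist rules across reboot.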

Remote Access

  • SSH - Require public key authentication, and require entries in AllowUsers in sshd_config. Inconvenient for adding new accounts, but the number of accounts will be very low and we don't have time to deal with getting cracked.
Topic revision: r2 - 2006-02-10 - DrewVanZandt