The great thing about Rimuhosting's servers (besides their fanatical support) is that you have complete root access. The tricky part about their servers is that you have complete root access. They give you ample rope to, as they say, shoot yourself in the foot with.
I finally got around tonight to spending a few minutes making sure my server wasn't embarrassingly (and dangerously) wide open. Here's what I did...
- Upgraded the OS and tools. Rimuhosting couldn't make this any easier if they tried. I ran:
sudo apt-get update
sudo apt-get upgrade
(I mention Rimuhosting because these commands pull from their repository - so I assume they have at least some hand in this magic.)
- I ran an nmap scan to see what ports were open. Scanning from another machine shows what the outside world sees; a local netstat -tlnp lists everything that is listening, including services bound only to localhost. Luckily, all I had to deal with were http, smtp and sshd.
- http was the easiest - I need that open, so I just left it as is.
- smtp was a bit trickier. I edited /etc/postfix/main.cf, set inet_interfaces = localhost and reloaded Postfix. Now my local box can still send mail (outbound delivery from localhost is unaffected), but the mail server no longer accepts connections from the outside world. (Real inbound mail is handled for me by Google Apps, so nothing needs to reach port 25 on this box.)
- sshd was where I got a bit fancier. From my logs, I can tell that there's an endless supply of bots trying to break into my server (what a nasty place the net can be!). I could set up sshd to only accept connections from certain IP addresses. But that means that I won't be able to access my server from random places like internet cafes (remember, we are thinking nomadic). Instead, I changed a few settings in /etc/ssh/sshd_config. They are:
UsePAM no
PasswordAuthentication no
PermitRootLogin no
PermitRootLogin no is especially nice, because now all those bots hammering the root account are guaranteed to fail. I also turned off password authentication, so to log in I'm forcing myself to use ssh keys. Not only is this more secure, but my guess is that most bots don't even attempt to break in using an ssh key (guessing a private key is an extremely tall order). Again, the whole horde of them should be locked out. One caveat: sshd uses the first value it finds for a directive, so make sure nothing earlier in the file still says PasswordAuthentication yes, run sshd -t to check the file parses, and test a key-based login from a second terminal while the first session stays open, because once passwords are off there is no fallback if the key isn't installed. Ideally, I'd also like to set up S/Key - but that will have to wait for another day.
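The same procedure as an added shell script (not from the original post). It assumes a Debian-style box with /etc/ssh/sshd_config, Postfix's postconf, and either systemctl or /etc/init.d/ssh, and it adds one directive the post does not mention, ChallengeResponseAuthentication no, so that keyboard-interactive logins cannot reopen the password door. Because sshd honours the first occurrence of a keyword, the script comments out earlier global occurrences and inserts its value before any Match block (which it leaves alone), then validates with sshd -t before restarting.

```shell
#!/bin/sh
# Added example (not from the post): apply the post's sshd and Postfix changes
# idempotently and verify them before dropping the existing session.
# Assumed paths: /etc/ssh/sshd_config and Postfix's postconf on a Debian-style box.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Effective *global* value of an sshd_config keyword. sshd uses the first
# uncommented occurrence, and anything after a "Match" line is conditional,
# so stop there. Prints nothing if the keyword is unset (sshd's default applies).
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Set a global keyword: comment out every earlier global occurrence (so our
# value is the one sshd sees first) and insert ours before the first Match
# block, or at the end if there is none. Match blocks are left untouched.
sshd_set() {
    file=$1 key=$2 val=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$val" '
        BEGIN { inmatch = 0; done = 0 }
        tolower($1) == "match" {
            if (!done) { print key " " val; done = 1 }
            inmatch = 1
        }
        !inmatch && tolower($1) == tolower(key) { print "#" $0 "   # disabled by harden.sh"; next }
        { print }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original's mode and owner
    rm -f "$tmp"
}

# The post's three settings, plus ChallengeResponseAuthentication: with
# PasswordAuthentication off, keyboard-interactive is the other way a password
# could be typed, so switch it off explicitly. Note that UsePAM no also
# disables PAM's account and session checks (pam_nologin, limits), not just
# password prompts.
harden_sshd() {
    sshd_set "$SSHD_CONFIG" PermitRootLogin no
    sshd_set "$SSHD_CONFIG" PasswordAuthentication no
    sshd_set "$SSHD_CONFIG" ChallengeResponseAuthentication no
    sshd_set "$SSHD_CONFIG" UsePAM no
    # Refuse to restart on a config sshd itself will not accept.
    sshd -t -f "$SSHD_CONFIG" || { echo "sshd_config failed validation; not restarting" >&2; return 1; }
    if command -v systemctl >/dev/null 2>&1; then systemctl restart ssh; else /etc/init.d/ssh restart; fi
}

# Bind Postfix to loopback only, as in the post. postconf -e edits main.cf in place.
harden_postfix() {
    postconf -e 'inet_interfaces = localhost'
    postfix reload
}

# What is actually listening, with the bind address: anything on 0.0.0.0 or
# [::] is reachable from outside; 127.0.0.1 is not.
show_listeners() {
    if command -v ss >/dev/null 2>&1; then ss -ltnp; else netstat -ltnp; fi
}

# Only act when run explicitly as "harden.sh --apply", so sourcing this file
# for its functions (or running it without arguments) changes nothing.
if [ "${1:-}" = "--apply" ]; then
    harden_sshd && harden_postfix && show_listeners
fi
```

Run it as sh harden.sh --apply from a session you keep open, then confirm a key-based login works from a second terminal before logging out: with PasswordAuthentication no there is no way back in if the key isn't installed.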
That's pretty much it for now. I would hardly call my setup hacker-proof - but I do believe that the easy exploits have been taken off the table. Besides pulling the plug, what else could I do to secure my box?
These are good steps to take for sure. Congrats on closing yet another potential security hole in the web.
I once installed a new version of linux on my home server and was shocked to find tons of network traffic bogging down my cable modem days later. The guy on the phone couldn't tell me what was going on. I just assumed somebody overseas was launching DoS attacks against me. I had no idea why. He suggested we change my IP and see if the problem goes away.
It worked. For about a week. Then the onslaught of traffic returned. I eventually tracked the activity down to apache. I noticed tons of the requests hitting my server for web pages I didn't host. (Everything from porn to extreme porn.)
Eventually I learned that Mandrake 9.2 had shipped with the proxy server turned on in Apache by default. This allowed any client to request any page from my poor little server and it would fetch the page and serve it up. Somehow the bot networks involved in some sort of click fraud found me and added me to their lists. After I plugged the hole it took about a day for them to realize I wasn't available anymore to serve their nefarious purposes and they left me alone.
Rough couple of days though... not even support could help.
-ben
I've so been bitten by the open proxy issue!
It's amazing, because your server just begins to crawl - yet, it's not really obvious what's going on.
Makes you appreciate just how nasty the net can be.
And who are all these people who are using open proxies? I feel like there's a whole other world out there that I just can't appreciate.
If you don't want to have ssh listening on a port open to the world, but also want to be able to access it from anywhere, try knockd.
Additionally, I try to remember to make use of ssh tunneling whenever possible. For example, I run bincimapd on my mail server, but only on the loopback interface. To connect to it from my local machine, I just tunnel a port on my local machine to 127.0.0.1:143 on the mail server, set up my mail client to access IMAP on that local port, and voilà, I have access to my mail.
Ooh, knockd looks really cool - thanks for the pointer!
Yeah, I always forget about the possibilities with ssh tunneling.
Thanks for the suggestions, they're great ones.
I have been SSH tunneling with VNC for years. Always felt like something was lacking since Remote Desktop performs so much better than VNC.
Then it hit me... even though it feels SO wrong, why not SSH tunnel my Remote Desktop connection? I was able to set it up with only slightly more effort than the VNC tunnel. Been working great for months.
I would much rather demo something to a client via remote desktop than VNC.
Ben -
Thanks for the ssh tunneling hack. I always forget about ssh tunneling and how handy it can be.
-Ben