Security Advice For Server Owners

Main.SecurityAdviceForServerOwners History


Changed lines 23-30 from:

2b. For ssh logon - do not allow username/passwords based access at all.

Do not allow for Root logon!

Do not allow for username/password logon - make it key-based only! Move away from default port!

to:

2b. For ssh logon - best to not allow username/passwords based access at all.

Make it key-based only. Do not allow for Root logon.

Move away from default port. Obscurity is no security, but it gets you rid of a lot of automated dumb attack traffic and random script kiddie connects.
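Review bot: the new 2b tells readers to move off the default port but not how to do it without locking themselves out; the Port change in sshd_config only takes effect when sshd is restarted, and ufw (recommended in 2e) will drop traffic to the new port unless it is allowed first. Suggest adding the order of operations: allow the new port in the firewall, restart sshd, confirm a second, fresh session connects on the new port, and only then close port 22 and end the old session.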

Deleted line 33:
Changed lines 40-43 from:

Moving away from the default port is of course merely cosmetic, no real security - but it gets you rid of 100,000s of random script kiddie connects.

to:
Changed line 44 from:

2d. all relevant web services that allow for login, excahnge of credentials, etc - over https only - NOT http

to:

2d. all relevant web services that allow for login, exchange of credentials, etc - over https only - NOT http

Changed lines 19-21 from:

2a. If you need password based access of nay kind - make the passwords strong! You know how, right?

to:

2a. If you really really need password based access of any kind - make the passwords strong! You know how, right? It is better to not allow for any username/password based access.

Changed lines 47-49 from:

2d. all relevant web services over https only - NOT http

to:

2d. all relevant web services that allow for login, excahnge of credentials, etc - over https only - NOT http
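Review bot: "excahnge" in the new 2d text is a typo for "exchange".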

Changed lines 61-63 from:

your machine from outside - pls ask me!

to:

your machine from outside - pls ask!

researchIT_(you know what an email looks like ...)_itu.dk

Added lines 1-60:

These are some very general remarks and recommendations on server security, e.g. for owners of research servers.

1. Be aware that every machine visible on the internet is being hammered with logon attempts - always, from second one, constantly :)

if you wanna check you own server, run a

% grep failure /var/log/*

or equivalent.

2. What can/should you do?

2a. If you need password based access of nay kind - make the passwords strong! You know how, right?

2b. For ssh logon - do not allow username/passwords based access at all.

Do not allow for Root logon!

Do not allow for username/password logon - make it key-based only! Move away from default port!

e.g.

% edit /etc/ssh/sshd_config

        Port <some high port number>
        PermitRootLogin no
        PasswordAuthentication no

Moving away from the default port is of course merely cosmetic, no real security - but it gets you rid of 100,000s of random script kiddie connects.

2c. no ftp, no telnet - ever!

2d. all relevant web services over https only - NOT http

2e. install, understand and configure these tools:

% apt-get install denyhosts fail2ban ufw

the first two will ban/deny any possible intruders, the latter is an easy to use interface to iptables

3. in case of any questions, or in case you would like us to firewall your machine from outside - pls ask me!
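Review bot: the check in point 1, `grep failure /var/log/*`, will miss most ssh brute-force noise on Debian/Ubuntu-style systems, where sshd logs rejected logins as "Failed password for ..." (and "Invalid user ...") in /var/log/auth.log; a case-insensitive `grep -i fail /var/log/auth.log` (or `journalctl -u ssh` on systemd hosts) gives readers the picture the sentence promises. In the sshd_config snippet under 2b, `PasswordAuthentication no` alone does not close the keyboard-interactive (PAM) path on every distribution, so it is worth adding `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older OpenSSH) and telling readers to verify the effective settings with `sshd -T` before restarting. Finally, the `apt-get install denyhosts fail2ban ufw` line in 2e: denyhosts is unmaintained and no longer packaged in current Debian/Ubuntu releases, and fail2ban covers the same job, so the install line will fail as written on newer systems unless denyhosts is dropped.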