Protect your home server from external attacks.

Today I will give you some tips on how to have a more secure home server (or a slightly bigger one). But before anyone tears me apart:

NOTHING IS TOTALLY SAFE

With that caveat clearly stated, I continue.

I am going to go part by part, and I am not going to explain each process in depth. I will only mention it and clarify the odd detail, so you can go to Google with a clearer idea of what you are looking for.

Before and during installation

  • It is highly recommended that the server be installed as "minimal" as possible. This way we prevent services from running that we don't even know are there, or what they are for. It also ensures that every piece of the setup is something you did yourself.
  • It is recommended that the server not be used as an everyday workstation (the one you are reading this post on, for example).
  • Ideally the server has no graphical environment.

Partitioning.

  • It is recommended that the directories used by users, such as "/home", "/tmp", "/var/tmp" and "/opt", be assigned to a different partition from the system one.
  • Critical directories such as "/var/log" (where all the system logs are stored) are put on a different partition.
  • Depending on the type of server (a mail server, for example), "/var/mail" or "/var/spool/mail" should also be on a separate partition.
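As an added example (not part of the original post), the following POSIX shell script checks whether the directories listed above are really separate mount points, and whether each carries the nodev, nosuid and noexec mount options that usually go with this layout (set in the fourth column of /etc/fstab). Which options to expect per directory is this example's choice; the post only asks for separate partitions. It reads a file in /proc/mounts format, so it runs here against a constructed sample; on a real host point it at /proc/mounts.

```shell
#!/bin/sh
# Added example: verify the partition layout recommended in the post and
# the mount options paired with it. Input is a file in /proc/mounts
# format; the sample below is constructed. Real host: check_layout /proc/mounts

# Directories the post says should live on a separate partition, with
# the options this example expects on each (an assumption, not the post's).
expected_options() {
    case $1 in
        /tmp|/var/tmp|/var/log) echo "nodev nosuid noexec" ;;
        /home) echo "nodev nosuid" ;;   # noexec on /home breaks too many user tools
        /opt)  echo "nodev nosuid" ;;   # /opt exists to hold executables
    esac
}
WANTED_DIRS="/home /tmp /var/tmp /opt /var/log"

# Print the mount options of directory $2 if it is a mount point in
# file $1; print nothing if it only sits on a parent filesystem.
mount_options() {
    awk -v dir="$2" '$2 == dir { opts = $4 } END { print opts }' "$1"
}

# One line per wanted directory. Returns how many directories are either
# not separate or missing an expected option (0 = layout matches).
check_layout() {
    mounts=$1
    problems=0
    for d in $WANTED_DIRS; do
        opts=$(mount_options "$mounts" "$d")
        if [ -z "$opts" ]; then
            echo "$d: NOT a separate partition"
            problems=$((problems + 1))
            continue
        fi
        missing=""
        for o in $(expected_options "$d"); do
            case ",$opts," in
                *",$o,"*) ;;
                *) missing="$missing $o" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$d: separate ($opts) missing:$missing"
            problems=$((problems + 1))
        else
            echo "$d: separate ($opts)"
        fi
    done
    return $problems
}

# Constructed sample in /proc/mounts format: /home and /tmp done right,
# /var/log separate but without options, /var/tmp and /opt not separate.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nodev,nosuid,relatime 0 0
/dev/sda3 /tmp ext4 rw,nodev,nosuid,noexec,relatime 0 0
/dev/sda4 /var/log ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
EOF
}

sample=$(mktemp)
write_sample_mounts "$sample"
check_layout "$sample"
echo "problems found: $?"
rm -f "$sample"
```

On the sample the script reports three problems; the return value makes it usable from a cron job or a post-install check that fails loudly when the layout drifts.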

Password.

It is no secret to anyone that the passwords of system users, and/or of other services that use them, must be secure.

The recommendations are:

  • It must not contain your name, your pet's name, names of relatives, special dates, places, etc. In short, the password should have nothing related to you, to your surroundings or your daily life, nor anything related to the account itself. Example of what not to do: twitter#123.
  • The password must also combine uppercase, lowercase, numbers and special characters. Example: DiAFsd·$354

After installing the system

  • It's a personal preference, but I like to delete the root user and assign all its privileges to another user; that way I avoid attacks on that account, which are very common. The /etc/sudoers file must be edited: there we add the user that we want to act as root, and then we delete our old superuser (root).
  • It is very practical to subscribe to a mailing list where the security bugs of the distribution you use are announced, as well as to blogs, Bugzilla or other sources that can warn you of possible bugs.
  • As always, constantly updating the system and its components is recommended.
  • Some people also recommend protecting GRUB or LILO, and the BIOS, with a password.
  • There are tools such as "chage" that allow users to be forced to change their password every X days, set the minimum time they must wait before doing so, and other options.
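The following shell check is added here and is not part of the original post. It encodes the password rules from the Password section above (required character mix, nothing related to the account itself) together with a minimum length of 12 characters that the post does not state and which is this example's assumption; the account names and passwords in it are constructed.

```shell
#!/bin/sh
# Added example: a password rule check in the spirit of the post's advice.
# Minimum length is this example's assumption; the post gives none.
LC_ALL=C; export LC_ALL   # keep [A-Z] and friends ASCII-only
MIN_LEN=12

# $1 = account name, $2 = candidate password.
# Prints "ok" and returns 0 when every rule passes; otherwise prints the
# first rule that failed and returns 1.
password_ok() {
    acct=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pw=$2
    lpw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')

    # Nothing related to the account itself (compared case-insensitively).
    if [ -n "$acct" ]; then
        case $lpw in
            *"$acct"*) echo "contains the account name"; return 1 ;;
        esac
    fi
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "shorter than $MIN_LEN characters"; return 1
    fi
    # Required character classes: uppercase, lowercase, digit, special.
    case $pw in *[A-Z]*) ;; *) echo "no uppercase letter"; return 1 ;; esac
    case $pw in *[a-z]*) ;; *) echo "no lowercase letter"; return 1 ;; esac
    case $pw in *[0-9]*) ;; *) echo "no digit"; return 1 ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) echo "no special character"; return 1 ;; esac
    echo ok
}

# Constructed demonstration values; the first is the post's bad example.
for pair in 'twitter:twitter#123' 'alex:correcthorsebattery' 'alex:Cv7!qLm2#xRe'; do
    acct=${pair%%:*}; pw=${pair#*:}
    printf '%-10s %-22s -> %s\n' "$acct" "$pw" "$(password_ok "$acct" "$pw")"
done
```

Password aging from the chage item is set separately, for example with `chage -M 90 -m 7 -W 14 alex` (maximum 90 days between changes, minimum 7, warn 14 days before expiry); those numbers are this example's choice, and the command needs root.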

There are many ways to secure our machine. Everything above applies before installing any service, and it only touches on a few things.

There are quite extensive manuals that are worth reading to learn about this immense sea of possibilities. Over time you learn one thing or another, and you realize that there is always something missing. Always...

Now let's secure the SERVICES a little more. My first recommendation is always: "DO NOT LEAVE THE DEFAULT CONFIGURATION". Always go to the service's configuration file, read a little about what each parameter does, and do not leave it as it was installed. That always brings problems.

That said:

SSH (/etc/ssh/sshd_config)

In SSH we can do many things so that it is not so easy to break into.

For example:

-Do not allow root login (in case you have not removed that user):

"PermitRootLogin no"

-Do not allow blank passwords:

"PermitEmptyPasswords no"

-Change the port it listens on (and, optionally, the address it binds to):

"Port 666" or "ListenAddress 192.168.0.1:666"

-Authorize only certain users:

"AllowUsers alex ref me@somewhere"   The me@somewhere entry forces that user to always connect from the same IP.

-Authorize specific groups.

"AllowGroups wheel admin"

Tips.

  • It is quite safe, and practically mandatory, to confine SSH users in a chroot.
  • You can also disable file transfer.
  • Limit the number of failed login attempts.
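As an added example (not code from the post), the script below reads an sshd_config and checks the directives just discussed: PermitRootLogin, PermitEmptyPasswords, a non-default Port, ListenAddress, AllowUsers/AllowGroups, and MaxAuthTries as the failed-attempt limit from the tips. The sample configuration it audits is constructed and also shows a Match block that confines one group to a chroot and allows it only file transfer; the port 2222, the addresses, the user names and the group name are assumptions.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the
# directives discussed in the post. The sample file is constructed; on a
# real host run: audit_sshd_config /etc/ssh/sshd_config

# Print the effective value of directive $2 in file $1 (last active
# occurrence wins). Comments are skipped and everything from the first
# "Match" block onward is ignored, so only global settings are read.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == key {
            line = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", line)
            sub(/[[:space:]]+$/, "", line)
            val = line
        }
        END { print val }
    ' "$1"
}

# Record one check result and count failures.
report() {
    if [ "$3" = ok ]; then
        printf 'OK   %-22s %s\n' "$1" "$2"
    else
        printf 'FAIL %-22s %s\n' "$1" "$2"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    fi
}

# Audit one file: one line per check, returns the number of failed checks.
audit_sshd_config() {
    cfg=$1
    AUDIT_FAILS=0

    v=$(sshd_directive "$cfg" PermitRootLogin)
    if [ "$v" = no ]; then s=ok; else s=fail; fi
    report PermitRootLogin "${v:-unset}" $s

    v=$(sshd_directive "$cfg" PermitEmptyPasswords)
    if [ "$v" = no ]; then s=ok; else s=fail; fi
    report PermitEmptyPasswords "${v:-unset}" $s

    # Failed attempts allowed per connection; 3 is this example's limit.
    v=$(sshd_directive "$cfg" MaxAuthTries)
    case $v in
        ''|*[!0-9]*) s=fail ;;
        *) if [ "$v" -le 3 ]; then s=ok; else s=fail; fi ;;
    esac
    report MaxAuthTries "${v:-unset}" $s

    # A non-default port cuts scanner noise in the logs; it is not a
    # control on its own, so the other checks still have to pass.
    v=$(sshd_directive "$cfg" Port)
    if [ -n "$v" ] && [ "$v" != 22 ]; then s=ok; else s=fail; fi
    report Port "${v:-unset}" $s

    # Bind one address instead of every interface.
    v=$(sshd_directive "$cfg" ListenAddress)
    if [ -n "$v" ]; then s=ok; else s=fail; fi
    report ListenAddress "${v:-unset}" $s

    # At least one of AllowUsers / AllowGroups must restrict who may log in.
    u=$(sshd_directive "$cfg" AllowUsers)
    g=$(sshd_directive "$cfg" AllowGroups)
    if [ -n "$u$g" ]; then s=ok; else s=fail; fi
    report AllowUsers/AllowGroups "${u:-unset} / ${g:-unset}" $s

    return $AUDIT_FAILS
}

# Constructed hardened sample in the spirit of the post's tips.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config, not a real host's file
Port 2222
ListenAddress 192.168.0.1
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers alex ref me@192.168.0.10
AllowGroups wheel admin

# Confine one group to a chroot and allow it only file transfer.
# ChrootDirectory must be owned by root and not writable by others.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
}

sample=$(mktemp)
write_sample_sshd_config "$sample"
audit_sshd_config "$sample"
echo "failed checks: $?"
rm -f "$sample"
```

Validate any edit with `sshd -t` before restarting the daemon, and keep your current session open until a second login with the new settings succeeds.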

Almost essential tools.

Fail2ban: this tool, available in the repos, lets us limit the number of access attempts to many types of services (ftp, ssh, apache, etc.), banning the IPs that exceed the attempt limit.

Hardeners: tools that let us "harden", or rather arm, our installation with firewalls and/or other measures. Among them are Harden and Bastille Linux.

Intrusion detectors: there are many NIDS, HIDS and other tools that let us prevent and protect ourselves from attacks, through logs and alerts. Among many others, there is OSSEC.
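To show what Fail2ban is doing under the hood, here is an added example (neither Fail2ban's code nor the post's) that counts failed-password events per source in constructed sshd log lines (RFC 5737 documentation addresses) and prints the firewall commands a ban action would run, without executing them. The threshold plays the role of Fail2ban's maxretry; a real jail also restricts the count to a findtime window and lifts the ban after bantime, which this script does not model.

```shell
#!/bin/sh
# Added example: the counting logic behind a Fail2ban-style ban, run over
# constructed sshd log lines. Nothing here touches the firewall;
# ban_commands only prints what a ban action would run.

# Write the constructed sample log to $1.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jan 12 10:01:02 home sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 12 10:01:05 home sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 12 10:01:09 home sshd[2104]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jan 12 10:01:15 home sshd[2107]: Failed password for alex from 192.168.0.10 port 40022 ssh2
Jan 12 10:01:20 home sshd[2107]: Accepted publickey for alex from 192.168.0.10 port 40022 ssh2
Jan 12 10:02:03 home sshd[2110]: Failed password for invalid user oracle from 198.51.100.4 port 33001 ssh2
Jan 12 10:02:07 home sshd[2112]: Failed password for invalid user test from 198.51.100.4 port 33010 ssh2
Jan 12 10:02:11 home sshd[2114]: Failed password for invalid user guest from 198.51.100.4 port 33015 ssh2
EOF
}

# Count failed-password events per source address and print "ip count"
# for every address that reached the threshold, most failures first.
# $1 = log file, $2 = threshold (Fail2ban calls it maxretry).
offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Print (do not run) the firewall command that would ban each offender,
# much like the rule Fail2ban's sshd jail inserts from its action.
ban_commands() {
    offenders "$1" "$2" | while read -r ip count; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count failures"
    done
}

log=$(mktemp)
write_sample_auth_log "$log"
echo "sources at or over 3 failures:"
offenders "$log" 3
echo "commands a ban action would run:"
ban_commands "$log" 3
rm -f "$log"
```

The one failure from 192.168.0.10 never reaches the threshold, which is the point of maxretry: a typo by a legitimate user is not a ban, a stream of guesses from one source is.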

In conclusion: this was not a security manual, but rather a series of points to take into account in order to have a reasonably secure server.

As personal advice: read a lot about how to view and analyze LOGS, and let's become iptables nerds. Also, the more software is installed on the server, the more vulnerable it becomes; a CMS, for example, must be well managed, kept updated, and you should take a good look at what kind of plugins you add.

Later I want to publish a post on how to secure something specific. There I can give more details and put it into practice.
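As an added example tied to the iptables and log advice above (not the post's own configuration), the script below writes a default-deny ruleset in iptables-restore format: loopback and established traffic are accepted, new SSH connections are rate limited per source, and everything else is logged with an IPT-DROP: prefix before the chain policy discards it, so the firewall's decisions show up in the logs you are told to read. The SSH port 2222 is an assumption, and the ruleset is only written to a file, never loaded.

```shell
#!/bin/sh
# Added example: a minimal default-deny INPUT policy in iptables-restore
# format. Loading it needs root (iptables-restore < file) and is
# deliberately not done here; the functions only write and inspect it.

# Write the ruleset for SSH port $2 to file $1.
write_ruleset() {
    cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH connections: the 4th within 60 s from one source is dropped
-A INPUT -p tcp --dport $2 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport $2 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT
# log what the DROP policy is about to discard, rate limited to protect the log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# Default policy of chain $2 in ruleset file $1.
chain_policy() {
    awk -v c=":$2" '$1 == c { print $2 }' "$1"
}

# Number of rules appended to INPUT in ruleset file $1.
count_input_rules() {
    grep -c '^-A INPUT ' "$1"
}

# Every rule that matches SSH port $2 in ruleset file $1.
ssh_rules() {
    grep -- "--dport $2 " "$1"
}

rules=$(mktemp)
write_ruleset "$rules" 2222
cat "$rules"
echo "INPUT policy: $(chain_policy "$rules" INPUT); INPUT rules: $(count_input_rules "$rules")"
rm -f "$rules"
```

Apply it from a console session or with a second SSH session already open, check that a fresh login still works, and only then make it persistent with your distribution's mechanism; the IPT-DROP: lines then land in the kernel log, where Fail2ban-style counting or plain grep can work on them.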



  1.   elynx said

    Saved in favorites!

    Regards!

  2.   Ivan Barra said

    Excellent TIPS. Well, last year I installed several security and monitoring systems at an "Important NATIONAL AIRLINE" and I was surprised to learn that, despite the several tens of millions of dollars in equipment (SUN Solaris, Red Hat, VMware, Windows Server, Oracle DB, etc.), in terms of security there was NOTHING.

    I used Nagios, Nagvis, Centreon PNP4Nagios, Nessus and OSSEC, the root password was public knowledge, well, in a year all that was cleaned up, which was worth making a lot of money, but also a lot of experience in this type of thing. It never hurts to take into consideration all that you just explained.

    Greetings.

  3.   Blaire pascal said

    Nice. Direct to my favorites.

  4.   guzman6001 said

    Great article ... <3

  5.   Juan Ignacio said

    Che, for the next one you could continue by explaining how to use OSSEC or other tools! Very good post! More, please!

    1.    Ivan Barra said

      In February, for my vacation, I want to cooperate with a Nagios post and monitoring tools.

      Greetings.

  6.   koratsuki said

    Good article. I had planned to write a slightly more comprehensive one as soon as I got my PC repaired, but you got ahead of me xD. Good contribution!

  7.   Arturo Molina said

    I would also like to see a post dedicated to intrusion detectors. Like this one, I'm adding it to favorites.