Server Security 101

I know Chad mentioned that it was generally a bad idea to run home servers but I thought I'd write up a bit of help for those who would like to try.  I'm not going to give step by step instructions as any administrator can tell you learning to search for things on the web is a necessary skill.  I'll just point you in the right direction to start learning.

  • Learn how to use your hosts.allow and hosts.deny files.  Deny everything and then just allow http for visitors, and on ssh only allow your internal network to connect.  The more specific you can be, the better.
  • Firewall, Firewall, Firewall! Linux can be cracked.  It's harder than Windows but still possible.  A firewall will keep out the script kiddies/amateurs.  Having a firewall on your home router and one on your machine is even better.  It's called Defense in Depth and is the industry standard.  To give you a general idea, banks normally run an external router and then a firewall into the DMZ and then another firewall or two and another router before it goes into the internal network.  Even with all of that banks can be hacked; you just don't hear about it, but those who work in the security field do, as we tend to study those things.  Your home router and then a firewall on your box is two layers and is considered safe for a low-profile home network.  If your server is exposed you may want to add a Smoothwall, Astaro, or IPCop box for additional protection.
  • Be a hard target.  Most script kiddies won't waste time on a hardened network; they'll just keep scanning with bots for an unprotected machine.
  • If you have to use ssh externally into your network then change it to a non-standard port.  It's even easier to do with most home routers, as you can forward your external port 2222 or whatever you use to your internal port 22.  Most bots scan networks for open ssh servers and try to brute force them.
  • Install Fail2ban on your machine.  If a bot does find you then three failed attempts to log in on ssh will get them added to the hosts.deny list.
  • If you have servers installed on your box that you don't use then uninstall them!  The more services you have that accept external connections, the easier it is to find a way into your machine.
  • Keep your machine up to date!  Security holes are found all the time and if you don't keep your machine up to date you may fall victim to them.  This is how worms spread; though mainly an IIS problem, Apache occasionally has a hole found.  This isn't just for web.  I can't tell you how many boxes we crack in audits because they use an old version of ssh or ftp and getting in is as simple as running a modified client that will drop us to a root prompt.
  • The program Tripwire is your friend! It will tell you if someone has gotten into your box and changed something, though learn what files will change on their own because of system use or updates and don't freak over them.
  • Strong Passwords... seriously, the majority of the machines that get hacked are because of weak passwords.  Your password should be at least ten or so characters long and not anything found in a dictionary.  Something like...  $99SunnyM0on#  That uses special characters, capitals, and numbers.  Better yet is a pass phrase that is unique to you and easy to remember.  You can even take the first two letters out of each word of a phrase.  An example would be: "The quick brown fox jumped over the lazy dog" would turn into !ThQuBrFxJuOvThLaDo1@ with a number and special characters added.  I know it can be a pain, but with Ubuntu your password is even more vital as anyone who gets it essentially gets root access.
  • SSH keys for remote access.  Do a search on how to set up a passwordless login to SSH and then when it asks, put in a password instead of hitting enter.  Then no one can log into that account without the proper key.
  • Keep your private files encrypted.  GPG is great, though TrueCrypt is also a very good program to learn and use.  I point back up to the strong passwords entry here.  You really need more than 20 characters, so type out a phrase this time.  If someone does crack your system then they don't get your financial or personal data.
  • Backups!  Chad mentioned it and it's true that it's only a matter of time.  My site changed because Bluehost somehow corrupted the install and luckily I had my database backed up.  It was frustrating but at least I didn't lose anything.   You might also want to look into using TrueCrypt or some other method to encrypt these if you travel.
  • Use encryption on your laptops if you travel at all and have anything on them you care not to have stolen.
  • Deleting something does not mean it's not still there.  There are methods to recover data overwritten many, many times, but the more times it's overwritten the more costly it becomes to recover.  Wipe is a good Linux program that's in the Ubuntu repositories.

 
Well that's a good start.  I'll probably end up doing a podcast on it later.
 
What do I use?
I have a Cisco 1811 series integrated services router as my border router that goes into my DMZ switch and then a Vyatta firewall/router (www.vyatta.com, commercial but they have an open source community edition) to my internal network.  They're on separate networks subnetted down from the 10.0.0.0 private range.  There is no route from the DMZ into the internal network.  If any connections are made it's out of the internal network to a machine in the DMZ.  I'm looking to add a Cisco PIX firewall later.  Paranoid? Not really; I work with security and my network is like my home lab with VMs set up to test things.
 
-Chayak AKA Brandon
www.linuxresonance.com
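The two controls the post pairs together, the hosts.allow/hosts.deny baseline and Fail2ban's "count failed ssh logins, then deny the source", can be sketched in a few lines of POSIX shell. The script below is an added example written for this thread; it is not Brandon's code and not Fail2ban's own logic. It assumes a home LAN on 192.168.1.0/24, uses a handful of constructed auth.log lines (not from any real host), and applies the threshold of three failures that the post mentions. It emits the deny entries rather than writing them to /etc/hosts.deny, so it is safe to run anywhere. One caveat not in the post: Apache is not linked against libwrap, so "allow http" belongs in the firewall rules, not in hosts.allow.

```shell
#!/bin/sh
# Added example: Fail2ban-style counting of failed sshd logins over constructed
# auth.log lines, then rendering TCP wrappers deny entries for the offenders.

# Constructed sample auth.log lines (not captured from any real machine).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 home sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 52144 ssh2
Mar  3 10:01:15 home sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 52144 ssh2
Mar  3 10:01:19 home sshd[2301]: Failed password for root from 203.0.113.7 port 52150 ssh2
Mar  3 10:02:02 home sshd[2310]: Accepted publickey for brandon from 192.168.1.20 port 40112 ssh2
Mar  3 10:03:44 home sshd[2322]: Failed password for brandon from 192.168.1.20 port 40120 ssh2
Mar  3 10:05:01 home sshd[2340]: Failed password for root from 198.51.100.23 port 61000 ssh2
Mar  3 10:05:04 home sshd[2340]: Failed password for root from 198.51.100.23 port 61002 ssh2
Mar  3 10:05:07 home sshd[2340]: Failed password for root from 198.51.100.23 port 61004 ssh2
Mar  3 10:05:10 home sshd[2340]: Failed password for root from 198.51.100.23 port 61006 ssh2'

# Assumption: the trusted internal network is 192.168.1.0/24 (prefix used for matching).
INTERNAL_NET='192.168.1.'

# count_failures LOGTEXT: print "count ip", most failures first, for every source
# address that appears in an sshd "Failed password" line.
count_failures() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password for/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
             }
             END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# offenders LOGTEXT THRESHOLD: addresses at or above the threshold, excluding the LAN
# so a mistyped password from inside never locks the owner out.
offenders() {
    count_failures "$1" |
        awk -v t="$2" -v lan="$INTERNAL_NET" '$1 >= t && index($2, lan) != 1 { print $2 }'
}

# deny_lines LOGTEXT THRESHOLD: hosts.deny entries in TCP wrappers syntax.
deny_lines() {
    offenders "$1" "$2" | awk '{ print "sshd: " $1 }'
}

# baseline_policy: the "deny everything, allow ssh from the LAN" starting point from the post.
# Web traffic is not covered here because Apache does not consult hosts.allow.
baseline_policy() {
    cat <<EOF
# /etc/hosts.deny
ALL: ALL
# /etc/hosts.allow
sshd: ${INTERNAL_NET}0/255.255.255.0
EOF
}

# Stand-alone run: show the baseline, then the entries the sample log would add.
baseline_policy
deny_lines "$SAMPLE_AUTH_LOG" 3
```

Run it as `sh script.sh`; with the sample log it lists two external addresses to deny and leaves the LAN host alone even though it also had a failed login. Real Fail2ban additionally expires bans after a configurable time, which a plain hosts.deny entry never does, so if you script this yourself keep a way to remove entries.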

Wow Brandon awesome post. I'm going to add a few things over the next week to this thread and then I'll go ahead and create a tutorial (and give you credit of course). Thanks again for your great contribution!
If anyone else has some security input please slap it on this thread and I'll compile all the data.
Chad

Must be nice to be able to afford all that Cisco equipment.

I don't own it, I just maintain it :)

Well I only have the one Cisco router and I got that after Uncle Sam stuck me in Iraq for a few months.  Not really much to spend my money on over there :P  I had a bit saved up when I got back to the States and since I was going for my CCNA I went ahead and got a nicer router.
The PIX firewall would be nice, but holy crap those things are expensive for the amount of traffic they handle.  There are cheaper firewalls that handle more traffic out there.
--------------------------------------------------------------------------------------------------------
Linux Resonance Podcast
Linux, hardware, security, and audio/video production

Hey, check out the latest Going Linux episode, it is all about firewalls!
http://goinglinux.com/shownotes.html#glp021

We used to have a PIX here and now we have an ASA and I love it. No really, I dream about it at night.