# New Server

## SnackMasterX

Hello,

I am planning on bringing a new server up primarily for experimental purposes. My first goals are to have it host FTP, SSH, Web and remote access services (something similar to RDP, not sure what I can use for that with linux). I have a box that's a little out of date but was originally set up as a desktop PC, so I'm wondering if there are any changes I can make to it so it will be ready for the public internet connected straight to it. I will not be using a router; any firewalls will have to be through the OS, which is the main reason I'm making this post. I need to know what I can do to ensure the security of my box and that only authorized users can access the machine.

Thanks in Advance!

----------

## TJNII

First off, old-school FTP uses plain text passwords.  If you want security, you don't want FTP.  Don't use FTP unless absolutely necessary.

So, I'll start with a couple general pointers:

*) Minimize attack vectors.  Minimize your open ports and public services.

*) Thwart the script kiddies: Run services on non-standard ports if possible

*) Use strong passwords.  Weak passwords will be exploited by robots.

*) Keep your box patched.

*) Don't use "out-of-the-box" web apps like phpmyadmin or phpbb if possible.  Thousands of robots scan for them.  They will be exploited.

That said, your box will be attacked.  Plan for it.  Likely it will all be bots trolling for exploits.

For your web requirement, apache2 is stable and strong.  If someone breaks in through the web it is likely to be through something running on top of apache, like a php site.  Make sure you evaluate everything you put on your site.

As for everything else, just use ssh.  Move the port off 22 if possible to stop automated attacks.  Some bots will still find your new port, but this will be rare.  Use good passwords to keep the few that find it out.  You can use sftp in place of ftp for secure file transfers.

As for a "RDP" service, I use VNC.  (TightVNC and TigerVNC, depending on my ARCH)  The problem is not all VNC servers implement encryption, so this has the same problem as FTP.  However, you can loop the unencrypted traffic inside the end machines and tunnel it within SSH so your traffic is secure.  There are guides on that; it isn't hard.

You're likely to have services running that are not meant to be public.  Many daemons will allow you to select which IP to bind to.  Use this feature to help limit public accessibility to these services.  Block all ports but the necessary ones at the firewall.  You're going to be using iptables for your firewall.  I recommend the shorewall wrappers to make administering them easier.

Since this is likely to be headless, I also recommend 2 NICs.  Not for security per se, but more so that if you botch the settings for the WAN NIC you can get in through the LAN NIC and vice versa.

Hope that gets you on the right track.  If you don't do something dumb, chances are your box will be fine.
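As an added illustration of the "block all ports but the necessary ones" advice above (this is example code, not something from the thread): a default-deny iptables ruleset that opens only SSH on a moved port plus HTTP/HTTPS, and leaves VNC reachable only through the SSH tunnel. The WAN interface name (eth0) and SSH port (2222) are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny iptables ruleset for a box
# plugged straight into the internet. Assumed values: WAN interface eth0, SSH
# moved to port 2222. VNC is deliberately NOT opened: bind it to 127.0.0.1 and
# reach it through an SSH tunnel (ssh -p 2222 -L 5901:127.0.0.1:5901 user@box).

WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-2222}"
# DRY_RUN=1 (the default here) prints the commands instead of running them,
# so the ruleset can be reviewed without root. Run with "apply" to load it.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    ipt -F                      # flush existing rules
    ipt -X                      # delete user-defined chains
    ipt -P INPUT DROP           # default: drop anything not explicitly allowed
    ipt -P FORWARD DROP         # this box is not a router
    ipt -P OUTPUT ACCEPT        # outbound traffic from the box itself is fine
    ipt -A INPUT -i lo -j ACCEPT    # loopback: local daemons and the VNC tunnel endpoint
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Public services, one rule each; nothing else on $WAN_IF gets through.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 443 -j ACCEPT
    # Rate-limited log of what hits the default DROP, so probes show up in syslog.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

# Sanity-check helper: how many INPUT rules accept TCP port $1 in the generated set.
accept_rules_for_port() {
    ( DRY_RUN=1; apply_firewall ) | grep -c -- "--dport $1 -j ACCEPT" || true
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    apply_firewall
fi
```

Run it without arguments to review the generated rules; the two-NIC advice above is what saves you if the rules lock you out of the WAN side.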

----------

## SnackMasterX

Sounds like a lot of great advice, thanks a lot! Had one other question in terms of bots: what can I use for a logging system to track brute force attacks or any kind of access attempts at all? I want to see what methods are being used to try and break into my box in case someone should decide to give it a try.

----------

## TJNII

*SnackMasterX wrote:*

> Sounds like a lot of great advice, thanks a lot! Had one other question in terms of bots: what can I use for a logging system to track brute force attacks or any kind of access attempts at all? I want to see what methods are being used to try and break into my box in case someone should decide to give it a try.

Your system logger will handle the logging for you.  You can set different log levels in your daemons depending on how much you want to know.

You may also be interested in fail2ban.  Some swear by it, I've had mixed luck.  You can also do ip range filtering at your firewall.  I filter my VoIP ports to only allow ISPs that have legitimate clients on them.
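To show what the system logger already gives you and what fail2ban keys on, here is an added example (not from the thread) that reads sshd log lines, counts failed logins per source address against a threshold, and lists the usernames tried from one address. The log lines are constructed samples and every address in them is made up.

```shell
#!/bin/sh
# Added example, not from the thread: the sshd entries the system logger writes,
# and the per-source counting that fail2ban automates (its "maxretry" idea).
# The log lines below are constructed samples in sshd's syslog format; the
# addresses are made up (documentation ranges).

SAMPLE_AUTH_LOG='Mar  3 02:14:01 box sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2
Mar  3 02:14:03 box sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2
Mar  3 02:14:05 box sshd[4413]: Failed password for root from 203.0.113.7 port 51340 ssh2
Mar  3 02:14:09 box sshd[4415]: Failed password for root from 203.0.113.7 port 51351 ssh2
Mar  3 02:14:12 box sshd[4417]: Failed password for invalid user oracle from 203.0.113.7 port 51360 ssh2
Mar  3 02:20:44 box sshd[4420]: Accepted publickey for snack from 198.51.100.20 port 40022 ssh2
Mar  3 02:31:10 box sshd[4422]: Failed password for snack from 198.51.100.20 port 40031 ssh2
Mar  3 02:31:14 box sshd[4422]: Accepted password for snack from 198.51.100.20 port 40031 ssh2'

# Read an sshd log on stdin; print "count ip" for each source address with at
# least $1 failed logins (default 5), most active first.
brute_force_sources() {
    awk -v max="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' | sort -rn
}

# Read an sshd log on stdin; list the usernames tried (and failed) from address
# $1, one per line, so you can see what the bots are guessing.
usernames_tried_from() {
    awk -v src="$1" '
        /Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i+1) == src) print $(i-1)   # word before "from"
        }
    ' | sort -u
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 5
printf '%s\n' "$SAMPLE_AUTH_LOG" | usernames_tried_from 203.0.113.7
```

On a real box, replace the sample with `/var/log/auth.log` (or wherever your syslog config sends sshd); the single failure from the second address is the kind of thing a sane threshold should not ban.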

----------

## SnackMasterX

Can you suggest anything for web management? Just looking for some basic statistics and possibly some kind of firewall program. I want to just block all ports and only open certain ports. Ideally I would like to be able to control port management through a web UI, but I'm unsure of what all my options are for managing the server, its users and services.

----------

## SnackMasterX

So despite system update status, my box got hacked last night and now I have to start from scratch. Any suggestions for system security or a firewall? I would like to be able to block all ports by default and only allow specific ports, and change all default port numbers to something non-standardized just to make it a bit more secure.

----------

## TJNII

*SnackMasterX wrote:*

> any suggestions for ... a firewall?

iptables.  See my first post.

*Quote:*

> change all default port numbers to something non-standardized

This is done on a per-daemon basis, not at the firewall.  This doesn't add any security, though.  Thorough attacks will portscan the box.

*Quote:*

> my box got hacked

Define "hacked"? Since you're still asking about firewalls I'll assume all services were publicly visible.  What services were you running with what daemons?  Were your passwords long and secure?  If you were running Apache, were you running anything on top of it and, if so, what?

*Quote:*

> Can you suggest anything for web management

No.  I don't use GUIs as I find them to be more of a burden than a blessing.

----------

## SnackMasterX

*Quote:*

> iptables.  See my first post.

Ok, I'll do some research on how to use it.

*Quote:*

> Define "hacked"? Since you're still asking about firewalls I'll assume all services were publicly visible.  What services were you running with what daemons?  Were your passwords long and secure?  If you were running Apache, were you running anything on top of it and, if so, what?

It was a desktop system (I have never built a server before and know literally nothing about securing my box aside from what we have discussed in this thread) and I threw it on a public IP during the update process. Last night I left it updating and when I woke up this morning it had a failed build. I tried running revdep-rebuild and after that failed about 2 times portage stopped working altogether, and when I say that I mean that any portage command I entered into the system instantly went to a new line for a new command after pressing enter; it just did nothing. I tried extracting an original copy of portage from the stage3 tarball and it worked then, so I ran 'emerge -u1 portage' since it was out of date, and instantly after it completed the update of portage it began to remove critical system packages, and I had not instructed it to do this. My belief is that someone rooted my box and had fun while I was sleeping. Also, I never used apache, though I am interested in setting this up with FTP services and having some kind of web site for users to access and have a personal login with their own web profile, which would allow them to browse and queue for download files available on the FTP portion of the server; also their profile login would grant them access to the FTP portion of the server, so maybe that could just be some kind of HTTP download, though I also want uploading to be an option.

*Quote:*

> No.  I don't use GUIs as I find them to be more of a burden than a blessing.

Fair enough, I can see that being true; it's much easier and faster to just use a command line, but I'm thinking more for others to use. I want some kind of web interface so I can have my friends log into the server and gain remote access, though I suppose that wouldn't necessarily have to be some form of web management app.

Bottom line, in short: I know nothing of linux servers or securing them and I am mostly using this box as an experimental/learning box. I have no intention of keeping critical data, though hosting a minecraft server would be pretty awesome.

----------

