Protecting Against Server Attack
Given the current fun and games with the community-managed Ubuntu LoCo servers, I’ve been thinking recently about server security.
Personally, any web servers that I’d ever run in my ‘day job’ would never have remote administration services like SSH, FTP, etc. open to the web (and more often than not, not at all), and would only ever have the minimum necessary ports open on the firewall anyway.
Unfortunately, I realise that in a community effort it’s probably impossible to aspire to the ‘access at the server room only’ ideal. Volunteers need to remote admin servers from many different locations, so we need to keep those vulnerable services facing the web. The question really is ‘how do we secure our servers against attack?’
Despite the seriousness of the matter, protection against attack often seems to sit pretty far down the pecking order when people take the ‘teach yourself to be a Linux sysadmin’ route, and it doesn’t seem to get much discussion.
So, what sort of tools do you recommend for toughening your Linux server?
By tools, I mean something in addition to the usual default install. For instance, I use denyhosts to stop SSH dictionary attacks on hobby/volunteer servers I run.
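The denyhosts approach mentioned above, as an added example that is not part of the original post and not denyhosts’ own code: a short Python script that tallies failed sshd password attempts per source address from auth.log-style lines, lists the addresses that cross a threshold, and skips an allowlist of trusted networks so that an administrator’s own mistyped passwords never lock the team out. The log lines are constructed for the example, and the function names, threshold and allowlist are the example’s own assumptions.

```python
"""Tally failed SSH logins per source address and list the hosts that
exceed a threshold: the core of what a tool like denyhosts automates."""
import ipaddress
import re
from collections import Counter

# Constructed sample of OpenSSH auth.log lines (not from a real server).
# 203.0.113.5 is a dictionary attacker, 192.0.2.77 is a user who typed
# one wrong password, 10.0.0.12 is an admin on a trusted internal network.
SAMPLE_LOG = """\
Aug 17 12:24:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Aug 17 12:24:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Aug 17 12:24:05 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40124 ssh2
Aug 17 12:24:07 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40125 ssh2
Aug 17 12:24:09 web1 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 40126 ssh2
Aug 17 12:24:11 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 40127 ssh2
Aug 17 12:25:30 web1 sshd[2210]: Failed password for bob from 192.0.2.77 port 51002 ssh2
Aug 17 12:25:33 web1 sshd[2210]: Accepted password for bob from 192.0.2.77 port 51002 ssh2
Aug 17 12:26:00 web1 sshd[2215]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Aug 17 12:27:01 web1 sshd[2220]: Failed password for alice from 10.0.0.12 port 33001 ssh2
Aug 17 12:27:04 web1 sshd[2220]: Failed password for alice from 10.0.0.12 port 33001 ssh2
Aug 17 12:27:08 web1 sshd[2220]: Failed password for alice from 10.0.0.12 port 33001 ssh2
Aug 17 12:27:12 web1 sshd[2222]: Failed password for alice from 10.0.0.12 port 33002 ssh2
Aug 17 12:27:15 web1 sshd[2222]: Failed password for alice from 10.0.0.12 port 33002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def failed_logins(log_text):
    """Yield (user, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            yield match.group("user"), match.group("ip")


def count_failures_by_ip(log_text):
    """Return a Counter of failed attempts keyed by source address."""
    return Counter(ip for _, ip in failed_logins(log_text))


def hosts_to_block(log_text, threshold=5, allowlist=()):
    """Source addresses with at least `threshold` failures that are not
    inside any allowlisted network (CIDR strings, e.g. "10.0.0.0/8")."""
    trusted = [ipaddress.ip_network(net) for net in allowlist]
    blocked = []
    for ip, failures in count_failures_by_ip(log_text).items():
        if failures < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in trusted):
            continue  # never lock out the team's own networks
        blocked.append(ip)
    return sorted(blocked, key=ipaddress.ip_address)


def hosts_deny_lines(ips):
    """Render addresses in the /etc/hosts.deny form denyhosts writes."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    for ip, n in count_failures_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip:<15} {n} failed attempts")
    offenders = hosts_to_block(SAMPLE_LOG, threshold=5, allowlist=("10.0.0.0/8",))
    print("\n".join(hosts_deny_lines(offenders)))
```

Run against a real /var/log/auth.log the same parsing applies; the allowlist is the part worth thinking about first, since a threshold-based blocker with no exemptions is a ready-made way to lock yourself out of your own box.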
I’d be really interested to learn what works for you, and any interesting stories you have about security.
Don’t be shy
This entry was posted on Thursday, August 16th, 2007 at 10:54 pm.
August 17th, 2007 at 12:24 pm
Firehol, OpenVPN, and some custom-written scripts to blacklist (drop all traffic from) referral spammers.
Firehol: as a rule, our servers are only open to those addresses that they must be. No ssh access to the world, but ssh access on the public ports from our networks, for example.
OpenVPN: Build an encrypted network. Effectively, join private networks across the internet. (At its default, best used per computer, although you can use route and/or masquerade to link your networks properly with firehol.)
The only gotcha with firehol is that it doesn’t work out of the box with Feisty. See bug report: https://bugs.launchpad.net/ubuntu/+source/firehol/+bug/78017
August 17th, 2007 at 12:32 pm
Would you advocate using Feisty as a server then Kirrus, or would you tend to stay with an LTS edition?