[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 22/06/10 10:38, Gordon Henderson wrote:
Control interactive access - ssh - firewall it, make sure it's ssh v2 and don't use passwords - tricky to setup in the first instance, but once setup it's relatively easy from there. If you do insist on passwords, then it's still not a bad thing, but firewall it, if posible, so it can only be accessed from known loations. (and thus for that, you need a static IP address)
Wot Gordon said. Some people like to run ssh on a different port for this, or to use some form of "port-knocking". Depending on your level of paranoia, you may want to think about those. Don't allow remote root logins in any case. FTP is another one to avoid unless you have absolutely no choice. You can also look at using something along the lines of fail2ban to firewall IP addresses that look like they're up to no good. Keep on top of security patches, and not just immediately remotely exploitable ones. Join the "announce" list for any software packages you're using that aren't directly supported by the distribution maintainer. Consider firewalling outbound traffic as well as inbound -- there's probably no good reason for the server to be making outbound connections to the usual IRC ports, for instance, and it might even be possible to disable outbound FTP/HTTP except for those times you're doing updates. If you're using PHP, disable the PHP engine for upload directories where possible and remove index generation and all options for directories writeable by apache. Disable opening of remote files in PHP if possible. Check that upload directories only contain files of types you expect to be there, on a regular basis. Consider installing mod_security. James -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html