[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 22/06/10 11:22, James Fidell wrote:
On 22/06/10 10:38, Gordon Henderson wrote:Control interactive access - ssh - firewall it, make sure it's ssh v2 and don't use passwords - tricky to setup in the first instance, but once setup it's relatively easy from there. If you do insist on passwords, then it's still not a bad thing, but firewall it, if posible, so it can only be accessed from known loations. (and thus for that, you need a static IP address)Wot Gordon said. Some people like to run ssh on a different port for this, or to use some form of "port-knocking". Depending on your level of paranoia, you may want to think about those. Don't allow remote root logins in any case.
Yep, I'll look into this. The VPS has got root enabled, I was hoping to use a key to login, maybe with a password on top for extra security. I'll also change the ssh port number too (since it's reasonably simple to do).
FTP is another one to avoid unless you have absolutely no choice.
I don't think it'll need FTP, as far as I know the only requirement is Shoutcast (I'd have preferred to use Icecast but hey, they want Shoutcast).
You can also look at using something along the lines of fail2ban to firewall IP addresses that look like they're up to no good.
Okay, that sounds good.
Keep on top of security patches, and not just immediately remotely exploitable ones.
Yep.
Join the "announce" list for any software packages you're using that aren't directly supported by the distribution maintainer.
Didn't think of that one, I will do.
Consider firewalling outbound traffic as well as inbound -- there's probably no good reason for the server to be making outbound connections to the usual IRC ports, for instance, and it might even be possible to disable outbound FTP/HTTP except for those times you're doing updates.
Another thing I didn't consider.
If you're using PHP, disable the PHP engine for upload directories where possible and remove index generation and all options for directories writeable by apache. Disable opening of remote files in PHP if possible. Check that upload directories only contain files of types you expect to be there, on a regular basis. Consider installing mod_security.
I don't think it'll be running PHP. I gather his web site is hosted on another server anyway. I'll have a word with him and find out his exact requirements.
Rob -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html