Security discussion - How do you protect your server?

Discussion in 'Systems Administration' started by we67iop, Mar 29, 2017.

  1. I'm feeling a bit paranoid as I only have fail2ban (protects against brute force) installed and am pretty clueless about security. I'm running Debian 3.2.84-2

    I'm just wondering how you guys protect your server, mainly:

    What steps have you taken to secure your server

    What operating system are you using and does it take up a lot of space? (I only have 40 GB)

    Would you recommend I switch to a different operating system?

    Any other tips


    Thanks in advance! :p
     
  2. PhanaticD

    Patron

    It's basically whatever programs you have that access the internet that you need to secure.

    You have SSH -> fail2ban, disable remote root, use keys and disable passwords, use another port.

    MySQL -> disable remote logins for root; if you need external logins, make sub-accounts with access only to the databases they need, and firewall it off to only the IPs that need it.

    Minecraft server with Bungee -> firewall the Spigot servers so only Bungee can access them.

    Same thing with anything else you install and you should be good. Other things are just common sense, like don't give your friends access to the console if it's not needed, don't use the same password twice, etc.
     
    #2 PhanaticD, Mar 29, 2017
    Last edited: Mar 29, 2017
    • Agree x 3
    • Like x 1
    • Winner x 1
  3. Thanks for the reply!

    I'll have to do some googling to figure out how to do those things but I should figure it out eventually!

    Also Kudos on having a blacklisted server that still has over 150 people!
     
  4. PhanaticD

    Patron

    its not blacklisted lol
     
  5. Silly me!

    I just saw your SquidHQ banner on your website and jumped to assumption.

    Honestly though, the only domains that are still blacklisted are troll domains such as *.blacklistthisifyousupportrape.host

    https://blocklist.tcpr.ca/
     
  6. I suggest securing in-game exploits.
    First off, block the command //calc.
    It can crash a server if it is used to do so.
    Second off, block the server ports. Be sure to leave the SSH, Bungee and website ports open for you to connect.

    That should get you decent on the security list
     
    • Like x 1
    I care about my server security.

    Software:
    - Fail2Ban (SSH Brute-Force | Blocking after 2 Failed Logins)

    My Firewall Policy:
    Input > allow 25565 (Minecraft [BungeeCord])
    Input > allow 80, 443 (Webserver HTTP and HTTPS)
    Input > Port 22 - whitelist
    Input > deny all

    Whitelisting for Port 22 is made using a Webinterface

    Every Website access is being scanned.
    TOR, proxy, VPN and bad web bots are 99% detected and gain only limited access.
    Only 3 countries are whitelisted for login to the web interface.

    Gameserver Security:
    - Software Updates every Day
    - Every server has its own user and its own directory (to prevent exploits and minimize damage)
     
    #7 FurRail, Mar 29, 2017
    Last edited: Mar 29, 2017
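A worked version of the firewall policy described in posts #2 and #7, added here as an example and not code from anyone in the thread: a POSIX sh script that emits iptables rules with a default-deny INPUT chain, the public Bungee and web ports open, SSH limited to one admin address, and the backend Spigot ports reachable only from the Bungee host. The admin IP, Bungee IP and backend port numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables INPUT policy matching
# post #7's list plus post #2's "only Bungee may reach the Spigot servers" rule.
# All addresses and backend ports passed in below are constructed placeholders.

# build_rules ADMIN_IP BUNGEE_IP BACKEND_PORTS
#   ADMIN_IP      the one address allowed to reach SSH (port 22)
#   BUNGEE_IP     host running BungeeCord; only it may reach backend Spigot ports
#   BACKEND_PORTS space-separated Spigot ports that sit behind Bungee
# Prints the commands instead of running them so they can be reviewed first.
build_rules() {
    admin_ip=$1; bungee_ip=$2; backend_ports=$3
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 25565 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $admin_ip -j ACCEPT
EOF
    # Backend servers accept connections only from the Bungee host; BungeeCord
    # itself does no authentication towards them, so this rule is what stops
    # players joining a backend directly.
    for port in $backend_ports; do
        echo "iptables -A INPUT -p tcp --dport $port -s $bungee_ip -j ACCEPT"
    done
    # Policy is set last so the ESTABLISHED rule already protects the current
    # SSH session; everything not listed above is dropped.
    echo "iptables -P INPUT DROP"
}

# apply_rules: same arguments; actually installs the rules (needs root).
# Nothing here persists across a reboot, so a control-panel reboot restores
# access if the admin IP changes.
apply_rules() {
    build_rules "$@" | sh
}

# Example with constructed values: Bungee on another box, two backends here.
build_rules 203.0.113.10 198.51.100.7 "25566 25567"
```

Because the port 22 whitelist is exactly the lockout risk raised later in the thread, confirm a second way in (console or panel reboot) before persisting the output.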
  8. Completely agreed, but one addition: You should IP whitelist your SSH. Either simply your home IP address (depending on where you live & how often it can change) or buy a very small VPS for a few bucks and use it as VPN.

    Also, doesn't Spigot disallow non-BungeeCord joining users anyway? (when it's enabled, obviously)
     
    It does... but you can set up your own BungeeCord listener on your computer and then you can join.
     
  10. PhanaticD

    Patron

    If you use key auth, what's the point of doing that other than inconveniencing yourself?
     
  11. Fail2ban, but make sure you follow guides online (DigitalOcean has great guides), and it'll get you started on turning on all available jails.

    Lynis is great for auditing security.

    SSH should be handled with public keys. For Fail2Ban, I'd recommend whitelisting a block of IPs that your ISP should assign you, given you change your IP (or your ISP does it for you).
     
    Good practice here would also be to remember to make new MySQL users/databases on a per-server / global-plugin basis. So if somehow database login information is compromised on server1, it won't give access to databases used on your other servers.

    So something like:
    Hub-server - DB: database1, User: user1, Password: somepass1
    Server1 - DB: database2, User: user2, Password: somepass2
    Server2 - DB: database3, User: user3, Password: somepass3

    Make separate databases for plugins like LiteBans if it needs to be connected across your network or is accessed from the web, so again if your website is compromised it won't give access to anything else in your databases on the network.

    Just remember not to overdo it as every database/user will require its own connection to the database when running (but that's another talk about tuning performance) ;-)

    And consider setting up a host checker like BungeeHostLimiter* where you give key staff a separate personal hostname (subdomain) to connect via. Will disable most chances of anyone getting on your network with a hacked/cracked staff account as they will not only need the account info or Minecraft/Mojang authorized token but also know the exact subdomain to connect to your network via. ;-)

    -* https://www.spigotmc.org/resources/bungeehostlimiter.13036/

    //Don
     
  13. Just used your guide to switch from Debian to Ubuntu Server. Very helpful.

    I've had some trouble installing SSH keys. Could you point me in the direction of a guide that you recommend?

    As for Fail2Ban. I'm going to re-install that onto my Ubuntu Server soon.
     
    Thanks for the help. I'll need to practice with MySQL. For some reason I couldn't get CoreProtect to connect to the database I made for it. I've reinstalled my VPS now; I'm going to go on a tutorial binge before I try anything.

    I will definitely look into BungeeHostLimiter.
     
    So I should, as a start, block all ports and only allow 25565 (Minecraft) and 22 (SFTP)? (I'm not running a webserver.)

    Thanks for the reply!
     
  16. Fail2ban, whitelisting, and port changing are all unnecessary. Use SSH keys.
     
    • Agree x 1
    • Optimistic x 1
  17. While port changing and whitelisting is security through obscurity, Fail2Ban is legitimately useful for mitigating brute-force attacks on a server (including Apache brute-force attacks), so I'd really recommend people to have Fail2Ban.
     
    • Agree x 1
  18. And SSH Keys have some disadvantages.
    So... if I want to log in to my server from a different computer (because I need to), then I can't, because I'm missing the key file.
     
  19. electronicboy

    IRC Staff

    Nothing really viable to brute force if you don't have passwords enabled...

    Fail2ban is nice, but it should not be something that you actually rely on, and it in itself can cause issues when you accidentally lock yourself out somehow, it's a nice tool to have at the side, but unless you're willing to configure it and adjust any filters as needed (hint: most people are not, so it's effectively false security to most people who can hardly maintain their servers in the first place... most people even just install it without even enabling the ssh rule....)

    Cheap ass VPS to stand as an SSH proxy or something that you can just spin up and down as needed; in all instances you're relying on the fact that the machine in question hasn't been infected with malware/viruses or any form of keylogger (hint: in most sane parts of the world, schools have systems that will quite practically log everything you type, and generally have very little premise for security on student machines (the machines are there for working, not for personal usage)).

    The moment you enter your password/user details on a machine that isn't yours, you are putting 100% confidence in the admins of the machine to ensure that it's not running something malicious, and that you can actually trust them to not leak anything if they are running something themselves...

    Or, create a second key, throw it on an encrypted drive if you can, or any bog standard drive or any form of secure file service, and then you can get your key whenever. Just make sure you're using a second key that you can easily pull from machines if it's needed.

    IP whitelisting is a touchy subject in terms of security, yes; it's an ideal setup, but unless you're paying for a static IP address, this is how you end up in shit creek when your IP changes for some reason. You should only /ever/ enable an IP whitelist if you are sure that you have a viable way of accessing the machine should your IP change (e.g. recovery console over IPMI, or anything that a host provides such as a faux KVM), or if you actually have a fixed IP address that cannot change (I'd still be wary of this on domestic providers; all it takes is for something stupid to happen with them and you're potentially screwed).

    BungeeCord's "security" isn't actually security; there is no authentication between Bungee and the server, and so it's essential that you use some form of firewall to restrict access to the servers. All BungeeCord says is "you must send me this additional info, or I'll disallow the connection".

    Depends on your exact setup as to the cause, but a user such as 'core'@'%' would allow access for all external connections (so long as you've configured mysqld to actually listen on the external network), but would not allow connections over localhost, which uses a socket connection; for that you must specifically create a user 'core'@'localhost'.
    A hint is that the error message will generally give you a massive clue as to what area your issue is in; connection or authentication issues are generally the major causes of MySQL issues on this forum.
     
    • Winner x 1
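Posts #12 and #19 together describe the MySQL side: one database and one user per backend (post #12), with each user bound to the host it actually connects from rather than '%' (post #19's localhost-versus-socket point). Below is an added POSIX sh provisioning script, not code from the thread, that emits the corresponding CREATE USER and GRANT statements for a list of servers; the database names, users, hosts and passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): one database plus one least-privilege
# MySQL user per backend server, each user bound to the host it connects from.
# Names, hosts and passwords used here are constructed placeholders.

# grant_sql DB USER HOST PASSWORD
#   Emits SQL creating DB and a USER that can reach only DB and only from HOST.
#   HOST 'localhost' matches the Unix-socket connection a plugin on the same
#   box uses; a backend on another machine needs its own IP here, not '%'.
grant_sql() {
    db=$1; user=$2; host=$3; pass=$4
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX ON \`$db\`.* TO '$user'@'$host';
EOF
}

# provision_all: reads "db user host password" lines from stdin, one per
# server, and emits the full script; pipe the result into `mysql -u root -p`
# to apply it.
provision_all() {
    while read -r db user host pass; do
        [ -n "$db" ] && grant_sql "$db" "$user" "$host" "$pass"
    done
    echo "FLUSH PRIVILEGES;"
}

# Constructed layout following post #12: hub and two backends on the same host
# as MySQL, plus a network-wide bans database reached from a second machine.
provision_all <<'LIST'
hub_db   hub_user   localhost      somepass1
server1  s1_user    localhost      somepass2
server2  s2_user    localhost      somepass3
litebans lb_user    198.51.100.7   somepass4
LIST
```

A compromised s1_user credential then exposes only server1's tables, which is the isolation post #12 is after.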
  20. I've heard that in countries such as USA, the IP addresses of someone's home can change pretty regularly. However, here in The Netherlands, I've had the same IP address for over 5 years. I'm not too worried about it switching, but I have already thought about what happens if it does: I'll simply get a small ass VPS and use it as VPN. That IP should never change, right? (OVH). Even if everything works against me and all my IP addresses would change for some reason and I locked myself out; a simple reboot will do.

    With almost all control panels (at least mine), you can reboot the server. This will by default flush iptables and allow me to SSH. I do still have Fail2Ban as a backup so people can't bruteforce it. I have a fairly small number of servers at the moment, and the firewall configuration is backed up in a file, so in case of a complete lockdown it's not too much work at the moment to get myself back in.

    Question though: Would you use IPTables to whitelist SSH inside of a VRACK / VLAN, or is that simply overkill?