Security discussion - How do you protect your server?

Discussion in 'Systems Administration' started by we67iop, Mar 29, 2017.

  1. Foxvific

    Supporter

    • Fail2Ban
    • Remote root login disabled
    • SSH keys with passwords disabled
    • Different port
    I have a two-factor auth plugin for SSH as well, and if I'm being lenient with the setup I'd usually white list my home IP. This is the security I place on nearly all of my machines, never hurts to be safe.
     
  2. electronicboy

    IRC Staff

    Well, I have noticed that some ISPs are pretty good with persisting IP addresses, however these are generally on a standard lease, if the address wasn't used for x amount of time, there is always the chance it would be thrown back into the pool for some reason, for some people the chance of that happening is high, my favorite ISP over here, you could keep your IP so long as you kept on top of the bill, the ISP my family switched to at one point, your IP would change whenever the router crashed itself... (which, was more often than not a daily occurrence...)

    Well, I always suggest that if you're going to use something like iptables, you should sure as heck install something to make them persistent, that way should your machine have to reboot because of your host doing maintenance, your machine isn't left unprotected because you forget to resetup the rules... even if updating the persisted rules is manual, it's better to have something than nothing...

    The IP of a VPS or any rented service shouldn't change, so long as you're using a service that doesn't do weird stuff with IP addresses, e.g. services like google use private IP addresses which are then 1:1'd (or practically port-forwarded depending on how their firewall works), OVH don't do that, but it's weary to be aware that services that don't guarantee that you have a real persistent IP between runtimes of the machines are in existence.

    but, the major concern is that you never know if and when your IP address could potentially change, especially when v6 takes off properly and v4 sorta falls into the bed of practical death (well, if that ever happens....), you're not guaranteed a static IP address, that's just a benefit of your ISPs setup meaning that you practically have one, so it's more a case of risk assessment in some cases, it does always make sense to have some form of backup, however; as I've suggested, a cheap crappy VPS from a reputable seller.

    for the regards of vlans, it's generally safe to say that if somebody can plug themselves into your network, they can do whatever the heck they want within the grounds of your setup. e.g: arp spoofing means that I can get a machine to hijack one of the IP addresses on your vlan if you don't have some form of setup to stop that, it's generally safe to say that if your network is vulnerable, so is any IP whitelisting you have on there

    Also, depending on what type of server you have, the reboot button is actually forceful and can cause more harm than good, nothing like a nice set of freshly corrupted mysql tables....
     
    • Winner Winner x 1
  3. It would take more energy than exists in the observable universe to brute force an SSH key.
     
    • Agree Agree x 1
    • Optimistic Optimistic x 1