
Thread: Best practice with new clean DA server

  1. #1
    Join Date
    Jan 2009
    Posts
    11

    Best practice with new clean DA server

    Hi,

    For 2 weeks we have had a new server running CentOS and DA, but last week we immediately fell victim to the RoundCube exploit. Since nothing was running on the server yet, I've asked them for a fresh install, and they will deliver in the next few days. Which brings me to my question... when the fresh install is done, what is the best practice to secure our new server, and to make sure it is up to date?

    Of course updating RoundCube through custombuild, but are there any other things I should update, or worry about?

    Let me make a list of things I'll do

    - Block SSH access except for own IPs
    Last edited by bigEsmurf; 01-20-2009 at 05:37 AM.

  2. #2
    Join Date
    Mar 2005
    Posts
    5,270
    There will probably be lots of advice about specific things to do. But remember security is an ongoing process. Roundcube, for example, was not a security threat 2 months ago. So 2 months ago nobody would have told you to upgrade Roundcube. It's up to you to continually monitor security alerts.

    There are also different levels of security. Some here will be very strict and others not so strict. You have to determine what is best for you. For instance, some will say to not allow root login through ssh. That is a good practice but it's not convenient. I don't want to sacrifice my convenience, so I block all ssh access except for my IP. That way I can log in directly as root but not fear that somebody else is going to be able to brute force a root login.

    You need to listen to all the advice here and then determine what is best for you. And again, it's not like you can do these things and then you are done.
    Floyd Morrissette Little Creek Solutions
    Web Hosting Solutions. XEN Virtual Private Servers, VMWare .....
    DirectAdmin Administration and Support
    Our focus is on quality customer support

  3. #3
    Join Date
    Jan 2009
    Posts
    11
    Thanks for the ssh tip, that's definitely a good idea. I understand that I constantly need to monitor security alerts. Does DirectAdmin.com have a specific page for that?

  4. #4
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Install a firewall. You didn't say what OS you're using, so it's impossible to be specific about that.

    Update all software managed by the OS management system often. We run yum update every night; your mileage may vary. Then set custombuild to warn you when new packages are available, and update according to either a schedule, or based on the reasons why new packages are available.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  5. #5
    Join Date
    Mar 2005
    Posts
    5,270
    Since bigEsmurf wanted to know about security and a firewall has been brought up, I have a question that may interest bigEsmurf as well, so I will ask it here.

    With a firewall you can deny access to certain ports (IP addresses as well, but you usually don't do that unless you are being attacked). But if no software is listening on those ports, what is the benefit of blocking ports that are not listening anyway?

    So how would you configure a firewall?
    Floyd Morrissette Little Creek Solutions

  6. #6
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    One reason would be to keep people who can login to your server (intentionally or otherwise) from using those ports.

    You can also use a firewall to drop traffic; that looks very different to an attacker than a closed port.

    Jeff

  7. #7
    Join Date
    Mar 2005
    Posts
    5,270
    Originally posted by jlasman:
    > One reason would be to keep people who can login to your server (intentionally or otherwise) from using those ports.
    Like one of the many php script exploits out there that can allow people to upload their own script running as apache. They could set up something to listen on a port that you would otherwise not be using.
    Floyd Morrissette Little Creek Solutions

  8. #8
    Join Date
    Jan 2009
    Posts
    11
    Thanx jlasman

    Our new server is running CentOS 5... is it easy to install a firewall under CentOS 5?

  9. #9
    Join Date
    Mar 2005
    Posts
    5,270
    A firewall is already installed by default. It's called iptables. It's very effective.

    I have found Webmin good to manage iptables.
    Floyd Morrissette Little Creek Solutions

  10. #10
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Note that inexperienced systems administrators should be very careful when using Webmin; it's extremely easy to completely break your server since Webmin will allow you to make changes inconsistent with what DirectAdmin needs.

    Two easy-to-use firewalls for CentOS and all other Linux distributions are KISS and APF; you can find them both discussed in these forums.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103
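
The firewall approach discussed across this thread (SSH reachable only from your own IPs, everything not explicitly offered dropped rather than left closed), written out as an added example that is not from any of the posters. The admin address, the public port list and the function name `gen_rules` are assumptions for illustration; 2222 is DirectAdmin's default panel port.

```sh
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a default-drop host firewall.
# Assumptions: admin address 203.0.113.10 (constructed), the public port list,
# and the function name gen_rules. 2222 is DirectAdmin's default panel port.

gen_rules() {
    admin_ips="${1:-203.0.113.10}"
    public_tcp="${2:-21 25 53 80 110 143 443 2222}"

    echo "*filter"
    # DROP policy: probes to unused ports get no reply at all, unlike the
    # TCP RST a merely closed port sends back. It also makes any listener a
    # compromised script opens on an unlisted port unreachable from outside.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # SSH only from the administrator's own addresses.
    for ip in $admin_ips; do
        case "$ip" in
            *[!0-9./]*) echo "invalid address: $ip" >&2; return 1 ;;
        esac
        echo "-A INPUT -p tcp -s $ip --dport 22 -m state --state NEW -j ACCEPT"
    done

    # Services the server is meant to offer to everyone.
    for port in $public_tcp; do
        case "$port" in
            *[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "-A INPUT -p udp --dport 53 -j ACCEPT"   # DNS queries, if named runs here
    echo "COMMIT"
}

# Usage: sh firewall.sh print > rules.v4, review, then iptables-restore < rules.v4
if [ "${1:-}" = "print" ]; then
    gen_rules "${2:-}" "${3:-}"
fi
```

Load the rules from a console session or with a second SSH session already open, since a mistyped admin address locks SSH out. The ruleset filters inbound traffic only and does not open a passive FTP port range.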
