LinuxQuestions.org - Linux - Security
running a home server, what security measures should I take (https://www.linuxquestions.org/questions/linux-security-4/running-a-home-server-what-security-measures-should-i-take-592068/)

firedancer 10-15-2007 06:02 PM

running a home server, what security measures should I take

Well, after running smoothly for a few weeks, someone has been poking around; I've seen it in my error.log.

And now someone has established a connection, as I speak, for too long to my liking:

tcp 0 0 10.0.0.9:1580 66.35.251.22:9000 ESTABLISHED

I'm not paranoid, but I want to make sure "evil" folks don't compromise the PCs of people who (I ask to) come to my site, through getting their MAC address and such.
I have a DHCP server.

I'm busy with iptables and installed nmap, and noticed arpwatch,

so I'm reading,

but what I want is some advice for a newcomer (who's proudly running a simple webserver).

firedancer 10-16-2007 07:03 AM

NO love, right?

I just want to say that from the last 3/4 threads/questions I posted, I only got an answer that wasn't needed.

I asked about starting a server, not even a hint. After a week I was going to give up; I woke up on the 8th day and did it all myself,
because actually nothing is too difficult:
read and do and learn is my method.

My question is, should I keep on posting, or should I just read threads on the internet and be done?

I know that one doesn't always get an answer, but I was wondering, because lately it feels like, whatever.

This is probably how I experience it and has nothing to do with others;
maybe my questions aren't clear or so.

Any mod can remove this post,
just a little disappointed.

I shouldn't have started this thread, I guess; I'm better off reading the threads anyway.

unSpawn 10-16-2007 08:17 AM

I'm sorry to see you're disappointed. Most of the time it has nothing to do with *you*. LQ is a volunteer-driven community effort relying on its members to supply answers when they can and want to. You can't nor shouldn't rely on it for 24/7 OTF replies. I'll check in later today since I gotta run right now.

firedancer 10-16-2007 09:26 AM

That already made me feel a little better, unSpawn.

> LQ is a volunteer-driven community effort relying on its members to supply answers when they can and want to.

I know.

> You can't nor shouldn't rely on it for 24/7 OTF replies. I'll check in later today since I gotta run right now.

I understand; that's why I said it's just me, today!

And there's a lot of reading material, so I shouldn't be disappointed :)

:( ----> :)

Thanks for the reaction.

firedancer

dguitar 10-16-2007 09:44 AM

Well, here is a start that might be helpful. Port 9000 looks like it is related to something called CSlistener. The only thing I could find out about it is that it might have to do with WebSphere, but not really any good info out there at first glance. The IP (66.35.251.22) is owned by a company called SAVVIS, INC. (http://whois.sc will tell you that type of info.)

As for Firewalls, if you are new to Linux/Networking and use a GUI for your server - Firestarter might be a good option for you. Also might want to read over the thread that is sticky'd in this section about Failed SSH attempts.

And when it comes to security Paranoia is your friend. :)

Hope that helps

farslayer 10-16-2007 10:12 AM

What services are running on your server? Is it strictly a webserver? FTP? SSH?

You could look at a solution to monitor file integrity on your server. These products will monitor your files for changes, and if they are changed it can put back the originals and notify you of the attempted change:
http://sourceforge.net/projects/tripwire/
http://www.la-samhna.de/samhain/
http://osiris.shmoo.com/

Use Firestarter or Guarddog to manage your firewall. These GUI helper apps will make it easier for you to configure your firewall securely if you are unfamiliar with iptables.

fail2ban - a program that monitors your services (SSH, FTP, etc.) for failed login attempts, and then modifies firewall rules on the fly to block login attempts from malicious users.

Not sure how far you want to go with this, so that's a few suggestions for you to look at.

jweller 10-17-2007 07:57 AM

This PDF has a pretty good checklist of things to run through and lock down. It's by no means complete, but it's a pretty good start IMHO.

http://www.sans.org/score/checklists...9dd1a7bb22618c

farslayer 10-17-2007 08:14 AM

Quote:

Originally Posted by jweller (Post 2927289)
This PDF has a pretty good checklist of things to run through and lock down. It's by no means complete, but it's a pretty good start IMHO.

http://www.sans.org/score/checklists...9dd1a7bb22618c

Good call. I always forget about those guides when someone asks a question like this..

sundialsvcs 10-17-2007 08:26 PM

You can cut out an awful lot of things just with a firewall router, immediately downstream from your cable or DSL box. Yep, the "stateful firewalls" that they provide out-of-the-box are usually quite good.

Beyond that, you need to carefully consider ... exactly what programs you intend to run on your box; exactly what ports will be used and for what purpose; and by what means an outsider might somehow be able to obtain a shell session or its equivalent on your box, however briefly.

If you take simple precautions and "simply plan," you can stop most intruders long enough to make them simply wander on in search of "easier pickings." When there are millions upon millions of systems out there that are utterly unprotected, they play the numbers.

firedancer 10-17-2007 09:35 PM

Thanks guys, I had a look into iptables, cheops, Rootkit Hunter and played with the "permissions" (chmod) of certain directories like logs etc., just to start somewhere.

Right now it's a basic webserver, but I'm thinking of FTP, mail and other things.

I was thinking of the GUI Firestarter, to see if I can apt-get that, but since I'm a little familiar with Linux OS's, I was thinking of writing a script or so; there are many, also on this forum.

Well, about security, I've been getting stuff like this in my error.log:

123.4.125.169 - [17/Oct/2007 08:56:31 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
123.4.125.169 - [17/Oct/2007 08:56:32 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
200.12.212.117 - [17/Oct/2007 18:23:35 -0400] [error 403] Forbidden http://localg4.techiemedia.net/env2.php

and that is not a good sign; that's the reason for my concern too, I just noticed it in the log.

I will check other measures like fail2ban or so.

And many thanks to you; you (guys) cleared up many of my doubts,

firedancer

firedancer 10-19-2007 12:56 PM

Doesn't this look bad? I'm 127.0.0.1:

127.0.0.1 - [17/Oct/2007 05:17:41 -0400] [error 404] Not Found /favicon.ico
127.0.0.1 - [18/Oct/2007 17:24:42 -0400] [error 404] Not Found /images/public/cc-GPL-a.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/tbt-wheel.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/impakt.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/jetsetwilly.png

127.0.0.1 = localhost

I never tried finding these things on my server; what's up with this?

Busy securing the server, hopefully I'm not too late.

Just reinstall then on the a$$!@LE THEN :)

complich8 10-19-2007 01:17 PM

Getting 403's and 404's is pretty normal, and nothing to be worried about. Getting traffic from localhost is a valid concern if and only if you are neither browsing from the webserver itself nor browsing via an ssh proxy. If you're browsing your own site from localhost, those 404's are broken links on pages.

Getting spurious requests for things that don't exist is pretty normal background noise, and nothing to panic about.

What you need to be more concerned about is vulnerable webapps (e.g. old exposed versions of awstats, old versions of phpbb), exploitable versions of listening services (e.g. misconfigured samba, very old apache versions, very old php versions), and weak user passwords on your sshd.
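A small triage script for the error.log excerpts quoted earlier in the thread, following complich8's rule of thumb: it separates requests for absolute third-party URLs (the server being tested as an open proxy, the 403 lines) from loopback traffic and ordinary 404 noise, and counts the probing source IPs. This is an added example, not code from the thread; the line format is assumed from the quoted excerpts, and the sample log is constructed from them.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Assumed log format, taken from the lines quoted in the thread:
# <client ip> - [<timestamp>] [error <code>] <message> <target>
LINE_RE = re.compile(
    r"^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] \[error (?P<code>\d{3})\] "
    r"(?P<msg>.+?) (?P<target>\S+)$"
)

# Constructed sample, copied from the thread's two error.log excerpts
SAMPLE_LOG = """\
123.4.125.169 - [17/Oct/2007 08:56:31 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
123.4.125.169 - [17/Oct/2007 08:56:32 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
200.12.212.117 - [17/Oct/2007 18:23:35 -0400] [error 403] Forbidden http://localg4.techiemedia.net/env2.php
127.0.0.1 - [17/Oct/2007 05:17:41 -0400] [error 404] Not Found /favicon.ico
127.0.0.1 - [18/Oct/2007 17:24:42 -0400] [error 404] Not Found /images/public/cc-GPL-a.png
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Bucket one parsed entry the way complich8's reply suggests."""
    if entry["target"].startswith(("http://", "https://")):
        # A full URL for another host: the client asked this server to relay
        # the request, i.e. it is checking whether the box is an open proxy.
        return "proxy_probe"
    if ip_address(entry["ip"]).is_loopback:
        # Only worrying if nobody browses from the server itself
        return "local_browsing"
    if entry["code"] == "404":
        return "background_404"
    return "other"


def triage(log_text):
    """Count entries per bucket and probing requests per source IP."""
    buckets, probes_by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            buckets["unparsed"] += 1
            continue
        kind = classify(entry)
        buckets[kind] += 1
        if kind == "proxy_probe":
            probes_by_ip[entry["ip"]] += 1
    return buckets, probes_by_ip
```

Running `triage` on the sample puts all three 403 lines in `proxy_probe` (two from 123.4.125.169) and both loopback 404s in `local_browsing`; the per-IP counter is the list worth feeding to a fail2ban-style rule.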

farslayer 10-19-2007 01:32 PM

/favicon.ico: this is the icon for your site that will show up in the URL bar of the browser, or next to the bookmark for the site, IF you have created this icon and placed it on the web server. So it is definitely normal for it to be missing if you have not created one.

firedancer 10-24-2007 10:39 AM

Is Bastille front-end based, or what?
I just had a fresh Debian Etch 4.01 install and followed the "perfect Debian Etch setup" howto document.
Webserver (apache), ftp, ssh, msql is what I have set up.
I have no GUI and am not thinking of adding one.
This is a new area for me, so my questions can sound silly.

But apache works. I'll have to see whether I can set up a static IP and a web redirect to a URL, and I'm trying that first. If I have any more Qs (I checked with the IP address), I'll post in the server forum.

Linux is not McDonald's, but "I'm Loving IT" :)

firedancer 10-24-2007 02:19 PM

I'm proceeding in this thread with these Qs; if I should start another, please let me know.

I'm trying to install rkhunter on my (GUI-less) server.
I'm having problems using the ./installer.sh to install the program, and isn't that for systems with a GUI? I think I read something like that; I never installed using that.

Second question: I need advice on options for installing samhain. Is the default OK? I'm a noob, so that's why the question. I'll read, but in the meanwhile some clarity (advice) will do.

Thanks in advance,

firedancer
