running a home server , what security measures should i take
well after running smoothly a few weeks, someone has been poking around, seen it in my error.log
and now someone has established a connection, as I speak, for too long to me
tcp 0 0 10.0.0.9:1580 66.35.251.22:9000 ESTABLISHED
i'm not paranoid, but want to make sure "evil" folks don't compromise the PCs of people who (I ask to) come on my site, through getting their MAC address and such
I have a DHCP server
i'm busy with iptables and installed nmap, noticed arpwatch
so i'm reading,
but what i want is some advice for a newcomer (who's proudly running a simple webserver)
i just want to say that from the last 3/4 threads/questions i posted, i only got an answer that wasn't needed,
i asked about starting a server, not even a hint, after a week i was going to give up, i woke up and on the 8th day did it all myself,
cause actually nothing is too difficult,
read and do and learn is my method
my question is, should i keep on posting or should i just read threads on the internet and be done
i know that one not always gets an answer, but i was wondering, cause lately it feels like, whatever
This is probably how i experience it and has nothing to do with others,
maybe my questions aren't clear or so
any mod can remove this post,
just a little disappointed
i shouldn't have started this thread, i guess, i'm better off reading the threads anyway
I'm sorry to see you're disappointed. Most of the time it has nothing to do with *you*. LQ is a volunteer-driven community effort relying on its members to supply answers when they can and want to. You can't and shouldn't rely on it for 24/7 OTF replies. I'll check in later today since I gotta run right now.
Well, here is a start that might be helpful. Port 9000 looks like it is related to something called CSlistener. The only thing I could find out about it is that it might have to do with Websphere - but not really any good info out there at first glance. The IP (66.35.251.22) is owned by a company called SAVVIS, INC. (http://whois.sc will tell you that type of info)
As for Firewalls, if you are new to Linux/Networking and use a GUI for your server - Firestarter might be a good option for you. Also might want to read over the thread that is sticky'd in this section about Failed SSH attempts.
And when it comes to security Paranoia is your friend.
Use firestarter or Guarddog to manage your firewall. These GUI helper apps will make it easier for you to configure your firewall securely if you are unfamiliar with iptables.
fail2ban - a program that monitors your services (SSH, FTP, etc..) for failed login attempts, and then modifies firewall rules on the fly to block login attempts from malicious users.
not sure how far you want to go with this, so that's a few suggestions for you to look at.
You can cut-out an awful lot of things just with a firewall router, immediately downstream from your cable or DSL box. Yep, the "stateful firewalls" that they provide out-of-the-box are usually quite good.
Beyond that, you need to carefully consider ... exactly what programs you intend to run on your box; exactly what ports will be used and for what purpose; and by what means an outsider might somehow be able to obtain a shell session or its equivalent on your box, however briefly.
If you take simple precautions and "simply plan," you can stop most intruders long enough to make them simply wander on in search of "easier pickings." When there are millions upon millions of systems out there that are utterly unprotected, they play the numbers.
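The planning step above (decide exactly which ports serve a purpose, deny everything else) written out as a small iptables script. This is an added example, not code from the thread or from any poster; it assumes a box that exposes only web and ssh (ftp or mail ports get added to ALLOW_TCP only once those services actually run), and it prints the rules instead of applying them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: default-deny, stateful INPUT ruleset for a small home server.
# Assumptions (not from the thread): services are exactly web (80) and ssh (22);
# add 21 (ftp) or 25 (mail) to ALLOW_TCP only when those daemons exist.
ALLOW_TCP="${ALLOW_TCP:-22 80}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the rules, 0 = really call iptables

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_ruleset() {
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT                                   # local traffic
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # replies to our own connections
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    for p in $ALLOW_TCP; do                                        # one rule per planned service port
        ipt -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # rate-limited log of everything else so probes show up in syslog, not silently vanish
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    # policies last, so an existing ssh session is never cut off while rules are being built
    ipt -P FORWARD DROP
    ipt -P INPUT DROP
}

apply_ruleset
```

Run it once with the default DRY_RUN=1 and read the printed rules before running with DRY_RUN=0 as root.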
Thnx guys, i had a look into iptables, cheops, Rootkit Hunter and played with the "permissions" (chmod) of certain directories like logs etc., just to start somewhere
Right now it's a basic webserver, but i'm thinking of ftp, mail and others
was thinking of the GUI firestarter, see if I can apt-get that, but i'm a little familiar with linux OSes, i was thinking of writing a script or so, there are many, also on this forum.
Well, about security, i've been getting stuff like this in my error.log
127.0.0.1 - [17/Oct/2007 05:17:41 -0400] [error 404] Not Found /favicon.ico
127.0.0.1 - [18/Oct/2007 17:24:42 -0400] [error 404] Not Found /images/public/cc-GPL-a.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/tbt-wheel.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/impakt.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/jetsetwilly.png
127.0.0.1 = localhost
i never tried finding these things on my server, what's up with this,
busy securing the server, hopefully i'm not too late,
Getting 403's and 404's is pretty normal, and nothing to be worried about. Getting traffic from localhost is a valid concern, if and only if you are neither browsing from the webserver itself nor browsing via an ssh proxy. If you're browsing your own site from localhost, those 404's are broken links on pages.
Getting spurious requests for things that don't exist is pretty normal background noise, and nothing to panic about.
What you need to be more concerned about is vulnerable webapps (eg: old exposed versions of awstats, old versions of phpbb), exploitable versions of listening services (eg: misconfigured samba, very old apache versions, very old php versions), and weak user passwords on your sshd.
/favicon.ico: this is the icon for your site that will show up in the URL bar of the browser, or next to the bookmark for the site, IF you have created this icon and placed it on the web server. So it is definitely normal for it to be missing if you have not created one.
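The rule of thumb in the replies above (404s from localhost are your own browsing, 404s from outside are background noise unless one client is hammering missing paths) as a small triage over the error.log format the poster showed. This is an added example, not from the thread; the log lines are constructed here, and 198.51.100.7 / 203.0.113.9 are documentation addresses, not real visitors.

```shell
#!/bin/sh
# Added example: count 404s per non-loopback client in the poster's error.log format.
# SAMPLE is constructed; the first two lines copy the format seen in the thread.
SAMPLE='127.0.0.1 - [17/Oct/2007 05:17:41 -0400] [error 404] Not Found /favicon.ico
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/tbt-wheel.png
198.51.100.7 - [19/Oct/2007 02:01:10 -0400] [error 404] Not Found /admin/login.php
198.51.100.7 - [19/Oct/2007 02:01:11 -0400] [error 404] Not Found /phpbb/
198.51.100.7 - [19/Oct/2007 02:01:12 -0400] [error 404] Not Found /backup.zip
203.0.113.9 - [19/Oct/2007 02:05:00 -0400] [error 403] Forbidden /logs/'

# Reads log lines on stdin, prints "client count" for every non-loopback client
# with at least $1 (default 1) 404s, busiest client first. 403s and other
# statuses are ignored; loopback is skipped because that is the admin's own browsing.
triage_404s() {
    min="${1:-1}"
    awk -v min="$min" '
        $1 == "127.0.0.1" || $1 == "::1" { next }
        index($0, "[error 404]") > 0       { hits[$1]++ }
        END { for (c in hits) if (hits[c] >= min) print c, hits[c] }
    ' | sort -k2,2nr
}

# typical use on the real file:  triage_404s 5 < /var/log/apache2/error.log
printf '%s\n' "$SAMPLE" | triage_404s 2
```

A client that shows up here with dozens of misses in a minute is a scanner walking a wordlist; that is the address worth feeding to the firewall or to fail2ban, not the localhost entries.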
Is Bastille front-end based or what
I just had a fresh debian etch 4.01 install, followed the howto "setup perfect debian etch" document
webserver (apache), ftp, ssh, msql is what i have set up
I have no GUI and am not thinking of adding one
this is a new area for me so my questions can sound silly
but apache works, i'll have to see whether i can set up a static ip, web redirect to url, and i'm trying first if i have any more Q? i checked with IP address, I'll post in the server forum
i'm proceeding in this thread with these Q, if I should start another pls let me know
i'm trying to install rkhunter on my (GUI-less) server,
i'm having problems using the ./installer.sh to install the program, and isn't that for systems with a GUI, i think i read something like that, i never installed using that,
second question: need advice on options for installing samhain, is the default ok? i'm a noob so that's why the question, i'll read, but in the meanwhile some clarity (advice) will do