
Ask Slashdot: Security Digests For the Home Network Admin?

timothy posted more than 2 years ago | from the next-week-we-cure-all-known-diseases dept.

Security 123

New submitter halcyon1234 writes "I'm currently cutting the webhost cord, and setting up a simple webserver at home to host a couple hobby websites and a blog. The usual LAMP stuff. I have just enough knowledge to be dangerous; I know how to get everything set up and get it up to date, but not enough to be sure I'm not overlooking common, simple security configurations. And then there's the issue of new vulnerabilities being found that I'm not even aware of. The last thing I want is to contribute to someone's botnet or spam relay. What readings/subscriptions would you recommend for security discussions/heads up? Obviously I already read (too much) Slashdot daily, which I credit for hearing about some major security issues. Are there any RSS feeds or mailing lists you rely on for keeping up to date on security issues?"


123 comments


Reliability testing... (4, Insightful)

Idbar (1034346) | more than 2 years ago | (#40340421)

When you're done with your setup. Post a story on Slashdot linking to your website, that's a fairly good stress test.

Bonus points if you add something like "My awesomely new bulletproof website!". That should kick off the reliability test engines from /.

Re:Reliability testing... (1)

gallondr00nk (868673) | more than 2 years ago | (#40340481)

When you're done with your setup. Post a story on Slashdot linking to your website, that's a fairly good stress test.

Not so much these days. Seeing a site get Slashdotted has been quite a rare thing recently.

Re:Reliability testing... (0)

Anonymous Coward | more than 2 years ago | (#40340591)

Uhm.... yeah. What were you saying? Just had a looong outage from Slashdot. Seems like you brought the pest! :P

Re:Reliability testing... (3, Insightful)

achlorophyl (2205676) | more than 2 years ago | (#40340601)

if you wanna read about security, read Security Warrior. Hacking Exposed is good. Unix and Linux System Administration covers a lot. Masterminds of Programming has language guys talking about security.

Re:Reliability testing... (2)

datavirtue (1104259) | more than 2 years ago | (#40341913)

Dude...get ready for a full-time job. I hope you have a decent firewall just to start. It will cost you thousands of percent more money to secure and host your own site, but if you are into it there can be great fun. Get ready to battle Chinese and Russian assholes nonetheless.

Re:Reliability testing... (3, Informative)

DarwinSurvivor (1752106) | more than 2 years ago | (#40342469)

What part of "simple webserver at home to host a couple hobby websites and a blog" did you miss? It doesn't sound like he's planning to run a forum or high-traffic site here.

@halcyon1234 Honestly, all you *really* need to do at the OS security level is get a router and only forward the web and ssh ports then use iptables to block problem-ips. Just make sure you set up keypair login for ssh and DISABLE password login completely. Of course you'll need to secure your website itself, but you hopefully already did that when running on the shared server.

If you tend to get a fair bit of traffic (or attract unruly visitors), put your private lan on a second router that is connected to the one with the server (so the server has no access to the rest of your network). This way if the server DOES get compromised, your network is still safe :)

Re:Reliability testing... (1)

linuxwebadmin (694411) | more than 2 years ago | (#40343441)

+1 on this comment. Don't forget the hosting providers who seem to "look the other way" while their co-located/vps/whatever scans the internet for weeks on end.

try this (5, Informative)

Anonymous Coward | more than 2 years ago | (#40340423)

http://www.securityfocus.com/

Re:try this (1)

spazdor (902907) | more than 2 years ago | (#40340641)

Seconded. This is almost all the security news you'll ever need to stay on top of as a UNIX administrator.

Re:try this (0)

Anonymous Coward | more than 2 years ago | (#40341569)

Agreed. SecurityFocus.Com is good. There's a mailing list too, if you find you can't find the time to check daily.

Well.... (1)

jawtheshark (198669) | more than 2 years ago | (#40340449)

The same sources as those you use when you do this professionally. Not much of a choice there really.

Check your Internet Acceptable Use documents (4, Insightful)

GeneralTurgidson (2464452) | more than 2 years ago | (#40340451)

Most ISPs do NOT allow this kind of stuff. While it might fly under the radar, there is always the possibility they will shut off your access. Besides, with a dynamic IP any change to it will take your website offline until DNS catches up. Hosting is cheap, I don't see why you'd want to cancel it unless it's hurting the bank.

Re:Check your Internet Acceptable Use documents (4, Informative)

vux984 (928602) | more than 2 years ago | (#40340625)

Most ISPs do NOT allow this kind of stuff. While it might fly under the radar, there is always the possibility they will shut off your access.

In my experience, most ISPs really don't care. And if your hobby site/blog goes offline for a couple days... it's not the end of the world.

Also, in my experience with both the large local ISPs as well as 2 smaller ones, dynamic ip... on most broadband is essentially the same as static (*). You'll probably have the same IP address for years at a time (**) and they only change when they replace/upgrade the network and even if you are on static you will be assigned a new address occasionally as well due to network upgrades.

So in practice, dynamic ip addresses changes only slightly more often than static ones, and the only difference is that with static ones they'll usually make an effort to give you a few days notice that you'll be getting a new address before it happens. But you still have the downtime as DNS propagates.

(*) - I'm talking about static ip service on broadband. The static IP you get with a co-located server or T1 tends to be somewhat less likely to change than the static ip you get with a "Business ADSL" package, which still allocates your IP via DHCP, and the only real difference between static and dynamic is, as I said, they make some effort to give you a heads up before they change it on you.

(**) - As an aside, this fact makes tracking users/households by ip address for advertising purposes fairly reliable.

Try again? (2, Informative)

Anonymous Coward | more than 2 years ago | (#40341137)

Most ISPs offer business accounts that you can do whatever you want(to a degree).

Re:Try again? (1)

Larryish (1215510) | more than 2 years ago | (#40341453)

lowendbox.com

lurk for a month, pick the cherries, and you can have 3 or 4 different vps in various countries for anywhere from 2 to 6 dollars per month apiece

Re:Check your Internet Acceptable Use documents (4, Interesting)

LordLucless (582312) | more than 2 years ago | (#40340677)

Most American ISPs. The only Australian ISP I'm aware of who has this in their AUP is Telstra, and nobody who knows how to configure a setup like that would be using Telstra anyway. That's one of the advantages of a metered system - because the ISP gets paid more the more data you use, they have absolutely no motivation to try and limit your ability to move data. Whereas the US ISPs seem to spend more of their time figuring out how to block data-heavy protocols than actually trying to provide a service.

Re:Check your Internet Acceptable Use documents (2)

The Mighty Buzzard (878441) | more than 2 years ago | (#40340817)

It's not really an under the radar thing. That particular language is mostly a leftover from days of lower speed unlimited plans. Even going back to dial-up. Today, none of the major ISPs care if you run a website on a home server as its impact is insignificant compared to seeding one or two popular torrents.

Re:Check your Internet Acceptable Use documents (1)

EdIII (1114411) | more than 2 years ago | (#40340949)

It is highly likely that it is against the TOS.

The dynamic IP is not a problem. Most routers these days have DDNS support and DynDns will allow you to specify amazingly small TTL's. I use it quite a bit for business since it is cheap (~$20/year) and a static IP change (some ISPs are retarded bastards that don't even tell you) does not have me rushing around changing VPN policies everywhere. Not to mention it makes it easier to configure a lot of services, such as security cameras, etc.

The whole reason for the TOS though is that upstream bandwidth, and bandwidth that needs to be paid for due to peering/transit, is expensive to the ISP. Not much more complex of a reason.

So if you really are running a hobbyist website that is using very little bandwidth I sincerely doubt the ISP will even notice or care. They are far more pissed off when you are seeding a 50GB BluRay release to a couple dozen people at once maxing out your bandwidth over a 24 hour period.

Small little webserver hits are a welcome relief to the ISP when you consider that.

Re:Check your Internet Acceptable Use documents (1)

Bengie (1121981) | more than 2 years ago | (#40341703)

My local ISP claims no bandwidth caps and has nothing against P2P while openly flaunting their symmetrical speeds. At the same time, they state that hosting servers of any kind are against the ToS.

Another interesting note is they openly claim that they will not monitor any of your data-streams unless it is pointed out to them that you may be doing something illegal; and only then will they look for just the offending service, assuming it exists.

Because they have no caps, don't care about P2P, and openly claim that they will not monitor your data, I believe they have this clause only so they have a leg to stand on if shit hits the fan.

Re:Check your Internet Acceptable Use documents (1)

chrylis (262281) | more than 2 years ago | (#40341999)

So name your ISP!

Re:Check your Internet Acceptable Use documents (1)

sasquatch989 (2663479) | more than 2 years ago | (#40342347)

Sounds like a honeypot of an ISP

Re:Check your Internet Acceptable Use documents (5, Interesting)

StormReaver (59959) | more than 2 years ago | (#40341129)

Hosting is cheap, I don't see why you'd want to cancel it unless it's hurting the bank.

Simple: control.

I used pghoster for a while, because they provided PostgreSQL hosting. The service was fine until:

1) They switched my hosting from Linux to BSD. That unnecessarily broke all my cron jobs, which I fixed with a fair amount of grumbling about time I didn't have.

2) They made another infrastructure change. That unnecessarily broke all my cron jobs, which I fixed with a fair amount of grumbling about time I didn't have.

3) They made some other change which broke my PHP, which I fixed with a fair amount of grumbling about time I didn't have.

The bottom line was that they did not seek my input about what to change and when to change it. And their business model probably doesn't allow them to do so. After all, they have a lot of different users with a lot of conflicting demands. It's just the nature of shared hosting. I have no bad will towards the service, but the requirements of shared hosting are just incompatible with the requirements I have on my time.

So I bought a cheap block of static IP addresses ($20 extra per month) that put me into the business class of customer; the class with the terms of service explicitly allowing me to run my own servers. I've been doing this for about six years now, and I would hate to ever have to return to shared hosting.

And for those wondering why I didn't use a dynamic DNS service: I did, and they suck, suck, suck. But more importantly, I didn't want to find my Internet access sporadically terminated for violating terms of service.

So yes, there are very good reasons for wanting to avoid the major hassles of shared hosting. For me, shared hosting's lack of control was a deal killer.

Re:Check your Internet Acceptable Use documents (1)

rgbrenner (317308) | more than 2 years ago | (#40342011)

you've used pghoster too? I had an account about 8 years ago. they were unreliable back then.. I see they haven't changed anything.

Re:Check your Internet Acceptable Use documents (1)

rgbrenner (317308) | more than 2 years ago | (#40342193)

and to actually add something to the topic....

I never was able to find a good shared hosting company.. just kept moving from one to another to another. Seems like they all have problems. Eventually you learn that it's a waste of time, and you should just lease a server. Here are my recommendations:

Softlayer - if you want a server to yourself (was there 7 years, can only think of one problem -- when an NTT router failed and blocked authorize.net for about a day)
Rackspace cloud servers - starts @ 12.50/mo
Amazon EC2

Re:Check your Internet Acceptable Use documents (1)

jandersen (462034) | more than 2 years ago | (#40342707)

Simple: control.

Another simple reason: they may not have the facilities you want - like GlassFish3 in my case.

Re:Check your Internet Acceptable Use documents (3, Interesting)

phantomlord (38815) | more than 2 years ago | (#40341131)

My ISP expressly bans servers in their TOS, yet I've been running web/ftp/mail/ssh since my 24/7 connected dialup days at another ISP in the 90s and I've run various other servers for different uses over the years like an IRC server where my friends and I would play networked AD&D games after I wrote some bots for various tools like dice rolling. I have a dynamic IP that changes every 12-24 months with the most frequent changes occurring about 6 years ago when it changed 3 times in one year.

My ISP has never complained and none of it has ever been an issue... and in return, I've gotten a ton of experience, albeit not full blown enterprise level experience, of how to manage and run such services myself, including, for their day, a pretty massive number of incoming hits from freshmeat and slashdot when I mentioned some software I had written a decade ago (sure, the numbers were small compared to what goes on at enterprise servers, but I got to learn about throttling and whatnot to keep my then meager 384kbps uplink usable in such a situation). On top of that, there was learning about how to build/maintain NFS, LDAP, keeping filesystems backed up over the network, syncing my development box with my server with rsync, writing scripts to do things like automatically update my IP if/when it changes or to insert iptable rules for people trying to break into ssh/ftp, etc.

Yeah, I could have just paid for hosting somewhere, but I would have learned a lot less... The hobby sites were mostly for fun but I had just as much fun learning how to handle the administrator side of it all. Chances are, those of us posting at slashdot are kinda nerdy like that and if we don't do it as a profession, we still might want to learn such things as a hobby, at which point, doing it yourself is the best way. I also ran my own pre-LFS self-compiled/configured distro before eventually switching to gentoo to semi-automate it.

Re:Check your Internet Acceptable Use documents (5, Informative)

cayenne8 (626475) | more than 2 years ago | (#40341151)

Most ISPs do NOT allow this kind of stuff.

Do what I do...get a cheap business account with your ISP.

I have had mine with Cox cable business for about a decade now...even moving around different places, they move it for me.

It is only about $70/mo...I get about 10-15 down, and usually about 5-6 up for speed.

I can run whatever servers I want...web, email, you name it, no ports blocked. I also have no data caps.

I even get a low level SLA.....and the few times I've had trouble, I call in..if there is any wait, I just leave my name/number and usually it has never been more than about 6-10 minutes for them to call me back. Once..I found my connection had gone down a bit after midnight. I called, not expecting much...but damned if when we figured it WAS a line problem, they had a truck out there on the pole near my house in about an hour...freaking after 1am!??! The problem was solved that night (early morning).

Frankly, I dunno why most people bother with the consumer level ISP crap...just pay a few more dollars and get a real connection that you can do with as you please.

Re:Check your Internet Acceptable Use documents (2)

green1 (322787) | more than 2 years ago | (#40341743)

Problem is that where I live consumer 15 meg package costs me $40/month. Business 2.5 meg package costs $80 (and that's still a dynamic IP, for static it goes up to $120)
VPS is $15/month for more than I could possibly use, and it doesn't affect my home connection, doesn't eat my electricity, and is more reliable.

For me it was a no brainer.

Re:Check your Internet Acceptable Use documents (1)

datavirtue (1104259) | more than 2 years ago | (#40341959)

Where in the hell do you get a VPS for $15?! I think they put you on a shared plan and called it VPS.

Cheap VPS (3, Informative)

Mawen (317927) | more than 2 years ago | (#40342625)

I've been using a VPS for $3/month from 123systems.net. I haven't done much with it yet, and I don't know how consistent it is, but so far I have no complaints. buyvm.net was another I was looking at that I believe has an even cheaper option ($15/yr!). Like someone else said, check out http://www.lowendbox.com/ to become informed about the options. Of course, you get only a pittance of ram/cpu for these bargain basement prices (and often limited availability -- buyvm sounds like a bit of a lottery), but it is still nice to have full control over a linux system that I can pack it up and deploy it to another linux server with more resources/consistency if/when I need to, while playing around with it for cheap now. It's also nice to have a far away offsite backup in case my city gets EMP'ed / destroyed by aliens / etc.

Also, like someone else mentioned, I have run ssh/www for about 15 years on my home ISP since whenever I got broadband with no complaints from my ISP.

Re:Check your Internet Acceptable Use documents (1)

green1 (322787) | more than 2 years ago | (#40342647)

My old VPS was with vpsville.ca for $19/month, I actually just switched to a buyvm vps for $5/month instead. (and I now get about 5 times as much resources as before too.)

As for a "Shared plan and called it a VPS"... I'm not sure what you mean exactly, but VPS is shared, that's the "virtual" part of it. I have a slice of a box, with specifically dedicated amounts of RAM/CPU/bandwidth.

I previously shoehorned my VPS in to a very small package with vpsville by using some very lightweight server daemons (no apache on that one!) but I'm now on a large enough plan that I can run basically anything I want.

Much cheaper than hosting it myself once I pay for the static IP and electricity, and it's more reliable too. (This also gives me a server located in a different country which can come in handy to VPN through on occasion)

Re:Check your Internet Acceptable Use documents (1)

cayenne8 (626475) | more than 2 years ago | (#40342141)

Wow..where do you live?

What are the provider choices you have there? I forgot to mention I have a static IP for the price I listed too.

What's in your area for cable? DSL?

Re:Check your Internet Acceptable Use documents (1)

green1 (322787) | more than 2 years ago | (#40342635)

That was DSL, cable is less reliable, and their "static" IPs are not very static.

Re:Check your Internet Acceptable Use documents (1)

the eric conspiracy (20178) | more than 2 years ago | (#40341285)

Most is not the same as all. For example Cablevision allows some types of servers including web if you are in a tier above their base service. They even offer help dealing with a dynamic dns service.

Re:Check your Internet Acceptable Use documents (-1)

Anonymous Coward | more than 2 years ago | (#40341455)

I'm sure everyone here knows this.. go preach to people who care..

Re:Check your Internet Acceptable Use documents (1)

LSDelirious (1569065) | more than 2 years ago | (#40341847)

Hosting is cheap, but so is a commercial account on many ISPs. My cox business account is only $20 more (40 vs 60) than residential. Plus, even though the advertised speeds are the same my business account speed is faster, and when I complain about any service disruptions they respond a lot faster since it's affecting my "business". You can certainly get hosting cheaper than $20 a month, but not with 100% control over the host server...

Re:Check your Internet Acceptable Use documents (1)

DarwinSurvivor (1752106) | more than 2 years ago | (#40342753)

Not everyone is lucky enough to have dirt-cheap ISPs like you. Pretty much anyone can rent from any VPS provider though.

Re:Check your Internet Acceptable Use documents (-1)

Anonymous Coward | more than 2 years ago | (#40342361)

You're the kind of unfunny troll that always hates every idea. So what if his ISP doesn't allow him to host a server. Nobody cares, and it isn't relevant. Shut up.

Re:Check your Internet Acceptable Use documents (1)

CAIMLAS (41445) | more than 2 years ago | (#40342445)

Besides, with a dynamic IP any change to it will take your website offline until DNS catches up.

That may be true, but my ISP hasn't changed my home IP in the past 4 years. The only times I've had IP changes is when I've either moved or had a service level/type change, with multiple providers. With mail being able to be down for up to 3 days or so before things start to bounce, it's not really a problem. Generally, if the ISP isn't blocking it, it's considered good to go, despite any ISP documentation. (If you're causing security problems, that's another matter.)

Good starting list (2, Informative)

Anonymous Coward | more than 2 years ago | (#40340453)

You may (or may not) know to do these things:

Only allow SSH pubkey access for maintenance. Turn off remote passwords altogether in sshd_config.
Move SSH to some non-standard port (away from 22). Just makes it harder for outsiders to find the port.
Run something like denyhosts to kick off people trying brute force passwords on your server and to log their activity.
Consider only allowing SSL (port 443) access to the webserver and close down all other ports in iptables.

Just a few things (which may be obvious) to get you started.

Re:Good starting list (2)

Xtifr (1323) | more than 2 years ago | (#40340525)

If you're running a box on your own network inside your own house, why even have public-facing sshd at all? Just limit ssh access to machines on your own network.

Re:Good starting list (4, Informative)

Bitsy Boffin (110334) | more than 2 years ago | (#40340851)

Because there will come a time when you are away from home and will think
"if only I had made SSH accessible I could fix the server right now using my mobile to ssh in, instead of having to go home"

Re:Good starting list (1)

Electricity Likes Me (1098643) | more than 2 years ago | (#40343105)

SSH is also a pretty razor-thin vulnerability anyway. Most of the stories I've heard of getting "hacked" by SSH are nothing more than leaving password login turned on, and a really weak (say, "root" "root") password on a well known user account name.

Turning off password authentication fixes that completely.

Any web service you run is always going to be the far bigger problem.

Re:Good starting list (1)

fa2k (881632) | more than 2 years ago | (#40343277)

Also, specify AllowUsers in the SSH config. Only allow your username to log in.

most distros have a security list (4, Informative)

Xtifr (1323) | more than 2 years ago | (#40340463)

You said LAMP--well, most L distros have a security list you can subscribe to to keep up-to-date on this sort of thing. Also, Linux Weekly News (lwn.net) regularly posts security announcements from most major distros.

Re:most distros have a security list (1)

TheRaven64 (641858) | more than 2 years ago | (#40343221)

Doesn't it do it automatically? With FreeBSD, there is, by default, a daily security report emailed to the root user - you can forward this to another account if you want. This includes things like login failures and installed software with known vulnerabilities (if you have portaudit installed).

Re:most distros have a security list (1)

rgbrenner (317308) | more than 2 years ago | (#40343255)

FreeBSD daily security log does not include OS vulnerabilities discovered. You can though set up:

portaudit - to keep up with application vulnerabilities, and
freebsd-update - to keep up with the OS vulnerabilities

portaudit will run with the daily security log. freebsd-update needs to be added to cron.

you still won't know what freebsd-update is patching, and you won't know about any holes until a patch is released. For the actual security announcements, you have to subscribe to the FreeBSD mailing list.

Re:most distros have a security list (2)

mpol (719243) | more than 2 years ago | (#40343259)

Agreed. And running updates regularly on a supported distro should keep you mostly in the clear.

Another thing, the software you install manually, like your CMS for blogging, you will want to keep that updated as well. You can follow those projects on twitter or facebook, so you'll keep up to date with security fixes.
I think this software is the most common attack vector.

I had a Joomla 2.5.0 install that I forgot to update, and just a week ago someone broke into that and added user accounts to it. And it's just software that's half a year old.

Standard Distro + Virtualmin (0)

Anonymous Coward | more than 2 years ago | (#40340475)

Use a standard distro like Ubuntu or CentOS... install Virtualmin (http://www.virtualmin.com/) on it and keep your packages up to date with yum or aptitude. You can follow security bulletins for your specific distro since you will only be loading things from their repositories. This will be a lot easier than worrying about things compiled from source.

I have the answers! (-1, Flamebait)

For a Free Internet (1594621) | more than 2 years ago | (#40340477)

First, what is security? It is the feeling of being secure in yourpossessions, in your dogs, and in the SOUL. Now is the soul an art, or a horse? Everyone knows it is neither, but it is a craft consisting of three aspects: Horses, Fish, and UNCLES. Now how do these relate to security? When they are all doing thier proper jobs, and not being all uppity and democratic and evil, they are most likely to be secure and have upright, well-educated and polite children. Especially do not porst on slashdort in the morning, or in the adfternoon, and do not read any books by ROBERTO her is the DEVIL!!!!!!!!!!!!!!!!! Finally, America needs to take a stand and kick the Italians off our inter-net. These nefarious Italian islamocommunist terrorists are boing coddled by their satrap Obama, and it has to stop. We need more beef, more emails, and less internet, or the emails will beyonce the internet forever and the Italians will win. God bless you, and GOD BLESS MAURITANIA, good-night.

Upstream project lists (0)

Anonymous Coward | more than 2 years ago | (#40340491)

My recommendation wouldn't be to look around specifically for security lists, but rather to sign up for the development or users mailing lists of the software you are using. For example, if you are running LAMP, then you might sign up for batch mailings of Apache, MySQL and PHP. Chances are if anything really nasty shows up it will get posted to those lists. Likewise, you may find your distribution has a security or updates mailing list.

Re:Upstream project lists (1)

DarwinSurvivor (1752106) | more than 2 years ago | (#40342769)

Many distributions have their own list that will post security warnings for software they distribute. FreeBSD (technically not Linux), does a GREAT job of that with not only a mailing list, but a special utility (portaudit) that just checks for warnings about the software you have installed. Many FreeBSD people have portaudit run in cron and e-mail them any problems (so you don't have to sift through all the warnings for software you don't use).

Use a long random password (2)

ODBOL (197239) | more than 2 years ago | (#40340509)

I am running a LAMP server (only the LA part active) with a few Web pages on my obsolete home desktop, with a slow ADSL connection. I don't have anything of serious value on the machine, so presumably an attacker would only benefit by using me as a bot. The system logs show regular access by the indexing services: Google, Yahoo, ... and lots of what looks like simple-minded dictionary attacks, and some probes for SQL/PHP features that are not available. None of the login attacks appears to have found my user name, much less hit the password. I use a long password, generated by a random generator. That seems to be enough.

There is some chance that I am owned by someone I can't detect. But I never notice much activity on the CPU nor on the network, and my ISP doesn't complain that any bad behavior comes from my connection. If I suspected a problem, I would power off while considering my response.

I have tripwire installed, but every time I try to check it I get confused by the pass-phrase management and put it off.

Re:Use a long random password (3, Informative)

HFShadow (530449) | more than 2 years ago | (#40340535)

"That seems to be enough"

Until you don't upgrade your kernel/sshd/apache and get hit by an exploit. Long password won't help you when there's an application exploit, which if you're using secure passwords, is the exploit you're likely to see.

I subscribe to oss-security which is quite useful in keeping abreast of things, but may be overkill for a home webserver.

Re:Use a long random password (0)

Anonymous Coward | more than 2 years ago | (#40341105)

I have been running mine since 2004. DSLExtreme has no problem with a server. They give me 8 static IP addresses for $49.95 a month. Other services would ask you to sign up for business class service. I use maybe 1.5 to 4GB a month. One month was 11GB. I have FAIL2BAN and have it set to =2.
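Several posters describe the same defensive loop: count failed ssh logins per source address, then drop the worst offenders with iptables (phantomlord's home-grown script, denyhosts, fail2ban with maxretry 2). The script below is an added example of that core logic, not code from the thread or from fail2ban; it assumes the standard OpenSSH auth.log line format, uses a constructed sample log, and only prints the firewall commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the thread): count failed sshd logins per source IP
# and emit block rules for repeat offenders.  Log format assumed is OpenSSH's
# usual auth.log line; the sample below is constructed, nothing here touches a
# real firewall.

# Read sshd log lines on stdin; print "count ip" for every source with at least
# $1 failed password attempts, most active first.  $2 (optional) is an address
# prefix that is never reported, e.g. your own LAN, so a typo on your laptop
# cannot lock you out.  Only "Failed password" lines are counted: the
# "Invalid user" line sshd also writes for unknown accounts is the same attempt.
ssh_offenders() {
    awk -v min="$1" -v safe="${2:-}" '
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (safe != "" && index(ip, safe) == 1) next    # allow-listed prefix
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines into firewall commands (printed, not executed).
# Inserting at the top of INPUT makes the DROP win over a later ACCEPT for
# the ssh port.  Pipe the output into sh only after reviewing it.
ban_rules() {
    while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count failed ssh logins"
    done
}

# Constructed sample log: one persistent brute-forcer, one single failure,
# three failures from a LAN host, and a legitimate key login.
sample_log() {
    cat <<'EOF'
Jun 16 03:14:07 web sshd[2231]: Invalid user admin from 198.51.100.23
Jun 16 03:14:07 web sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Jun 16 03:14:09 web sshd[2233]: Failed password for root from 198.51.100.23 port 51123 ssh2
Jun 16 03:14:12 web sshd[2235]: Failed password for root from 198.51.100.23 port 51124 ssh2
Jun 16 03:15:40 web sshd[2240]: Failed password for halcyon from 203.0.113.5 port 40011 ssh2
Jun 16 03:16:02 web sshd[2244]: Failed password for halcyon from 192.168.1.20 port 50002 ssh2
Jun 16 03:16:03 web sshd[2244]: Failed password for halcyon from 192.168.1.20 port 50002 ssh2
Jun 16 03:16:03 web sshd[2244]: Failed password for halcyon from 192.168.1.20 port 50002 ssh2
Jun 16 03:16:30 web sshd[2250]: Accepted publickey for halcyon from 192.168.1.20 port 50003 ssh2
EOF
}

# Dry run: with threshold 3 and the LAN allow-listed, only 198.51.100.23 is reported.
sample_log | ssh_offenders 3 192.168.1. | ban_rules
```

On a real box you would feed `tail -n 5000 /var/log/auth.log` (or the journal) into ssh_offenders from cron; with password logins disabled as advised above, the rules mostly save log noise and upstream bandwidth rather than prevent a break-in.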

Re:Use a long random password (1)

DarwinSurvivor (1752106) | more than 2 years ago | (#40342775)

If you're talking about ssh login attempts, don't even use passwords. Set up public-private keys and disable password login entirely.

The Attempts are Expensive (1, Informative)

Anonymous Coward | more than 2 years ago | (#40340517)

I used to do this and stopped because there are so many attempts on a domain it seemed to slow down my internet connection. This was a long time ago, and it is possible there were some strategies I could have used with my router, but generally, it was pretty disruptive even though no actual breach occurred.

Of course, that doesn't mean you shouldn't try. Good luck!

Re:The Attempts are Expensive (2)

green1 (322787) | more than 2 years ago | (#40341747)

Problem is, once it gets to your router, it's too late, your bandwidth is already gone.

Re:The Attempts are Expensive (1)

DarwinSurvivor (1752106) | more than 2 years ago | (#40342783)

Not really. If they are only hitting your router, then they use a little bit of download bandwidth and a little bit of upload bandwidth. If they hit the SERVER and it responds, then you are also wasting a TON of upload bandwidth (the expensive bandwidth).

Ugh! (3, Funny)

Anonymous Coward | more than 2 years ago | (#40340587)

Where's the MyCleanPC guy when you need him?

CERT (1)

Anonymous Coward | more than 2 years ago | (#40340597)

CERT?
Can check http://www.us-cert.gov/current/ daily or get it in an RSS feed.
There is also a mailing list.

Virtual Server provider (0)

Anonymous Coward | more than 2 years ago | (#40340611)

Go with a virtual server, hosted by some server provider. There are plenty. From Rackspace cloud to things like Virpus or FDC virtual servers.

Do not run your http or similar server accessible from the world on your home line. Normal traffic could easily DOS it, never mind some twit with a grudge. Just pay $5 or $10/mo and be done with it. You'll have full root access to your environment, and can install and manage whatever you want. Frankly, that can even be cheaper than electricity to run your own dedicated server in some jurisdictions.

Re:Virtual Server provider (1)

Bengie (1121981) | more than 2 years ago | (#40341729)

Not if you already have a 50Tb file server cluster sitting at home. A bit of network traffic is nothing for electrical costs.

Get an AWS Micro Site (2, Informative)

Anonymous Coward | more than 2 years ago | (#40340633)

Forget running it at home, get an Amazon AWS Micro site; it's free and the default config is as secure as possible. IPTABLES is easy to configure via the AWS web gui or you can manually create better rules once on the system. AMZN keeps track of updates, you just have to remember to ssh in every once in a while.

Re:Get an AWS Micro Site (2)

green1 (322787) | more than 2 years ago | (#40341775)

While I agree that a VPS provider is the way to go, saying that AWS is free is a bit of an exaggeration: their free tier has lots of limits, the most noticeable of which is that it's a limited-time trial that expires after a year.

Some links and tips? (3, Informative)

bobstreo (1320787) | more than 2 years ago | (#40340657)

Some sites:

http://www.securitywizardry.com/radar.htm [securitywizardry.com]
(a little heavy on the java)

https://isc.sans.edu/ [sans.edu]

You could subscribe to the CERT messages, but they kinda lag. There are some good security related mail lists which I can't remember at the moment...

Check available updates for packages and kernel...
Look at mod_security for apache

If you're running wordpress or some other CRM app, be careful about how much you rely on third party packages.

If you have phpadmin or webadmin installed, you may want to limit what IPs have access to it.

If you're running sshd, you may want to block bruteforce attempts after a certain number of bad tries. You should probably just use certificate based authentication instead of passwords.

Not too hard (4, Informative)

sirsnork (530512) | more than 2 years ago | (#40340683)

The best place to start is here

http://www.us-cert.gov/cas/signup.html [us-cert.gov]

then onto the security announce list of whatever distro you use.

Those two alone will probably give you enough information to keep your system safe.

So, what is security? (4, Informative)

Beeftopia (1846720) | more than 2 years ago | (#40340691)

First: The only way to connect to your system is over a logical port. So, learn netfilter / IPtables and shut down all ports you don't need. The book "Running Linux" by Dalheimer and Welsh has a pretty good section on netfilter / IPtables. My recommendation - just leave port 22 and 80 (maybe 443 if you're having people log into your web application remotely). Default policy is drop packets unless it matches one of those ports.

Second: Turn off remote root login, typically found in sshd_config. This'll stop much of the probing.

Third: You don't want to allow someone to relentlessly try passwords. Get a program like Fail2ban. This will allow a certain number of login attempts before it bans the IP, just dropping the packets and not letting the password authentication module test them.

Fourth: Strong username/password combinations. The attacker has to guess the correct combination. Get jiggy with it. Unusual username and unusual passphrase password. Especially for the root user.

Fifth: Stop having Apache broadcast all of its version information. When someone is looking at response headers, they should see just that it's Apache and not Apache version XYZ. Apache loads several config files and reads them as one long config file (they're broken up for easier management). There's a setting in Apache to do that.

Sixth: In Apache's config files, turn off directory listings. Again, a simple configuration text file setting which eludes me at the moment. Apache The Definitive Guide by Laurie and Laurie is a good book to have. This info is also available on the web.

Seventh: Read your log files regularly. auth.log, error.log are very informative ones. Doing a lastlog command on a regular basis helps.

Finally - What is security?
1) You don't want people writing to where they shouldn't be writing.
2) You don't want people reading what they shouldn't be reading.
3) You don't want people executing what they shouldn't be executing.

Set up permissions well. Don't change them willy-nilly but if reading/writing most stuff on your box requires being part of the root group, that's pretty good security.

Finally, finally - keep reading various technical sites on the web for new security problems. Address as necessary.
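As an added example (not part of any comment here and not fail2ban's own code), the ban logic described in the third point above, run over constructed auth.log lines: sshd password failures are counted per source address inside a sliding window, an address that reaches the threshold is banned, and the output includes the DROP rule a ban would insert. The sample log also contains a burst in which every attempt comes from a different address, to show why a per-IP threshold never trips on a distributed attack; the year in the timestamps and the sshd port are assumptions.

```python
"""
Fail2ban-style ban logic over auth.log lines (added example; not fail2ban's
own code). Each sshd password failure is counted per source address inside
a sliding window of FINDTIME seconds; an address reaching MAXRETRY failures
inside that window is banned. The log lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 5      # failures allowed inside the window (fail2ban: maxretry)
FINDTIME = 600    # window length in seconds (fail2ban: findtime)

# Classic OpenSSH failure line as written to /var/log/auth.log by syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(text, year=2012):
    """auth.log timestamps carry no year; one is assumed for the example."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time_of_ban} for addresses that reached maxretry
    failures within findtime seconds. Lines are processed in log order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and other noise
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:
            continue              # already dropped by the firewall rule
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # expire failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

def failures_per_ip(lines):
    """Plain per-address failure counts, to show the distributed case."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)

def ban_rule(ip):
    """Rule that fail2ban's default iptables action inserts for a banned
    address (here for the sshd port only, as a jail for that service)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

# Constructed log: one address with three failures long before its next two
# (outside the window), one address that hammers five times in 20 seconds,
# and a burst where every attempt comes from a different address.
SAMPLE_AUTH_LOG = """\
Jun 17 09:30:00 web sshd[1980]: Failed password for root from 192.0.2.77 port 4001 ssh2
Jun 17 09:30:05 web sshd[1981]: Failed password for root from 192.0.2.77 port 4002 ssh2
Jun 17 09:30:10 web sshd[1982]: Failed password for root from 192.0.2.77 port 4003 ssh2
Jun 17 10:00:01 web sshd[2101]: Failed password for root from 198.51.100.7 port 51122 ssh2
Jun 17 10:00:04 web sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2
Jun 17 10:00:09 web sshd[2105]: Failed password for root from 198.51.100.7 port 51141 ssh2
Jun 17 10:00:13 web sshd[2107]: Accepted publickey for halcyon from 192.0.2.10 port 40022 ssh2
Jun 17 10:00:15 web sshd[2109]: Failed password for root from 198.51.100.7 port 51150 ssh2
Jun 17 10:00:20 web sshd[2111]: Failed password for root from 198.51.100.7 port 51161 ssh2
Jun 17 10:01:02 web sshd[2120]: Failed password for invalid user test from 203.0.113.9 port 6001 ssh2
Jun 17 10:01:05 web sshd[2121]: Failed password for invalid user test from 203.0.113.10 port 6002 ssh2
Jun 17 10:01:08 web sshd[2122]: Failed password for invalid user test from 203.0.113.11 port 6003 ssh2
Jun 17 10:01:11 web sshd[2123]: Failed password for invalid user test from 203.0.113.12 port 6004 ssh2
Jun 17 10:01:14 web sshd[2124]: Failed password for invalid user test from 203.0.113.13 port 6005 ssh2
Jun 17 10:01:17 web sshd[2125]: Failed password for invalid user test from 203.0.113.14 port 6006 ssh2
Jun 17 10:05:00 web sshd[2140]: Failed password for root from 192.0.2.77 port 4004 ssh2
Jun 17 10:05:05 web sshd[2141]: Failed password for root from 192.0.2.77 port 4005 ssh2
"""

if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for ip, when in find_bans(lines).items():
        print(f"{when:%H:%M:%S} ban {ip}: {ban_rule(ip)}")
    # 203.0.113.9-14 each fail once: the per-IP threshold never trips.
    print("per-address failures:", failures_per_ip(lines))
```

Only 198.51.100.7 is banned; 192.0.2.77 stays under the threshold because its first three failures have aged out of the window, and the six-address burst produces no ban at all.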

Re:So, what is security? (3, Informative)

whoever57 (658626) | more than 2 years ago | (#40341611)

Second: Turn off remote root login, typically found in sshd_config. This'll stop much of the probing.

Instead of disallowing root logins, turn off password-based authentication and use certificates instead. Also move your ssh port from 22 to a high unused port. Then install fail2ban (as the parent post suggested) or a set of iptables rules to ban excessive ssh connections.

Seventh: Read your log files regularly. auth.log, error.log are very informative ones. Doing a lastlog command on a regular basis helps.

Install logwatch and have it filter out much of the harmless information in the logs and report the interesting stuff to you.

Re:So, what is security? (1)

rgbrenner (317308) | more than 2 years ago | (#40343279)

Second: Turn off remote root login, typically found in sshd_config. This'll stop much of the probing.

Instead of disallowing root logins, turn off password-based authentication and use certificates instead. Also move your ssh port from 22 to a high unused port. Then install fail2ban (as the parent post suggested) or a set of iptables rules to ban excessive ssh connections.

Have we all forgotten the server is IN HIS HOME. Why have SSH enabled at all? (I'll second your suggestions for a remote server)

Re:So, what is security? (3, Informative)

Anonymous Coward | more than 2 years ago | (#40342991)

Third: You don't want to allow someone to relentlessly try passwords. Get a program like Fail2ban. This will allow a certain number of login attempts before it bans the IP, just dropping the packets and not letting the password authentication module test them.

I stopped using fail2ban a few years back when botnets had become so large that every attempt from an obviously coordinated attack came from a different IP address. To get rid of the flood of log messages about failed login attempts I added some simple rules to my iptable config:

iptables -A INPUT -p tcp --dport http -m string --algo kmp --string 'GET /some/page' -m recent --set --name KNOCK
iptables -A INPUT -p tcp --dport ssh -m recent --rcheck --seconds 30 --name KNOCK -j ACCEPT

This results in the ssh port being closed unless you have accessed a certain page on my web site (which doesn't actually have to exist) within 30 seconds before making the ssh connection from the same IP address. While it doesn't add any real security (it certainly is not a replacement for ssh authentication) it is very effective in fooling the botnets. To get in:

wget my.domain/some/page
ssh user@my.domain
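As an added example (not the commenter's code and not netfilter itself), a small model of how those two rules behave: `--set` records the source address with a timestamp when a tcp/80 packet carries the knock string, and `--rcheck --seconds 30` accepts a tcp/22 packet only if the same address was recorded within the last 30 seconds. The traffic is constructed; the model assumes a default-DROP policy closes port 22 whenever the second rule does not match.

```python
"""
Model of the two 'recent' rules above (added example; not the commenter's
code and not netfilter). Rule 1 records the source of a tcp/80 packet whose
payload contains the knock string (--set); rule 2 accepts a tcp/22 packet
only if that source was recorded within the last 30 seconds (--rcheck
--seconds 30). The traffic below is constructed.
"""
from dataclasses import dataclass, field

KNOCK_STRING = b"GET /some/page"   # --string 'GET /some/page'
KNOCK_WINDOW = 30                  # --seconds 30

@dataclass
class Packet:
    t: float          # arrival time in seconds
    src: str          # source address
    dport: int        # 80 for http, 22 for ssh
    payload: bytes = b""

@dataclass
class RecentList:
    """The 'KNOCK' list kept by xt_recent: last-seen time per address."""
    seen: dict = field(default_factory=dict)

    def set(self, src, t):
        """--set: add the address, or refresh its timestamp if present."""
        self.seen[src] = t

    def rcheck(self, src, t, seconds):
        """--rcheck --seconds N: present and seen within N seconds.
        Unlike --update, this does not refresh the timestamp."""
        last = self.seen.get(src)
        return last is not None and (t - last) <= seconds

def filter_packet(pkt, knock):
    """Apply the two rules in order and return the verdict: ACCEPT or DROP
    for ssh packets, CONTINUE where neither rule decides (later INPUT rules,
    e.g. the one that accepts http, would)."""
    # Rule 1 has no -j target: it only records the source, and -m string
    # matches the substring anywhere in the packet, not just the request line.
    if pkt.dport == 80 and KNOCK_STRING in pkt.payload:
        knock.set(pkt.src, pkt.t)
        return "CONTINUE"
    # Rule 2: ACCEPT only after a recent knock; the INPUT chain is assumed
    # to have a default DROP policy, so anything else to port 22 is dropped.
    if pkt.dport == 22:
        return "ACCEPT" if knock.rcheck(pkt.src, pkt.t, KNOCK_WINDOW) else "DROP"
    return "CONTINUE"

def run(packets):
    """Feed packets through a fresh list; return one verdict per packet."""
    knock = RecentList()
    return [filter_packet(p, knock) for p in packets]

# Constructed traffic: the owner knocks then connects, a scanner hits ssh
# without knocking (and fetching a different page does not help it), and
# the owner tries again after the window has expired.
TRAFFIC = [
    Packet(0.0, "192.0.2.10", 80, b"GET /some/page HTTP/1.1\r\nHost: my.domain\r\n\r\n"),
    Packet(2.0, "192.0.2.10", 22),                                        # ACCEPT
    Packet(3.0, "203.0.113.5", 22),                                       # DROP
    Packet(4.0, "203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),  # CONTINUE
    Packet(5.0, "203.0.113.5", 22),                                       # DROP
    Packet(40.0, "192.0.2.10", 22),                                       # DROP
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRAFFIC, run(TRAFFIC)):
        print(f"t={pkt.t:5.1f} {pkt.src:>12} dport={pkt.dport} -> {verdict}")
```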

The single most useful thing (5, Interesting)

taustin (171655) | more than 2 years ago | (#40340707)

On a publicly visible web server is to set the directive for the default web site (the first one in the virtual host list) to default deny to everyone. Then put your web site on a different virtual host. 99.9% of the scans I see come in by IP address, which gets them the default site. Any legitimate traffic will come in by domain name. This setup not only denies the script kiddies access to any PHP forms you've got, it convinces their 'bots to give up very quickly, which means less of a toll on your bandwidth.

(As someone noted, the standard consumer highspeed account prohibits running servers. Many commercial accounts do, too, unless you told them you're running a server of some kind. You may also have to get them to unblock port 25 if you want to run your own mail server - be very careful if you do that, though. You don't want to be a spamfest rathole without knowing it.)

Patch often, and protect your services (3, Insightful)

BooRadley (3956) | more than 2 years ago | (#40340731)

Your distro will have a regular patch channel that will address most vendor-introduced vulnerabilities. Patch religiously, and often. At least once per week. It's not like you're responsible for SLAs or regression testing. If you somehow uncover a bug when you patch, muscle through it, and keep going.

Use a firewall and only expose necessary ports. Protect the ports with strong authentication, encryption where applicable, and possibly a reactive blocker such as fail2ban to keep the script kiddies at bay. If you must run an external SSH server, run it as a separate process, and only allow key auth, and only for a single user.

Get on whatever mailing lists or errata lists support your distro and apps, and try and keep up with them. If your apps are maintained as source, try and use the repos to update your apps instead of just relying on standard stable packages. You'll get bug fixes faster (probably bugs as well. See above)

Use something like logwatch and read the daily mails.

Also use something like rkhunter to alert you in case something changes.

Don't re-invent the wheel (-1)

Anonymous Coward | more than 2 years ago | (#40340733)

http://www.webmin.com/

For everything you're doing, this will make it all easier.

Don't forget (1)

SuperTechnoNerd (964528) | more than 2 years ago | (#40340735)

Don't forget to be sure your ISP does not block port 80. As mine does. So nice of them. There are ways around it however.

Scanner (1)

machine321 (458769) | more than 2 years ago | (#40340769)

I know Tenable has a free version of their Nessus scanner for home/research use, probably others do too. Download them and test them out and see what holes they find.

Stop reading slashdot for security. (1)

mallyone (541741) | more than 2 years ago | (#40340773)

Slashdot was created to tell the world about the fabulous world of super efficient solar cells that never make it to market, not security silly bunny.

Secure web software (0)

Anonymous Coward | more than 2 years ago | (#40340819)

Keeping your system up-to-date with security fixes is going to take care of nearly all your ills on the actual level of your LAMP stack. Any decent distribution (Debian Stable, CentOS) can be configured to automatically install security updates.

What is more important is application level security. Are the web frameworks your websites are built on vulnerable to SQL injections?

As mentioned above, leaving the MP off of the LAMP, if possible, is going to greatly reduce your vulnerability surface.

As a sysadmin in charge of security for numerous LAMP servers, I'd recommend using Denyhosts [sourceforge.net] and PSAD [github.com]

The ISP issues are variable. Mine doesn't have any problems with what I'm uploading to. Worst case you'll have to redirect your port through a service like no-ip.

Biggest thing (-1)

Anonymous Coward | more than 2 years ago | (#40340821)

Don't host services on the same box you use personally so if it is rooted you won't be.

Security (1)

tuxrulz (853366) | more than 2 years ago | (#40340863)

You should check a hacking/security book that covers your installed OS. In terms of knowing about any security issues, that is a little more complicated. Most Linux distributions are tied to a version freeze where they do not include new versions of packages; they only back-port security patches. For example, in Debian 6 (Squeeze) the latest (as of today) version of php5 is 5.3.3-7+squeeze13, which may give the impression that it is outdated (the latest in the 5.3 branch is php 5.3.14), but it has been patched with all known released security patches. The problem with that approach (which RedHat Enterprise and clones also do, btw) is that some security apps that check for vulnerabilities in packages may report false positives.

In short, you should trust the distribution you use, keep updated, and read both distribution site, and lwn.net for new vulnerabilities on a daily basis.

Also the server is more about maintenance than installation. You need to keep an eye on resources, logged sessions, watch logs, list of process running, updates.

1 (one) tip for you (3, Informative)

ReginaldBarclay (37949) | more than 2 years ago | (#40340951)

It's called "staging".

F*ck comments. F*ck all the other interactive "web 2.0" sh*t. Do your Wordpress or whatever, then suck it out of the DB, convert to static HTML, and put it on the external webserver.

Problem (pretty much, well 99%) solved.

Re:1 (one) tip for you (2, Interesting)

spatley (191233) | more than 2 years ago | (#40341503)

Even better: use octopress http://octopress.org/ [octopress.org] and do commenting with disqus. And then run the smallest webserver you can find and turn everything else off. The best security is the simplest security.

Some suggestions (1)

jd (1658) | more than 2 years ago | (#40341011)

  1. Get a security scanner or two (Nessus and eEye are good choices) and make sure your system is thoroughly vetted by them.
  2. Install AIDE or some other host intrusion detection software, and regularly verify nothing has been modified.
  3. Run everything at minimum privileges. Including the OS. If the OS doesn't need it, use capabilities to remove it.
  4. Minimize exposure, always. (If the only thing that needs to see the DB is the web server, then nothing else should know the server is even there.)
  5. Keep logs on a logging filesystem, as that makes log tampering considerably harder. (Logging, not journaling.)
  6. If you've spare capacity, run Snort or something similar alongside your LAMP to detect suspicious activity.
  7. There are many MySQL forks now, pick the most secure and not the most fashionable.

Re:Some suggestions (1)

fluffy99 (870997) | more than 2 years ago | (#40341233)

(Nessus and eEye are good choices)

Both suck, especially eEye Retina for Linux. They always report findings on Redhat RHEL and most other stable distros because it just looks at the package major version numbers, without understanding that Redhat backports fixes. It's also somewhat limited in that it just tells you if you've got outdated packages and checks a few config settings. It will NOT tell you if you did something retarded like not scrubbing inputs to a sql query.

I highly agree with the advice of removing anything non-essential. If the service or executable isn't needed, remove the package entirely. Or better yet don't do a full OS install like most newbs. Take advantage of things like mounting filesystems read-only and/or no-exec if you don't need to write or exec from them. IPTables to limit ports and foreign IPs and ban2fail will cut down a lot of scanning noise.

Use Debian stable (2)

martinvw (2663375) | more than 2 years ago | (#40341075)

My company supports about 700 Debian servers that are running at customer sites; as far as I can tell, not a single one of these has been compromised due to an unpatched security vulnerability in one of the Debian packages. Configure some kind of auto-update (e.g. cron-apt); Debian is by default configured to only install security updates and these are usually released within one or two days.

We did have a few servers that were compromised due to customer mistakes (unsafe root passwords especially) though. From what I've learned in these incidents, you can spot an infected machine by these symptoms:

  • apt installations are failing with strange errors. Rootkits often replace core utilities like ls with simpler versions that don't support the GNU extensions, and this causes many programs to visibly break.
  • rkhunter output
  • debsums -s output
  • duplicate uid 0 (grep in /etc/passwd)
  • folders that begin with a . in strange places like in /usr
  • folders that have names like ".. "

In theory, a rootkit could be hidden really well, but in practice, the attackers just don't seem to care to adapt their rootkits specifically to the distros. An experienced Linux admin should have no problem detecting them.

Re:Use Debian stable (2)

maitai (46370) | more than 2 years ago | (#40341167)

Funny enough most rootkits that replace ls, ps, etc also set those binaries immutable. Which is a pretty notable change.

a couple of security tips (1)

denverdavido (2663385) | more than 2 years ago | (#40341163)

SmallNetBuilder has some good articles: http://www.smallnetbuilder.com/security/security-howto [smallnetbuilder.com]. For example, consider installing the pfsense firewall in front of your DMZ. Also, if you run your OS on Ubuntu I recommend installing apticron, which will alert you to new patches. Stay fully patched.

Snort (0)

Anonymous Coward | more than 2 years ago | (#40341165)

I run Snort IDS on my WAN firewall. This reveals an incredible amount of information at a glance about all those infected winblows machines.

coralcdn might be of help (-1)

Anonymous Coward | more than 2 years ago | (#40341265)

http://www.coralcdn.org/

Bugtraq and Full Disclosure (3, Informative)

wirelessduck (2581819) | more than 2 years ago | (#40341467)

Bugtraq [wikipedia.org] and Full Disclosure [wikipedia.org] mailing lists are a good read. Almost all new vulnerabilities are posted to one of these lists. In addition, many Linux distros post their security notices here (Ubuntu used to, but now only posts on their own list). The CERT list mentioned by previous commenters is also good, even if it can be a little slow at getting the news out. Microsoft, Apple and others report their security notices through this list.

How about FAMP instead of LAMP? (0)

userw014 (707413) | more than 2 years ago | (#40341681)

I'm doing something like this myself - started on Comcast, went to AT&T DSL, and now I'm going back to Comcast. I've found my AT&T link to be very erratic, and now that they're trying to force Uverse on me, I've woken up from my consumer stupor and am re-evaluating who does a better job at internet service.

I'm doing it from FreeBSD (my "F" in "FAMP".) I chose FreeBSD because I'd been using it at work, and because I liked a "distro" where I could be involved completely in the build process - or not. I have several modifications that I retain because they suit me, and they've been easy to maintain from FreeBSD 6 to FreeBSD 9. (It also gives me a ZFS based filesystem - which I'd like to think is handy, but have yet to actually take effective advantage of.)

My webserver serves up just static pages though. I didn't want to expose the server to possible compromises due to PHP flaws, or coding flaws (my own or some package or add-on.) That, and static web pages were good enough for my purposes - a kind of workstation and browser independent set of bookmarks.

I found myself constantly updating FreeBSD - but the server was doing little else, so that was no big deal. It gave me a very up-to-date system with all the latest security patches, etc.

I also use it as an OpenVPN server - and mount my home filesystems over the VPN when I'm at work or at some other wireless location (public library mostly - not big on internet cafes.)

One thing I really like about FreeBSD's host based firewall (it's also my NAT router) is that "ipfw" has "tables" - and I can dump huge numbers of networks into these tables without complicating the basic firewall ruleset. (I have some familiarity with Linux "iptables" - and miss that ability.)

On FreeBSD, I use a port called "ssh-guard" that manipulates my firewall rules to briefly block sites that try to login (and fail) too many times. You can do something similar in "iptables" (but I didn't write the rule-set that they use at work, and haven't really taken the time to memorize how it works.) Blocking "ssh" scans is kind of hopeless - most attacks these days are done by botnets rather than individual compromised machines, but it adds another thin layer to what should be a multi-layered approach to security.

I have configured the default entry on my webserver to throw up an error page - I've been thinking of harvesting IP addresses from THAT and adding those to my blocklists, but haven't taken the time to either do it or see if someone else has.

Some more tips (0)

Anonymous Coward | more than 2 years ago | (#40341801)

The NSA has some good linux hardening information here: http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf

Security Now Podcast (0)

bill_mcgonigle (4333) | more than 2 years ago | (#40342027)

Steve Gibson's Security Now [twit.tv] podcast is worth listening to, and somewhat entertaining.

Besides the 15 minutes of SpinRite advertising in every episode, I actually hear him talking about stuff that's not covered here or most of the other news sites. I'm sure it can be found elsewhere, but he provides a good aggregator service.

apt-get update (1)

n3r0.m4dski11z (447312) | more than 2 years ago | (#40342481)

apt-get upgrade

Kept me running secure for 10 years +

also logwatch, tripwire for the paranoid...

To start with move away from LAMP (1)

utkonos (2104836) | more than 2 years ago | (#40342547)

Build a FNPP. I understand that the acronym is inferior, but I assure you that the actual end product is far far superior:

FreeBSD
Nginx
Postgresql
PHP

You are then going to want to get the box configured properly with the following:
geli encrypted root partition
ZFS Filesystem
geli encrypted swap
Nginx in its own jail
Postgresql in a separate jail and only listening on localhost
the only network access to the main system (outside the jail) is through openssh
have ssh use three factor authentication: 1. Password. 2. Google Authenticator [google.com]. 3. Crypto Stick [privacyfoundation.de].
Enable ipfilter, and read the FreeBSD handbook for how to set it up properly
make sure that Openssh restricts itself to AES/SHA
raise the kernel securelevel to 3
make sure that openssh has a 4096 bit key and is restricted to only the authentication methods that you are using
set portsnap and freebsd-update to run nightly in cron
install ports-mgmt/portaudit
install OSSEC [ossec.net] from ports/security/ossec*

Follow these instructions and you will have a battle-ready hardened server.

fail2ban and lock the admin control panels down (1)

DrHappyAngry (1373205) | more than 2 years ago | (#40342801)

Install fail2ban, especially if you're going to leave SSH open. You can configure some stuff to catch common web exploit attempts as well. You can probably get it configured on any service you want. It plugs into iptables and bans IPs for set time periods for too many bad logins in a short period of time, hitting certain URLs, etc. It's highly configurable for just about any service you could want to run, and you can whitelist IPs and subnets. If you're running any admin control panels, cpanel, phpmyadmin, webmin, or whatever, set it up with an htaccess file so those pages are only accessible from your LAN. Also, do not allow root login over ssh. So long as you don't have too common of a username, it can make it very difficult to match up a nonstandard username with a password. Combine that with fail2ban, and that'll keep a lot of the baddies out.

home infosec (0)

Anonymous Coward | more than 2 years ago | (#40342987)

I get my security information from a few different places.

First off I like to monitor two RSS feeds in particular. They are both seclists.org lists: the first one being Full Disclosure [seclists.org], and the second Bugtraq [seclists.org].

I have used trillian [trillian.im] for my IM'ing needs for a while now and found a nifty addon called Good News [irsoft.de] to monitor all of those feeds. So I get a nice toast every 15 minutes or so with all the most recent entries to those lists.

Another place I like to monitor are some of the exploit sites out there to see what's being publicly posted for the skids to download. One such site is exploit-db [exploit-db.org]. A single google search can yield a few more.

On top of that I like to check up on the twitter accounts of many of the high profile professionals from time to time.

If I find something in any of these places that pertains to my setup I immediately take action. Sometimes that means taking services offline until a patch can be applied. What I have learned is that once you put a service out onto the public network from your own home IP, there is a newfound respect for the security of your network. Keeping that in the back of my mind helps me stay proactive in my approach to the matter.

Harden and Patch (1)

t3gilligan (519619) | more than 2 years ago | (#40343591)

I would start out by choosing a very minimal linux distribution. Install the minimal build of CentOS, Ubuntu Server, etc. Don't install a GUI or any unneeded packages. Install only the base, and SSH. You can install what you need after that. You could visit CIS (http://www.cisecurity.org/) and download a benchmark to use for hardening your Linux system. They have benchmarks that can be used for basic Linux hardening (most distributions are covered, and even if not, the same practices apply across the board). Then you can also run through the CIS benchmark for the Web server/DNS/etc. itself. Hardening doesn't solve your problems, but it does reduce your attack footprint, and then it is up to you to be vigilant on patching what you do have facing the internet. Use iptables or another host based firewall to block off everything that should not be receiving traffic from the outside. Then I would use OSSEC (http://www.ossec.net/) to monitor for system changes, and monitor your logs. OSSEC is an excellent program and extremely useful. At the end of the day, you'll learn a lot while applying the benchmarks (I advise creating a script to automate for future servers), but it comes down to hardening, patching (OS, Server(s), and CMS), and monitoring.

Nothing Replaces Being around Security Admins (0)

Anonymous Coward | more than 2 years ago | (#40344113)

Nothing Replaces Being around Security Admins.
Blogs are fine.
Books are fine.
but nothing replaces hanging out with people paid to hack into corporate systems. Find a local DC{areacode} group and get on their email-listsrv, follow them on twitter, go to a few meetings. Here's a list https://www.defcon.org/html/defcon-groups/dc-groups-index.html [defcon.org]

There are other system security groups too - search for "DevOps" and "OWASP" to find those. I've seen more on meetup.com than I would have expected.

If you live near a town with a vibrant admin/sec corporate culture, finding these is easy. In my metro area, we have at least 5 of these groups meeting monthly. Some are college students looking to learn to be a cracker, but most have real jobs for state, government, huge telecom and DoD companies. These guys keep up with all sorts of security issues from social engineering to the dumbest things they've seen at clients.

Have I got stories about security issues in some of the very largest companies ... you wouldn't believe what a very-well-known-flash-web-game company was doing. Money trumps intelligence all the time.

Short of all that, stay patched and don't do stupid things like running DNS, sendmail, or WebDAV. All inbound connections should be through a VPN - like OpenVPN. If you insist on running a web presence, please, please, please use a reverse proxy to block access to every URL except those you specifically want available to the outside world. Putting apache directly on the internet is foolish in the same way that putting any MS-Windows PC directly on the internet is foolish.

Another dumb thing people do all the time is use php-based programs. It appears that php attracts noob programmers. They are just happy that the functions work and can't be bothered with security. Clearly not every php program is insecure, but based on the recent core-Php security issues, I wouldn't trust these on the internet. You'll get a feel for which types of developers tend to have the most secure code by hanging out with the DC-xyz crowds. My local DC group is pretty vocal about never deploying php or java programs on their networks - or anything from Adobe.

Network architectures are the first stage of securing any system(s). It is best if most of your systems can't actually be reached from the internet - sorta like a DMZ and internal LAN that we see on corporate networks. That means you probably need another router or you need to get good at virtual networking.

Folks will say you need a firewall - that's true, but for a low-end website, the home router is probably enough when you first start out. Every Linux distro has a world-class firewall built-in. Learn to use it. A firewall does not replace a well designed network with security zones. Don't be confused about that.

Never trust anything that you've setup to be perfect. Rarely is that the case. Test it until you are **positive** it is verified.

Stay patched. An old OS (for anything) can be worse than a brand new, untested, beta OS from a security perspective. If you don't want to be tweaking the OS all the time, get on an OS with long term support - CentOS or Ubuntu LTS. I've got about (9) Ubuntu 8.04 LTS systems still running great here. They are patched weekly and have another year of support. I have 10.04 and a few 12.04 systems too. The 8-10 change was pretty big. The 10-12 change, not so much.

Following all the security issues for an OS is hard, but if you want to waste 30 minutes a day, use an RSS feed for the distro you choose and find their security issues list.
Ubuntu: http://www.ubuntu.com/usn [ubuntu.com]
This should make it clear why you don't want to run hobby distros. There are constant security issues for every OS, including Linux.
