On Friday 03 September 2010 23:38:17 Orion Vianna wrote:
> Hello,
>
> I have been searching for security tools and methods for my personal VPS.
> My VPS is mostly used for LAMP (php & python).
>
> Some of the things I did:
> - no root logins for sshd

Also look at the "AllowUsers" setting for ssh_config

> - change sshd port (is it worth the extra trouble?)

Yes it's worth changing the ssh port. Since doing so, all the cracker ssh login attempts I previously saw went to zero. The typical thought is that "attackers will just find the port using a scan", but that assumes that you're not also running a scan detector and using TCP cookies...

If you want to keep ssh on the same port, another way to handle this securely is to set up 'fwknop' to "port knock" open the ssh port for /only/ the IP address that sent the correct knocking packet. [One of the things I learned from one of Francois Marier's talks at DebConf10.]

> - key authentication and no password prompt for ssh

This is good. Oddly enough you can also use GPG keys for passwordless ssh using 'monkeysphere'. [Found out about this at DebConf10.]
http://web.monkeysphere.info/

> - automatic package updates with email notifications
> - exim for sending email only. (server does not receive email)

I take it you did an "all mail sent by smarthost; no local mail" setup, then. Even better is if you set up Exim4 to have all email sent to the smarthost via SMTP over TLS [assuming the smarthost has that available.]

> - setup fail2ban - brute force detection and ip ban with email
> notification. (how long should I ban for?)

Usually some time less than a day is sufficient. You want to make it long enough to dissuade crackers, but short enough that you yourself can eventually get back in if you make a mistake.

> - aide (Advanced Intrusion Detection Environment - file change
> monitoring). I understand that the AIDE files (database, executable
> files) should be hosted in another machine or a read only media. If the
> VPS is compromised then AIDE could also be compromised, placing AIDE
> outside the VPS could help correct?

Also have a look at the 'osiris' package, which is an intrusion detection client-server setup where the osiris client reports checksums to a remote osiris server over an SSL-encrypted connection.

Intrusion detection is good but you have to remember to update the IDS database every time you upgrade or make configuration changes to the system. I kept forgetting to do this (as well as how to do it), got sick of these 'nag emails', and eventually stopped running it.

> Is there a site which can provide security notifications over email for
> specific software? I like to keep track of a couple of packages I have
> compiled.

Well, there are programs that can scan local software for vulnerabilities, like 'flawfinder', 'debsecan' (for Debian boxes), 'rats', 'wapiti', etc. I've occasionally tried one of these.

> osvdb.org provides RSS feed of searches and I have searches for package
> names I need. I also have RSS feed for ubuntu packages www.ubuntu.com/usn
> Is osvdb.org reliable? Are there alternatives?

I always use 'apt-get search <description>' locally to search for packages I need. It was one of the things I got from Joe Apuzzo's "Advanced Ubuntu" talk one or two winters ago.

> Things that I'm thinking of doing:
> - Install snort - network intrusion prevention and detection (I did
> this years ago but IIRC it used to generate many false alerts)

I tried it, found the same thing, and haven't run it since. I've heard it's gotten better since I last ran it, though.

Last suggestion I have as you haven't mentioned it: install 'logcheck'

Because the number one thing you want to know is if anything /odd/ is going on with your server, you don't want to have to read through all the logs yourself, and you only want the logs that stand out -- and that's what logcheck does. It'll send you an email of just the logs that are "odd". You will have to make some custom filter rules to get rid of any "noise", but after working that out it's really a great thing to have, and it'll give you peace of mind... and that's I think what you're actually looking for in asking what else to set up security-wise.

  -- Chris

--
Chris Knadle
[email protected]

_______________________________________________
Mid-Hudson Valley Linux Users Group
http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug

Upcoming Meetings (6pm - 8pm) MHVLS Auditorium
Oct 6 - Creating Browser Extensions for Firefox and Chrome
Nov 3 - Bug Labs
Dec 1 - Dec 2010 Meeting
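The logcheck filtering and fail2ban banning discussed in the reply above, as an added Python example that is not from the thread, logcheck or fail2ban: it drops sample auth.log lines that match logcheck-style ignore rules (the "noise" Chris mentions) and bans an IP after fail2ban-style maxretry failures inside findtime. The log lines, the ignore rules and the one-hour ban duration are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (made up for this example).
SAMPLE_LOG = """\
Sep  4 01:02:03 vps sshd[1001]: Accepted publickey for orion from 203.0.113.5 port 51234 ssh2
Sep  4 01:02:10 vps CRON[1002]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep  4 01:02:11 vps CRON[1002]: pam_unix(cron:session): session closed for user root
Sep  4 01:03:11 vps sshd[1003]: Failed password for root from 198.51.100.7 port 40001 ssh2
Sep  4 01:03:12 vps sshd[1004]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Sep  4 01:03:14 vps sshd[1005]: Failed password for root from 198.51.100.7 port 40003 ssh2
Sep  4 01:03:15 vps sshd[1006]: Failed password for root from 198.51.100.7 port 40004 ssh2
Sep  4 01:03:16 vps sshd[1007]: Failed password for root from 198.51.100.7 port 40005 ssh2
Sep  4 01:10:00 vps sshd[1008]: Failed password for orion from 203.0.113.5 port 51300 ssh2
""".splitlines()

# logcheck-style ignore rules: a line matching any of these is routine noise and is
# dropped (real logcheck uses one egrep regex per line under /etc/logcheck/ignore.d.*).
IGNORE_RULES = [
    re.compile(r" CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed) for user root"),
    re.compile(r" sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+ ssh2$"),
]

SYSLOG_TS = "%b %d %H:%M:%S"
FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (?P<ip>[\d.]+) port \d+")


def odd_lines(lines, rules=IGNORE_RULES):
    """Return only the lines no ignore rule matches: what logcheck would mail you."""
    return [line for line in lines if not any(r.search(line) for r in rules)]

def ban_candidates(lines, maxretry=5, findtime=timedelta(minutes=10),
                   bantime=timedelta(hours=1)):
    """fail2ban-style sliding window: an IP with maxretry 'Failed password' lines
    inside findtime is banned until last failure + bantime (one hour is an assumed
    value; the thread only says 'less than a day'). Returns {ip: ban_until}."""
    recent = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], SYSLOG_TS)  # year defaults to 1900; only deltas matter
        ip = m["ip"]
        recent[ip] = [x for x in recent[ip] if t - x <= findtime] + [t]
        if len(recent[ip]) >= maxretry and ip not in bans:
            bans[ip] = t + bantime
    return bans
```

Every line `odd_lines` returns is a candidate for either a new ignore rule or a closer look, which is the tuning loop Chris describes.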
