Managed Hosting by 1-800-HOSTING

A Little Security Goes a LOOOONG Way

December 3rd, 2009 by Ben Fogt

Security is only as strong as your weakest link. It’s tough to imagine and believe, but in this business you just have to suck it up and believe it. You can have 50 hardware and software firewalls, but if you are running three-year-old exploitable PHP email form code, you’re as good as a DMZ server with no password. People go to school for security. There is no doubt that it’s a complex realm, but truth be told, it doesn’t have to be. We’ve all read “Secure Your Password” or “Change Port”, but I don’t think people really take it for what it’s worth. If you are like my parents and hate the idea of passwords and using them, let me be the first to tell you: you are in the wrong business. We have caught a lot of our customers with simple passwords, and unfortunately it is after they have received three abuse complaints about IRC hack attempts. A few minor changes really will help and go a long way!

Don’t take it lightly when you see reminders to use a more complex password. I’m not saying you should use a 50-character alphanumeric password, but a nice 8-character password with at least one uppercase letter, one number, and one symbol. If you’re not creative enough, there are plenty of random password generators out there. Brute-forcing passwords is an old but still used attack these days, and it isn’t even the most popular way hackers get into servers.
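As an added illustration (not code from the original post or from 1-800-HOSTING), here is a small POSIX shell check for exactly the policy described above, plus a generator of the kind the post points to. The symbol set in the generator and the sample passwords are my own constructed choices:

```shell
#!/bin/sh
# Added example, not from the original post: a check for the policy the post
# describes (8+ characters with an uppercase letter, a digit and a symbol) and a
# generator that draws from /dev/urandom until the result passes that check.
# The symbol set used by gen_password is a constructed choice, not the post's.
set -u

# meets_policy PASS: succeed only if PASS satisfies all four requirements
meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ]                          || return 1   # length
    printf '%s' "$pw" | grep -q '[[:upper:]]'   || return 1   # uppercase letter
    printf '%s' "$pw" | grep -q '[[:digit:]]'   || return 1   # number
    printf '%s' "$pw" | grep -q '[^[:alnum:]]'  || return 1   # symbol
}

# gen_password [LEN]: random password of LEN characters (default 12) that
# passes meets_policy; it retries because a short random draw can miss a class.
gen_password() {
    len=${1:-12}
    [ "$len" -ge 8 ] || { echo "gen_password: length must be >= 8" >&2; return 1; }
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=' < /dev/urandom | head -c "$len")
        if meets_policy "$pw"; then printf '%s\n' "$pw"; return 0; fi
    done
}

# Constructed samples: one for each way a password can fall short, then a good one.
for sample in 'password' 'abcdefg1!' 'Abcdefgh!' 'Abcdefg12' 'Ab1!' 'Abcdef1!'; do
    if meets_policy "$sample"; then verdict=ok; else verdict=weak; fi
    printf '%-12s %s\n' "$sample" "$verdict"
done
echo "generated: $(gen_password 12)"
```

The check treats anything that is not a letter or digit as a symbol, so spaces and punctuation both count; the generator simply keeps drawing until all four classes are present rather than forcing a fixed position for each class.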

The biggest step you can take to help protect your server is changing your default RDP/SSH ports, and even your FTP and other program ports. I think a lot of admins don’t do this because they fear it’s a complex step. It’s not! For Windows, it’s as simple as using regedit (OOOO SCARY!!, calm down and just be careful). Do the following for Windows Server 2003:

Start->Run-> type regedit

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

In the right pane, look for PortNumber

Simply change the port number to whatever you want (PortNumber is a DWORD and regedit displays it in hexadecimal by default, so select the Decimal base before typing the new value). Usually I keep my birth date in my port number changes, e.g. 3371 (not my real birth date, but you get the point).

When you reconnect to the server, just make sure you append the port number, e.g. xx.xx.xxx.xxx:3371

In Linux, it’s even simpler. All you need to do is edit sshd_config. To do this, do the following:

Use your favorite text editor and edit /etc/ssh/sshd_config

At the very top of the config is your current port, 22:

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Simply uncomment the line by removing the ‘#’ and choose a new port. Let’s go with the birth date method again, e.g. 2271. It will now look like:

Port 2271
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Now all you have to do is restart ssh (this process is different depending on your distro, just google restart ssh). Before you close your current session, open a second one on the new port to make sure you can still get in. To connect from another client using the new port, do:

ssh -p 2271 root@xx.xx.xxx.xxx

Lastly, using a firewall really does help. The built-in Windows Firewall works. It’s simple, basic and easy to use. Just make sure that before you enable it you add your new RDP port. If you forget, you know where to reach us. The same goes for iptables in Linux.
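The Linux steps above (edit sshd_config, open the firewall for the new port, restart, reconnect with -p) as one added shell example. This is not code from the original post or from 1-800-HOSTING; it assumes a GNU/Linux system with awk, mktemp and iptables, and it works on a constructed copy of the stock sshd_config header rather than the live file. Unlike the hand edit in the post it also handles a config where Port is already set or missing, and it rewrites only the first Port line, so running it twice leaves a single directive:

```shell
#!/bin/sh
# Added example, not from the original post: move sshd to a new port on a copy of
# sshd_config, open the firewall for it first, then verify before restarting.
# Assumptions: GNU/Linux userland (awk, grep, mktemp), iptables as the firewall,
# and the stock sshd_config layout shown in the post. All values are constructed.
set -u

# valid_port NUM: succeed only for a numeric TCP port in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# set_ssh_port FILE PORT: rewrite the Port directive in FILE, covering the three
# states the post glosses over: a commented "#Port 22", an existing active
# "Port N", or no Port line at all. Only the first match is rewritten, so a
# second run does not leave duplicate directives behind.
set_ssh_port() {
    file=$1; port=$2
    valid_port "$port" || { echo "set_ssh_port: bad port '$port'" >&2; return 1; }
    tmp="$file.tmp.$$"
    awk -v port="$port" '
        !done && $0 ~ /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# current_ssh_port FILE: print the active (uncommented) Port, or 22, sshd's default
current_ssh_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# firewall_rule PORT: the iptables rule to add BEFORE restarting sshd, so the new
# port is reachable and you are not locked out (the mistake the post warns about)
firewall_rule() {
    printf 'iptables -I INPUT -p tcp --dport %s -j ACCEPT\n' "$1"
}

# Demo on a constructed copy of the stock header, never on the live file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
EOF
set_ssh_port "$demo" 2271
echo "Port directive now: $(current_ssh_port "$demo")"
echo "1. $(firewall_rule "$(current_ssh_port "$demo")")"
echo "2. sshd -t -f $demo     # syntax-check the config before restarting"
echo "3. restart sshd, then from another client: ssh -p $(current_ssh_port "$demo") root@xx.xx.xxx.xxx"
rm -f "$demo"
```

The order matters: the firewall rule goes in first, the config is syntax-checked with sshd -t, and only then is sshd restarted, with the old session left open until the new port has been tested from a second client.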

You might be surprised, but the majority of successful hack attempts are done through poor or outdated code. It’s the long-lived battle of the programmer vs. the web dude, but everything I said above will mean nothing if your code is vulnerable. The same goes for using your Windows server to surf the web. DO NOT SURF THE INTERNET WITH YOUR WINDOWS SERVER. You are asking for trouble by doing so. Remote Desktop has file transfer built into it for a reason.

In short,

- Use a more complex password
- Change your default ports
- Add a firewall
- Don’t use your server like a workstation to browse the web and download files.

Hope this helps.

