Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Security Digests For the Home Network Admin?

Posted by timothy on from the next-week-we-cure-all-known-diseases dept.

New submitter halcyon1234 writes "I'm currently cutting the webhost cord, and setting up a simple webserver at home to host a couple hobby websites and a blog. The usual LAMP stuff. I have just enough knowledge to be dangerous; I know how to get everything set up and get it up to date, but not enough to be sure I'm not overlooking common, simple security configurations. And then there's the issue of new vulnerabilities being found that I'm not even aware of. The last thing I want is to contribute to someone's botnet or spam relay. What readings/subscriptions would you recommend for security discussions/heads up? Obviously I already read (too much) Slashdot daily, which I credit for hearing about some major security issues. Are there any RSS feeds or mailing lists you rely on for keeping up to date on security issues?"

8 of 123 comments (clear)

  1. try this by Anonymous Coward · · Score: 5, Informative

    http://www.securityfocus.com/

  2. most distros have a security list by Xtifr · · Score: 4, Informative

    You said LAMP--well, most L distros have a security list you can subscribe to to keep up-to-date on this sort of thing. Also, Linux Weekly News (lwn.net) regularly posts security announcements from most major distros

  3. Re:Check your Internet Acceptable Use documents by vux984 · · Score: 4, Informative

    Most ISPs do NOT allow this kind of stuff. While it might fly under the radar, there is always the possibility they will shut off your access. /em

    In my experience, most ISPs really don't care. And if your hobby site/blog goes offline for a couple days... its not the end of the world.

    Also, in my experience with both the large local ISPs as well as 2 smaller ones, dynamic ip... on most broadband is essentially the same as static (*). You'll probably have the same IP address for years at a time (**) and they only change when they replace/upgrade the network and even if you are on static you will be assigned a new address occasionally as well due to network upgrades.

    So in practice, dynamic ip addresses changes only slightly more often than static ones, and the only difference is that with static ones they'll usually make an effort to give you a few days notice that you'll be getting a new address before it happens. But you still have the downtime as DNS propagates.

    (*) - I'm talking about static ip service on broadband. The static IP you get with a co-located server or T1 tends to be somewhat less likely to change than the static ip you get with a "Business ADSL" package, which still allocates your IP via DHCP, and the only difference real between static and dynamic is, as I said, they make some effort to give you a heads up before they change it on you.

    (**) - As an aside, this fact makes tracking users/households by ip address for advertising purposes fairly reliable.

  4. Not too hard by sirsnork · · Score: 4, Informative

    The best place to start is here

    http://www.us-cert.gov/cas/signup.html

    then onto the security announce list of whatever distro you use.

    Those two alone will probably give you enough information to keep your system safe

    --

    Normal people worry me!
  5. So, what is security? by Beeftopia · · Score: 4, Informative

    First: The only way to connect to your system is over a logical port. So, learn netfilter / IPtables and shut down all ports you don't need. The book "Running Linux" by Dalheimer and Welsh has a pretty good section on netfilter / IPtables. My recommendation - just leave port 22 and 80 (maybe 443 if you're having people log into your web application remotely). Default policy is drop packets unless it matches one of those ports.

    Second: Turn off remote root login, typically found in sshd_config. This'll stop much of the probing.

    Third: You don't want to allow someone to relentlessly try passwords. Get a program like Fail2ban. This will allow a certain number of login attempts before it bans the IP, just dropping the packets and not letting the password authentication module test them.

    Fourth: Strong username/password combinations. The attacker has to guess the correct combination. Get jiggy with it. Unusual username and unusual passphrase password. Especially for the root user.

    Fifth: Stop having Apache broadcast all of its version information. When someone is looking at response headers, they should see just that it's Apache and not Apache version XYZ. Apache loads several config files and reads them as one long config file (they're broken up for easier management). There's a setting in Apache to do that.

    Sixth: In Apache's config files, turn off directory listings. Again, a simple configuration text file setting which eludes me at the moment. Apache The Definitive Guide by Laurie and Laurie is a good book to have. This info is also available on the web.

    Seventh: Read your log files regularly. auth.log, error.log are very informative ones. Doing a lastlog command on a regular basis helps.

    Finally - What is security?
    1) You don't want people writing to where they shouldn't be writing.
    2) You don't want people reading what they shouldn't be reading.
    3) You don't want people executing what they shouldn't be executing.

    Set up permissions well. Don't change them willy-nilly but if reading/writing most stuff on your box requires being part of the root group, that's pretty good security.

    Finally, finally - keep reading various technical sites on the web for new security problems. Address as necessary.

  6. Re:Good starting list by Bitsy+Boffin · · Score: 4, Informative

    Because there will come a time when you are away from home and will think
    "if only I had made SSH accessible I could fix the server right now using my mobile to ssh in, instead of having to go home"

    --
    NZ Electronics Enthusiasts: Check out my Trade Me Listings
  7. Re:Check your Internet Acceptable Use documents by cayenne8 · · Score: 5, Informative

    Most ISPs do NOT allow this kind of stuff.

    Do what I do...get a cheap business account with your ISP.

    I have had mine with Cox cable business for about a decade now...even moving around different places, they move it for me.

    It is only about $70/mo...I get about 10-15 down, and usually about 5-6 up for speed.

    I can run whatever servers I want...web, email, you name it, no ports blocked. I also have no data caps.

    I even get a low level SLA.....and the few times I"ve had trouble, I call in..if there is any wait, I just leave my name/number and usually it has never been more than about 6-10 minutes for them to call me back. Once..I found my connection had gone down a bit after midnight. I called, not expecting much...but damned if when we figured it WAS a line problem, they had a truck out there on the pole near my house in about an hour...freaking after 1am!??! The problem was solved that night (early morning).

    Frankly, I dunno why most people bother with the consumer level ISP crap...just pay a few more dollars and get a real connection that you can do with as you please.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  8. Re:Reliability testing... by rdwulfe · · Score: 4, Informative

    And move SSH off of the default port. It's amazing how much that cuts down on automated hacking attempts. It goes from a constant, 24 hour thing to... well, when I did it a year ago, I've seen perhaps 2 attempts made since.