posted by martyb on Saturday June 03 2017, @02:32PM
from the cat-and-mouse-and-dogged-determination dept.

A couple years ago I set up a simple brochure-ware site for the School Board in the district here in Brooklyn, hosted on a VPS instance on Linode, to publicize the dates of public meetings, meeting minutes, etc. The VPS doesn't contain any sensitive information so I locked down the ports to 80, 443, and 22, hardened the SSH with measures like fail2ban, kept the system updated every week or so, and called it a day.

Last week, though, the site was compromised. Blowing the instance away and re-creating it from physical backups is not a problem, but in poring through the system to figure out how it was breached I realized both that my own security chops aren't deep enough and that standard best security practices might not be good enough anymore, anyway, given the many vulnerabilities exposed in the last year and realities like the NSA trove that Shadow Brokers leaked.

So the question for the more experienced security professionals in the Soylent community is, can they recommend a good guide and/or site to hone Linux security chops and forensic skills that's current?


(Score: 0) by Anonymous Coward on Sunday June 04 2017, @02:45AM (#520066)

    No reason to use the default SSH port. Why make it easier for bots to find your SSH daemon that has some vuln to exploit? Password auth is not best practice, nor is it acceptable, IMHO. Again, no good reason. Use large keys (4096+, though people say 2048 is fine). This makes brute force highly impractical. fail2ban is obsolete due to this fact. Disable multiple attempts if you want, though; they will be trying to use a password so it really shouldn't even matter.

    I don't know which exact guide you used and what portion of it (there seem to be several versions of the guide you mentioned). Nothing against the fine folks at BIND who seem to stay on top of vulns that are found, but it's too large an attack surface for small servers. Use dnsmasq or something. I'm assuming you didn't set up Apache and ISPConfig? Or maybe you were already running Apache? You didn't mention what web server you used, but depending on config that could still be the vector. Maybe not the static code but the server software itself or its config, though I'm used to running PHP so maybe not. If it's only a static site then you can be super paranoid with the config and it won't hurt anything. Regarding the mail server, if it's just Postfix, Dovecot and MariaDB then there's nothing wrong with that, but without a snapshot of your clean system to compare to now (various options exist) I doubt you'll find the lurking malware, though I'm no security expert. I just try to be security aware. One mistake on the mail server config or perms, and they/it could get in that way.

    At any rate, it was most likely the config of one of the public-facing services (doubtful it was a zero-day), unless the Linode server your VPS is on got hacked through its proprietary VPS management GUI or the stack it uses for virt? (I don't remember what Linode uses.)
    If you used a Windows box to connect to your server like the other poster suggested, then you should be banished from the Nerddom immediately! And may Linus and RMS have mercy on your soul! :)

    As far as tutorials and resources, I would say use the Arch and Gentoo wikis and other places where they are supposed to know what they are doing or about security. Maybe OpenBSD blogs or something. Other guides on places like hosting companies and question/answer sites can be taken into consideration but should be viewed with skepticism. The people generally mean well, but many are too lax, or the info is outdated, or they make uninformed decisions about the software they use. Usually, if you do enough reading and are paranoid about your examination of the resources, you will be able to determine who knows what they are talking about through cross-reference, etc. That's what I try to do, FWIW. IOW, one does not simply "pick a tutorial"! :)

    Good luck to you.
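The SSH advice in the comment above (non-default port, key-only login, no password fallback, capped attempts) as a small audit script; this is an added example, not code from the thread or from OpenSSH. The sample configs are constructed, the cap of 3 on MaxAuthTries is an assumption, and the script only reads the global section of sshd_config, since Match blocks need their own review.

```shell
#!/bin/sh
# Audit an sshd_config file against the hardening points from the thread.

# Print the effective global value of a directive, lower-cased, or nothing if
# it is unset. sshd honours the FIRST occurrence of a keyword, and Match
# blocks apply only conditionally, so reading stops at the first Match line.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                 # comments, blank lines
        tolower($1) == "match" { exit }               # global section only
        tolower($1) == key && !seen { val = tolower($2); seen = 1 }
        END { print val }' "$1"
}

# Print one finding per line for the config file given as $1.
audit_sshd_config() {
    f="$1"
    # Fill in the sshd defaults for directives the file leaves unset.
    port=$(sshd_get "$f" Port);                        : "${port:=22}"
    pw=$(sshd_get "$f" PasswordAuthentication);        : "${pw:=yes}"
    kbd=$(sshd_get "$f" KbdInteractiveAuthentication); : "${kbd:=yes}"
    pk=$(sshd_get "$f" PubkeyAuthentication);          : "${pk:=yes}"
    tries=$(sshd_get "$f" MaxAuthTries);               : "${tries:=6}"

    [ "$port" = "22" ] && echo "Port: default 22, every scanner will find it"
    [ "$pw" != "no" ]  && echo "PasswordAuthentication: set to 'no' (key-only)"
    [ "$kbd" != "no" ] && echo "KbdInteractiveAuthentication: set to 'no' (password fallback)"
    [ "$pk" != "yes" ] && echo "PubkeyAuthentication: must be 'yes'"
    [ "$tries" -gt 3 ] && echo "MaxAuthTries: $tries, cap it at 3 or lower (assumed threshold)"
    return 0
}

# Number of findings, for scripting (0 means the file passes every check).
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample configs in temporary files (not taken from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication No
KbdInteractiveAuthentication no
MaxAuthTries 3
EOF

echo "== weak sample =="; audit_sshd_config "$WEAK_CFG"
echo "== hardened sample =="; audit_sshd_config "$HARD_CFG"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`; older sshd releases spell the keyboard-interactive directive ChallengeResponseAuthentication, so add that name if your version predates the rename.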