
What do servers need?

Started by iago, July 02, 2008, 08:19:15 PM


iago

I'm working on rebuilding my servers right now. I've done a stripped down install of Slackware 12.1. Right now, I'm working on setting up the base image that I'll copy to make the other images.

Besides default software/services (hard to provide a list..), I've installed:
- hping3 (troubleshooting)
- nmap (troubleshooting)
- vmware tools
- automatic time updating
- back up tools/accounts

Any other ideas for things that are required across the board? I want to get this set up right before I finalize it.

Joe



iago

Linux is obvious.

Only the Web server needs Apache/PHP

Only the database server needs MySQL

rabbit

cron?  Also, don't forget ssh for the database and site servers, and FTP on the website server.  You also can't forget about RCRS (or can you?)  Maybe ident too, though I'm not sure.

iago

ssh is there, that's a default. I don't (and won't) use FTP, so that's a non issue.

RCRS, I'm not worried about.

What good is ident? I've never installed that, but I wouldn't be opposed to it if it could be useful.

Sidoh

I know you're trying to keep this lightweight, but it seems uses for quick perl scripts pop up in tons of situations.  If you think this might be the case, I'd install CPAN on all of your servers.

I'd be shocked if Slackware didn't come with the Python stuff, but you'd want that too.

I'd also look into something that monitors and takes action on failed login attempts via SSH.  I have a python program running on my server that watches for failed login attempts in the log files and blocks IP addresses after they fail some number of times (I think it's 7 by default).  It also removes the blocks after a set amount of time.

There's another cool concept called "graylisting" where you block every attempt to connect via SSH the first time, and allow all other attempts through.  This makes most brute force bots give up.

I'm pretty sure you already know about those things, but I figured I'd throw them out there since they seem pseudo-important from a security standpoint. :)
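Added example (not part of the post above and not the code of any existing tool): a minimal Python sketch of the failed-login watcher described there, counting sshd "Failed password" lines per address, blocking at 7 failures and lifting the block after a set time. The syslog line format, the one-hour block duration, and the names `parse`, `FailTracker` and `demo` are assumptions; the tracker only returns block/unblock decisions and leaves the firewall call to the caller.

```python
import re
from datetime import datetime, timedelta

# The username is attacker-controlled, so the address is taken from the END of
# the line (greedy .*), not from the first "from" that appears.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"
)

def parse(line, year=2008):
    """Return (timestamp, ip) for a failed-password line, else None.
    Syslog lines carry no year, so one is assumed."""
    m = FAILED.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)

class FailTracker:
    def __init__(self, threshold=7, block_for=timedelta(hours=1)):
        self.threshold, self.block_for = threshold, block_for
        self.failures = {}  # ip -> failures seen so far
        self.blocked = {}   # ip -> time the block expires

    def feed(self, line):
        """Consume one log line; return [("block"|"unblock", ip), ...]."""
        parsed = parse(line)
        if parsed is None:
            return []
        now, ip = parsed
        # Expiry is driven by log time, so blocks lapse when a later line arrives.
        expired = [b for b, until in self.blocked.items() if until <= now]
        for b in expired:
            del self.blocked[b]
        actions = [("unblock", b) for b in expired]
        if ip not in self.blocked:
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= self.threshold:
                self.blocked[ip] = now + self.block_for
                del self.failures[ip]
                actions.append(("block", ip))
        return actions

def demo():
    """Constructed sample: 7 failures from one address, then a later line."""
    t = FailTracker()
    fmt = "Jul  2 21:5{}:00 web1 sshd[4321]: Failed password for root from 203.0.113.5 port 4000{} ssh2"
    out = [a for i in range(7) for a in t.feed(fmt.format(i, i))]
    late = "Jul  2 23:10:00 web1 sshd[4399]: Failed password for invalid user bob from 198.51.100.7 port 51000 ssh2"
    return out + t.feed(late)
```
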

iago

Quote from: Sidoh on July 02, 2008, 09:50:59 PM
I know you're trying to keep this lightweight, but it seems uses for quick perl scripts pop up in tons of situations.  If you think this might be the case, I'd install CPAN on all of your servers.

Came with Slackware

Quote from: Sidoh on July 02, 2008, 09:50:59 PM
I'd be shocked if Slackware didn't come with the Python stuff, but you'd want that too.

Ditto, I installed all the dev tools.

Quote from: Sidoh on July 02, 2008, 09:50:59 PM
I'd also look into something that monitors and takes action on failed login attempts via SSH.  I have a python program running on my server that watches for failed login attempts in the log files and blocks IP addresses after they fail some number of times (I think it's 7 by default).  It also removes the blocks after a set amount of time.

Not a bad idea, I thought about doing that before, but hadn't gotten around to it.

Quote from: Sidoh on July 02, 2008, 09:50:59 PM
There's another cool concept called "graylisting" where you block every attempt to connect via SSH the first time, and allow all other attempts through.  This makes most brute force bots give up.

Obscurity. It only works till lots of people do it. :)

Quote from: Sidoh on July 02, 2008, 09:50:59 PM
I'm pretty sure you already know about those things, but I figured I'd throw them out there since they seem pseudo-important from a security standpoint. :)

Heh, yeah.

Speaking of security, I was thinking of putting traffic monitoring software on each server, and pulling the stats back to one server (possibly the backup server). Not sure if I'm going to bother, though.

Newby

Some sort of data encryption on the hard-disk? I dunno. I'd say NetHack but you couldn't take me seriously. :P

Sidoh

Quote from: iago on July 02, 2008, 10:04:08 PM
Obscurity. It only works till lots of people do it. :)

Obviously, but as long as you don't rely on it, I don't see the harm in exploiting it. :P

iago

I'm not sure that hard disk encryption would buy me anything on a vmware image. The only real attack avenue is somebody hacking the server, encryption wouldn't help much if they had physical access (could just pause/resume vmware images).

Here is the list of things so far:
- iptables with default deny all (I'm already firewalling at the router, but an extra layer couldn't hurt)
- ntop (traffic monitoring), if it works (wouldn't really work for me before)
- a way to update software (I'm thinking a folder that they'll install packages from if it's filled.. maybe require the packages to be signed by me? We'll see)
- deny hosts (ban ssh brute forcers)
- locked down root account (can't log in remotely as root, will make a different default account)
- nightly portscans scheduled, from the trusted zone, so I can see when services change
- empty /usr/local and /home folders, ready to have separate drives mounted

Other suggestions are good, I'm probably going to build this image this weekend.
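Added example (not part of the post above): one way to act on the "nightly portscans ... so I can see when services change" item, by diffing two nights of nmap grepable output (`nmap -oG`). The sample scan text, host names and addresses are constructed, and `parse_grepable` and `diff_scans` are hypothetical names.

```python
def parse_grepable(text):
    """Map (host, port, proto) -> service name for every open port."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no ports
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = next(f for f in fields if f.startswith("Ports:"))[len("Ports:"):]
        for entry in ports.split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) >= 5 and parts[1] == "open":
                found[(host, int(parts[0]), parts[2])] = parts[4]
    return found

def diff_scans(previous, current):
    """Report ports that opened or closed between two scans."""
    old, new = parse_grepable(previous), parse_grepable(current)
    return {
        "opened": sorted((h, p, pr, new[(h, p, pr)]) for (h, p, pr) in new.keys() - old.keys()),
        "closed": sorted((h, p, pr, old[(h, p, pr)]) for (h, p, pr) in old.keys() - new.keys()),
    }

# Constructed sample scans (documentation address range, made-up host names).
NIGHT_1 = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (web1)\tStatus: Up\n"
    "Host: 192.0.2.10 (web1)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n"
    "Host: 192.0.2.20 (db1)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\n"
)
NIGHT_2 = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (web1)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\n"
    "Host: 192.0.2.20 (db1)\tPorts: 22/open/tcp//ssh///, 3306/closed/tcp//mysql///\n"
)

if __name__ == "__main__":
    for kind, items in diff_scans(NIGHT_1, NIGHT_2).items():
        for host, port, proto, service in items:
            print(f"{kind}: {host} {port}/{proto} ({service})")
```

A host that is down or missing from the second scan shows up as all of its ports closing, so a burst of "closed" entries for one address is worth checking against the host's status first.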

Chavo

rsync is nice if you have a good place to put the backups

while1

Let's see.  I don't see any porn on your list.  No server can live without porn!  It serves you, but do you service it?

Warrior

a server most of all requires tender love and care, someone to hug him when he's feeling blue..perhaps an occasional bedtime story.
when he's running a fever be sure to keep him nice and cool, he's forgetful so make backups of his data regularly

at times he may become frustrated with the amount of load he's put under, don't be mad at him he's trying his best.

mynameistmp

I always used to install svn. I'd host one server on my LAN, and then install the client on all other machines I frequented. I used to have 4 or 5 machines that I'd switch between, so it eliminated redundancies. I would log in to desktop A as tmp, hack around for an hour or two on a variety of different things. Then I'd commit to the server repository and log out. svn would automatically tabulate all of the files modified during the session and store them for me. I could leave for lunch, log in via laptop from the restaurant, check a copy of my home directory out, and be exactly where I left off; down to the wall paper and xmms volume. Rinse, repeat. I was always surprised how few people it seemed exploited this functionality.

Another is vtund, but depending on which version of the kernel you selected you may not have the necessary module.

iago

Good call at svn, I meant to make sure that was installed. It came by default, but it won't run because I'm missing libldap. Will take care of that!

vtund doesn't sound like something I need, at least for this. :)