[SATLUG] Questions about home server security

Wes Henderson whendersonii at gmail.com
Sun Feb 10 14:57:20 CST 2013


Personally my home server runs: Samba, Apache, SSH, and CUPS, but only
Apache and SSH are open to the internet.

SSH: I run SSH on a non-standard port with complex passwords, root cannot
log in via SSH, and I use Google Authenticator
<http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/>
(open-source and does not "call home").

Apache: I obfuscate server info from the HTTP header, obfuscate 404 error
server info, CGI execution is off, server side "includes" are off, and I do
not allow directory browsing. I am playing with the idea of installing
Nginx on my Raspberry Pi and setting up a reverse proxy for my Apache
server. Any thoughts on hardening Apache or on using Nginx would be
much appreciated.

Router: Runs DD-WRT with heavy logging and I have many types of requests
blocked.

Additionally, head here <http://www.grc.com/intro.htm> and verify what
ports are open.


On Sun, Feb 10, 2013 at 1:46 PM, Alex Bartonek <bartonekdragracing at yahoo.com
> wrote:

> Run stuff on a non-standard port, that's what I do.  On my server (running
> Solaris), I have unnecessary ports closed and I also have IPFilter
> implemented.  Use iptables under Linux to block what goes out also, so if
> you do get hacked, it's localized.
>
> --- On Sun, 2/10/13, Frank Huddleston <fhuddles at gmail.com> wrote:
>
> From: Frank Huddleston <fhuddles at gmail.com>
> Subject: [SATLUG] Questions about home server security
> To: satlug at satlug.org
> Date: Sunday, February 10, 2013, 12:35 PM
>
> Greetings,
>
>   I am wanting to set up a small server (Raspberry Pi with an attached
> hard drive), to serve mostly as remote backup/personal cloud, at my
> son-in-law's house. I'm concerned about the security implications, and
> don't want to expose his home computers to undue risk as a result. He
> doesn't run any servers at this time: only wirelessly connected laptops and
> cell phones.
>   I've had a home server exposed to the internet for some time, and from
> time to time I see hacking attempts, but so far nobody has broken in (as
> far as I know). I use port-forwarding, and have only exposed the ports I
> think are necessary to the things I run: ssh, http, icecast, mpd/mpc,
> Subsonic. It's possible that I'd want a few more, and maybe drop a few I
> have now, but that gives you a general idea.
>   I haven't done anything special to secure my servers: previously I ran
> NetBSD on one, but now they are Debian
> (the Pi runs a variant called, I think, Raspbian). I see there is an option
> on his router to put a computer in the DMZ, but it says this should only
> be temporary, to test something out. I don't have a DMZ on my own home LAN.
>   So what can you tell me? I guess I really mean, what can I tell him? Is
> this relatively safe for his LAN? Is there something I should do to make it
> safer?
>
> Thanks,
>
> Frank Huddleston
>
>
> -- _______________________________________________
> SATLUG mailing list
> SATLUG at satlug.org
> http://alamo.satlug.org/mailman/listinfo/satlug to manage/unsubscribe
> Powered by Rackspace (www.rackspace.com)
>



-- 
*Wes Henderson*
IT Consultant
Email: whendersonii at gmail.com

Find me on my website: weshenderson.info
And elsewhere -
     Google+ <https://plus.google.com/u/0/118217301983867537201/posts>
     Linkedin <http://www.linkedin.com/pub/wes-henderson/41/3b7/a96>
     Twitter <https://twitter.com/intent/tweet?screen_name=whendersonii>

"Unix is simple, but it takes a genius to understand the simplicity." -
Dennis Ritchie
