New linux user, is this setup secure?
I use Ubuntu at work but only for desktop use, so I'm not very experienced with Ubuntu Server.
I'm interested in your views on my setup:
Ubuntu 10.04 LTS
PPTP VPN connection, which gives a 192.168.X.* address
ufw firewall, default deny
SSH on the default port, allowed from anywhere
(root login disabled, DenyHosts running)
PPTP on the default port, allowed from anywhere
FTP on the default port, only allowed from 192.168.X.*
phpMyAdmin in the default folder, only allowed from 192.168.X.*
Webmin on the default port, only allowed from 192.168.X.*
Whitelist on manager.linode.com
WordPress installation with SSL on the admin login.
I use the VPN to connect to FTP, phpMyAdmin and Webmin/Virtualmin.
Any other things I should think about?
Thanks.
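The ruleset described above, written out as a dry-run script. This is an added example and not the poster's actual commands: the VPN subnet 192.168.10.0/24 stands in for "192.168.X.*" (ufw takes CIDR notation, not a wildcard), SSH is assumed to be on 22, Webmin on its default 10000 and PPTP on 1723/tcp. Note that the phpMyAdmin restriction cannot be done here at all: a "default folder" is a URL path on ports 80/443, so that one belongs in the web server's configuration, not the firewall.

```shell
#!/bin/sh
# Added example (not from the original post): the ufw ruleset the poster
# describes, as a dry-run script. Assumptions: VPN subnet 192.168.10.0/24,
# SSH on 22, Webmin on 10000, PPTP control channel on 1723/tcp. PPTP also
# needs GRE (IP protocol 47); older ufw releases cannot express that as a
# port rule, so it has to go into /etc/ufw/before.rules as an iptables rule.
VPN_NET="${VPN_NET:-192.168.10.0/24}"
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 (as root) to really apply the rules

# Emit one ufw command: print it when dry-running, otherwise execute it.
ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ufw %s\n' "$*"
    else
        ufw "$@"
    fi
}

# The rule set from the post, in the order ufw evaluates it
# (first matching rule wins, so keep the narrow rules explicit).
apply_rules() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    # reachable from anywhere
    ufw_cmd allow "${SSH_PORT}/tcp"
    ufw_cmd allow 1723/tcp                                     # PPTP control
    ufw_cmd allow 80/tcp
    ufw_cmd allow 443/tcp
    # reachable only from the VPN subnet
    ufw_cmd allow from "$VPN_NET" to any port 21 proto tcp     # FTP
    ufw_cmd allow from "$VPN_NET" to any port 10000 proto tcp  # Webmin
    ufw_cmd --force enable
}

# Sanity check before applying: how many allow rules have no "from"
# restriction, i.e. are open to the whole Internet.
count_world_open() {
    apply_rules | grep -c '^ufw allow [0-9]'
}

apply_rules
```

Run as-is it only prints the commands; `DRY_RUN=0` applies them. `count_world_open` should come back as 4 for this set (SSH, PPTP, HTTP, HTTPS). After applying, `ufw status numbered` shows the live order, and a stale rule that still matches earlier can be removed with `ufw delete <number>`.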
10 Replies
I hope your SSH is restricted to public keys, not password authentication; having it open to anyone on the default port means you're going to experience brute-force attempts.
Do you really need FTP? Can't you use SFTP (transferring files over SSH)? One less bit of software to worry about.
Do you also need phpMyAdmin? I find http://wb.mysql.com/ is a better alternative.
I also moved the SSH port to a non-default one. I will generate keys and disable password login.
About SFTP, is that the same as SCP?
Would I connect to my SSH port with my SCP/SFTP program?
I will look into your phpMyAdmin alternative.
I really appreciate your input.
SCP/SFTP use the same SSH protocol; yes, you would connect to your SSH port with the same credentials you use for SSH.
If you're on a Mac then Cyberduck is a good SFTP client, on Windows WinSCP is good, and on Linux just check your repositories.
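The two replies above (key-only SSH logins, and SFTP/SCP riding the same SSH port) put into one script. This is an added example, not something posted in the thread: it edits a copy of sshd_config that it creates itself, so it runs anywhere; the hostname, user name, key file and port 2222 in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Turns sshd to key-only logins and
# shows that SFTP/SCP reuse the same port and key. Host, user, key path
# and port 2222 below are assumptions.

# Set a directive in an sshd_config file. sshd uses the FIRST occurrence of
# a directive, so appending "PasswordAuthentication no" at the end does not
# override an earlier "yes": existing (even commented-out) lines are rewritten
# in place, and the directive is only appended when absent.
set_sshd_option() {  # set_sshd_option <file> <Directive> <value>
    file="$1"; key="$2"; val="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${val}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# The hardening asked for: keys only, no root logins.
harden_sshd_config() {  # harden_sshd_config <file>
    cfg="$1"
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" PermitRootLogin no
}

# Print the value sshd will actually use (first uncommented occurrence).
get_sshd_option() {  # get_sshd_option <file> <Directive>
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Demo on a constructed, abridged copy of a stock Ubuntu sshd_config.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
Port 2222
#PasswordAuthentication yes
PermitRootLogin yes
EOF
    harden_sshd_config "$cfg"
    cat "$cfg"
    rm -f "$cfg"
}
demo

# Client side (not executed here). Keep the first session open and test the
# key login from a second terminal BEFORE restarting sshd for real.
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/linode
#   ssh-copy-id -i ~/.ssh/linode.pub -p 2222 user@example.com   # recent ssh-copy-id
#   ssh  -p 2222 -i ~/.ssh/linode user@example.com
# SFTP/SCP use the same daemon, port and key; note the capital -P:
#   sftp -P 2222 -i ~/.ssh/linode user@example.com
#   scp  -P 2222 -i ~/.ssh/linode backup.sql user@example.com:/tmp/
```

On the server the edit is `harden_sshd_config /etc/ssh/sshd_config` followed by a restart of ssh; `sshd -t` first confirms the file still parses.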
I will try to upgrade from PPTP to L2TP; it seems tricky though.
@obs:
You may want to change the VPN IP addresses to one of the other private net blocks; Linode uses the 192.168 range for their private network, and you may find clashes should you ever choose to use it.
I hope your SSH is restricted to public keys, not password authentication; having it open to anyone on the default port means you're going to experience brute-force attempts.
Do you really need FTP? Can't you use SFTP (transferring files over SSH)? One less bit of software to worry about.
Do you also need phpMyAdmin? I find
http://wb.mysql.com/ is a better alternative.
Wouldn't I have to open up the MySQL port to use your suggested app? Wouldn't that be more unsafe than using a protected phpMyAdmin directory? I'm not really using phpMyAdmin much except for importing/exporting databases.
Another problem I have now: I have disabled the FTP service on my server and used "ufw deny 21" to close the FTP port. When running nmap from another computer against my domain name, the port is still listed as open. How is this possible?
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
443/tcp open http
Try running nmap from another machine; if I use nmap on any IP it always says port 21 is open, something weird to do with my ISP (I imagine they filter incoming FTP traffic). Maybe your ISP does the same.
If you pop on IRC someone there could scan for you.
@JshWright:
Do you still have an "allow" rule for port 21? The first rule that matches is applied, so you may need to delete a conflicting rule to actually close the port.
No, I have no allow rule for 21. It's weird though. When running nmap from certain networks to my Linode it does not show port 21 as open, which makes me believe obs is right in that some ISP is to blame. I can't connect to 21 (even when I have proftpd started on 21). I guess I can drop my concern about this.
Thanks a bunch for all your great replies!