Failed logins from these:
a\361a/password from <snip>: 3 Time(s)
aaron/password from <snip>: 2 Time(s)
abe/password from <snip>: 2 Time(s)
....etc forever.
**Unmatched Entries**
Illegal user lpd from <snip>
Illegal user lpd from <snip>
Illegal user lpd from <snip>
....etc forever.
My question is, do I even need sshd running on my web server? I log in using webmin and don't ever telnet or ssh into the system. Are there any other systems which use sshd or can I just turn it off?
How about other servers (like telnet, ftpd, etc)? What is a cheap and quick way to safeguard against hacking? Firewalls don't count, not being cheap.
Thanks for any advice.
[edited by: physics at 7:22 am (utc) on Nov. 15, 2005]
[edit reason] No specific IPs please. [/edit]
My question is, do I even need sshd running on my web server? I log in using webmin and don't ever telnet or ssh into the system. Are there any other systems which use sshd or can I just turn it off?
SSH is your emergency access point to your system. Webmin will only be there as long as your webserver is running, and if it decides to fail one day (it's not impossible) you'd need alternative access.
How about other servers (like telnet, ftpd, etc)?
If you don't use them, lose them.
What is a cheap and quick way to safeguard against hacking? Firewalls don't count, not being cheap.
With SSH, a basic precaution is to turn off root logins. Every system has a user "root", which makes it a potentially easy attack vector. Before you do this, make sure there is at least one normal user with SSH access though!
Dunno whether Webmin and the like have a facility for doing this; otherwise you'll need to edit the file "/etc/ssh/sshd_config" and set the entry "PermitRootLogin no". Then restart the SSH daemon with "rcsshd reload" (all this logged in as root - I'd experiment with a test system first if you've never done this kind of thing before).
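Added example, not part of the thread and not code from any poster: a shell sketch of the precaution described in the reply above. It reads which PermitRootLogin value sshd would actually use, confirms a non-root login account exists, and writes a hardened copy of the config. The function names, the sample files, the account names and the UID cutoff of 1000 are assumptions made for the illustration.

```shell
#!/bin/sh
# Print the global PermitRootLogin value sshd would use (the first occurrence
# wins, keywords are case-insensitive), or "unset" if none precedes a Match block.
effective_root_login() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# List accounts that could serve as the non-root login: UID >= $2 and a real
# shell. The default cutoff of 1000 is an assumption; distributions differ.
login_users() {
    awk -F: -v min="${2:-1000}" \
        '$3 >= min && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Write a hardened copy of $1 to $2: "PermitRootLogin no" goes first and every
# active global PermitRootLogin line is commented out. $1 is left untouched and
# settings inside Match blocks are kept as they are, for manual review.
harden_root_login() {
    awk 'BEGIN { print "PermitRootLogin no" }
         { k = tolower($0); sub(/^[ \t]+/, "", k) }
         k ~ /^match[ \t]/ { inmatch = 1 }
         !inmatch && k ~ /^permitrootlogin[ \t=]/ { print "#" $0; next }
         { print }' "$1" > "$2"
}

# Constructed sample files (not taken from any real host).
demo=$(mktemp -d)
printf '%s\n' '# sample' 'Port 22' 'permitrootlogin YES' \
    'PermitRootLogin no' 'Match User backup' '  PermitRootLogin yes' \
    > "$demo/sshd_config"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'wwwrun:x:30:8:daemon:/var/lib/wwwrun:/bin/false' \
    'rescue:x:1000:100:Emergency:/home/rescue:/bin/bash' > "$demo/passwd"

echo "before: $(effective_root_login "$demo/sshd_config")"
if [ -n "$(login_users "$demo/passwd")" ]; then
    harden_root_login "$demo/sshd_config" "$demo/sshd_config.new"
    echo "after:  $(effective_root_login "$demo/sshd_config.new")"
else
    echo "no non-root login account found; leaving root login alone" >&2
fi
```

On a real server, check the hardened copy with `sshd -t -f` on that file before moving it into place and reloading, and keep the current session open until a fresh login as the non-root user has succeeded.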
I'm going to talk to my host and see if they can help me set up Bastille.
I'll also look into turning off sshd for root and set up one emergency account with a strong password. Probably will end up turning off ftpd, telnet, etc. Does anyone know how webmin is able to access the server? Does it use any of these servers?
I find webmin really useful in administrating my server. I don't think I would be able to get much done without it. Does anyone know of ways to make it more secure?