For a side project that I've been working on, I've set up an Ubuntu Server (10.04 LTS) in a Virtual Machine running on my standard Kubuntu install. Since this is work related and I often need to check in on things from work, load new data into the server from work, and whatnot, I've opened up 80 and 22 on my home router to outside traffic (80 since the regular user interface is web based, and 22 for obvious reasons), and am forwarding it to my VM. Since I only have a consumer level router, I set up SSH on my main machine on a different port, and 80 is not open on that side.
I am completely ignorant when it comes to networking in general, let alone network security, and although the VM actually comes from a company that "should" have somewhat hardened the server, I do want to make sure that's the case. Since it's just a VM, I don't necessarily care if it gets hosed as I can just reload a new image. It would be very suboptimal (to say the least) as I'm sure I'll end up losing some of my work. But, some of my big concerns are attackers being able to get to my main box from there via ssh, problems with my ISP due to illicit traffic, and things like that. The big problem is that I'm completely in over my head when it comes to the coding that I'm trying to do, and I've had to spend every free minute I can trying to figure out and learn the scripting necessary, and really don't have enough brain cells left to process this networking and network security language.
I've tried to read up some on the network security stuff out there, and to be honest, a lot of it is over my head. I've been monitoring the log files, and I see tons of failed ssh attempts, with occasional big warnings like (the source URL completely cracked me up!):
Code:
Nov 4 07:29:25 TSVMware sshd[24507]: reverse mapping checking getaddrinfo for webserver.1800hairextensions.com [206.217.199.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Apart from only having needed ports open on the server VM, and only having 80 and 22 open on my router, plus a fairly strong password on all my systems, what can I do to make sure I at least make it somewhat challenging for an attacker to get in and do something bad? I know that UFW is inactive on the system currently. However, I'm not quite clear on what that would do that my router would not. I've also had a look, and it seems that the vendor has not set up any iptables rules. I had a look at the Community Docs (https://help.ubuntu.com/community/IptablesHowTo), and again, it's a little over my head at the moment. It seems it would be better to configure this, I would imagine, but I'm really not too sure about how to go about this.
Another thing that I thought of is that maybe it's bad to use an ssh key rather than a password between my server VM and my host machine. The two have different passwords, and I'm thinking that it may be more secure to have to use a password to get through to the host rather than being able to automatically connect if one can guess the user name. Would that make sense?
I've also found this nice guide to some security tools and settings that one should consider. However, I feel like I completely lack the time and the knowhow to learn all of this and appropriately set it up:
http://www.thefanclub.co.za/how-to/h...-part-1-basics
Can anyone offer some advice on the best way to make sure this VM server is somewhat safe, maybe an abject and total moron's (a few steps below idiot I would imagine) guide to Ubuntu Server Security? Apart from actually changing the Ubuntu Server version, I think (or probably hope is more like it) that I should be able to do what needs to be done without affecting the rest of the setup. I sincerely appreciate anyone who can point me in the right direction!
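The post mentions watching auth.log and seeing "tons of failed ssh attempts" plus the reverse-mapping warning. The script below is an added example (it is not part of the original post and not from any vendor or guide the post links to) that turns that raw log into something actionable: it counts failed password attempts per source address, records which user names were tried, notes reverse-mapping warnings and successful logins, and lists the addresses that exceed a chosen threshold. The sample log is constructed for the example; the first line is the one from the post, the other addresses are RFC 5737 documentation addresses, and the host name TSVMware and user name tsuser are taken from or modelled on the post. It targets Python 3, so on a 10.04 box it would need a newer interpreter than the default one.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt (not real traffic): line 1 is the
# warning quoted in the post; the 192.0.2.x addresses are documentation
# addresses, and tsuser is an assumed account name.
SAMPLE_LOG = """\
Nov 4 07:29:25 TSVMware sshd[24507]: reverse mapping checking getaddrinfo for webserver.1800hairextensions.com [206.217.199.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 4 07:29:26 TSVMware sshd[24507]: Invalid user oracle from 206.217.199.18
Nov 4 07:29:28 TSVMware sshd[24507]: Failed password for invalid user oracle from 206.217.199.18 port 51234 ssh2
Nov 4 07:29:31 TSVMware sshd[24509]: Failed password for root from 206.217.199.18 port 51240 ssh2
Nov 4 07:29:35 TSVMware sshd[24511]: Failed password for root from 206.217.199.18 port 51244 ssh2
Nov 4 07:30:02 TSVMware sshd[24515]: Failed password for invalid user admin from 192.0.2.77 port 40011 ssh2
Nov 4 07:31:10 TSVMware sshd[24520]: Accepted publickey for tsuser from 192.0.2.10 port 50022 ssh2
Nov 4 07:31:40 TSVMware sshd[24530]: Failed password for tsuser from 192.0.2.10 port 50030 ssh2
"""

# Patterns for the three OpenSSH message shapes we care about. The optional
# "invalid user " prefix appears when the account does not exist at all.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
REVERSE = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (\S+) \[(\d+\.\d+\.\d+\.\d+)\] failed")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def summarize(log_text):
    """Aggregate sshd events by source address."""
    failures = Counter()              # ip -> number of failed passwords
    usernames = defaultdict(set)      # ip -> user names that were tried
    reverse_warnings = Counter()      # ip -> reverse-DNS mismatch warnings
    accepted = []                     # (user, auth method, ip) per login
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            ip = m.group(3)
            failures[ip] += 1
            usernames[ip].add(m.group(2))
            continue
        m = REVERSE.search(line)
        if m:
            reverse_warnings[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(2), m.group(1), m.group(3)))
    return {
        "failures": dict(failures),
        "usernames": {ip: sorted(users) for ip, users in usernames.items()},
        "reverse_warnings": dict(reverse_warnings),
        "accepted": accepted,
    }


def candidates_to_block(summary, threshold=3):
    """Source addresses with at least `threshold` failed passwords."""
    return sorted(ip for ip, n in summary["failures"].items() if n >= threshold)


def logins_from_ips_with_failures(summary):
    """Successful logins from addresses that also produced failures; these
    deserve a second look because a success after a run of failures is the
    one event a brute-force attack is trying to produce."""
    failed_ips = set(summary["failures"])
    return [entry for entry in summary["accepted"] if entry[2] in failed_ips]


if __name__ == "__main__":
    # Usage: python3 sshlog.py /var/log/auth.log (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    for ip, n in sorted(report["failures"].items(), key=lambda kv: -kv[1]):
        print("%-16s %3d failed, users tried: %s" % (
            ip, n, ", ".join(report["usernames"][ip])))
    print("reverse-mapping warnings:", report["reverse_warnings"])
    print("accepted logins:", report["accepted"])
    print("over threshold:", candidates_to_block(report))
    print("logins from ips with failures:", logins_from_ips_with_failures(report))
```

Running it against the real /var/log/auth.log shows at a glance which addresses are hammering port 22 and whether any of them ever got in. The "POSSIBLE BREAK-IN ATTEMPT" text only means the connecting address's reverse DNS does not resolve back to itself, which is common and not by itself evidence of a compromise; the failure counts and the accepted-login list are the parts worth acting on. This per-address counting is exactly what a tool like fail2ban automates, adding a temporary firewall rule once a threshold is crossed.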