Page 3 of 4
Results 21 to 30 of 35

Thread: Server Tutorial

  1. #21
    Join Date
    May 2007
    Location
    Phoenix, Arizona USA
    Beans
    2,909
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Server Tutorial

    Quote Originally Posted by rcrcomputing
    Google "brute force ssh"

    You'll notice other programs giving major access to the system limit access attempts by default. An example is webmin.
    If you have your ssh set up correctly, you will NEVER have this problem. I do this professionally for a living and I do not have either one of these installed nor do I plan on it. Use of good secure passwords (read that phrases and not dictionary words) goes a long way in security. Even better yet is setting up passwordless login using public and private keys. Not allowing root login via ssh is another must have.

    It's fine to express your doubts but if you do not have knowledge of an application it's best to refrain from making broad generalizations such as you did. ssh is extremely secure without the use of any other tool if set up and used correctly. Koen is right in asking you why you would say something like this.

    -Tim
    www.pcchopshop.net

    Hard to find and obsolete PC and server parts. "If we can't find it, it probably doesn't exist"

  2. #22
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Server Tutorial

    Quote Originally Posted by windependence
    If you have your ssh set up correctly, you will NEVER have this problem. I do this professionally for a living and I do not have either one of these installed nor do I plan on it. Use of good secure passwords (read that phrases and not dictionary words) goes a long way in security. Even better yet is setting up passwordless login using public and private keys. Not allowing root login via ssh is another must have.

    It's fine to express your doubts but if you do not have knowledge of an application it's best to refrain from making broad generalizations such as you did. ssh is extremely secure without the use of any other tool if set up and used correctly. Koen is right in asking you why you would say something like this.

    -Tim
    Thanks, my point exactly.

  3. #23
    Join Date
    Dec 2008
    Beans
    12

    Re: Server Tutorial

    Hi, have installed webmin using the following tutorial
    http://onlyubuntu.blogspot.com/2007/...in-ubuntu.html

    NOTE : this is webmin 1.340 but READ ALL the follow up notes at the bottom before proceeding for the updated version

    After the install, I could not locate/login to webmin using the suggested url, in my case https://ubuntuServer:10000/ so I typed the ip address in of that machine eg https://192.168.1.2:10000/ (answered a few security questions from my browser) then got the log in screen.

    OK so now I have INSTALLED the server and a gui control panel (webmin), now I will move on to webserver, mysql etc - speak soon perhaps!

    I will follow up all other links - thanks a lot

    Thanks for the help in the meantime - A

  4. #24
    Join Date
    Feb 2005
    Beans
    30

    Re: Server Tutorial

    I was aware his question was a "sandbagger" question and was aware I was about to have this conversation.

    Quote Originally Posted by windependence
    If you have your ssh set up correctly, you will NEVER have this problem.
    Hmm, you just said, set up "secure shell" and then "secure" it. Shouldn't it have minimal security embedded?
    Ok, let's tell the new guy setting his server up, he got compromised in the first 24 hours and it is "his" fault for not setting ssh up correctly. Wonder why other programs are "set up correctly" out of the box. Even Windows, when passworded, limits attempts.

    Quote Originally Posted by windependence
    I do this professionally for a living and I do not have either one of these installed nor do I plan on it. Use of good secure passwords (read that phrases and not dictionary words) goes a long way in security.
    No offense, but I would not hire you.
    With unlimited attempts ANY password can potentially be brute forced. Oh, and make sure all your users have these unguessable wonder passwords. And why would you want the brute force attempts in your logs and the loss of bandwidth due to the attempts?

    Quote Originally Posted by windependence
    Even better yet is setting up passwordless login using public and private keys.
    As you must be well aware, this is not always possible for travelers. And use of keys has its own issues.

    Quote Originally Posted by windependence
    Not allowing root login via ssh is another must have.
    And now your machine is just compromised as a user. It now runs brute force attacks on others. Hopefully it's not in a "trusted" part of your domain and has keys set up for other servers.

    Quote Originally Posted by windependence
    It's fine to express your doubts but if you do not have knowledge of an application it's best to refrain from making broad generalizations such as you did.
    If you would like to continue the discussion elsewhere, I'd be happy to test my knowledge against yours. Obviously, you've missed the fact that multiple layers of security should be used.

    Quote Originally Posted by windependence
    ssh is extremely secure without the use of any other tool if set up and used correctly.
    You have missed the point entirely. That is your choice to do so.

    To those that have not tired of this thread, please take away from this conversation that you must secure ssh. Do not believe the previous post that a good password will do it etc. By its design, it allows unlimited attempts. You should use multiple layers of defense including:

    Use a firewall and allow only those domains you are likely to connect from.
    Install fail2ban as a secondary. These two methods are your first defense.

    Others include:
    strong passwords
    disable password sign-on (this can be a pain)
    disable root sign-on (secondary method, you don't want them in on any account)
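Editor's added example, not code from any poster in this thread: the layers listed in the post above (no root login, no password sign-on, key login, an allowlist firewall, fail2ban as the secondary) as a small audit script. It reads an sshd_config the way sshd does (first non-comment occurrence of a keyword wins), prints the hardened line for anything weak, and prints the firewall rules and a fail2ban jail fragment rather than applying them. The file names, both sample configs and the trusted networks are constructed for the demo; "Match" blocks are assumed absent and are ignored.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: audit an sshd_config for
# the layers listed in the post above (no root login, no password sign-on,
# key login kept on), print the hardened line for each weak setting, then
# emit the allowlist firewall rules and a fail2ban jail to sit in front of it.
# The file names, both sample configs and the trusted networks are constructed.
# Limitation (assumption): "Match" blocks are ignored; only global lines count.

# Effective value of a directive. sshd uses the FIRST non-comment occurrence
# of a keyword, so this returns the first match (keywords are case-insensitive).
sshd_get() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# One check. $3 is the value assumed when the keyword is absent: OpenSSH of
# that era defaulted PermitRootLogin, PasswordAuthentication and
# PubkeyAuthentication all to "yes". Returns 1 for a weak setting.
check_directive() {  # $1 = file, $2 = keyword, $3 = default, $4 = wanted
    v=$(sshd_get "$1" "$2")
    eff=${v:-$3}
    if [ "$eff" = "$4" ]; then
        echo "OK   $2 $eff"
        return 0
    fi
    echo "WEAK $2 is '$eff' -> set: $2 $4"
    return 1
}

# Run the three checks; the last printed line is the number of weak settings.
audit_sshd_config() {  # $1 = config file
    f="$1"; weak=0
    check_directive "$f" PermitRootLogin        yes no  || weak=$((weak + 1))
    check_directive "$f" PasswordAuthentication yes no  || weak=$((weak + 1))
    check_directive "$f" PubkeyAuthentication   yes yes || weak=$((weak + 1))
    echo "$weak"
}
weak_count() { audit_sshd_config "$1" | tail -n 1; }

# "Allow only those domains you are likely to connect from": one ACCEPT per
# trusted network, then DROP. Printed rather than executed so it can be reviewed.
ssh_allowlist_rules() {  # arguments = trusted networks in CIDR form
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $net -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# The "secondary" layer: a jail.local fragment. The section is named sshd in
# current fail2ban releases (older Debian packages called it ssh).
fail2ban_jail() {  # $1 = maxretry, $2 = bantime in seconds
    cat <<EOF
[sshd]
enabled  = true
maxretry = $1
findtime = 600
bantime  = $2
EOF
}

# Constructed sample configs: a stock-looking weak one and the hardened one.
TMPD=$(mktemp -d)
cat > "$TMPD/weak.conf" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$TMPD/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "== weak.conf";     audit_sshd_config "$TMPD/weak.conf"
echo "== hardened.conf"; audit_sshd_config "$TMPD/hardened.conf"
echo "== firewall";      ssh_allowlist_rules 203.0.113.0/24 198.51.100.7/32
echo "== fail2ban";      fail2ban_jail 3 3600
```

Run the audit against /etc/ssh/sshd_config before turning password sign-on off, and confirm a key login works from a second session before restarting sshd, since "PasswordAuthentication no" on a box whose keys were never tested is the pain the post warns about. The commented "#PermitRootLogin no" in the weak sample is there on purpose: it is ignored, and the live "PermitRootLogin yes" below it is what sshd applies.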

  5. #25
    Join Date
    May 2007
    Location
    Phoenix, Arizona USA
    Beans
    2,909
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Server Tutorial

    Quote Originally Posted by rcrcomputing
    I was aware his question was a "sandbagger" question and was aware I was about to have this conversation.

    Hmm, you just said, set up "secure shell" and then "secure" it. Shouldn't it have minimal security embedded?
    Ok, lets tell the new guy setting his server up, he got compromised in the first 24 hours and it is "his" fault for not setting ssh up correctly. Wonder why other programs are "set up correctly" out of the box. Even windows, when passworded limits attempts.
    This doesn't even warrant an answer. You are supposed to be an ADMIN. I am fond of saying that this is the SERVER forum. Most of the time that implies you have SOME experience with the OS. It IS his fault if he didn't do some planning and research before putting a production server on the web.


    Quote Originally Posted by rcrcomputing
    No offense, but I would not hire you.
    With unlimited attempts ANY password can potentially be brute forced. Oh and make sure all your users have these unguessable wonder passwords. And why would you want the brute force attempts in your logs and the loss of bandwidth due to the attempts?
    Well since unwanted packets are discarded at my BSD gateway, I'm not losing any bandwidth. Just FYI, been doing this for over 10 years and never been hacked nor have any of my customers. Of course I have multiple layers of security in place. The point here was that using a dictionary word for a password will get you compromised in less than 5 minutes. With a good strong password it could take days or even weeks, and that is with a constant connection which a good admin would surely have noticed. Care to try to break in to one of my OpenBSD servers?


    Quote Originally Posted by rcrcomputing
    As you must be well aware, this is not always possible for travelers. And use of key's have their own issues.
    Why would it be an issue if your traveler has his own laptop? The keys stay with him all the time. A passphrase could also be used.


    Quote Originally Posted by rcrcomputing
    And now your machine is just compromised as a user. It now runs brute force attacks on others. Hopefully it's not in a "trusted" part of your domain and has key's set up for other servers.
    You would be assuming that the user accounts are also easily compromised. You're also assuming that the compromised account goes undetected. Ever heard of intrusion detection software?


    Quote Originally Posted by rcrcomputing
    If you would like to continue the discussion elsewhere, I'd be happy to test my knowledge against yours. Obviously, you've missed the fact that multiple layers of security should be used.
    Obviously you posted this as flamebait, and I don't have time to get into a pi**ing contest with you. I only wish I had time to set up a server for you to break into.


    Quote Originally Posted by rcrcomputing
    You have missed the point entirely. That is your choice to do so.

    To those that have not tired of this thread, please take away from this conversation that you must secure ssh. Do not believe the previous post that a good password will do it etc. By its design, it allows unlimited attempts. You should use multiple layers of defense including:

    Use a firewall and allow only those domains you are likely to connect from.
    Install fail2ban as a secondary. These two methods are your first defense.

    Others include:
    strong passwords
    disable password sign-on (this can be a pain)
    disable root sign-on (secondary method, you don't want them in on any account)
    Well we agree on one thing, you should secure ssh just like you should secure any other application on any OS. I still have no plans to install fail2ban or any of that other junk as I don't need yet another layer of complexity for the little benefit I will gain.

    -Tim
    www.pcchopshop.net

    Hard to find and obsolete PC and server parts. "If we can't find it, it probably doesn't exist"

  6. #26
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Server Tutorial

    Quote Originally Posted by rcrcomputing
    I was aware his question was a "sandbagger" question and was aware I was about to have this conversation.
    If you'd just explained that you don't like it that ssh doesn't put a limit on login attempts, and that fail2ban is your way of dealing with that, ...

    Calling the program "flawed in its very design" because of that, which is only an issue for password authentication, not for the other authentication methods ssh supports, is just not right, and gives the wrong impression to the beginner you're trying to help. That's all.


    Other than that, windependence covered most of it. Yes, security is layered, and should be seen as a system, where one measure complements or enhances another. And if you're going to run public servers and/or setup remote administration, you better know what you're doing.

  7. #27
    Join Date
    Feb 2005
    Beans
    30

    Re: Server Tutorial

    Quote Originally Posted by windependence
    You are supposed to be an ADMIN. I am fond of saying that this is the SERVER forum. Most of the time that implies you have SOME experience with the OS. It IS his fault if he didn't do some planning and research before putting a production server on the web.
    Ok, he's learning to admin, yet he's supposed to be an admin? Have you missed the fact that this thread is named "Server Tutorial"?

    Quote Originally Posted by windependence
    Well since unwanted packets are discarded at my BSD gateway, I'm not losing any bandwidth. Just FYI, been doing this for over 10 years and never been hacked nor have any of my customers. Of course I have multiple layers of security in place. The point here was that using a dictionary word for a password will get you compromised in less than 5 minutes. With a good strong password it could take days or even weeks, and that is with a constant connection which a good admin would surely have noticed.
    We are not talking about your servers or your experience in years (which is less than mine). We are talking about the choice in ssh design. It does not matter how you secure your server. That you excuse it because YOUR server is arranged to get around or lessen exposure makes no difference to the discussion.

    Quote Originally Posted by windependence
    Care to try to break in to one of my OpenBSD servers?
    Why would I care to break into anyone's server?

    Quote Originally Posted by windependence
    Why would it be an issue if your traveler has his own laptop? The keys stay with him all the time. A passphrase could also be used.
    The reasons for not having your own laptop to access are many. Now we are back to passwords.

    Quote Originally Posted by windependence
    You would be assuming that the user accounts are also easily compromised. You're also assuming that the compromised account goes undetected. Ever heard of intrusion detection software?
    Oh yeah, people learning to set up the server are already supposed to know and be familiar with snort?

    Quote Originally Posted by windependence
    Obviously you posted this as flamebait, and I don't have time to get into a pi**ing contest with you. I only wish I had time to set up a server for you to break into.
    Nonsense. I simply stated my opinion of a design flaw in ssh. You started the pi**ing match. And YOU keep it going. You came on and said you were the big admin and I shouldn't talk about things I do not know about. You keep going off on tangents not related to the subject. Mine was a simple statement to alert users of a design flaw in ssh.

    Quote Originally Posted by windependence
    Well we agree on one thing, you should secure ssh just like you should secure any other application on any OS.
    ssh is not "just another application".

  8. #28
    Join Date
    Feb 2005
    Beans
    30

    Re: Server Tutorial

    Quote Originally Posted by koenn
    If you'd just explained that you don't like it that ssh doesn't put a limit on login attempts, and that fail2ban is your way of dealing with that, ...

    Calling the program "flawed in its very design" because of that, and which is only an issue for password authentication,
    You're kidding, right? So how would you design such a program that you were going to call "secure shell"?

    not for the other authentication methods ssh supports, is a just not right, and gives the wrong impression to the beginner you're trying to help.
    While there was no intent to imply anything other than "password verification design flaw", I stand by my statement.

    And if you're going to run public servers and/or setup remote administration, you better know what you're doing.
    Hmm, right after reading the tutorial.. haha That's funny. You guys keep telling them "you better know what you are doing" when they are asking how to do it...

    In any regard, if either of you would like to start another thread to further this discussion, please do so and invite me. You and I have completely managed to trash the intent of this "ubuntu tutorial" thread. Any other posts in this thread by me shall be limited to the subject at hand.

  9. #29
    Join Date
    May 2007
    Location
    Phoenix, Arizona USA
    Beans
    2,909
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Server Tutorial

    OK if ssh is so flawed in your opinion, then use something else. This argument is pointless.

    -Tim
    www.pcchopshop.net

    Hard to find and obsolete PC and server parts. "If we can't find it, it probably doesn't exist"

  10. #30
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Server Tutorial

    Quote Originally Posted by rcrcomputing
    Your kidding right? So how would you design such a program that you were going to call "secure shell"?
    The ssh faq explains in detail what the 'secure' in secure shell stands for.
    http://www.openssh.com/faq.html#1.1
    http://www.openssh.com/faq.html#1.2
    It's worth a read, if you're interested in facts rather than assumptions.

    Quote Originally Posted by rcrcomputing
    While there was no intent to imply anything other than "password verification design flaw", I stand by my statement.
    Fine; I'll just conclude that "flawed in its very design" to you is just a synonym for "I assumed it limits the number of login attempts but it doesn't, and I wish it would". I'll keep your tendency to exaggerate and generalize in mind for the next time I see you post an opinion.


    Quote Originally Posted by rcrcomputing
    Hmm, right after reading the tutorial.. haha That's funny. You guys keep telling them "you better know what you are doing" when they are asking how to do it...
    I merely reacted to your unsubstantiated opinion on ssh, so in this particular thread, this remark of yours is meaningless. Glad you found it funny. I find it funny that you advise to install fail2ban, without explaining what it is, what it does, or how to use it.


    Quote Originally Posted by rcrcomputing
    In any regard, if either of you would like to start another thread to further this discussion, please do so and invite me.
    You and I have completely managed to trash the intent of this "ubuntu tutorial" thread. Any other posts in this thread by me shall be limited to the subject at hand.
    That's the 2nd time you propose to take this outside. Sorry, not interested. I've said what I had to say, and as a result, this thread now contains some background on ssh and some general pointers about what sort of things to pay attention to when setting up a server. That's near-topic enough if you ask me. If in your opinion it's trash, ah, well, ...
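Editor's added example, not code from any poster in this thread: koenn's point above is that fail2ban was recommended without saying what it does. What it does for ssh is read the authentication log, count failed logins per source address inside a time window, and ban the address at the firewall once the count reaches maxretry. The script below is that counting step reduced to its essentials, run over constructed auth.log lines (the host name, addresses, usernames and the threshold are all made up for the demo); it only reports, it does not touch the firewall.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: what fail2ban's sshd
# filter does, reduced to the essentials, run over constructed auth.log lines.
# The log lines, host name, addresses and the retry threshold are all made up.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 10 12:00:01 ubuntuServer sshd[2301]: Failed password for root from 203.0.113.5 port 40210 ssh2
Jan 10 12:00:03 ubuntuServer sshd[2301]: Failed password for root from 203.0.113.5 port 40210 ssh2
Jan 10 12:00:05 ubuntuServer sshd[2305]: Failed password for invalid user admin from 203.0.113.5 port 40218 ssh2
Jan 10 12:00:09 ubuntuServer sshd[2309]: Failed password for invalid user oracle from 203.0.113.5 port 40221 ssh2
Jan 10 12:01:10 ubuntuServer sshd[2330]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jan 10 12:01:20 ubuntuServer sshd[2331]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
EOF

# Failed password attempts per source address, most active first.
failed_by_source() {  # $1 = log file
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Sources at or above maxretry: the ones a jail with that setting would ban.
ban_candidates() {  # $1 = log file, $2 = maxretry
    failed_by_source "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Distinct usernames tried from one source. A guessing run cycles through
# accounts (root, admin, oracle, ...); a real user mistyping hits one account.
usernames_tried() {  # $1 = log file, $2 = source address
    awk -v ip="$2" '/Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i + 1) == ip) print $(i - 1)
        }' "$1" | sort -u | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

echo "== failed attempts per source"; failed_by_source "$LOG"
echo "== would be banned at maxretry=3"; ban_candidates "$LOG" 3
for ip in $(ban_candidates "$LOG" 3); do
    echo "$ip tried accounts: $(usernames_tried "$LOG" "$ip")"
done
```

On the sample, 203.0.113.5 fails four times across three different accounts and is the only ban candidate at maxretry 3; alice's single failure from 198.51.100.7 followed by a successful key login is what a legitimate user looks like and stays under the threshold. The real fail2ban adds the time window (findtime) and the unban timer (bantime) on top of this count, which is why both appear in the jail fragment of the earlier example.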
