Almost there (LEMP server)

I am almost there; moving my first website from shared-hosting to self-hosting on Ubuntu LEMP. Think I will leave email handling to Google apps for the time being.

I have some questions left:

SSH:

I use ssh with keys, no root login. Will add an AllowUsers entry. Is there anything else I can do or is there anything to gain by choosing a different port? If yes, how to choose a free port?

ISPConfig:

Is this worth the time and trouble for a server with a couple of sites? I think it is overkill. http://www.howtoforge.com/perfect-server-ubuntu-11.10-with-nginx-ispconfig-3

Nginx:

Think my knowledge of Nginx is good enough. PHPMyAdmin, Munin, and stats are in password protected directories and the passwords are very strong. I guess this is safe enough.

How to limit the number of requests per IP in case of a DOS?

For a wordpress site I have enabled both http and https (with a self created certificate). The idea was that visitors access the site via http, but that I can log in via https, but sooner rather than later it switches back to http by itself. From the server block in the config file:

listen   80;
listen   443 default_server ssl;
ssl_certificate    /etc/nginx/server.crt;
ssl_certificate_key    /etc/nginx/server.key;

Security

I use Fail2Ban and LogWatch

iptables looks difficult. As far as I can guess I only need ports 22, 80 and 443 for incoming. The output of iptables -L is:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere    

Output of nmap (from desktop to server):

Starting Nmap 5.21 ( http://nmap.org ) at 2011-11-11 10:22 CET
Nmap scan report for www.example.com (66.66.66.66)
Host is up (0.037s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
80/tcp  open     http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 7.07 seconds

I think this looks good. It is more the output of netstat that has me worried (part of active internet connections):

udp        0      0 server1.myserver:33367 ntp1.exa-networks.c:ntp ESTABLISHED
udp        0      0 server1.myserver:40586 ntp3.0x00.lv:ntp        ESTABLISHED
udp        0      0 server1.myserver:56097 www.clipsure.com:ntp    ESTABLISHED
udp        0      0 server1.myserver:42466 ns1.blazing.de:ntp      ESTABLISHED

Why are there connections to those sites? I understand that ntp stands for network time protocol, but clipsure is an adtracker. All I have are a couple of dummy wordpress installations on my server.

Postfix:

I only use postfix for LogWatch and sending messages in case someone comments on one of the blogs. So only outgoing. Is there a way to block incoming mail connections? Occasionally I get messages like the following in LogWatch:

****** Detail (1) ******************************************************************************** **
      1   Connections lost (inbound) --------------------------------------------------------------
      1      After CONNECT
    144   Delivered -------------------------------------------------------------------------------
    144      myserver.example.com
      3   Sent via SMTP ---------------------------------------------------------------------------
      3      mysite.net
      1   Hostname verification errors ------------------------------------------------------------
      1      Address not listed for hostname
      1         178.79.187.64    nbi.guv.ph
=== Delivery Delays Percentiles ============================================================
                   0%       25%       50%       75%       90%       95%       98%      100% 

The myserver.example.com and mysite.net are mine, but nbi.guv.ph has no business on my server.

Still lots to learn, but I would like to start self-hosting this month. I have resources to further study Nginx, Bash, … but can you recommend books/sites for iptables and security (keeping hackers out and what to do if they got in, and how to detect that).

Thanx,

pannix

5 Replies

> Nginx:
>
> How to limit the number of requests per IP in case of a DOS?

Does this look like a good anti-DDOS configuration? http://vpslife.blogspot.com/2010/02/anti-ddos-nginx-server-configuration.html

Moving your ssh to a high random number will give your fail2ban/logwatch much less work to do. I'd say it's worth it just so you have smaller logs of all the bots it's blocked. Anything in the 7,000-65,000 range is fine.

You didn't mention ufw, the Ubuntu firewall, though your nmap looks good (except for postfix). Do a "ufw status" and you might need to turn it on with "ufw on". ufw can serve as a simple front end to iptables. For example, you can change your ssh from allow to limit and it'll limit the number of requests per minute through iptables, as in "ufw limit 21212/tcp" for your new random ssh port of 21212.

For the web admin stuff like phpmyadmin, I like using an alternate port as well. Create a new nginx server block with your domain but with a random listen port, for example 31313. Make it stop complaining about SSL on non-443 with a little nginx trick:

  error_page 497 =301 https://mydomain.com:31313$request_uri?;

Give it password authentication. Get your domain a real SSL certificate for free from startssl.com if you like. This way it can have its own root directory, its own php setup, and it will keep it from mingling with your actual sites. It will use your regular domain certificate, no need for a subdomain cert or subdomain dns record.

nginx has two limiters. One is requests per second per IP and one is connections per IP. http://wiki.nginx.org/HttpLimitReqModule and http://wiki.nginx.org/HttpLimitZoneModule Easy to set. Give it nice high limits at first. Odds are you won't get DOSed and you don't want people having problems. If you do have an attack it'll just be a matter of tweaking a number or two since it's already set up.

Change your Postfix config so that it's only listening on the loopback address 127.0.0.1 and not on your public IP. http://www.postfix.org/postconf.5.html#mynetworks I like to make my nginx servers listen on the specific public IP also. You can do an "ifconfig" to see your public IP and then change nginx to "listen my.ip.ad.dy:80; " That may be OCD, but hey, what if another linode customer scans you on the internal IP because you set it up?

Do a "netstat -plntu" to see all your listening ports. Things open to the world can be listed on your public IP. Things that are internal should be listed on the loopback IP, e.g. mysql on 127.0.0.1:3306, postfix(master) on 127.0.0.1:25. Generally I avoid things binding on all ports, i.e. 0.0.0.0.

Personally I wouldn't worry about an ad company running an ntp server. /etc/openntpd/ntpd.conf will list pool.ntp.org and admins just trust them.
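The reply above recommends checking `netstat -plntu` and keeping internal services (mysql, postfix) on 127.0.0.1 rather than 0.0.0.0. As an added example, not code from the thread, here is a small audit script that reads that listing and flags every socket bound to a non-loopback address on a port other than 22, 80 and 443 (the ports named in the original post). The sample listing is constructed, not a capture from anyone's server; in it Postfix's master process and ntpd are deliberately bound to 0.0.0.0 so there is something to flag.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a `netstat -plntu` listing
# and report every socket that is reachable from outside the host.
# Assumptions: the only services meant to be public are TCP 22, 80 and 443
# (the ports named in the original post); everything else should be bound
# to 127.0.0.1 or not listening at all.

ALLOWED_PUBLIC_PORTS="22 80 443"

# Constructed sample in the layout of `netstat -plntu` (not a real capture).
# Postfix (master) and ntpd are deliberately bound to 0.0.0.0 here so the
# audit has something to flag.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/nginx
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1201/nginx
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1350/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      990/mysqld
tcp6       0      0 ::1:11211               :::*                    LISTEN      1400/memcached
udp        0      0 0.0.0.0:123             0.0.0.0:*                           700/ntpd'

# audit_listeners: read netstat output on stdin and print one
# "EXPOSED proto addr:port (pid/program)" line per socket that is bound to
# a non-loopback address on a port outside ALLOWED_PUBLIC_PORTS.
# Exit status is 1 when anything was flagged, 0 when the host is clean.
audit_listeners() {
    awk -v allowed="$ALLOWED_PUBLIC_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Only socket rows; the two header lines never match this pattern.
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            port = addr; sub(/.*:/, "", port)      # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)  # text before it (v4 or v6)
            if (host ~ /^127\./ || host == "::1") next   # loopback: internal only
            if (port in ok) next                         # intended public service
            printf "EXPOSED %s %s (%s)\n", $1, addr, $NF
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Usage on a live host:   netstat -plntu | audit_listeners
# Run this file with --demo to audit the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
fi
```

On the sample it prints `EXPOSED tcp 0.0.0.0:25 (1350/master)` and `EXPOSED udp 0.0.0.0:123 (700/ntpd)` and exits 1; mysqld and memcached on loopback pass silently. A flagged ntpd is not necessarily wrong (a full ntpd listens on UDP 123 to receive replies), but it is the kind of thing the audit exists to make you look at. For Postfix, the setting that controls which addresses it binds is `inet_interfaces` in main.cf; `inet_interfaces = loopback-only` keeps it on 127.0.0.1 while still letting local programs send mail.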

It's probably not a good idea to run a security-critical service on a port greater than 1024… any user can bind to a port above 1024, so if your sshd keels over and someone can run arbitrary code on your system (e.g. by uploading a PHP script and convincing your web server to execute it), they could run their own sshd on that port. I personally stick with sshd on port 22 and run denyhosts to keep the logs clean, but any other nearby port should be fine.

I've also run into problems involving stateful firewalls with short timeouts… some "know" that sessions involving port 22 will be long-lasting, idle for long periods, and otherwise well-behaved, but will timeout ssh connections on arbitrary ports much too quickly. There are workarounds, of course, but you start wondering why you're going to so much effort to make it hard to use your system…

And yup, http://www.pool.ntp.org/ has more information on the NTP pool. It's legitimate, although most of the servers in the pool aren't single-purpose NTP servers, so you'll see some weird stuff. Especially if you leave off the www and go to http://pool.ntp.org/.

Interesting point about that hacking vector.

I found a long discussion on this issue at http://serverfault.com/questions/189282/why-change-default-ssh-port and opinions are mixed.

Thanks for the answers:

About NTP:

You are right, I don't have to worry about the servers that are selected by pool.ntp.org as NTP servers.

Port 25:

After installing ufw, I had a very secure server; all ports were closed. :wink: So I opened up 22, 80 and 443. As port 25 is now closed I don't have to make any changes to the postfix config file(s).

Nginx limiters:

This is difficult.

Do you have to specify limiters on the server level (http block) or for each virtual host (server block)?

Do you have to define a zone (or 2: 1 for httplimitreq and 1 for httplimitzone) for each virtual host?

What's the difference between connections and requests? Have I got it right when someone visits your site that is a connection and the individual files (html, css, js, png, …) are requests?

In case of a Wordpress blog: are the php file, the css and javascript files, image files, … all "requests"? In that case, should one set the rate in limit_req_zone to 10r/s, to be on the safe side?
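The earlier reply names the two nginx limiters and the questions above ask where they go. What nginx documents is: `limit_req_zone` and `limit_conn_zone` are only valid at http level, and one zone is shared by every server block that references it (a second zone is only needed when two sites must not share a counter); `limit_req` and `limit_conn` may be placed in http, server or location. A connection is the TCP session; every object the browser fetches over it (HTML, CSS, JS, images) is a separate request, and with keep-alive one connection carries many requests, so the connection limit stays loose while the request limit does the real work. The script below, an added example and not configuration from the thread, writes that layout out. It assumes the stock Ubuntu nginx layout (conf.d/*.conf included inside http {}, sites in sites-available), uses `example.com` and the rates as placeholders, and uses the current directive names (`limit_conn_zone`/`limit_conn` replaced the older `limit_zone` of the wiki page linked above in nginx 1.1.8).

```shell
#!/bin/sh
# Added example, not code from the thread: generate nginx rate-limiting
# configuration for a small WordPress host. Assumptions: stock Ubuntu layout
# (/etc/nginx/conf.d/*.conf is included inside http {}, sites live in
# /etc/nginx/sites-available); "example.com" and all rates are placeholders.

# write_limit_zones DIR STATIC_RATE PHP_RATE
#   Zones are declared once at http level and shared by every vhost.
write_limit_zones() {
    dir=${1:-/etc/nginx/conf.d}; static_rate=${2:-30}; php_rate=${3:-5}
    cat > "$dir/limits.conf" <<EOF
# One table per zone, keyed by client address; 10m holds ~160k addresses.
# Requests: every object the browser fetches (HTML, CSS, JS, images) counts.
limit_req_zone  \$binary_remote_addr zone=req_static:10m rate=${static_rate}r/s;
limit_req_zone  \$binary_remote_addr zone=req_php:10m    rate=${php_rate}r/s;
# Connections: TCP sessions; one keep-alive connection carries many requests.
limit_conn_zone \$binary_remote_addr zone=conn_per_ip:10m;
# Log rejections so the numbers are tuned from error.log, not guessed.
limit_req_log_level  warn;
limit_conn_log_level warn;
EOF
}

# write_site_snippet DIR NAME
#   Applies the zones inside a server block, per location, so a burst of
#   static assets does not consume the much tighter PHP allowance.
write_site_snippet() {
    dir=${1:-/etc/nginx/sites-available}; name=${2:-example.com}
    cat > "$dir/$name" <<EOF
server {
    listen 80;
    server_name $name;
    root /var/www/$name;
    index index.php index.html;

    limit_conn conn_per_ip 20;   # simultaneous connections per client

    # Static assets: a WordPress page loads dozens; burst absorbs one page
    # load, nodelay serves the burst immediately instead of queueing it.
    location ~* \.(css|js|png|jpg|jpeg|gif|ico)\$ {
        limit_req zone=req_static burst=60 nodelay;
        expires 30d;
    }

    # PHP: the expensive path. 5 r/s sustained, a small burst, then 503.
    location ~ \.php\$ {
        limit_req zone=req_php burst=10 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;   # php-fpm on loopback, not a public IP
    }

    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }
}
EOF
}

# check_config: validate with nginx where it is installed (nginx -t needs
# root to read the certificate key); otherwise just say what was written.
check_config() {
    if command -v nginx >/dev/null 2>&1; then
        nginx -t
    else
        echo "nginx not installed here; files written, run 'nginx -t' on the server"
    fi
}
```

Run `write_limit_zones` and `write_site_snippet` with the defaults on the server, symlink the site into sites-enabled, then `check_config` and reload. Start with generous numbers as the reply suggests; once `limiting requests` lines appear in error.log for real visitors, raise the rate or burst for that location rather than removing the limit.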
