BLU Discuss list archive
[Discuss] Port Scanning
- Subject: [Discuss] Port Scanning
- From: daniel at syntheticblue.com (Daniel M Gessel)
- Date: Thu, 1 Aug 2024 19:40:44 -0400
- In-reply-to: <a20a0e33-4657-45d4-a034-e6d343d415f3@borg.org>
- References: <5c43eee0-caaf-45d6-8fdb-273cb3d8ea6d@borg.org> <b4cf8f48-eab3-41ff-a54b-b4657c3bb1be@syntheticblue.com> <a20a0e33-4657-45d4-a034-e6d343d415f3@borg.org>
My bro runs BSD with a mail and web server (and maybe some other stuff too), but he has organized everything into jails so each service is a different environment, but it's all one physical machine - I don't really understand the details.

I run sshd on my RPis but not on my laptop. I configure the RPi OS install before booting it, and one thing I do is set up sshd_config to only allow public key authentication. I don't intentionally run anything else that would respond to network traffic except ping, which I wouldn't even know how to disable. I do install git everywhere - I know it can run a server but I don't use the server intentionally - I try to do everything over ssh (git, rsync and logins).

I'll try nmap to see if I can find anything.

I do use SD cards - are there security issues, or is your concern over reliability?

Thanks!

Dan

On 2024-08-01 18:47, Kent Borg wrote:
> On 8/1/24 14:34, Daniel M Gessel wrote:
>> This thread makes me want to ask:
>>
>> As an amateur (and neophyte) sys-admin, what should I be doing to
>> check for vulnerabilities and attacks? My brother runs a publicly
>> visible server, but I'm not familiar with the tools he uses and when
>> I ask him, it all goes over my head!
>
> Ask him to slow down long enough for a followup question, listen to
> the answer, then go off and learn enough to understand what he said.
> Repeat. (Be nice to him, he might teach you a lot.)
>
>
>> Is there a guide/book/website that might help me keep my systems from
>> being easily attacked?
>
> I don't know about a book, there is a lot of information on the web,
> though the spam is getting worse of late.
>
>
> Maybe your first project is to learn enough to do the following?
>
> - Start minimal: a server that has sshd listening on port 22, has only
> you as a user, and nothing else running as a service, only the default
> OS software installed at all.
>
> - Don't store any sensitive data on that machine.
>
> - From another Linux machine do something like "nmap -A -T3 1.2.3.4",
> but put in your IP address instead of 1.2.3.4. What ports are open?
> Why? You only want port 22.
>
> - Make sure you have a good password that you haven't used elsewhere.
>
> - Keep your software up to date. (Regularly run "sudo apt update", see
> what it says.)
>
> - You should now be able to "ssh 1.2.3.4" and log in, and no one else.
> Only log in from a paranoid machine (don't log in from a potentially
> spyware infested machine that might steal your password). Make sure
> root is not allowed to login over ssh.
>
> At this point I would say you are in really good shape and that
> machine is safe to put on the internet. It doesn't do much, but that
> is a big part of why it is safe! 1. It is so simple it is probably
> configured correctly. 2. No sensitive data so the consequences of
> someone exploiting a mistake you might have made are low.
>
>
>> I run Debian (or RPi OS, which is Debian derived) on everything.
>
> I run my e-mail server on a Raspberry Pi 4! I don't trust SD cards, so
> I went through some effort to boot completely independently of SD
> cards, from redundant disks. I have it working and I trust it a lot.
>
>
>
> Some General Advice
>
> Background stuff:
>
> 1. Be worried, but not too worried.
>
> 2. Think clearly.
>
> 3. Learn.
>
> 4. Try stuff, carefully, take notes, be organized. (When you want to
> undo something you tried and don't like, your notes will be valuable.)
>
> 5. Repeat.
>
>
> Foreground stuff:
>
> 1. Be very limited in what you decide to run, less software means less
> stuff to go wrong. If some tantalizing package looks cool, but isn't
> available from your distribution, be skeptical about downloading it
> anyway. Run programs that are well respected, avoid obscure packages
> that it seems no one runs, even if they are available in your
> distribution.
>
> 2. Run stuff that has clear documentation so you have some hope of
> configuring it well. Play with a copy on some local machine before
> putting on a public facing machine.
>
> 3. Be prompt about updating your software when your distribution has
> an update ("sudo apt update"). That is another reason to run software
> from your distribution and not manually installed: much easier to get
> updates.
>
> 4. Limit your risk. I have a couple servers exposed to the internet.
> My e-mail server would be very bad if I got broken into, so I am very
> conservative about what runs on it. The web server would be merely
> very annoying if it got hacked, so I am willing to be more "flexible"
> with it, but that means storing nothing sensitive there. Note, I am
> willing to log into the less trusted web server from the more trusted
> e-mail server, but not the other way around (log into the more trusted
> e-mail server from the less trusted web server).
>
> 5. Use good passwords, write them down, keep them safe, and do not
> reuse passwords between different accounts.
>
> 6. Port scan yourself, see what ports are open, know why, make sure
> you know what they are for, and that they are correct.
>
> 7. Use a firewall, but only as an extra protection, first convince
> yourself you have been so careful that you don't really need it. (See
> #6.)
>
> 8. Change Raspbian's sudo configuration to require your password.
>
>
> Ask questions.
>
>
> -kb
>
>
> _______________________________________________
> Discuss mailing list
> Discuss at driftwood.blu.org
> https://driftwood.blu.org/mailman/listinfo/discuss
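The thread above recommends two self-checks: an sshd_config that allows only public-key logins with root login disabled, and knowing which ports are actually listening before (or instead of) relying on a firewall. The script below is an added example, not code from either poster; it audits an sshd_config for those settings and lists local listeners. The sample config it embeds is constructed for the demonstration, and the function names (effective_value, check_sshd_config, list_listeners) are the example's own. It handles the whitespace-separated keyword form and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example: audit sshd_config for the hardening points from the thread
# (key-only auth, no root login) and show what is listening locally.

# Constructed sample sshd_config, used only when no file path is given.
SAMPLE_CONFIG='# constructed sample, not from any real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# effective_value FILE KEYWORD
# sshd honours the first occurrence of a keyword, keywords are case-insensitive.
# Prints the lower-cased value, or nothing if the keyword is not set.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check_sshd_config FILE
# Prints one line per finding; prints nothing when the file is hardened.
# Defaults assumed when a keyword is absent follow current OpenSSH:
# PermitRootLogin prohibit-password, PasswordAuthentication yes,
# PubkeyAuthentication yes.
check_sshd_config() {
    file=$1
    root=$(effective_value "$file" PermitRootLogin)
    pw=$(effective_value "$file" PasswordAuthentication)
    pk=$(effective_value "$file" PubkeyAuthentication)

    case "${root:-prohibit-password}" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '$root'; set it to no" ;;
    esac
    if [ "${pw:-yes}" != no ]; then
        echo "PasswordAuthentication is '${pw:-unset, default yes}'; set it to no so only keys are accepted"
    fi
    if [ "${pk:-yes}" != yes ]; then
        echo "PubkeyAuthentication is '$pk'; set it to yes"
    fi
    return 0
}

# list_listeners
# Local view of open ports, to compare against an nmap scan from another host.
list_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -tulnH 2>/dev/null
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tuln 2>/dev/null
    else
        echo "neither ss nor netstat found"
    fi
    return 0
}

# Stand-alone run: audit the file given as $1, else the constructed sample.
if [ -n "${1:-}" ]; then
    check_sshd_config "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    check_sshd_config "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` on the server; an empty report means the three settings match the advice in the thread. Then run `list_listeners` there and compare with the output of the external nmap scan: every port open in the scan should also appear as a local listener you can name, and port 22 should be the only one.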