Ancestors

Toot

Written by ISSOtm 🔜 🗣️ @ FOSDEM on 2024-12-29 at 00:34

Turns out a bunch of services have their default behaviour be to listen on external interfaces. Not great on an Internet-facing server.

Thankfully, after a bit of wrangling, I got all services to be localhost-only! Feels good reducing attack surface ☺️

[#]sysadmin

=> More information about this toot | More toots from issotm@treehouse.systems

Descendants

Written by ISSOtm 🔜 🗣️ @ FOSDEM on 2024-12-29 at 00:35

Also @dns is nice 👀

=> More information about this toot | More toots from issotm@treehouse.systems

Written by Justin on 2024-12-29 at 03:45

@issotm an internet-facing server with no firewall? 🤔

=> More information about this toot | More toots from justin@toot.io

Written by ISSOtm 🔜 🗣️ @ FOSDEM on 2024-12-29 at 08:11

@justin There's iptables/nftables, but what am I going to do with it in that regard?

=> More information about this toot | More toots from issotm@treehouse.systems

Written by Justin on 2024-12-30 at 01:16

@issotm all ports should default to blocked on external interfaces until you enable them. Therefore new services should be accessible internally only until you choose to expose them to the internet.

=> More information about this toot | More toots from justin@toot.io

Written by DrScriptt on 2024-12-29 at 06:41

@issotm kudos for the effort. a.k.a. “the belt”

Now go for the suspenders a.k.a. the firewall.

=> More information about this toot | More toots from drscriptt@oldbytes.space

Written by ISSOtm 🔜 🗣️ @ FOSDEM on 2024-12-29 at 08:12

@drscriptt What can I do with it?

=> More information about this toot | More toots from issotm@treehouse.systems

Written by DrScriptt on 2024-12-29 at 18:49

@issotm running a (host-based) firewall on (Internet-exposed) servers has been best practice for more than a decade.

The firewall helps protect against daemon misconfigurations and / or new daemons.

They can also be used to filter other things that you can’t do by making a service not listen on a port. E.g. you can filter based on packet size, frequency (rate), contents.

=> More information about this toot | More toots from drscriptt@oldbytes.space

Written by ISSOtm 🔜 🗣️ @ FOSDEM on 2024-12-29 at 23:38

@drscriptt Oh, I see. I was thinking about a separate machine, not nftables.

Yeah, sounds good! I have no idea how to operate them, so if you have any pointers that'd be lovely?

Another thing I maybe should consider is fail2ban, heh. A couple of machines are hammering my services with endpoints clearly designed for exploit scanning.

=> More information about this toot | More toots from issotm@treehouse.systems

Written by DrScriptt on 2024-12-30 at 00:50

@issotm Fail2Ban uses the host-based firewall. 😉

I stopped offering SSH to the world years ago.

I pinhole known source IPs (home, work, friends’ house, etc.) and use port knocking (also host-based firewall) to allow me to get to the SSH daemon and log in from elsewhere.

Protecting SSH from the world protects against exploits of zero-days. Bots can’t attack what they can’t connect to.

Please feel free to ask questions if you want to.

=> More information about this toot | More toots from drscriptt@oldbytes.space
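The setup Justin and DrScriptt describe above (every inbound port blocked on external interfaces by default, SSH pinholed to known source addresses, port knocking for roaming access, rate limiting in the firewall, and localhost-only daemons still reachable on lo) can be expressed as a single nftables ruleset. The following is an added example written for this page; it is not from the thread participants. The table and set names, the 192.0.2.0/24 and 198.51.100.17 pinhole addresses, the 7000/8000/9000 knock sequence, the 2222 SSH port and the timeouts are placeholders chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: host-based nftables ruleset for a single
# Internet-facing server. Inbound policy is drop; only what is listed below is
# reachable from outside. All addresses, ports and timeouts are placeholders.

flush ruleset

table inet host_fw {
    # "Pinholes": source addresses always allowed to reach SSH (home, work, ...).
    set ssh_pinholes {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.17 }
    }

    # Sources that completed the knock sequence; entries expire automatically.
    set knocked {
        type ipv4_addr
        flags timeout
    }

    # Knock progress: (source address, next port expected in the sequence).
    set knock_candidates {
        type ipv4_addr . inet_service
        flags timeout
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Localhost-only daemons keep working: everything on loopback is accepted.
        iifname "lo" accept

        # Replies to connections this host opened, plus related traffic.
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and for IPv6 at all.
        meta l4proto { icmp, ipv6-icmp } accept

        # Services deliberately exposed to the world.
        tcp dport { 80, 443 } accept

        # Port knocking: a SYN to 7000, then 8000, then 9000 (each within 5 s)
        # opens SSH for that source for 30 s. The knock ports themselves stay
        # closed: the packet is recorded and then falls through to the drop policy.
        tcp dport 7000 add @knock_candidates { ip saddr . 8000 timeout 5s }
        tcp dport 8000 ip saddr . tcp dport @knock_candidates add @knock_candidates { ip saddr . 9000 timeout 5s }
        tcp dport 9000 ip saddr . tcp dport @knock_candidates add @knocked { ip saddr timeout 30s } log prefix "knock ok: "

        # SSH on its real (non-default, placeholder) port: pinholed sources or a
        # fresh knock, with new connections rate-limited to slow down brute force.
        tcp dport 2222 ip saddr @ssh_pinholes ct state new limit rate 6/minute accept
        tcp dport 2222 ip saddr @knocked ct state new limit rate 6/minute accept

        # Anything else, including a daemon that later starts listening on
        # 0.0.0.0 by mistake, hits the chain policy and is dropped.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with `nft -f <file>` and inspect the live state with `nft list ruleset`; a successful knock shows up as an entry in `@knocked` and as a kernel log line with the "knock ok:" prefix, which is also the kind of event worth alerting on. Two caveats: the SSH rules match `ip saddr`, so IPv6 clients need equivalent `ip6 saddr` rules and sets, and an SSH session that was accepted while the `@knocked` entry was valid keeps working after the entry expires only because `ct state established` accepts it, so connection tracking must stay enabled. A tarpit such as the endlessh mentioned later in the thread would simply get its own `tcp dport 22 accept` line.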

Written by ISSOtm 🔜 🗣️ @ FOSDEM on 2024-12-30 at 10:09

@drscriptt I do offer SSH to the world, but on a non-default port, and with https://github.com/skeeto/endlessh running on port 22. This seems effective. (You can nmap the server to figure out which port, but not with the default flags. Seems Good Enough™ to me.)

I assume port knocking is "attempt connection to this port for the daemon to actually start"?

I roam too much for pinning source IPs to be viable, seems like. Would be nice, otherwise.

=> More information about this toot | More toots from issotm@treehouse.systems

Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113733300987293201