3

A new server has just been installed but literally has nothing else running on it, no services setup to SSH in or anything yet (it's a Linux server).

However, it is hooked up to the web so I can start pulling software down and installing it.

So here is the question, is it at risk whilst it is plugged in? Obviously no AV atm as mentioned above and also I'm not all that savvy on routers and the protection they can offer...

Hmm, maybe one thing to note is that it's the latest software so the server OS is up to date.

Arlix
  • 1,459
  • 3
  • 13
  • 22
  • 2
    Be aware that a default build almost certainly has services running...read http://security.stackexchange.com/q/993/485 – Rory Alsop May 28 '15 at 15:41
  • 1
    How is it hooked up to the Internet? If it's connected to a consumer-grade home router just like a regular desktop computer, it is probably protected by the router's NAT firewall, which blocks all incoming connections by default (making it highly unlikely that the server could be compromised from outside). It will not be accessible from outside at all unless you forward ports to it or put it in a DMZ, by modifying your router settings. – tlng05 May 29 '15 at 01:16

1 Answers1

7

You could use nmap to get a better view of the (network)services it is running:

nmap -sS -v <your_server> -sV -p1-65535

and lsof to view the current inbound/outbound connections to the box.

lsof -i

If there are no processes listening on any port then the server is reasonably safe. If new services are installed(i.e. ssh server) it is recommended that strong(>8 characters, alpha numeric, upper case, lower case, special characters) passwords are used(with SSH some argue it's better to use public key authentication). For added safety you could also install fail2ban and run an updating script regularly(i.e. as a cron job).

For example, an update script(on Debian/Ubuntu) may look like:

#!/bin/bash
sudo sh -c "apt-get update;apt-get dist-upgrade;apt-get autoremove;apt-get autoclean"

Installing fail2ban on Ubuntu/Debian can be done using:

sudo apt-get install fail2ban

In order to configure fail2ban it is recommended to make a copy of the default configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and work on the copy:

sudo vim /etc/fail2ban/jail.local

The most relevant entries are ignoreip, bantime, findtime and maxretry.

Increasing the bantime and maxretry values statistically improve security.

Sebi
  • 1,391
  • 9
  • 16