Debain file server on internet

[VinylxScratches]

Would it be safe if I had my Debian fileserver enabled to connect from the internet? Is there any considerations?

I want only me to get to the files like how I do internally.

 

[Ken g6]

Probably. First, does your ISP allow servers?

Second, regardless of that, if you only want to give yourself access to your own files, is there any reason you can't do it tunneled over SSH?

If neither of those matter, what access method are you using?

 

[Red Squirrel]

I would look into a SSH tunnel as mentioned, or OpenVPN. Do you plan to access these files only from a single location (ex: work). If yes use IPtables and only allow that location's IP to connect.

 

[Colt45]

might want to narrow down "file server"

SSHFS SFTP, SSH+SCP, sure. samba, nfs... no, hell no.

 

[Khyron320]

Port shift anything your opening up.

Use strong passwords CAPS #s and Symbols

Take the time to setup a security application like fail2ban
http://www.fail2ban.org/wiki/index.php/Main_Page

And you will be fine.

If you want to go to the extreme. Setup snort and Denyhost http://denyhosts.sourceforge.net/

If all else fails turn your server off when not using it.

If your ISP does not allow servers (Usually if your IP is dynamic they do NOT) then setup a VPN connection. Many open source gateways make this easy.

ClearOS(Was Clarkconnect)
m0n0wall
pfsense

If you are on a dynamic IP and need dyndns setup. What their GUIDES fail to tell you is ddclient and inadyn need to use http://checkip.dyndns.com:8245/ instead of their defaults to function inside of a NAT network.

 

[Red Squirrel]

+1 for fail2ban and changing default port. Those are a must.

I opened up a SSH server once to the internet telling myself I'll just setup fail2ban later. Within about 5-10 minutes it was compromised. SSH has no anti brute force built in, 10 tries per second, 100 tries per second, 10,000 tries per second, it does not care. Was a worm that basically brute forces into SSH, plants a trojan, then infects other SSH machines from there. My machine had already infected 2 other machines by the time I found it which was almost immediately. I noticed because my internet connection pretty much grinded to a halt. One machine that "I" Infected was a university server, and a government web server or something... I forget. All this within no more then 10 minutes after opening the port. The other mistake I did was using the default port and having an account with username test and password test, which I forgot to delete.

I ended up emailing both parties that got infected just to give them a heads up what happened in case they did not even realize they got hacked. Had I left the building and not notice, it could have been a disaster. All this damage in a matter of minutes. Imagine if it went on for hours.

Thankfully this was a VM that was more or less for testing so it was no big deal to reformat. The biggest danger though is the fact that it was not in a DMZ so I got lucky TBH. Was a fun security experience though. 😛

 

[Nothinman]

The other mistake I did was using the default port and having an account with username test and password test, which I forgot to delete.

That was _the_ mistake, not changing the SSH port or forgetting fail2ban. Both of those aren't terrible ideas, but don't get you a whole lot. And the latter opens up the possibility for a DoS, all you need is someone PAT'd to the same IP as you and they can lock you out of your own machine.

 

[Red Squirrel]

That was _the_ mistake, not changing the SSH port or forgetting fail2ban. Both of those aren't terrible ideas, but don't get you a whole lot. And the latter opens up the possibility for a DoS, all you need is someone PAT'd to the same IP as you and they can lock you out of your own machine.

Actually if that account did not exist, it would of taken maybe several hours or days, instead of minutes. When there's nothing to stop the brute force, it will eventually succeed. Changing the port is more or less security through obscurity, but it does act as a certain layer, given it will stop a good 99% of bots as bots don't bother scanning every single 65535 ports. Fail2Ban or similar app is a must either way.

That worm had actually locked me out but given it was a test machine I was not too concerned. I was more concerned about the fact that if it had been a smart worm, or an actual hacker, he could of attacked the rest of my network from that box. I later on put that box behind it's own DMZ. It's retired now, since my VPN server replaced it.

 

[Nothinman]

Actually if that account did not exist, it would of taken maybe several hours or days, instead of minutes. When there's nothing to stop the brute force, it will eventually succeed. Changing the port is more or less security through obscurity, but it does act as a certain layer, given it will stop a good 99% of bots as bots don't bother scanning every single 65535 ports.

That worm had actually locked me out but given it was a test machine I was not too concerned. I was more concerned about the fact that if it had been a smart worm, or an actual hacker, he could of attacked the rest of my network from that box. I later on put that box behind it's own DMZ. It's retired now, since my VPN server replaced it.

Yes, purely statistically, if left to go indefinitely a password will eventually be guessed. But as long as your passwords are strong enough it's a moot point because it'll take too long to be useful. I've had john running on my machine here and at work in a cron job and so far it has yet to figure out my account or root passwords.

 

[child of wonder]

Use strong paslswords and denyhosts. Works great. When I worked at an ISP we were bought out by some morons from Georgia. These idiots opened up our internal management network to the internet. This network used real IPs so suddenly all these internal routable IPs were exposed to the whole world.

We set up denyhosts on all our servers until these geniuses fixed the firewall issue. We could watch the denyhosts file fill up as brute force attacks mounted. Nobody got in.

 

[Khyron320]

Lol redsquirl I did the same thing for a paper I was writing in school.
Root/123456
It was hacked within 24 hours. Same thing just a bot that gathered passwords of other servers using ssh

 

[PCTC2]

Moving ssh off of port 22 is not a must, but it does decrease the risk. Strong passwords and hosts.deny and a good script is all I've ever needed. Or you can use RSA keys WITH a passkey (never use them without a passkey) and disable Password Login in sshd_config. Just make sure you have local access or never lose your RSA key. Then SSH Tunnel the rest of the traffic.

Personally, I run SSH on port 22 and have never had trouble across 10 servers and multiple ISPs across the country. I have had a few brute force attempts, but strong passwords, RSA keys, and a script to block 100 attempts from a single IP have prevented myself from being hacked.

 

[n0cmonkey]

Actually if that account did not exist, it would of taken maybe several hours or days, instead of minutes. When there's nothing to stop the brute force, it will eventually succeed.

Why didn't you have anything to stop the brute force? That should be easy with PAM, right?

Changing the port is more or less security through obscurity,

More, not less. 😉

 

[n0cmonkey]

Want to know what usernames/passwords these bots are using? I "backdoored" my own server to get this data. 😀

#attempts  username  password
91      root    root
58      root    password
27      root    111111
23      root    123456
9       staff   staff
8       sales   sales
7       oracle  oracle
7       admin   admin
6       test    test
6       root    root123
6       root    qwerty
5       root    admin
5       root    12
5       admin   sysmail
4       root    roots
4       root    rootroot
4       root    passw0rd
4       root    pa55w0rd
4       root    p@ssw0rd
4       root    muie1234
4       root    muie123
4       root    beach
4       root    QAZwsx!@#
4       root    Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD
4       root    1q2w3e
4       guest   guest
3       stud    stud
3       root    Root
3       root    QQAAZZwwssxx!!@@##
3       root    654321
3       root    1qa2ws3ed4rf5tg6yh7uj8ik
3       root    12345678
3       raimundo        raimundo
3       db2inst1        db2inst1
3       aaa     aaa
3       PlcmSpIp        PlcmSpIp
2       www     adrian140489
2       user1   user1
2       test1   test1
2       test    123456
2       t1na    tina
2       t1na    t1na
2       supporte        supporte
2       soporte soporte
2       sec     robertradiomirc
2       root    zh3I5Lik3P4rtY@v3r
2       root    redroot
2       root    redhat
2       root    pulaparolafraiere
2       root    loverapid89
2       root    linux
2       root    kalimero4cappy
2       root    debian
2       root    cosmindany
2       root    apple
2       root    administrator
2       root    abc123
2       root    Sh3I5Lik3P4rtY@v3r
2       root    Administrator
2       root    1qazxsw2
2       root    123456789
2       root    1234
2       root    /.,mnbvcxz
2       recruit recruit
2       plcmspip        plcmspip
2       nobody  Unprivileged
2       fluffy  fluffy
2       fido    0747899147526202
2       delta   delta
2       ddp-torrent     sdkjh
2       db2inst1        password
2       alexis  alexis
2       admin   123123123
2       abas    abas
2       abakus  abakus
2       ab      123456
2       aaron   aaron
2       aapo    aapo
2       aa      aa
1       xwang   xwang
1       xtn     alex7485963
1       wwwweb  wwwweb
1       www     www123
1       www     changeme
1       user    user
1       user    PASSWORD
1       ula     ula
1       troot   rootroot
1       testuser        testuser
1       test    zfy_zzh_ldz@2007-09
1       test    PASSWORD
1       test    123123123
1       sifak   BySifak
1       samba   samba
1       root    zfy_zzh_ldz@2007-09
1       root    welcome
1       root    vsevelos
1       root    venus
1       root    u6uvy0o4n56045y45
1       root    thursday
1       root    th3end0fw0rld
1       root    test123
1       root    stephan
1       root    sorry
1       root    sleeper
1       root    sistemas
1       root    sistema
1       root    sh3l5l1k3p4rty3v3r
1       root    senha1
1       root    sampa
1       root    s1lv3r
1       root    root123456
1       root    root1234
1       root    root12
1       root    root1
1       root    roo
1       root    redhat12345
1       root    reddog
1       root    qazwsx
1       root    qawsxd
1       root    q1w2e3r4t5
1       root    q1w2e3r4
1       root    plokmijnuhbygvtfcrdxeszwaq
1       root    player1
1       root    passs
1       root    pa55word
1       root    oracle123
1       root    oracle
1       root    opensesame
1       root    oaktreeplaza
1       root    notes
1       root    nocbrother
1       root    newyork
1       root    network
1       root    nasugeoacu
1       root    mysql
1       root    mypass
1       root    merlin
1       root    matrix
1       root    marshma
1       root    letmein
1       root    laser12
1       root    l3tm31n
1       root    klein99
1       root    internet1
1       root    internet
1       root    iamh4ckst4rf0r3ver
1       root    g0df0r3v3r
1       root    futpemata
1       root    fuckoff
1       root    fedora
1       root    dsa100tempPass
1       root    changeme
1       root    bypass
1       root    bc5520xk3dd01z\\^M
1       root    asdfghjkl
1       root    asdasd321
1       root    asd321
1       root    asd123
1       root    apache
1       root    admin1
1       root    abcd1234
1       root    Sh5I8LiK6P8rtY6v5r
1       root    QT3CUCCj
1       root    Predeal99
1       root    PaSsWoRd
1       root    P@ssw0rd
1       root    NOTES
1       root    MirelaGeorgeAna
1       root    BjMintelcn2007,/Kaidi2008
1       root    Admin2009
1       root    Admin
1       root    999999
1       root    888888
1       root    8888
1       root    777777
1       root    666666
1       root    5l2a4o7h9a1n&$%()@han
1       root    555555
1       root    444444
1       root    3edc
1       root    333333
1       root    2wsxzaq1
1       root    2wsx
1       root    222222
1       root    1z2x3c4v5b
1       root    1qazxsw23edcvfr45tgbnhy67ujm
1       root    1qaz2wsx3edc4rfv5tgb6yhn
1       root    1qaz
1       root    1q2w3e4r5t
1       root    1q2w3e4r5
1       root    1q2w
1       root    1q
1       root    1234567
1       root    123123
1       root    123
1       root    11223344556677889900
1       root    11111
1       root    1111
1       root    0okmnji98uhbvgy76tfcxdr54eszaw32q1
1       root    000000
1       root    0000
1       root    "}{:?><
1       postmaster      postmaster
1       postgres        postgres
1       postgres        p0stgres
1       petr    petr
1       oubiwann        oubiwann
1       oracle  oracle321
1       oracle  oracle123
1       oracle  manager
1       oracle  PASSWORD
1       oracle  123456
1       oracle  0racle
1       oracle  0r@cl3
1       office  office
1       news    reservad
1       nagios  nagios
1       nagios  nag10s
1       mysql   mysql
1       mlmb    mlmb
1       mercedes        mercedes
1       master  master123
1       master  m@st3r
1       ls      ls
1       kylix   alexxutzu1$@121
1       kevin   kevin123
1       jtello  jtello
1       joan    joan
1       jmurphy jmurphy
1       jacky   iie9x.rk
1       ir      ir
1       heidi   heidi
1       hdd     hdd
1       guest   guest123
1       ghost   ghost
1       gast    gast
1       ftp     ftp
1       fax     fax123
1       demo    demo1234
1       ddp-torrent     skj
1       ddp-torrent     sadkj
1       ddp-torrent     ksjahfd
1       ddp-torrent     askjhsf
1       db2fenc1        db2fenc1
1       daemon  daemon
1       cvs     cvs
1       apple   apple
1       alexandre       alexandre
1       administrator   password
1       administrator   administrator
1       admin1  admin1
1       admin   test
1       admin   pass
1       admin   linux
1       admin   letmein
1       admin   change
1       admin   aqswdefr
1       admin   admin3
1       admin   admin12345
1       admin   admin1
1       admin   abcd1234
1       admin   1q2w3e4r5t
1       admin   1q2w3e
1       admin   123456789
1       adm     123456
1       aditya  aditya
1       adil    adil
1       adela   aleda
1       add     add
1       adc     adc
1       adam    mada
1       adam    adam
1       adam    abc123
1       adam    123456
1       ad      ad
1       act     act
1       acs     acs
1       acer    acer
1       acct    acct
1       accounting      1234
1       access  access
1       acc     123456
1       ac      ac
1       abuse   abuse
1       abrahams        abrahams
1       abraham abraham
1       abra    abra
1       abel    abel
1       abdollah        abdollah
1       abcs    abcs1
1       abcd    abcd
1       abc     abc
1       abbboo  abbboo
1       aaltor  aaltor
1       aabakken        aabakken
1       a2      a2
1       PlcmSpIp        starcartof
1       Administrator   Administrator
1       Administrator   123456
1       00089   00089

 

[VinylxScratches]

Thanks guys,

I have one question.

Is there a way to allow only via MAC Address instead of IP?

I don't have a defined IP because I go from place to place and would like access but only from a select few machines, mainly my Macbook....

I guess this won't work because it's done by the router MAC address.


Edit: New idea

If I use the ssh key, if it fails, can I still not allow password to be used?

 

[Red Squirrel]

Why didn't you have anything to stop the brute force? That should be easy with PAM, right?

I was planing on doing it, and was not at that step yet. Basically I put the forward on, figured I'd be ok for a night, then planned to install fail2ban the next day while at work. BAD mistake. D:

I have to try this experiment again for fun one day but in a controlled environment. (stand alone in DMZ, no access to rest of network) Aparantly windows xp takes about 5 minutes to get hacked too if put directly online with no protection. Fun stuff to try.

 

[MrColin]

Thanks guys,

I have one question.

Is there a way to allow only via MAC Address instead of IP?

I don't have a defined IP because I go from place to place and would like access but only from a select few machines, mainly my Macbook....

I guess this won't work because it's done by the router MAC address.


Edit: New idea

If I use the ssh key, if it fails, can I still not allow password to be used?

It is possible to create iptables rules that will filter based on MAC addresses, its not very intuitive though.

Another interesting application is fwknop, its a port knocking daemon. Basically, all your ports can be closed until it recieves a special packet from you. It can be configured to open, say your ssh port for x number of seconds for you to log in after recieving you authentication packet. There are others that require a combination of packets on different closed ports.

If you have password login disabled in sshd_config and your ssh key fails you are effectively locked out.

One way to get around your dynamic IP addresss on the server is to use a service like dyndns that gives you a domain name to use. Your server or even your router can run a daemon that dyndns with your current IP.

 

[Nothinman]

It is possible to create iptables rules that will filter based on MAC addresses, its not very intuitive though.

And there's the fact that MAC addresses are only used at the link level, meaning that all packets coming from other networks will have the MAC address of the last hope, i.e. his ISP's router.