Ubuntu 12.4 server

Associate | Joined: 21 Jan 2010 | Posts: 205 | Location: Wales
Hi, I have just ordered a Kimsufi dedicated server.

It's running Ubuntu 12.4 as per the title. I have played around with VPS servers in the past for hosting Minecraft on,
so I do know how to find my way around the OS - more like stagger and bump into things... hah

I shall be attempting to run a game server, Mumble, a site and some FTP access,
generally an all-singing, all-dancing package for our "gaming community"

How would you go about setting things up?

Any security measures I need to implement, or is that taken care of?

Should I create a new user for the daily running of things?

I may be asking "simple" things here but I'm just looking for advice from people who know a thing or two.
I would like to get this running smoothly, with little to no fuss

I guess I'm looking for general advice

cheers!
 
Associate | Joined: 3 Feb 2009 | Posts: 2,246
I'd look up server hardening, it's a big topic and not something that could be covered in a forum thread.

Some pointers though, some obvious, some less so
1) Keep everything up to date - OS, programs
2) Install as little as possible. The less you have installed, the fewer potential points of failure/entry into your system
3) Choose secure passwords. Your security is only as good as your weakest password
4) Firewalls. Set it up, set it up properly and block as much as possible.
5) Read up on it. Check which versions of things you've installed and read up on any vulnerabilities. Keep abreast of security issues with the packages you have installed
6) Contrary to #2, install Webmin. It gives you a lot of wizards for common tasks and interfaces to most aspects of a server OS - making it a little more difficult to **** things up.

I also wouldn't recommend Ubuntu Server - it's decent, but CentOS is popular for a reason: one of which is that it comes with the bare minimum installed, and most things disabled... the ethernet connection isn't on by default, for example.

You're not overly likely to be attacked, so you'll get some "security through obscurity" - but that's not something you should rely on. There's always a good chance that you'll be attacked by a rival clan or similar.
 
Associate | Joined: 14 Jun 2010 | Posts: 737
Ensuring applications are run as the correct user is also very important - don't run things as root that shouldn't be (Minecraft, webserver, etc).

My issue with web panels is that they can be quite insecure and leave config messes behind if you decide to get rid of them. The recent zpanel issues have certainly been a good example of this.
 

aln | Associate | Joined: 7 Sep 2009 | Posts: 2,076 | Location: West Lothian, Scotland.
> You're not overly likely to be attacked, so you'll get some "security through obscurity" - but that's not something you should rely on. There's always a good chance that you'll be attacked by a rival clan or similar.

Actually there'll quickly be a ton of bots attempting nefarious deeds on his server, based on the fact they'll port scan on everything on the subnets used for popular hosting companies on a fairly regular basis and then concentrate on anything that actually responds.

Rather than going for "security through obscurity" you can use something like fail2ban and require a key/pass combo to login. If you don't personally have a dynamic IP, you could firewall off everything that isn't you for SSH and pretty much everything that you don't fully intend to serve to the world. Setting up unattended updates and hardening the server wouldn't go amiss.

That'll leave you with pretty much one attack vector on a typical server, software that's not being maintained that's not firewalled off, generally the httpd stuff. You don't keep on security updates from whatever you're serving, then it's pretty likely that you'll get owned. The weakest link breaks the chain.
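
Added example (not part of the thread or any poster's code): a simplified version of the per-address failed-login counting that fail2ban automates, run over constructed sshd log lines. The function names and the sample log are assumptions; unlike fail2ban it applies no time window and bans nothing.

```shell
#!/bin/sh
# Constructed sshd log lines (documentation-range addresses, not real traffic).
sample_log() {
    cat <<'EOF'
Jan 21 03:10:01 ks sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 21 03:10:03 ks sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 21 03:10:05 ks sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Jan 21 03:11:40 ks sshd[1210]: Failed password for invalid user test from 198.51.100.7 port 51514 ssh2
Jan 21 03:11:52 ks sshd[1212]: Failed password for invalid user x from 192.0.2.10 from 198.51.100.7 port 51520 ssh2
Jan 21 03:12:02 ks sshd[1215]: Accepted publickey for gamer from 192.0.2.10 port 50022 ssh2
Jan 21 03:12:30 ks sshd[1219]: Failed password for gamer from 192.0.2.10 port 50030 ssh2
EOF
}

# offenders MAXRETRY: read sshd log lines on stdin and print "address count"
# for every source with at least MAXRETRY failed password attempts.
# The user name is text supplied by the remote side, so the address is taken
# from the fixed tail of the line ("from ADDR port N ssh2"), not from the
# first "from" that appears.
offenders() {
    awk -v max="$1" '
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF - 4) == "from" && $(NF - 2) == "port" {
            fails[$(NF - 3)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# Stand-alone run: sources with three or more failures in the sample.
sample_log | offenders 3
```
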
 
Associate | OP | Joined: 21 Jan 2010 | Posts: 205 | Location: Wales
Thanks all

I actually switched to CentOS 6 as Audigex suggested,
read a few guides from centos.org, changed the SSH and FTP ports, disallowed anon access etc

But while following an iptables guide to close all but FTP and SSH
I found OVH did not like that... hah, figures they need to be able to ping me

Still don't have a full understanding of iptables sadly
and had to go back to default with a rule added for the game server
(I will revisit this)

Managed to add a group that had rwx on a specific dir
to run said game server, gave root to user

Getting through all this slow and steady.
Fun to learn all this and having a lot of "derp, should have done it this way" moments

Have just closed the server and ordered a new one.
They just scrapped the previous offer I had, KS8g @ £30, and have a far better one...
currently waiting on KS16g @ £20.39 inc VAT

Thanks again for the info guys

Cheers!

One thing that's bothering me though...
Virgin Media seems to have a bad connection to the server
(VM is just poo, nothing but problems)
 

KIA | Man of Honour | Joined: 14 Nov 2004 | Posts: 13,785
> But while following an iptables guide to close all but FTP and SSH
> I found OVH did not like that... hah, figures they need to be able to ping me

You can disable the ping monitoring via the OVH control panel.

I picked up one of the new Kimsufi 2G's for £2.49 per month. Not bad at all!
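
Added example (not from the thread or from OVH): a default-deny inbound ruleset in iptables-restore format that keeps ICMP echo open, so ping-based monitoring like that mentioned above still gets replies, plus a pre-flight check that rejects a ruleset which would cut off ping or SSH. The function names, the game port 25565 and the port arguments are assumptions to adjust for your own services.

```shell
#!/bin/sh
# ruleset GAME_PORT [SSH_PORT] [FTP_PORT]: print an iptables-restore file.
# Inbound traffic is dropped unless a rule below accepts it.
ruleset() {
    game_port=$1 ssh_port=${2:-22} ftp_port=${3:-21}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport $ftp_port -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport $game_port -m state --state NEW -j ACCEPT
COMMIT
EOF
}
# Passive FTP data connections only match RELATED when the nf_conntrack_ftp
# helper module is loaded.

# preflight SSH_PORT: read a ruleset on stdin; exit non-zero and name the
# problem if a DROP policy on INPUT has no echo-request or SSH accept rule.
preflight() {
    awk -v ssh="$1" '
        /^:INPUT DROP/                                     { drop = 1 }
        /^-A INPUT .*--icmp-type echo-request .*-j ACCEPT/ { ping = 1 }
        $0 ~ ("^-A INPUT .*--dport " ssh " .*-j ACCEPT")   { sshok = 1 }
        END {
            if (drop && !ping)  { print "no echo-request rule"; bad = 1 }
            if (drop && !sshok) { print "no SSH rule"; bad = 1 }
            exit bad + 0
        }'
}

# Stand-alone run: generate the ruleset and check it before it is applied.
ruleset 25565 22 | preflight 22 && echo "ruleset keeps ping and SSH reachable"
```

On the server, write the output to a file and run `iptables-restore --test < file` first, which parses the rules without applying them.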
 