Don't set it up to reply to DNS requests from outside your network, and don't enable any kind of remote administration from outside your network. Really not sure how I can put that any more simply, the fewer internet accessible services you run, the smaller your attack surface.I'm not sure what you mean by "provided it's not listening to DNS requests from the WAN / internet at large or exposing administration interfaces or remote login services to the same".
I'd especially steer clear of exposing web based admin panels to the internet... That's how the vast majority of routers and IoT junk get pwned. Things like webmin or some other other shiny webui might be convenient for you, but they're just as convenient for anyone looking for ways into your system. If you must run such things, at least put them behind a VPN or SSH tunnel.
I mean logins that are available over the network, obviously. SSH is one, and there are several others. If you do allow SSH from the internet, be sure to disable root login and use a decently strong password for any account that has SSH logins enabled. You might also consider an IP whitelist, preshared-keys instead of (or as well as) passwords, or a login-failure monitoring script like fail2ban. The first thing any botnet does is hammer any open SSH ports it finds with simplistic brute-force attacks.what do you mean by network logins? ssh?
Leaving your user logged in to the local system is largely irrelevant to network security, unless you're running some kind of service that allows remote access to it (e.g. VNC)... which is, IMO, an exceedingly bad idea without using a VPN or tunnel.
Leaving a local user logged in and running X / a DE, and allowing SSH access for that same user, and that user account getting pwned over SSH might allow for easier escalation to root (much larger attack surface)... But then I honestly have no idea why anyone would run a graphical desktop on a server to begin with.
How long is a piece of string? How you set up privilege elevation on a server depends on what it's for and who needs to do what with it.How would you configure sudo for a server with network security in mind?
Personally, I wouldn't bother with sudo at all unless I needed to delegate limited root access.
Statistics: Posted by steve_v — 2024-02-19 14:40 — Replies 10 — Views 1214