Bytemark VHost : Security Setup
We aim to deliver your system to you in a secure fashion, and allow you to keep it in such a state.
We do that by configuring it in line with recommended security practices.
Security Updates
Any Debian Security Updates which are relevant to your host will be automatically installed once a day. This should ensure that your system is not left vulnerable to publicly disclosed security flaws for which a fix has been released.
Dictionary Attacks
One common source of system compromise is weak passwords for user accounts. We aim to foil those attacks in two ways:
- Reject weak passwords.
- Avoid dictionary attacks against SSH.
We can't prevent you from setting poor passwords for your accounts, but we have configured the system's PAM setup to reject weak passwords when you try to set them.
A "Dictionary Attack" is the name for a simple hacking method which involves attempting to log in to your machine with a dictionary of common passwords. Such attacks are easily identified in the system logs. Typically you will see 100+ connection attempts, each trying a different password for a small set of users. Our firewall package should block these incoming attempts after only a few failures.
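The log pattern described above can be checked for with a short script. This is an added example, not part of the Bytemark setup: it assumes the usual sshd "Failed password" syslog lines (on Debian normally in /var/log/auth.log), and the function names, the sample log and the threshold values are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts per source address.

# Constructed sample in the usual sshd syslog format (documentation addresses).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:15:01 yourbox sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 yourbox sshd[2103]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:05 yourbox sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2
Mar  3 10:15:07 yourbox sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:09 yourbox sshd[2109]: Failed password for invalid user x from 192.0.2.1 from 203.0.113.7 port 51242 ssh2
Mar  3 10:16:40 yourbox sshd[2140]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:16:52 yourbox sshd[2140]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
EOF
}

# ssh_fail_summary FILE [THRESHOLD]
# Prints "address attempts distinct-users" for each source with at least
# THRESHOLD failures (default 5, an assumed value), busiest first.
ssh_fail_summary() {
    awk -v threshold="${2:-5}" '
    / sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
        # The address is read from the END of the line: the user name is
        # chosen by the client and may itself contain " from 192.0.2.1".
        ip = $(NF-3)
        user = substr($0, index($0, "]: Failed password for ") + 23)
        sub(/ from [^ ]+ port [0-9]+ ssh2$/, "", user)
        sub(/^invalid user /, "", user)
        fails[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= threshold + 0)
                print ip, fails[ip], users[ip]
    }' "$1" | sort -k2,2nr -k1,1
}

# Demo on the sample; on a real host pass /var/log/auth.log instead.
sample_auth_log | ssh_fail_summary - 3
```

A source with many attempts spread over a few user names matches the dictionary-attack pattern; a single failure followed by an accepted login, as for the second address in the sample, is more likely a mistyped password.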
Incoming & Outgoing Firewall
To help you protect your system, a simple firewall will be installed. A simple set of configuration files controls which incoming and outgoing connections it permits. You can read more about the Bytemark Firewall configuration elsewhere.
The firewall is activated by default and allows connections to all the services which are listening by default. In addition, a simple outgoing firewall ruleset is put into place to prevent the www-data user (the user that your webserver runs as) from making outgoing connections. This is done primarily to stop PHP-based worms from spreading.
Although PHP is not insecure, it does have a reputation as a language which causes security problems, primarily because people who develop software using it have little experience of coding, and make mistakes.
To prevent this firewall from loading at system-startup time you should run the following command (either as root, or using sudo):
yourbox# touch /etc/firewall/disabled
If you wish to disable it immediately you'll also need to restart your network interfaces:
yourbox# touch /etc/firewall/disabled
yourbox# /etc/init.d/networking restart
You may verify that the firewall rules have been removed by executing the following command, again as root:
yourbox# iptables --list -n
