First Windows server @ ServerBeach
jasuk1970
2007-05-21, 11:56 AM
Hi,
I'm just getting my first server commissioned here at ServerBeach, and I'm asking for some advice on initial security for the machine.
I'm planning on putting Eset's NOD32 antivirus software to take care of viruses. I am also planning on using Windows Firewall.
Are there any recommendations on anything extra I should use to help protect the server from attacks from the Net?
This is going to be a personal server for me to host friends sites/forums and for me to do test/personal development work with ASP.net.
Thanks,
Jas
Tino Didriksen
2007-05-21, 12:52 PM
Why bog down a server with continuously running anti-virus? It's a server, not a desktop; there won't be anybody on the machine browsing unsafe sites in Internet Explorer or opening random email attachments.
Only place anti-malware can fit on a server is in the email chain to prevent them being received and/or sent as attachments. And that requires an entirely different product than normal desktop scanners.
Stick with a good firewall, keep services patched, and file permissions up to date.
jasuk1970
2007-05-22, 04:42 AM
What would you recommend as a good firewall?
I was planning on the Windows Firewall.
Cheers,
Jas
Windows Firewall is good and free, but I use Visnetic Firewall, and it can be purchased cheap at http://www.servertastic.com
KyleMulligan
2007-05-23, 22:20 PM
IPSec policies can be utilized to create a more versatile free firewall solution.
jasuk1970
2007-08-17, 11:37 AM
Oh well, it seems the worst has happened. The machine kept crashing, so after an investigation by SB, they found it has been compromised with a brute force attack.
It looks like I am going to have to start from scratch and try to get things right this time round.
Being a developer more than a security expert, what are people's recommendations? I spotted the remote desktop security post in this forum earlier so will try to set up a VPN access to remote desktop using QT's instructions. Anyone else have any ideas of things I can do? (I am going to be in the process of backing everything I can up tonight so it can be re-formatted)
Thanks,
Jas
IndianaJon
2007-08-17, 15:34 PM
Well, brute force attacks usually get through when weak passwords are used. I'm more of a dev myself as well, but this is what I suggest:
1. Use passwords that can't be guessed easily. Generally, if it's got words you can look up in a dictionary it can probably be cracked.
2. Rename the Administrator account to something else. That's probably the first thing a brute force attack is going to attempt to go after knowing that account is likely on 90% of servers out there. Having the login name is half of the guessing game.
3. Put in a lockout policy. That way a brute force algorithm will be stopped cold after just a few guesses.
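
Steps 2 and 3 from the post above, followed by a check of recent failed logons, as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell 5.1+ session on a standalone (non-domain) server that logs failed logons as event ID 4625 (Server 2008 and later); `$NewAdminName` is a hypothetical placeholder, and the 3-attempt / 30-minute values are the ones jasuk1970 reports using later in the thread.

```powershell
# Added example, not from the thread. Run elevated on a standalone server.
# $NewAdminName is a hypothetical placeholder; choose your own value.
$NewAdminName = 'REPLACE-WITH-NEW-NAME'

# Step 3: lock an account for 30 minutes after 3 failed logons,
# and reset the failed-logon counter after 30 minutes.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30

# Step 2: find the built-in Administrator by its well-known RID (500),
# so this works even if the account was already renamed once.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Name -ne $NewAdminName) {
    Rename-LocalUser -SID $builtin.SID -NewName $NewAdminName
}

# Confirm the effective lockout settings.
net accounts

# Check: failed logons (event 4625) in the last 24 hours, grouped by
# targeted account name and source address. A long run against one
# account from one address is the brute-force pattern described here.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account = $data['TargetUserName']
            Source  = $data['IpAddress']
        }
    } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Make sure a second administrator account with a strong password exists and works before renaming or disabling the built-in one.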
tsuehpsyde
2007-08-17, 23:14 PM
2. Rename the Administrator account to something else. That's probably the first thing a brute force attack is going to attempt to go after knowing that account is likely on 90% of servers out there. Having the login name is half of the guessing game.
Definitely some good advice. :) That's why root logins are denied over SSH....it's a guaranteed username with full control of the machine. ;)
jasuk1970
2007-08-18, 06:28 AM
Thanks for the advice.
I've disabled the "Administrator" user and will be using my personal administrator login.
I've also set the security to lock out accounts after 3 failed logins for 30 mins.
Fingers crossed it doesn't happen again.
Jas
noaxispoint
2007-08-28, 19:27 PM
I am going to agree with these guys about passwords. I generally require users to have lower and UPPER case letters, numbers, and if possible a special character. If they send me a weak password, I do not just accept it; I give them a new password.
I have used the following to help generate passwords on the fly:
http://www.pctools.com/guides/password/. Be sure to check Punctuation.
By all means, never use words in a dictionary. You can also get good by using characters not on a US keyboard (for example ñáéíóú¿¡ü). You can block out a good bit of Brute Force applications by using these characters. And of course, if you _really_ want to be secure, use UNICODE only characters such as (ூறிொ).
jasuk1970
2007-08-28, 19:34 PM
I think the hack was running over a few days. I think the best change I did was implement the 3 tries and the account gets locked for 30 mins security policy as this would probably deter brute force attacks.
Jas
I think the hack was running over a few days. I think the best change I did was implement the 3 tries and the account gets locked for 30 mins security policy as this would probably deter brute force attacks.
Jas
Were you happening to use MailEnable? Did it have all the latest fixes and patches? MailEnable has been one of the worst for hacks in the past year or so.
jasuk1970
2007-08-29, 03:11 AM
It came pre-installed with mail enable, but according to SB, it was a brute force attack at the administrator user logon.
tsuehpsyde
2007-08-29, 09:07 AM
It came pre-installed with mail enable, but according to SB, it was a brute force attack at the administrator user logon.
It's still a very good idea to keep up with MailEnable updates. :) I've seen a lot of nasty exploits on the older versions.
jasuk1970
2007-08-29, 10:07 AM
Someone elsewhere suggested switching to SmarterMail Free edition.
For me, all I really need is a way of sending mail from the server. I'm unlikely to need mail accounts. Would this be a better package than MailEnable?
Jas
noaxispoint
2007-08-29, 10:32 AM
If you only need to SEND mail from the server, then just use the Windows Virtual SMTP server and set a RELAY rule to only 127.0.0.1.