Web Hosting Talk

View Full Version : Raq Haq Attaq


RexMundi
11-25-2002, 10:45 AM
I'm setting up a pro-peace anti-nazi website for one of my customers on a dedicated Raq3.

Because of the content of the site they expect heavy and repeated attacks from the bad guys. Their last provider dumped them because attacks on their (virtual) site kept bringing down the entire server.

Anything I should do apart from having all the latest Cobalt patches, turning off TelNet and FTP when not in use, and having pop before SMTP?

How does the Raq respond to automatic brute-force password attacks? Does the delay time between attempts increase with failed attempts? If not, is there any easy way to achieve this? I prefer not to rewrite half of the OS. Can I change the admin name to something other than admin?

Any advice welcome.

(Don't bother sending me a Trojan and telling me it's a security patch. Been there done that.)

Cephren
11-25-2002, 01:08 PM
Gee, maybe you should avoid this client...I surely hope this is not a shared server or else you sure are inviting problems to not just the server, but your entire network. (the culprit will definitely go up the complete site IP class and the server IP class)

1. You should not even turn on telnet at all. Have it disabled all the time. Having it switched on sometimes (even for, let's say, a couple of minutes) puts your server at risk if somebody is listening to the port on the server, which I think someone who is (bad) will.

2. Install port sentry or IPChains/IPTables. Hell, put a hardware firewall up.

3. Close off all unnecessary ports on the server. If the server is only going to serve http, then close off everything else and just leave port 80.

Sometimes it's just not worth taking the risk to host sites which are labeled high risk.

bjseiler
11-25-2002, 02:53 PM
......and you should probably keep open the email, ssh, and control panel ports if you would like to receive email and do anything but look at the web pages.

You should also figure out how you were hacked before. Fool me once, shame on you............

Pingouin
11-26-2002, 09:25 AM
Oh well, so much for individual freedom of speech, this may require a little bit more work and attention, but do host their site!
If that particular site requires you to be even stricter on security issues, your other clients will just thank you for it.
I would also suggest adding an anti-scan device such as the one that I think was provided by a Cobalt patch - but that seems to be gone now. Most attacks probably start with a port scan.
We use it on another "standard" (non-Cobalt) Linux box, and it does wonders. The basis are PortSentry and LogSentry, I'll check where they stand as far as Cobalt install is concerned, but you can definitely install it even if a PKG package is not available.

grandad
11-26-2002, 09:32 AM
Originally posted by Pingouin
The basis are PortSentry and LogSentry, I'll check where they stand as far as Cobalt install is concerned, but you can definitely install it even if a PKG package is not available.

I would also be interested in this, I prefer a .pkg install if possible.

RexMundi
11-26-2002, 10:27 AM
Thanks guys. Food for thought.

For your info we were not the previous host who was hacked and I have no idea of the attack type - but I guess we should be ready for anything.

I can't turn these guys away as it would make ME feel like a nazi.

It's a stand-alone server, so no worries on other sites going down. Unfortunately it's co-located in the US (I'm in the UK) so I pretty much need Telnet from time to time, or at least the control panel, otherwise I'm locked out. The other IPs in the series belong to the co-location host, so not a problem for me. I guess they are pros and will look after their own security.

Does Port Sentry have much overhead? Remember this is a Raq3 and could go moderately heavy traffic.

Anybody got any ideas on the password timeout for the control panels? I can't see any increase in recycle time, so presumably a brute-force attack would be just a matter of time - although a long alphanumeric password (what's the max length allowed?) changed once a week should nail it.

:confused:
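
Added example, not part of the thread and not Cobalt code: the question above about login delays that grow with failed attempts, shown as a replay of constructed login events through an escalating per-address delay. The log format, the thresholds and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not the RaQ3's own logs):
# one address hammering "admin" once a second, one user who mistypes twice.
SAMPLE_LOG = "\n".join(
    [f"2002-11-26 10:00:{s:02d} FAIL user=admin src=192.0.2.10" for s in range(10)]
    + ["2002-11-26 10:01:00 FAIL user=admin src=198.51.100.7",
       "2002-11-26 10:01:05 FAIL user=admin src=198.51.100.7",
       "2002-11-26 10:01:10 OK user=admin src=198.51.100.7"])

LINE = re.compile(r"^(\S+ \S+) (OK|FAIL) user=(\S+) src=(\S+)$")
FREE_TRIES = 3     # failures tolerated before any delay applies
BASE_DELAY = 2     # seconds; doubles with each further failure
MAX_DELAY = 3600   # cap so a run of failures cannot lock an address out for days

def delay_after(failures):
    """Seconds an address must wait after its Nth consecutive failure."""
    if failures <= FREE_TRIES:
        return 0
    return min(BASE_DELAY * 2 ** (failures - FREE_TRIES - 1), MAX_DELAY)

def replay(log_text):
    """Replay login events; return {src: {"failures", "rejected", "delay"}}."""
    state = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                          # ignore lines in other formats
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        result, src = m.group(2), m.group(4)
        s = state.setdefault(
            src, {"failures": 0, "rejected": 0, "delay": 0, "until": when})
        if when < s["until"]:
            s["rejected"] += 1                # inside the penalty window: refused unchecked
            continue
        if result == "OK":
            s["failures"], s["delay"] = 0, 0  # a success resets the counter
            continue
        s["failures"] += 1
        s["delay"] = delay_after(s["failures"])
        s["until"] = when + timedelta(seconds=s["delay"])
    return {src: {k: v for k, v in s.items() if k != "until"}
            for src, s in state.items()}

if __name__ == "__main__":
    for src, summary in replay(SAMPLE_LOG).items():
        print(src, summary)
```

With these thresholds the address guessing once a second gets only six passwords checked out of ten attempts, and each further failure doubles its wait, while the user who mistypes twice is never delayed.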

RexMundi
11-26-2002, 10:59 AM
PortSentry/LogSentry link

http://www.psionic.com/products/