  1. #1
    Join Date: Jun 2006 | Posts: 82

    How to secure a backup server?

    Hello!

    I've chosen to use a small server as a backup server (I only have about 40 gigabytes to save). I'm not very conversant with server security, so I'm looking for some help.

    Here is what I did:
    - CentOS minimal installation: without PHP, MySQL, ...
    - Changed the SSH port.
    - Created a new user and disabled root login.
    - Allowed only these two users to connect to SSH.
    - Added an email alert for SSH root logins.
    - Installed logwatch.
    - Installed rkhunter.
    - Configured iptables to only allow SSH and ICMP (for my host to monitor my server):

    Code:
    #!/bin/sh
    # chkconfig: 3 21 91
    # description: Firewall

    IPT=/sbin/iptables

    case "$1" in
    start)
    # Flush the existing rules, then allow loopback traffic
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -I INPUT -i lo -p all -j ACCEPT
    $IPT -A OUTPUT -o lo -p all -j ACCEPT
    # Replies to established connections, then SSH on the custom port
    $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 1364 -j ACCEPT
    # ICMP from the host's monitoring sources
    $IPT -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source xx.xx.xx.250 -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source xx.xx.xx.251 -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    # Ping in both directions
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # UDP range used by the host's monitoring
    $IPT -t filter -A OUTPUT -p udp --dport 6100:6200 -j ACCEPT
    $IPT -t filter -A INPUT -p udp --dport 6100:6200 -j ACCEPT
    # Drop everything else arriving on eth0
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i eth0 -j DROP
    exit 0
    ;;

    stop)
    # Remove all INPUT rules again
    $IPT -F INPUT
    exit 0
    ;;
    esac

    What I'm going to do next:
    - Allow FTP or SFTP...
    - Only allow use of compilers and installers for root.
    - Secure the tmp folder (tmp being a separate partition).

    Did I do it the right way so far, regarding security?
    What else can I do?

    Thank you!

  2. #2
    Join Date: Jan 2014 | Location: Fort Lauderdale | Posts: 360
    Looks good so far. I would go with SFTP. I would also restrict access by IP addresses.
    Michael Vinocur

  3. #3
    And use a private key for SSH only.

  4. #4
    Join Date: Mar 2009 | Location: /home/khunj | Posts: 432
    You can remove that rule, because there is no need to allow loopback in the OUTPUT chain if you allowed it in the INPUT one: on the loopback interface, incoming traffic = outgoing traffic.

    Code:
    $IPT -A OUTPUT -o lo -p all -j ACCEPT

    Those ones seem useless too, because your OUTPUT chain policy is already set to ACCEPT, the default value:

    Code:
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -t filter -A OUTPUT -p udp --dport 6100:6200 -j ACCEPT
    NinTechNet

  5. #5
    It looks pretty good! If it's only 40 GB of data though, why not store that locally? On a computer that remains turned off until needed? That would be as solid as it gets when we are talking about security.

  6. #6
    Join Date: Jun 2006 | Posts: 82
    Originally Posted by helix247:
    > I would also restrict access by IP addresses.
    My own IP is not static, but can I use my server's IP to access the server?

    Originally Posted by [email protected]:
    > And use a private key for ssh only.
    I will do that too.

    Originally Posted by Buycpanel-Kevin:
    > If it's only 40 gb of data though why not store that locally?
    That would also be much cheaper. I do it from time to time (once a month). But the problem is my internet connection is slow and it takes a little more than two days to download the files (compared to a few minutes when using my host's backup server for instance).

    Originally Posted by khunj:
    > Code:
    > $IPT -t filter -A OUTPUT -p udp --dport 6100:6200 -j ACCEPT
    Regarding the line above, my host needs it to monitor my server.
    For the other lines, I wrote the rules for the INPUT and forgot to take care of the rest.

    Thank you for the advice.

  7. #7
    The configuration seems to be fine. It would be better to install csf, as it is easy to manage.

    > My own IP is not static, but can I use my server's IP to access the server?
    You can access your main server from your IP, and the backup server should be connected to only from your main server. I think that would be good.
    Sean White http://www.supportmonk.com

  8. #8
    Join Date: May 2001 | Location: HK | Posts: 3,076

    If the backup server is physically next to the host, then why not just get a cable and connect directly. Make everything private and no public access.

    Restrict internet access so that even when someone is able to get in, he is not able to copy your files to an external network.

    And I think when someone has already gotten access to your server, you probably want to know what he has done to it. Use a logger and a remote logging facility to log user sessions and send every single command that has been executed to a remote server, so you can easily trace back.

    Just an FYI, you might want to apply some of these settings on your networking equipment rather than relying entirely on that backup server.
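Pulling together the points made in posts #4 (redundant OUTPUT rules), #7 (reach the backup box only from the main server) and #8 (block outbound copying), here is an added example of how the script from post #1 could be tightened; it is not code from the thread. It assumes SSH still listens on port 1364, that the main server has a fixed address (203.0.113.10 is a placeholder) and that the host's monitoring comes from a known range (198.51.100.0/24 is a placeholder); run it with IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's script: explicit default-deny policies,
# SSH reachable only from the main server, and egress filtering.
# Set IPT=echo to print the rules instead of loading them.
IPT=${IPT:-/sbin/iptables}
MAIN_SERVER=${MAIN_SERVER:-203.0.113.10}      # placeholder: the main server's IP
MONITOR_NET=${MONITOR_NET:-198.51.100.0/24}   # placeholder: host's monitoring range
SSH_PORT=1364                                 # port used in the thread

fw_start() {
    # Flush, then default-deny on all chains. With OUTPUT set to DROP the
    # OUTPUT rules are no longer redundant (post #4): outbound is opt-in.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback must now be allowed in both directions.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections that were accepted or initiated.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the main server (post #7), not from the whole internet.
    $IPT -A INPUT -p tcp -s "$MAIN_SERVER" --dport "$SSH_PORT" -j ACCEPT
    # Monitoring: ping and the UDP range the host uses, from its range only.
    $IPT -A INPUT -p icmp --icmp-type echo-request -s "$MONITOR_NET" -j ACCEPT
    $IPT -A INPUT -p udp -s "$MONITOR_NET" --dport 6100:6200 -j ACCEPT
    # Egress (post #8): new outbound connections only to the main server,
    # DNS and NTP, so a compromised box cannot push the archives elsewhere.
    # Add your yum mirror here while updating, and remove it afterwards.
    $IPT -A OUTPUT -d "$MAIN_SERVER" -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 123 -j ACCEPT
    # Log what gets dropped so logwatch surfaces exfiltration attempts.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-egress-drop: "
}

fw_stop() {
    # Open everything again (policy ACCEPT, no rules).
    $IPT -F
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

case "$1" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Because the OUTPUT policy is DROP, anything the box needs to initiate (rsync to the main server, package updates) has to be listed explicitly; the LOG rule makes forgotten cases visible in the logs rather than silently failing.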
