Securing my server
Next week I'm about to move my server from home to my colocation facility. It runs Windows 2000 Server, and I have to say, I'm quite concerned about security.
How can I prevent my server from being hacked?
I've already disabled services in Windows that aren't needed, and disabled NetBIOS as far as possible.
I'm running Apache, with PHP and MySQL + Perl. As DNS server software I'm using Microsoft's one included with Windows 2000 Server.
I've created an IPsec policy to block all incoming traffic except service ports that I need.
Is there anything I can do to secure my server more? How can I prevent a DoS attack? etc...
You can't prevent a (D)DoS attack... and there's nothing that will make your box unhackable.. but so far you're on the right track...
MrDredd is correct that you cannot have a hacker-proof or DoS-proof system on the Internet.
However, you can take measures to make your system more resistant against hackers and survive light DoS attacks.
Look at setting up the following:
* mod_security from http://www.modsecurity.org/ (since you mentioned you are running Apache)
* Reviewing the security alerts and tools mentioned on http://www.microsoft.com/technet/security/default.mspx and taking action as appropriate.
Any recommendations regarding a good firewall?
VisNetic for a software firewall.
WatchGuard for hardware firewalls.
Free and Good are hard to find at the same time, but maybe someone will have some open-source options...
Well, if you want free and good, then set up a Linux box as a front end running iptables ;-)
I hear Microsoft Corporation utilizes Linux boxes as part of their site security.
Yes I know, I should be using Linux :p
But I've concluded I don't have enough experience with Linux to put it somewhere remote and administrate it from home.
I've set up a Linux box here, and I had to go do something with the machine itself WAAAAY too many times because I screwed up something with SSH...
My rules of server deployment:
1) Use a firewall (hardware should be used unless you are really strapped for cash)
2) In the firewall, disable everything and add only the ports and IP ranges that need to be exposed to the outside.
3) Use only secure connections such as SSH.
4) Even if you are using SSH, use the firewall to restrict SSH to only your IP at home/work.
5) Add rules to firewall so that the firewall admin interface is only accessible to your home/work IP or locally in front of the machine.
6) Don't even think about running a Windows machine unless you have a firewall with damn strict rules listed above. Within seconds of you plugging a windoze server into a crowded colocation network, the IP will be hit with probes.
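
An added example, not part of the thread: a small audit of an `iptables-save` ruleset (the Linux front-end firewall suggested earlier) against rules 2, 4 and 5 of the list above. The ruleset is constructed; 203.0.113.10 stands in for the home/work address and port 8443 is a hypothetical firewall admin interface.

```python
import ipaddress

# Constructed iptables-save output (not from the thread). 203.0.113.10 stands
# in for the admin's home/work IP; 8443 is a hypothetical firewall admin port.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
COMMIT
"""

def opt(tok, name):
    """Value following option `name` in a tokenised rule, or None."""
    return tok[tok.index(name) + 1] if name in tok else None

def audit(ruleset, admin_nets, restricted_ports):
    """List where the INPUT chain breaks rules 2, 4 or 5.
    Simplification: negated ('!') and multiport matches are not handled."""
    admin = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for line in ruleset.splitlines():
        tok = line.split()
        if line.startswith(":INPUT ") and tok[1] != "DROP":
            findings.append("INPUT policy is %s, not DROP" % tok[1])
        if tok[:2] != ["-A", "INPUT"] or tok[-2:] != ["-j", "ACCEPT"]:
            continue
        if len(tok) == 4:  # "-A INPUT -j ACCEPT": no match condition at all
            findings.append("unconditional ACCEPT in INPUT")
            continue
        dport = opt(tok, "--dport")
        if dport is None:  # rules without a single --dport are not evaluated
            continue
        lo, _, hi = dport.partition(":")  # "22" or a range such as "6000:6010"
        if not any(int(lo) <= p <= int(hi or lo) for p in restricted_ports):
            continue
        src = ipaddress.ip_network(opt(tok, "-s") or "0.0.0.0/0")
        if not any(src.subnet_of(a) for a in admin):
            findings.append("port %s accepts from %s" % (dport, src))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, ["203.0.113.10/32"], {22, 8443}):
        print(finding)
```

On the sample, SSH passes because it is limited to the admin address, while the admin port is reported because it has no source restriction.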