
WOOT!

Tracy Perry

Well-known member
#1
Twowheeldemon.com is now live on a Ram Node VPS. The hardest part of the whole ordeal was deciding which OS to go with. Now comes time for the fine tuning (like setting up Postfix so it serves mail - even tho' mine is hosted through Google Apps). I'm really impressed so far with Ram Node. Once I went live there you could definitely tell a difference in the responsiveness of the site.

I'm still trying to get SFTP figured out. I was wanting to make it so I could FTP directly to the website and process my files, but I may just place them in a directory in my home and point the server at them there... all it needs is read access.
 

Tracy Perry

Well-known member
#4
Well done! Do not forget about the security of your VPS. iptables is a must and SFTP is the right choice :)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
DROP tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:****
ACCEPT tcp -- anywhere anywhere tcp dpt:www
DROP tcp -- anywhere anywhere tcp dpt:www

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere


This is what my iptables is set at right now.
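An added example, not Tracy's configuration or any tool from the thread: it parses an `iptables -L` listing like the one above and flags two things worth checking in it, a later rule whose match is identical to an earlier rule with a different target (the DROP for www after the ACCEPT for www can never fire), and an unqualified `ACCEPT all` that plain `-L` output cannot show as bound to the loopback interface. The sample listing is a constructed, trimmed copy of the INPUT chain.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "target prot source dest extra")

# Constructed sample: a trimmed copy of the INPUT chain listing in the post above.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
DROP tcp -- anywhere anywhere tcp dpt:www
"""

# Built-in chains show a policy; user-defined chains show a reference count.
CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)")

def parse(listing):
    """Return {chain: (policy or None, [Rule, ...])} from `iptables -L` output."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif line.strip() and not line.startswith("target") and current:
            parts = line.split(None, 5)  # target prot opt source dest [match text]
            extra = parts[5].strip() if len(parts) > 5 else ""
            chains[current][1].append(Rule(parts[0], parts[1], parts[3], parts[4], extra))
    return chains

def audit(chains):
    """Return (chain, rule_no, code) findings, rule_no counted from 1."""
    findings = []
    for chain, (_policy, rules) in chains.items():
        seen = {}  # match key -> (rule_no, target) of the first rule with that match
        for no, r in enumerate(rules, 1):
            key = (r.prot, r.source, r.dest, r.extra)
            if key in seen and seen[key][1] != r.target:
                findings.append((chain, no, "shadowed"))  # earlier rule already decided
            seen.setdefault(key, (no, r.target))
            # Plain -L hides the interface: an unqualified ACCEPT all in INPUT is
            # only safe if `iptables -L -v` shows it bound to lo.
            if chain == "INPUT" and r.target == "ACCEPT" and r.prot == "all" and not r.extra:
                findings.append((chain, no, "broad-accept"))
    return findings
```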
 

Tracy Perry

Well-known member
#5
What OS did you select in the end?
Debian - I played with CentOS for a while, but it's been so long since I used the RPM package format that I decided to go with what I was familiar with. Figured Debian (next to CentOS and Red Hat) was a solid choice. Seems a lot of sites are using it also. Was not going to go out and pay for Red Hat when I don't need that kind of service.
 

Slavik

XenForo moderator
Staff member
#6
Debian - I played with CentOS for a while, but it's been so long since I used the RPM package format that I decided to go with what I was familiar with. Figured Debian (next to CentOS and Red Hat) was a solid choice. Seems a lot of sites are using it also. Was not going to go out and pay for Red Hat when I don't need that kind of service.
Fair enough
 

Deebs

Well-known member
#7
Only thing allowed in right now is port 80, my SSH port (with non-standard number) and the ability to respond to pings. Everything else is blocked since I currently am not using it. It also has a setting for DDOS attacks, and fail2ban.
Great stuff. Don't spend too much on security thru obscurity by changing your SSH port, they will find it by portscanning but you have fail2ban which is a much better choice.
 

Tracy Perry

Well-known member
#10
And set up SSH key authentication for that added security :)
:p
Think this is working? I also have some from Russia trying to hit in.

Mar 17 16:38:23 twowheeldemon sshd[4253]: Invalid user oracle from 31.3.245.178
Mar 17 16:38:24 twowheeldemon sshd[4256]: Invalid user test from 31.3.245.178
Mar 17 16:39:31 twowheeldemon sshd[4386]: Invalid user oracle from 31.3.245.178
Mar 17 16:39:31 twowheeldemon sshd[4388]: Invalid user oracle from 31.3.245.178
Mar 17 16:39:32 twowheeldemon sshd[4390]: Invalid user oracle from 31.3.245.178
Mar 17 16:39:34 twowheeldemon sshd[4392]: Invalid user bwadmin from 31.3.245.178

Mar 18 08:13:22 twowheeldemon sshd[1549]: Accepted publickey for ********** from 24.49.69.204 port 61899 ssh2
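An added example, not code from the thread: it parses auth.log lines like those above, flags sources with repeated invalid-user failures using the same sliding-window idea fail2ban's sshd jail applies (the `maxretry` and `findtime` names mirror fail2ban's options, but the thresholds are this example's own), and extracts accepted public-key logins, where the `port` value is the client's ephemeral source port rather than the server's listening port. The sample log is constructed from the quoted lines, with the masked login name replaced by the placeholder `admin`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the auth.log excerpt in the post; the masked
# login name is replaced with the placeholder "admin".
SAMPLE_LOG = """\
Mar 17 16:38:23 twowheeldemon sshd[4253]: Invalid user oracle from 31.3.245.178
Mar 17 16:38:24 twowheeldemon sshd[4256]: Invalid user test from 31.3.245.178
Mar 17 16:39:31 twowheeldemon sshd[4386]: Invalid user oracle from 31.3.245.178
Mar 17 16:39:34 twowheeldemon sshd[4392]: Invalid user bwadmin from 31.3.245.178
Mar 18 08:13:22 twowheeldemon sshd[1549]: Accepted publickey for admin from 24.49.69.204 port 61899 ssh2
"""

STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
INVALID = re.compile(STAMP + r"Invalid user (\S+) from (\S+)")
ACCEPTED = re.compile(STAMP + r"Accepted (\w+) for (\S+) from (\S+) port (\d+)")

def parse_events(text):
    """Return (ts, kind, user, ip, port) tuples. Syslog stamps carry no year, so
    strptime defaults to 1900; that is fine for relative time windows."""
    events = []
    for line in text.splitlines():
        if m := INVALID.match(line):
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, "invalid", m.group(2), m.group(3), None))
        elif m := ACCEPTED.match(line):
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, "accepted-" + m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events

def failures_to_ban(events, maxretry=5, findtime=600):
    """IPs with maxretry or more invalid-user failures inside any findtime-second
    window: the sliding-window idea fail2ban's sshd jail applies."""
    by_ip = defaultdict(list)
    for ts, kind, _user, ip, _port in events:
        if kind == "invalid":
            by_ip[ip].append(ts)
    window, banned = timedelta(seconds=findtime), set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        if any(stamps[i + maxretry - 1] - stamps[i] <= window
               for i in range(len(stamps) - maxretry + 1)):
            banned.add(ip)
    return banned

def accepted_logins(events):
    """(user, ip, port) per successful login. The port is the client's ephemeral
    source port, which is why it changes every connection; sshd still listens on 22."""
    return [(u, ip, p) for _ts, kind, u, ip, p in events if kind.startswith("accepted")]
```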
 

Ghan_04

Active member
#11
Is 61899 a new port for SSH? That's one thing I always do: move SSH to a new port. Most brute force attempts/sniffer scripts will look for the default.
 

Slavik

XenForo moderator
Staff member
#12
Is 61899 a new port for SSH? That's one thing I always do: move SSH to a new port. Most brute force attempts/sniffer scripts will look for the default.
In all honesty, moving SSH to another port is one of those measures which people over-rate. SSH is fine on port 22, just don't use a simple password (using keys is the best way), or configure your firewall to only allow your IP to connect.
 

Biker

Well-known member
#13
In all honesty, moving SSH to another port is one of those measures which people over-rate. SSH is fine on port 22, just don't use a simple password (using keys is the best way), or configure your firewall to only allow your IP to connect.
I disagree. When SSH was on port 22, my logs were full of notices from low life scumbuckets who were banging on my front door. After changing the port, I've yet to receive one single notice. I've gone from hundreds of log entries per month to well under 100. What I get now are primarily pudknockers trying to get into the mail and ftp server.

As far as scanning for the port, csf takes care of that for me by temporarily blocking attempted port scans.
 

Tracy Perry

Well-known member
#14
Is 61899 a new port for SSH? That's one thing I always do: move SSH to a new port. Most brute force attempts/sniffer scripts will look for the default.
Running on standard port 22. That was a direct import from my auth.log. Each time that I have connected the port number is different. I just left it at the standard port (easier to set up for my iPad/iPhone to access using a program I have). And I LOVE sftp ability.
 
#15


403 FORBIDDEN!
Either the address you are accessing this site from has been banned for previous malicious behavior or the action you attempted is considered to be hostile to the proper functioning of this system.
The detected reason(s) you were blocked are:
Mail Server Detection, usually infected. Please access from a non server hostname

Your IP, and Domain Name (if resolvable) has been logged to a local honeypot, along with the referring page (if any), QUERY, POST, User Agent, time of access, and date. Please either 1. Stop the bad behavior, or 2. Cease accessing this system.
Your connection details:
Record #: 1
Time:
Running: 0.4.10a1
Host: mail.guenschel.com
IP: 173.64.112.32
Post:
Query:
Stripped Query:
Referer:
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Reconstructed URL: http:// twowheeldemon.com /

Generated by ZB Block 0.4.10a1


I get that when trying to view your site. Checked honeypot but they have nothing on the IP address.
 

Tracy Perry

Well-known member
#16
403 FORBIDDEN!
Either the address you are accessing this site from has been banned for previous malicious behavior or the action you attempted is considered to be hostile to the proper functioning of this system.
The detected reason(s) you were blocked are:
Mail Server Detection, usually infected. Please access from a non server hostname


I get that when trying to view your site. Checked honeypot but they have nothing on the IP address.
Hmmm.. that is zBBlock doing it... I'll check the log files and see what I can find. Are you accessing from an ISP?
I think I just saw what it is... your hostname resolves to a mail server, ergo - it's set to not allow that as most access attempts from those type of sites are due to the host being *bugged* with an exploit.
 

Tracy Perry

Well-known member
#18
I will enquire as to why that is. It has shown as mail. for as long as I can remember. Thanks.
zBBlock is really nice.. it stops at the front door for most stuff, even before you get to the site, but there can be some false positives in it (usually like in your case). Simply accessing the site from a system that doesn't have a FQDN will normally solve the problem as most users will not be using a server to access forums.
Is this an actual server you are coming in from, or a desktop that has a FQDN?

I couldn't check the log file (well, I could, but forgot to change permissions on it so that the system could not write to it :oops: after the move to the VPS). THAT problem is also solved now.
 

Biker

Well-known member
#19
I will enquire as to why that is. It has shown as mail. for as long as I can remember. Thanks.
Because the IP resolves to a real, honest to goodness mail server.

Service scan

FTP - 21 Error: ConnectionRefused
SMTP - 25 Error: ConnectionRefused
HTTP - 80 HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 18 Mar 2013 18:20:33 GMT
X-Powered-By: ASP.NET
Connection: Keep-Alive
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQASSRQSS=KKMDMKCDNEPFFEFCPJICDJHC; path=/
Cache-control: private
POP3 - 110 +OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (**removed**) ready.
IMAP - 143 * OK Microsoft Exchange 2000 IMAP4rev1 server version 6.0.6249.0 (**removed**) ready.
 

Tracy Perry

Well-known member
#20
Because the IP resolves to a real, honest to goodness mail server.
Yep, and zBBlock did exactly as it is supposed to.. stopped at the front door (like a vacuum cleaner salesman) and the door slammed shut. It misses a few - but those are caught by the other spam utilities that are available here. Figure multilayered protection is nice.

BTW, you the Biker that registered?