Albertwu
Hello!

I've chosen to use a small server as a backup server (I only have about 40 gigabytes to save). I'm not very conversant with server security, so I'm looking for some help.

Here is what I did:
- CentOS minimal installation: without PHP, MySQL, ...
- Changed the SSH port.
- Created a new user and disabled root login.
- Allowed only these two users to connect to SSH.
- Added an email alert on SSH root login.
- Installed logwatch.
- Installed rkhunter.
- Configured iptables to only allow SSH and ICMP (for my host to monitor my server):


#!/bin/sh
# chkconfig: 3 21 91
# description: Firewall

IPT=/sbin/iptables

case "$1" in
start)
    # Flush the existing rules, then allow everything on loopback.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -I INPUT -i lo -p all -j ACCEPT
    $IPT -A OUTPUT -o lo -p all -j ACCEPT
    # Replies to connections this host opened itself.
    $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH on the non-default port.
    $IPT -A INPUT -i eth0 -p tcp --dport 1364 -j ACCEPT
    # ICMP from the hosting provider's monitoring hosts. Hostnames are resolved
    # once, when the rule is inserted, so this fails at boot if DNS is not yet up.
    $IPT -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source xx.xx.xx.250 -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source xx.xx.xx.251 -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    # Echo request/reply in both directions (ping from and to this host).
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -t filter -A OUTPUT -p udp --dport 6100:6200 -j ACCEPT
    $IPT -t filter -A INPUT -p udp --dport 6100:6200 -j ACCEPT
    $IPT -P FORWARD DROP
    # The INPUT policy stays ACCEPT: everything else arriving on eth0 is dropped
    # only by this final rule, so flushing INPUT leaves the host fully open.
    $IPT -A INPUT -i eth0 -j DROP
    exit 0
    ;;

stop)
    $IPT -F INPUT
    exit 0
    ;;

*)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac

What I'm going to do next:
- Allow FTP or SFTP...
- Only allow use of compilers and installers for root.
- Secure the tmp folder (tmp being a separate partition).

Did I do it the right way so far, regarding security?
What else can I do?

Thank you!
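The post's root-login mail alert and logwatch both boil down to reading sshd's lines in /var/log/secure. The following is an added example, not code from the thread, that normalises those lines into events and then answers the two questions a backup-server owner actually cares about: which sources are hammering the password prompt (the condition fail2ban bans on) and whether anyone logged in as root. The log lines are constructed samples in the CentOS /var/log/secure format; the addresses are RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd authentication events
# from /var/log/secure, the same signal the original post's root-login mail,
# logwatch and fail2ban act on. The log lines are constructed samples in the
# CentOS /var/log/secure format; the addresses are RFC 5737 documentation ranges.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:12 backup sshd[2231]: Failed password for root from 198.51.100.77 port 51234 ssh2
Mar  3 10:01:15 backup sshd[2231]: Failed password for root from 198.51.100.77 port 51234 ssh2
Mar  3 10:01:19 backup sshd[2233]: Failed password for invalid user admin from 198.51.100.77 port 51240 ssh2
Mar  3 10:02:02 backup sshd[2240]: Accepted publickey for backup from 203.0.113.10 port 40022 ssh2
Mar  3 10:05:41 backup sshd[2251]: Failed password for invalid user oracle from 192.0.2.9 port 33001 ssh2
Mar  3 10:07:00 backup sshd[2260]: Accepted password for root from 192.0.2.9 port 33010 ssh2
EOF
)

# Reads log lines on stdin and normalises them to one event per line:
#   FAIL <ip>                       a rejected password
#   ACCEPT <user> <ip> <method>     a successful login (password or publickey)
ssh_auth_events() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      n = split($0, w, " ")
      for (i = 1; i <= n; i++) if (w[i] == "from") print "FAIL", w[i + 1]
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
      n = split($0, w, " ")
      for (i = 1; i <= n; i++) {
        if (w[i] == "Accepted") { method = w[i + 1]; user = w[i + 3] }
        if (w[i] == "from")     { ip = w[i + 1] }
      }
      print "ACCEPT", user, ip, method
    }'
}

# Sources with at least $1 failed passwords: the condition fail2ban bans on.
bruteforce_sources() {
  ssh_auth_events | awk -v t="$1" '
    $1 == "FAIL" { c[$2]++ }
    END { for (ip in c) if (c[ip] >= t) print ip, c[ip] }' | sort
}

# Successful root logins: the event the original post mails an alert for.
# A root login by password on a host where root login was supposedly
# disabled is the case most worth alerting on.
root_logins() {
  ssh_auth_events | awk '$1 == "ACCEPT" && $2 == "root"'
}

echo "== sources with 3 or more failed passwords =="
printf '%s\n' "$SAMPLE_LOG" | bruteforce_sources 3
echo "== accepted root logins =="
printf '%s\n' "$SAMPLE_LOG" | root_logins
```

On a real host the functions read the log instead of the sample, for instance `tail -n 5000 /var/log/secure | bruteforce_sources 5` (reading /var/log/secure needs root). Each event is normalised first so that the two checks, and any others added later, share one parser and do not drift apart on log-format details such as the "invalid user" prefix.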
5 comments
One more thing can be to install fail2ban to ban IPs that are trying to brute-force via SSH.
Also you may enable SSH key access and disable SSH password access.
Closing all ports except needed ones and changing the SSH port number was a good step.
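"Disable SSH password access" is easy to get subtly wrong in sshd_config: sshd takes the first value it sees for a keyword, so a hardened line appended below a weak one does nothing, and on CentOS, PAM's keyboard-interactive login still accepts passwords unless ChallengeResponseAuthentication is also off. The following is an added example, not from the thread, of a small audit that honours the first-value rule and checks the four settings behind the advice above. The two sample configs are constructed for the demonstration; the only assumption is that awk and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the comment above recommends: no root login, keys on, passwords off.
# sshd uses the FIRST value given for a keyword, so only the first line per
# keyword is recorded, and parsing stops at the first "Match" block, whose
# settings are conditional and would need sshd -T to evaluate.

# usage: sshd_audit FILE  -> prints one line per weak setting, exit status = count
sshd_audit() {
  awk '
    # k = keyword, v = required value, dflt = what sshd uses when unset
    function want(k, v, dflt,   found, note) {
      found = (k in seen) ? seen[k] : dflt
      note  = (k in seen) ? "" : " (unset, sshd default)"
      if (found == v) return 0
      printf "%s should be %s (found: %s%s)\n", k, v, found, note
      return 1
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    { key = tolower($1); if (!(key in seen)) seen[key] = tolower($2) }
    END {
      bad = 0
      bad += want("permitrootlogin",                 "no",  "yes")
      bad += want("passwordauthentication",          "no",  "yes")
      bad += want("challengeresponseauthentication", "no",  "yes")
      bad += want("pubkeyauthentication",            "yes", "yes")
      exit bad
    }' "$1"
}

# Constructed sample configs for the demonstration (not real server files).
write_samples() {
  cat > "$1/weak" <<'EOF'
# stock-looking config: root login and passwords both allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
  cat > "$1/hardened" <<'EOF'
Port 1364
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers backup admin
Match Address 203.0.113.0/24
    AllowTcpForwarding no
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in weak hardened; do
  echo "== $f =="
  if sshd_audit "$tmp/$f"; then echo "ok"; fi
done
rm -rf "$tmp"
```

After editing the real file, `sshd -t` checks the syntax and `sshd -T` prints the effective values (including Match blocks), and the usual precaution applies: keep the current session open and confirm a key-based login works from a second session before closing the old one, or the lockout is self-inflicted.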
 
The best security measure you can take on a backup server is to deny all IPs and just allow the servers using it for backup purposes to connect to it, with the exception of your own IP. Of course this only works if you have a static IP, but also as long as the one server can connect to it, you can always SSH into the backup server should something need to be retrieved.

Get a static IP, deny all IPs but yours and the servers that need it, and you don't have to worry much about the intrinsic procedures involved in securing a backup server.
 
The best way to secure your backup server would be to change your SSH port, use SSH keys, deny all IPs but yours, and put your server offline when you are not using it.
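The "deny all IPs but yours and the backup clients" advice above maps onto a ruleset whose denial comes from the INPUT chain policy rather than from a trailing DROP rule, so that flushing the chain during maintenance fails closed instead of open (the original post's script does the opposite). The following is an added example, not from the thread, that emits such a ruleset in iptables-restore format from a port and a list of allowed sources. The port and addresses are hypothetical (RFC 5737 documentation ranges), and the conntrack match is assumed available, as it is on CentOS 6 and later.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# allow-lists the SSH sources the comments above recommend. Denial comes from
# the INPUT chain policy, not a trailing DROP rule, so a flush fails closed.
# Port and addresses are hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are
# RFC 5737 documentation ranges.

valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# usage: gen_backup_ruleset SSH_PORT SOURCE_CIDR...   (prints to stdout)
gen_backup_ruleset() {
  port=$1; shift
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  [ $# -ge 1 ] || { echo "at least one allowed source is required" >&2; return 1; }
  printf '%s\n' \
    '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # One NEW-connection rule per allowed source; nothing else reaches sshd.
  for src in "$@"; do
    printf '%s\n' "-A INPUT -p tcp -s $src --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' \
    '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT' \
    '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "' \
    'COMMIT'
}

# Demo: SSH on 1364 from one admin host and one backup-client subnet (hypothetical).
gen_backup_ruleset 1364 203.0.113.10/32 198.51.100.0/24
```

Load the output with `iptables-restore < rules.txt`, check it with `iptables-save`, and on CentOS persist it with `service iptables save`. Apply it from a session that is itself on the allow-list, and verify a fresh connection from an allowed host before closing that session. To keep ICMP as narrow as the original post did, add `-s` with the monitoring host to the echo-request line. The LOG rule is rate-limited so a scan cannot fill the disk with log lines, which matters on a box whose purpose is to hold backups.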
 
There are many firewalls available for Linux systems, some of which have a steeper learning curve than others. In general though, setting up the firewall should only take a few minutes and will only need to happen during your server's initial setup or when you make changes in what services are offered on your computer.
A simple choice is the UFW firewall. Other options are to use iptables or the CSF firewall.
 
Some Linux Firewalls

Since virus protection is not something very common for the typical Linux user, I usually install software from distro repositories, where all packages are tested and malware-free. I think you already have a good understanding of what root access is and why it's a bad idea to have a simple root password or none at all.
Traditional methods assume real-time virus scanning and repairing of infected files instead of getting rid of them manually. If you need to repair executables, it is better to reinstall the software together with other necessary Linux files. You can also face similar problems with some well-known web apps like WordPress and Joomla, which are not programs in the common sense, but can still be hacked! Moreover, if your web server runs with root privileges, an intruder can have full access to your system. You probably want to have both your system and apps updated to the latest stable version, and keep looking for known vulnerabilities. It is important to operate a properly secured environment for Linux networking as well, which is totally achievable from a secured control panel for server management like cPanel, Webmin, or some newer platforms like ServerSuit.

I suggest the three most proficient tools to detect malicious software on Linux:

Avast
Avast is a freemium-type antivirus software with an intuitive Linux GUI that can be used for Linux server security. Free Avast allows you to easily update definitions and scan file folders for any viruses, while the commercial version offers sandbox applications. Start by installing Avast for Linux from the company website and downloading the right package, then register for a free year of Avast usage. After registration you can operate the great product free of charge.

AVG
AVG for Linux has no GUI, but the command-line scanner offers the same definitions as for Windows. AVG offers complete scanning of your OS for any security threats and reports upon revealing them to confirm future actions, such as scheduling whole-system analysis. AVG is tailored to reduce system resource use: the command-line terminal allows programmed tasks to complete faster. The virus database is constantly updated.

ClamAntiVirus
ClamAV is free command-line software with free updates via freshclam, used for detecting viruses and healing infected files in the quarantine folder. ClamTK is a frontend (GUI) for ClamAV that employs ClamAV parameters to run processes.