Server Security
Server Security
What security measures can I take to make sure my server is secure? I don't want people getting access via remote desktop or getting rcon without my permission first.
Re: Server Security
I'd recommend taking a few simple measures to try to prevent unauthorized access to your server.
- Use a complicated administrator password, like the one we first gave you, and store it in a safe place. Remote login attempts are frequently made by automated scripts from all corners of the internet and if you use a simple password one of these might be able to guess it.
- Minimize the number of users who have the administrator password. Ideally, you should be the only one who has it. Consider setting up an FTP service like FileZilla so that others can have some access, but not unlimited access.
- Disable the "server" service and any others that you don't actually need, through the Control Panel->Administrative tools->Services snap-in. The "server" service provides additional remote access capabilities (such as file sharing) and has been a common source of security problems for Windows versions.
- Avoid web surfing on your dedicated server. Web browsers, and in particular Internet Explorer, are possibly the most common source of new, critical security vulnerabilities, and sometimes just visiting a website can infect your machine with a fresh virus. When you do open pages, visit only trusted sites.
- Make sure that you are always running the latest Windows security updates. Using the Automatic Updates server is a good way of doing this, but keep in mind that sometimes the AU service freezes when it tries to reboot after applying its updates and you may need to manually power cycle your machine through our control panel.
- Don't run anything but trusted server executables (and trusted programs to support them) on your dedicated machine. For instance, don't run AIM, gadgets to expand your desktop, email clients, or anything like that. Run only plugins on your servers that you trust.
- Consider running an antivirus application in the background. This isn't generally required if you follow the other steps, however. If you do run an AV, make sure that it does not come with a firewall.
We don't typically recommend running a firewall with a dedicated server because it is not really necessary if you follow the other steps, and it's very easy to block your own access to the machine (which would require us to order up an on-site technician to fix the problem). With a VDS, though, you could experiment with one without worry -- just keep an eye on CPU usage, since firewalls do cause some overhead.
Re: Server Security
I've been worrying about this myself as of late. Most if not all unnecessary services are disabled on my VPS, and unneeded programs are not running. Just a game server, http, ftp, and mysql. I've never been a fan of AV's or software firewalls due to the bog it feels that they put on the machine, edge - can you make any recommendations for a light weight software firewall? I'm assuming this only really works on our VPS because of the web based VNC you have in the control panel?
Re: Server Security
ziggo0 wrote: edge - can you make any recommendations for a light weight software firewall?
The one included in Windows is pretty good, actually, as is the Linux one (iptables). I'd recommend just sticking with these.
ziggo0 wrote: I'm assuming this only really works on our VPS because of the web based VNC you have in the control panel?
You could configure a firewall on a machine without VNC, as well, but the VNC is nice because it allows you to go in and fix any mistake
Re: Server Security
Like John said, don't run anything besides your basic stuff, don't use a browser, don't download files unless you know what they are. Basically, use common sense and you will be fine. Main thing is your remote desktop/shell password. Use the one NFO provides and you should be fine. I've never run a firewall on any VDS or Dedicated server I've used, and not once had issues. They generally do slow things down a bit, if not a lot.
Re: Server Security
the best type of security is premature protection. if your security is being compromised, it's already too late. i know that's not entirely true, but the best way to steer clear of having security issues is to not give anyone a reason to do it. with your gameserver, don't go out of your way to pick fights with cheaters, these people are already cheating at a game (why put hacking/ddosing past them?). that's just my 2 cents, but windows firewall is very solid, i have an older program (very very basic but effective) that's from 2004 for firewall security, i might post it in a bit.
Re: Server Security
Firewalls can be handy, but sometimes it doesn't matter if you have no firewalls or 3, someone can get in. It's entirely up to you though, as the admin of the VDS. I tend to find them more of a pain than useful, but that is just my personal opinion on them.
Re: Server Security
I have windows firewall running and I only allow my game servers, HTTP and FTP servers access.
I checked my security event logs today and there are a lot of failed logins from random IP addresses. I've seen 5 different IP addresses so far trying to log into accounts "admin" and "administrator". The base administrator account that was on the VDS when I got it still has the rather complex password.
Is there anything I can do to prevent these people from trying to basically "brute" into my server?
Re: Server Security
Those sorts of brute force attacks are unfortunately unavoidable on any public-facing server. The most important measures to take in mitigating them are to keep all of your applications as up-to-date as possible and to use secure passwords.
I've seen some attempts to detect these and ban the IPs involved, but for the most part, that won't do a lot of good.
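The following is an added example, not part of the original posts: one way to triage the failed logins described above by source IP, and to flag the case that actually matters, a successful logon from an address that had just been failing. The CSV layout and sample rows are constructed for illustration (a simplified export, not a native Windows log format); the event IDs assumed are 4625/4624 on Server 2008 and later and 529/528 on Server 2003.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: time, event id, account, source IP.
# Addresses come from the reserved documentation ranges.
SAMPLE = """\
2009-11-02T03:10:01,4625,admin,198.51.100.7
2009-11-02T03:10:03,4625,administrator,198.51.100.7
2009-11-02T03:10:05,4625,administrator,198.51.100.7
2009-11-02T04:22:40,4625,admin,203.0.113.50
2009-11-02T04:22:44,4625,administrator,203.0.113.50
2009-11-02T04:23:02,4624,administrator,203.0.113.50
2009-11-02T09:00:12,4624,administrator,192.0.2.15
"""

FAILED = {"4625", "529"}   # failed logon (Server 2008+ / Server 2003)
SUCCESS = {"4624", "528"}  # successful logon (Server 2008+ / Server 2003)


def summarize(text, threshold=2):
    """Per source IP: failures, accounts tried, success after repeated failures."""
    stats = defaultdict(
        lambda: {"failures": 0, "accounts": set(), "success_after_failures": False}
    )
    # ISO timestamps sort chronologically as plain strings.
    for when, event_id, account, ip in sorted(csv.reader(StringIO(text))):
        entry = stats[ip]
        if event_id in FAILED:
            entry["failures"] += 1
            entry["accounts"].add(account.lower())
        elif event_id in SUCCESS and entry["failures"] >= threshold:
            entry["success_after_failures"] = True
    return dict(stats)


def needs_review(stats):
    """Source IPs where a logon succeeded after a run of failures."""
    return sorted(ip for ip, e in stats.items() if e["success_after_failures"])


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for ip, e in sorted(result.items()):
        print(ip, e["failures"], sorted(e["accounts"]), e["success_after_failures"])
    print("review:", needs_review(result))
```
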
Re: Server Security
Ah so this is a regular thing. Ok, well I have the latest updates on the OS, and have made sure the passwords are very strong, so I shouldn't have anything to worry about then.
Re: Server Security
Regarding disabling the "server" service, I'm an avid Teamviewer user and I prefer it over VNC any day, would disabling this service still allow me to use it? thx.
Re: Server Security
It should, as I don't think it needs the "Server" service. If Teamviewer stops working, you could always enable the service again via VNC.
TimeX
Re: Server Security
One good thing I've always done on any windows server that's open to the internet is to change the RDP port. It's a simple registry change / reboot. Just be careful and follow proper instructions.
Re: Server Security
That is a great option, but a much simpler one on a VDS is to make an IP whitelist in the firewall tab. This is something I recommend everyone do.
Here is an example of mine:
Because rules are evaluated in-order for VDS's and Linux systems, you can make rules that will accept packets and they will not go through the other rules, and if they don't match the first rule, they will go to the next one.
In this example, I have my "staff" IPs set to be allowed, and any traffic that does not match those IPs passes that rule; if their traffic is destined to port 22 or 2087 (WHM management panel) it will be dropped.
This is a great measure to take so port scanners will not even know your machine has the ports open.
Not a NFO employee
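The ordered, first-match evaluation described in the post above can be modelled in a few lines. This is an added example, not the poster's rule set or the control panel's code: the staff addresses, the game port 27015 and the default ACCEPT policy are assumptions, while ports 22 and 2087 come from the post. It also shows why order matters: the same two rules reversed lock the staff addresses out of the management ports.

```python
from ipaddress import ip_address, ip_network

# Constructed values: staff addresses use reserved documentation ranges.
STAFF = [ip_network("203.0.113.10/32"), ip_network("198.51.100.0/28")]
MGMT_PORTS = {22, 2087}  # SSH and the WHM panel, as named in the post

# Rule: (name, source networks or None for any, dest ports or None for any, action)
WHITELIST_FIRST = [
    ("allow-staff", STAFF, None, "ACCEPT"),
    ("drop-mgmt", None, MGMT_PORTS, "DROP"),
]
DROP_FIRST = list(reversed(WHITELIST_FIRST))  # same rules, wrong order


def evaluate(rules, src, dport, default="ACCEPT"):
    """Return (action, rule name) of the first matching rule, else the default."""
    addr = ip_address(src)
    for name, nets, ports, action in rules:
        src_ok = nets is None or any(addr in net for net in nets)
        port_ok = ports is None or dport in ports
        if src_ok and port_ok:
            return action, name  # first match wins; later rules are never seen
    return default, "default"


def locked_out(rules, staff_ip="203.0.113.10"):
    """Pre-flight check: management ports a staff address can no longer reach."""
    return sorted(p for p in MGMT_PORTS if evaluate(rules, staff_ip, p)[0] != "ACCEPT")


if __name__ == "__main__":
    for src, port in [("203.0.113.10", 22), ("192.0.2.99", 22), ("192.0.2.99", 27015)]:
        print(src, port, evaluate(WHITELIST_FIRST, src, port))
    print("locked out (whitelist first):", locked_out(WHITELIST_FIRST))
    print("locked out (drop first):", locked_out(DROP_FIRST))
```

Running a check like `locked_out` against a planned rule order before applying it catches the self-lockout case that earlier replies in this thread warn about.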