Tuesday, July 12, 2005

Examining my system

Ok, so this linode setup is pretty neat. The whole thing is based on UML, so several "hosts" run on one box. You essentially get your own computer coexisting with others on the same hardware. They have multiple distributions to install, etc. Installing and formatting the disk are done with their web interface. Once installed though, you have your own box esssentially. You can even ssh into the box your host is running on, and get console access!

So far a great experience...

You can, through their web setup, correctly set up your reverse DNS mapping. That's one of the first things I did. You have to successfully have a forward mapping setup first though. This was one of the things I would've had to bug WS to do before. Apparently some (few) mail servers will reject mail based on incorrect reverse lookups and I had run into one or two of these already. I think this is a questionable practice, but it's of no concern to me anymore. :-)

You can also through their web setup, deposit your ssh public key(s) at the box your host resides on. This means the ssh console access alluded to above can use public key authentication. It'd be nice if you could disable password based authentication here, but I don't see a way. The website also uses the same password, so it is not worth it anyways. Just use a good password for this. I tend to use pwgen to create long passwords and they get stored in an encrypted file on my laptop. So hopefully this would never be an issue anyways.

There are other implications of the ssh console access. The first of which is, if that gets defeated, your box is vulnerable. So use a good password for this, don't use password based authentication which is more vulnerable than PK, and don't leave yourself logged in, especially as root, at the console. This means that hopefully, they'd have to get through another cryptographically strong password.

The second implication is a very good one. You do not have to run your own ssh daemon unless you need to. So for those who don't keep up with security focus mailing lists as they should, you don't have to worry about the off-chance that someone finds a vulnerability. Presumably in this case the host-based ssh daemons would get updated pretty quickly. :-)

At the moment, I'm running an ssh daemon since I have to set up things, and have multiple shells going at once, and it does seem a little bit faster than the console access, although this could be psychological. I don't know if I'll continue. I took the time to set it up appropriately anyways. In the install offered, password based authentication and root logins were allowed. I set up my PK authentication and sudo and then quickly turned those off.

It was set up generally well for such a system. However, inetd was running with a few services turned on. The security tips part of the linode wiki suggests replacing it with xinetd, but I prefer to remove it all-together. :) Most of the services I wish to run will bind to their port themselves, and I've never really seen the value in a complex tcpd configuration. This is a web and mail server, so I have to be generally open to traffic. There's more value in setting up a good firewall and IDS that will detect hanky-panky before it gets out of hand. The security tips on the wiki are pretty good.

There are still a few things to do. One of them is remove unnecessary dependencies.