[Cc-webedit] Server stuff

Jim Dog theinnercityhippy at riseup.net
Tue Nov 24 12:14:28 GMT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all

As ever, November has been a bit quiet for everyone (traditionally when
everyone takes a deep breath from all the summer's madness), me included
as I've had my head buried in a project to build a coin op linux jukebox
for the 1in12 club (bloody great fun).

Just wanted people to know though that I have still got one beady eye on
the server and so wanted to bring up the following couple of things for
discussion.

First up, after logging in today as usual there are 30 odd denyhosts
reports waiting for me. Pretty much every script kiddy on the internet
seems to have set their sights on our server and it won't be long before
someone finds a chink in the armour no doubt. With that in mind, I know
I proposed this before and people agreed (but then life got the better
of me a bit), but I would like to move the ssh port from the default 22
to a high random number. This is the easy bit, the hard bit is letting
everyone know who needs to access the server to change the settings in
their clients if for example they are using sftp. So, to make the
transition smoother, I propose we do the following:

* Make a list of everyone who has access to the server, their contact
email, level of privilege and the reason for them having access (admin,
sftp for photos, subsite access etc) - This would need to be in a
secure place, such as a private group on crabgrass.
* Email everyone on this list giving a date a couple of weeks away when
the change will happen and asking anyone who has questions or needs help
to get in touch. Me and others can respond to these and get people ready.
* Send a final reminder a few days before it will happen
* Change the port

This won't stop any concerted hacking attempts but it will cut off the
script kiddies and bots out there and will be a good start.

I'd also like to propose the following couple of changes to tighten up
security a little:

* We set passwords for sudo accounts to expire after 3 months (as in
they need to be changed after this time) so that anyone who does manage
to get hold of the shadow password file will only have a limited time to
get in. This won't affect anyone other than those with sudo access as
logging in to the server is only possible with a key and not a plain
text password anyhow.

* We look to set up groups with restrictive permissions for various
levels of admin which don't require the user to have full sudo access.
This way, we can encourage more people to get involved in an open and
accessible way without leaving gaping security holes. This could be an
ongoing skillshare project where we can encourage more people to get
involved in that side of running the site.

* We implement some kind of process where security can be audited a
little better by some kind of working group (at present, there is only
me doing this which isn't ideal as I'm likely to miss loads, and it's
unsustainable), which could also advise on changes to the site which
involves embedding material from elsewhere, or other access policies.
Maybe this could be a committee on the crabgrass group which anyone is
free to join.

* Some kind of record is kept of when the server was last updated, if
new software has been installed/removed and how/when/by whom
(tarball/aptitude etc) and any requests to open/close ports can be made
in a more open way. This information shouldn't be available to the
general public for obvious reasons but it would be really useful in
order to identify potential problems if it were available to the working
group.

With this in mind (apologies for the long and boring email), I guess
what I'm saying is that we have our own server, but we don't seem to
have any really sound policy of how to use it at present which is
horizontal, as currently to make a change involves asking off list the
one or two people who can do this stuff to sort it out. Non-hierarchical
structures when it comes to server admin are really hard to achieve, so
it would be really cool if we could all put some thought and effort into
finding a way to do this which could potentially benefit everyone, and
leave a route open for getting talented (unlike myself :-) ) new people
involved in the dark arts of server admin.

OK, really sorry for the long email. Hope it makes some sense to someone.

In Solidarity

JimDog
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAksLzhYACgkQjI3ttaQQxvaU8QCgoG4Autfb8siMlljD1P6VE44c
OyQAnAuzW3aCfiRGNGt6tgHmnarLHzPO
=3ldr
-----END PGP SIGNATURE-----
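
An added example, not part of the original message: one way the proposed access list and 3-month sudo password expiry could be audited, by cross-checking group membership against the max-age field of shadow entries. The group names `sudo` and `admin`, the 90-day reading of "3 months", and all sample data are assumptions constructed for illustration.

```python
"""Audit sudo-capable accounts against a password-expiry policy."""

MAX_AGE_DAYS = 90                 # assumption: "3 months" taken as 90 days
SUDO_GROUPS = ("sudo", "admin")   # assumption: groups granted sudo on this host

# Constructed sample data in /etc/group and /etc/shadow format (not a real server).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob,carol
admin:x:110:dave
www-data:x:33:
"""
SAMPLE_SHADOW = """\
root:!:14500:0:99999:7:::
alice:$6$constructed$hash:14500:0:90:7:::
bob:$6$constructed$hash:14400:0:99999:7:::
carol:$6$constructed$hash:14200:0:90:7:::
dave:$6$constructed$hash:14500:0::7:::
erin:$6$constructed$hash:14000:0:99999:7:::
"""

def sudo_members(group_text, sudo_groups=SUDO_GROUPS):
    """Return the set of users listed as members of any sudo-granting group."""
    members = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in sudo_groups:
            members.update(u for u in fields[3].split(",") if u)
    return members

def audit(group_text, shadow_text, today):
    """Map each non-compliant sudo user to a finding; `today` is days since 1970-01-01."""
    shadow = {f[0]: f for f in (l.split(":") for l in shadow_text.splitlines()) if len(f) >= 5}
    findings = {}
    for user in sorted(sudo_members(group_text)):
        entry = shadow.get(user)
        if entry is None:
            findings[user] = "no-shadow-entry"
        elif entry[1].startswith(("!", "*")):
            continue                      # password locked: nothing to expire
        elif not (entry[2].isdigit() and entry[4].isdigit()) or int(entry[4]) > MAX_AGE_DAYS:
            findings[user] = "no-expiry"  # max age unset or longer than policy
        elif today - int(entry[2]) > int(entry[4]):
            findings[user] = "overdue:%d" % (today - int(entry[2]) - int(entry[4]))
    return findings

if __name__ == "__main__":
    # 14572 = 2009-11-24 expressed as days since the epoch
    for user, finding in audit(SAMPLE_GROUP, SAMPLE_SHADOW, 14572).items():
        print(user, finding)
```

On a live system the same fields come from `/etc/group` and `/etc/shadow` (readable by root only), and `chage -M 90 <user>` sets the maximum password age for an account.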


