How can you secure a server? [closed]












-1















A while ago, I ran a vino server inside my local wifi network, and the vino server wrote messages on stdout that some strange IPs from the Internet tried to connect to it. I wondered, "Is my server being Attacked". How can you secure your server on local and nonlocal, and public and private networks not under your control?



Is the following a possible idea?
Is there a way to make the server only accessible to the other processes running on the server host, and run sshd on the server host to allow forwarded access? (I guess the idea from: https://help.ubuntu.com/community/VNC#SSH_port-forwarding. I don't quite understand how it is done and hope you could explain.)




  • Does this make other machines only able to connect to the server by using ssh and port-forwarding/tunneling?


  • Does this way make the server only accessible to the machines in the same local network or does is also allow machines outside the local network?


  • Is it a more secured way to access the server than making the server accessible to all the other machines in the local network? If yes, is it more secured because SSH is usually more secured than other protocols. (Such as the protocol used by vino?)



Thanks.










share|improve this question















closed as too broad by Romeo Ninov, Rui F Ribeiro, Kusalananda, nwildner, terdon Feb 25 at 12:51


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.



















  • For Vino specifically, you can set the listening interface as discussed here: VNC vino over SSH tunnel ONLY

    – steeldriver
    Feb 25 at 12:44











  • Looking at your problem before... if you didn't manually set up a port forward from your router then this looks like you had UPNP enabled on the router and vino used it.

    – Philip Couling
    Feb 25 at 12:46











  • @steeldriver For my question "How can you make a server accessible only to the other processes running on the same host?", do you mean it is server specific to make a server accessible only to the other processes running on the same host? Is there a server-independent way to make any server accessible only to the other processes running on the same host?

    – Tim
    Feb 25 at 13:07











  • Plug out all your network card?

    – 炸鱼薯条德里克
    Feb 25 at 13:39











  • Actually… a computer can only operate its own hardware, but can communicate with other computers. By that, it looks like you operated other computers, but you're not.

    – 炸鱼薯条德里克
    Feb 25 at 13:44
















-1















A while ago, I ran a vino server inside my local wifi network, and the vino server wrote messages on stdout that some strange IPs from the Internet tried to connect to it. I wondered, "Is my server being Attacked". How can you secure your server on local and nonlocal, and public and private networks not under your control?



Is the following a possible idea?
Is there a way to make the server only accessible to the other processes running on the server host, and run sshd on the server host to allow forwarded access? (I guess the idea from: https://help.ubuntu.com/community/VNC#SSH_port-forwarding. I don't quite understand how it is done and hope you could explain.)




  • Does this make other machines only able to connect to the server by using ssh and port-forwarding/tunneling?


  • Does this way make the server only accessible to the machines in the same local network or does is also allow machines outside the local network?


  • Is it a more secured way to access the server than making the server accessible to all the other machines in the local network? If yes, is it more secured because SSH is usually more secured than other protocols. (Such as the protocol used by vino?)



Thanks.










share|improve this question















closed as too broad by Romeo Ninov, Rui F Ribeiro, Kusalananda, nwildner, terdon Feb 25 at 12:51


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.



















  • For Vino specifically, you can set the listening interface as discussed here: VNC vino over SSH tunnel ONLY

    – steeldriver
    Feb 25 at 12:44











  • Looking at your problem before... if you didn't manually set up a port forward from your router then this looks like you had UPNP enabled on the router and vino used it.

    – Philip Couling
    Feb 25 at 12:46











  • @steeldriver For my question "How can you make a server accessible only to the other processes running on the same host?", do you mean it is server specific to make a server accessible only to the other processes running on the same host? Is there a server-independent way to make any server accessible only to the other processes running on the same host?

    – Tim
    Feb 25 at 13:07











  • Plug out all your network card?

    – 炸鱼薯条德里克
    Feb 25 at 13:39











  • Actually… a computer can only operate its own hardware, but can communicate with other computers. By that, it looks like you operated other computers, but you're not.

    – 炸鱼薯条德里克
    Feb 25 at 13:44














-1












-1








-1








A while ago, I ran a vino server inside my local wifi network, and the vino server wrote messages on stdout that some strange IPs from the Internet tried to connect to it. I wondered, "Is my server being Attacked". How can you secure your server on local and nonlocal, and public and private networks not under your control?



Is the following a possible idea?
Is there a way to make the server only accessible to the other processes running on the server host, and run sshd on the server host to allow forwarded access? (I guess the idea from: https://help.ubuntu.com/community/VNC#SSH_port-forwarding. I don't quite understand how it is done and hope you could explain.)




  • Does this make other machines only able to connect to the server by using ssh and port-forwarding/tunneling?


  • Does this way make the server only accessible to the machines in the same local network or does is also allow machines outside the local network?


  • Is it a more secured way to access the server than making the server accessible to all the other machines in the local network? If yes, is it more secured because SSH is usually more secured than other protocols. (Such as the protocol used by vino?)



Thanks.










share|improve this question
















A while ago, I ran a vino server inside my local wifi network, and the vino server wrote messages on stdout that some strange IPs from the Internet tried to connect to it. I wondered, "Is my server being Attacked". How can you secure your server on local and nonlocal, and public and private networks not under your control?



Is the following a possible idea?
Is there a way to make the server only accessible to the other processes running on the server host, and run sshd on the server host to allow forwarded access? (I guess the idea from: https://help.ubuntu.com/community/VNC#SSH_port-forwarding. I don't quite understand how it is done and hope you could explain.)




  • Does this make other machines only able to connect to the server by using ssh and port-forwarding/tunneling?


  • Does this way make the server only accessible to the machines in the same local network or does is also allow machines outside the local network?


  • Is it a more secured way to access the server than making the server accessible to all the other machines in the local network? If yes, is it more secured because SSH is usually more secured than other protocols. (Such as the protocol used by vino?)



Thanks.







ssh security vnc






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 25 at 14:18







Tim

















asked Feb 25 at 11:57









TimTim

27.8k78265485




27.8k78265485




closed as too broad by Romeo Ninov, Rui F Ribeiro, Kusalananda, nwildner, terdon Feb 25 at 12:51


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.









closed as too broad by Romeo Ninov, Rui F Ribeiro, Kusalananda, nwildner, terdon Feb 25 at 12:51


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.















  • For Vino specifically, you can set the listening interface as discussed here: VNC vino over SSH tunnel ONLY

    – steeldriver
    Feb 25 at 12:44











  • Looking at your problem before... if you didn't manually set up a port forward from your router then this looks like you had UPNP enabled on the router and vino used it.

    – Philip Couling
    Feb 25 at 12:46











  • @steeldriver For my question "How can you make a server accessible only to the other processes running on the same host?", do you mean it is server specific to make a server accessible only to the other processes running on the same host? Is there a server-independent way to make any server accessible only to the other processes running on the same host?

    – Tim
    Feb 25 at 13:07











  • Plug out all your network card?

    – 炸鱼薯条德里克
    Feb 25 at 13:39











  • Actually… a computer can only operate its own hardware, but can communicate with other computers. By that, it looks like you operated other computers, but you're not.

    – 炸鱼薯条德里克
    Feb 25 at 13:44



















  • For Vino specifically, you can set the listening interface as discussed here: VNC vino over SSH tunnel ONLY

    – steeldriver
    Feb 25 at 12:44











  • Looking at your problem before... if you didn't manually set up a port forward from your router then this looks like you had UPNP enabled on the router and vino used it.

    – Philip Couling
    Feb 25 at 12:46











  • @steeldriver For my question "How can you make a server accessible only to the other processes running on the same host?", do you mean it is server specific to make a server accessible only to the other processes running on the same host? Is there a server-independent way to make any server accessible only to the other processes running on the same host?

    – Tim
    Feb 25 at 13:07











  • Plug out all your network card?

    – 炸鱼薯条德里克
    Feb 25 at 13:39











  • Actually… a computer can only operate its own hardware, but can communicate with other computers. By that, it looks like you operated other computers, but you're not.

    – 炸鱼薯条德里克
    Feb 25 at 13:44

















For Vino specifically, you can set the listening interface as discussed here: VNC vino over SSH tunnel ONLY

– steeldriver
Feb 25 at 12:44





For Vino specifically, you can set the listening interface as discussed here: VNC vino over SSH tunnel ONLY

– steeldriver
Feb 25 at 12:44













Looking at your problem before... if you didn't manually set up a port forward from your router then this looks like you had UPNP enabled on the router and vino used it.

– Philip Couling
Feb 25 at 12:46





Looking at your problem before... if you didn't manually set up a port forward from your router then this looks like you had UPNP enabled on the router and vino used it.

– Philip Couling
Feb 25 at 12:46













@steeldriver For my question "How can you make a server accessible only to the other processes running on the same host?", do you mean it is server specific to make a server accessible only to the other processes running on the same host? Is there a server-independent way to make any server accessible only to the other processes running on the same host?

– Tim
Feb 25 at 13:07





@steeldriver For my question "How can you make a server accessible only to the other processes running on the same host?", do you mean it is server specific to make a server accessible only to the other processes running on the same host? Is there a server-independent way to make any server accessible only to the other processes running on the same host?

– Tim
Feb 25 at 13:07













Plug out all your network card?

– 炸鱼薯条德里克
Feb 25 at 13:39





Plug out all your network card?

– 炸鱼薯条德里克
Feb 25 at 13:39













Actually… a computer can only operate its own hardware, but can communicate with other computers. By that, it looks like you operated other computers, but you're not.

– 炸鱼薯条德里克
Feb 25 at 13:44





Actually… a computer can only operate its own hardware, but can communicate with other computers. By that, it looks like you operated other computers, but you're not.

– 炸鱼薯条德里克
Feb 25 at 13:44










1 Answer
1






active

oldest

votes


















2














IP tables can get this job done. It is basically a firewall.



iptables are installed by default on most linux systems. However you can manually install it:



apt-get install iptabels


You can configure it, To Only Allow the local host Access to the Ports and Services, by implementing the following: (This makes processes only available to the host they are running on.)



iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


From there you could add allowances for other ports and services. If you need Internet on that machine while you look for the services and ports you want to allow and how to do it don't use iptables -P OUTPUT DROP yet, put that in place last. Here are good sites to learn from:



Iptables Examples

Allow only SSH



To save the firewall between boots, install iptables-persistent then do iptables-persistent save or netfilter-persistent save.



Doing the first process described here will make your machine, only accessible to it self. The SSH only method will only allow SSH conections to the machine and only from the local network, unless you port-forward the SSH port from your router to that machine from the outside, then all you need is a diydns or no-ip type service or constantly know your public IP to get access from the outside.



Doing the things described in the Allow SSH Only link then port forwarding through a ssh tunnel to the service, is more secure. It only allows SSH connections. It is best to use key based authentication vs passwords however.






share|improve this answer


























  • Thanks. (1) "IP tables can get this job done. It is basically a firewall, you can configure it to only allow only the local host access to the ports and services." Where are the firewall, and the IP tables? (2) could you try to answer the individual questions in my post?

    – Tim
    Feb 25 at 13:09













  • @Tim in the kernel

    – 炸鱼薯条德里克
    Feb 25 at 15:16


















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









2














IP tables can get this job done. It is basically a firewall.



iptables are installed by default on most linux systems. However you can manually install it:



apt-get install iptabels


You can configure it, To Only Allow the local host Access to the Ports and Services, by implementing the following: (This makes processes only available to the host they are running on.)



iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


From there you could add allowances for other ports and services. If you need Internet on that machine while you look for the services and ports you want to allow and how to do it don't use iptables -P OUTPUT DROP yet, put that in place last. Here are good sites to learn from:



Iptables Examples

Allow only SSH



To save the firewall between boots, install iptables-persistent then do iptables-persistent save or netfilter-persistent save.



Doing the first process described here will make your machine, only accessible to it self. The SSH only method will only allow SSH conections to the machine and only from the local network, unless you port-forward the SSH port from your router to that machine from the outside, then all you need is a diydns or no-ip type service or constantly know your public IP to get access from the outside.



Doing the things described in the Allow SSH Only link then port forwarding through a ssh tunnel to the service, is more secure. It only allows SSH connections. It is best to use key based authentication vs passwords however.






share|improve this answer


























  • Thanks. (1) "IP tables can get this job done. It is basically a firewall, you can configure it to only allow only the local host access to the ports and services." Where are the firewall, and the IP tables? (2) could you try to answer the individual questions in my post?

    – Tim
    Feb 25 at 13:09













  • @Tim in the kernel

    – 炸鱼薯条德里克
    Feb 25 at 15:16
















2














IP tables can get this job done. It is basically a firewall.



iptables are installed by default on most linux systems. However you can manually install it:



apt-get install iptabels


You can configure it, To Only Allow the local host Access to the Ports and Services, by implementing the following: (This makes processes only available to the host they are running on.)



iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


From there you could add allowances for other ports and services. If you need Internet on that machine while you look for the services and ports you want to allow and how to do it don't use iptables -P OUTPUT DROP yet, put that in place last. Here are good sites to learn from:



Iptables Examples

Allow only SSH



To save the firewall between boots, install iptables-persistent then do iptables-persistent save or netfilter-persistent save.



Doing the first process described here will make your machine, only accessible to it self. The SSH only method will only allow SSH conections to the machine and only from the local network, unless you port-forward the SSH port from your router to that machine from the outside, then all you need is a diydns or no-ip type service or constantly know your public IP to get access from the outside.



Doing the things described in the Allow SSH Only link then port forwarding through a ssh tunnel to the service, is more secure. It only allows SSH connections. It is best to use key based authentication vs passwords however.






share|improve this answer


























  • Thanks. (1) "IP tables can get this job done. It is basically a firewall, you can configure it to only allow only the local host access to the ports and services." Where are the firewall, and the IP tables? (2) could you try to answer the individual questions in my post?

    – Tim
    Feb 25 at 13:09













  • @Tim in the kernel

    – 炸鱼薯条德里克
    Feb 25 at 15:16














2












2








2







IP tables can get this job done. It is basically a firewall.



iptables are installed by default on most linux systems. However you can manually install it:



apt-get install iptabels


You can configure it, To Only Allow the local host Access to the Ports and Services, by implementing the following: (This makes processes only available to the host they are running on.)



iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


From there you could add allowances for other ports and services. If you need Internet on that machine while you look for the services and ports you want to allow and how to do it don't use iptables -P OUTPUT DROP yet, put that in place last. Here are good sites to learn from:



Iptables Examples

Allow only SSH



To save the firewall between boots, install iptables-persistent then do iptables-persistent save or netfilter-persistent save.



Doing the first process described here will make your machine, only accessible to it self. The SSH only method will only allow SSH conections to the machine and only from the local network, unless you port-forward the SSH port from your router to that machine from the outside, then all you need is a diydns or no-ip type service or constantly know your public IP to get access from the outside.



Doing the things described in the Allow SSH Only link then port forwarding through a ssh tunnel to the service, is more secure. It only allows SSH connections. It is best to use key based authentication vs passwords however.






share|improve this answer















IP tables can get this job done. It is basically a firewall.



iptables are installed by default on most linux systems. However you can manually install it:



apt-get install iptabels


You can configure it, To Only Allow the local host Access to the Ports and Services, by implementing the following: (This makes processes only available to the host they are running on.)



iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


From there you could add allowances for other ports and services. If you need Internet on that machine while you look for the services and ports you want to allow and how to do it don't use iptables -P OUTPUT DROP yet, put that in place last. Here are good sites to learn from:



Iptables Examples

Allow only SSH



To save the firewall between boots, install iptables-persistent then do iptables-persistent save or netfilter-persistent save.



Doing the first process described here will make your machine, only accessible to it self. The SSH only method will only allow SSH conections to the machine and only from the local network, unless you port-forward the SSH port from your router to that machine from the outside, then all you need is a diydns or no-ip type service or constantly know your public IP to get access from the outside.



Doing the things described in the Allow SSH Only link then port forwarding through a ssh tunnel to the service, is more secure. It only allows SSH connections. It is best to use key based authentication vs passwords however.







share|improve this answer














share|improve this answer



share|improve this answer








edited Feb 25 at 13:42

























answered Feb 25 at 12:52









Michael ProkopecMichael Prokopec

1,545218




1,545218













  • Thanks. (1) "IP tables can get this job done. It is basically a firewall, you can configure it to only allow only the local host access to the ports and services." Where are the firewall, and the IP tables? (2) could you try to answer the individual questions in my post?

    – Tim
    Feb 25 at 13:09













  • @Tim in the kernel

    – 炸鱼薯条德里克
    Feb 25 at 15:16



















  • Thanks. (1) "IP tables can get this job done. It is basically a firewall, you can configure it to only allow only the local host access to the ports and services." Where are the firewall, and the IP tables? (2) could you try to answer the individual questions in my post?

    – Tim
    Feb 25 at 13:09













  • @Tim in the kernel

    – 炸鱼薯条德里克
    Feb 25 at 15:16

















Thanks. (1) "IP tables can get this job done. It is basically a firewall, you can configure it to only allow only the local host access to the ports and services." Where are the firewall, and the IP tables? (2) could you try to answer the individual questions in my post?

– Tim
Feb 25 at 13:09







Thanks. (1) "IP tables can get this job done. It is basically a firewall, you can configure it to only allow only the local host access to the ports and services." Where are the firewall, and the IP tables? (2) could you try to answer the individual questions in my post?

– Tim
Feb 25 at 13:09















@Tim in the kernel

– 炸鱼薯条德里克
Feb 25 at 15:16





@Tim in the kernel

– 炸鱼薯条德里克
Feb 25 at 15:16



Popular posts from this blog

How to make a Squid Proxy server?

Is this a new Fibonacci Identity?

19世紀