securing airtime server
  • I have airtime running in the cloud on Ubuntu server. I see the following programs listening on all interfaces. Can I modify any of them to listen on localhost interface? How about restricting access via iptables? Just to expose as little as possible.

    image
  • 3 Comments sorted by
  • "listening on a port" does not constitute  that its an open port to the world at large.
    Its more like what services your computer needs to use.

    So here is what should be your major concern

    1. What is the policy of your cloud server provider (ie what is there firewall policy) for incoming and outgoing traffic is it half open,open (all) or closed(unless explictly open by you).Amazon gives you Guideline on how to open ports and unless you do so ,no one not even you have access to the particular service
    2. Some provider gives you access to like ssh (port 22),web(http and https)-(port 80 and 443),only others you have to call and verify before you get access.
    The common mistakes people make is that shutting down ports prevent an attack.
    On the contrary it is an overall policy that will mitigate that attack. you would be astound that an attack can be launch on the web ports.(so I am told).

    "The problem I found with us new school administrator is that we block everything just to find out we have not block that one thing that someone will use to enter"

    So know the policy first then implement strategies around that.

    So here is an easy suggestion

    • Place the public interface separate from the local Like separate (bin or partion) for public Icecast)
    • Relay your Main Icecast to public Icecast with failovers
    • Set SSH  through VPNs for all  those who need access to The airtime interface
    • Watch your logs and set alerts.
    • Do not worry too much on what people want to do,just give them enough to have them busy [Honey pot] and hide the rest,because crazy people will always search.
    • Read The Airtime Security discussion for some guidelines

    quoting from Canonical phrase  about security

    "Security should always be considered when installing, deploying, and using any type of computer system. Although a fresh installation of Ubuntu is relatively safe for immediate use on the Internet, it is important to have a balanced understanding of your systems security posture based on how it will be used after deployment."

    That is to say you do not want to render your system useless,but to take the necessary precaution"

    Contrast that with may bloggers (Google Linux security) who writes suggesting its a lie that Linux is more secure and my thoughts that we all have an inherent vulnerabilities,but maybe it just has not been exploited. 

    • Wish you All the Luck 

    V.O.I.S.S.E.S

    I am out of office at this time
     




    Post edited by Voisses Tech at 2013-10-15 14:10:47
    Anyone reading this a find it funny about my grammar , I make no apology ,Go get a translator.
    "The Problem with education today is that it takes a university degree to switch on a light bulb"
    "You learn from your mistakes but wise people learn from others mistakes avoid Making mistakes there is not sufficient rooms to make them"
    "Innuendo","If's","Assumptions" and "Fear" are for politician.Who,What,where,When and How are for those seeking knowledge and care about Humanity.
    "I might be in Mud but that does not Make me a Wild Hog(pig)"
    “Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius — and a lot of courage to move in the opposite direction.”
    "The only thing that remains constant is change itself"
    May the force be with you,until our path or destiny bring us in tandem.
  • Thanks V.O.I.S.S.E.S for the quick response.

    In my case, all (incoming/outgoing) traffic is open. I'm pretty sure my hosting provider (Digital Ocean) has IDS to detect DDoS and various attacks but they don't block traffic for my linux vps. So I need secure my own VPS using Iptables, etc.

    I'm not concerned w/ SSH, HTTP(S) or IceCast. I'm more concerned w/ epmd (Erlang Port Mapper Daemon) and monit. I'm just not too familiar w/ those two. I'm able to telnet into those two ports. Should they really be listening on all interfaces?

    tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1017/epmd
    tcp        0      0 0.0.0.0:2812            0.0.0.0:*               LISTEN      1240/monit

  • you can lock down these ports.
    Locking down a port is just preventing the service from answering any request from the interface(network).It will not stop the service from working.
    In fact I do so on most of my machine unless I explicitly need that port.

    UFW is the default iptables configuration tool for Ubuntu,so any changes you make will make the necessary changes to the iptables.All you need to do is enable it

    The syntax are simple

    sudo ufw enable
    This will block all ports so make sure you at least enable ssh

    then make sure you allow ssh immediately before you restart your network interface

    sudo ufw allow ssh

    Your Provider  has a excellent support for  firewall also recommend you install fail2ban

    Remember a firewall just block the interaction between the outside world and the computer

    The service will still run and the only way to stop it is to kill the pid ( monit is a core element you should not kill its pid)

    I donot know if Airtime can be chroot and your tech support was at a lost,So I will try it myself and report at a later date.
     

    Voisses
    outta office
    Post edited by Voisses Tech at 2013-10-15 22:25:22
    Anyone reading this a find it funny about my grammar , I make no apology ,Go get a translator.
    "The Problem with education today is that it takes a university degree to switch on a light bulb"
    "You learn from your mistakes but wise people learn from others mistakes avoid Making mistakes there is not sufficient rooms to make them"
    "Innuendo","If's","Assumptions" and "Fear" are for politician.Who,What,where,When and How are for those seeking knowledge and care about Humanity.
    "I might be in Mud but that does not Make me a Wild Hog(pig)"
    “Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius — and a lot of courage to move in the opposite direction.”
    "The only thing that remains constant is change itself"
    May the force be with you,until our path or destiny bring us in tandem.