Linode Forum
Linode Community Forums
Posted: Fri Apr 11, 2014 8:30 pm
Senior Member

Joined: Tue Sep 28, 2010 12:05 pm
Posts: 90
Website: http://www.theatereleven.com
AOL: theatereleven
Location: Santa Monica, CA
Hey, thanks to anyone for chiming in with advice on this.

I just set up a Debian 7.4 Linode and thought iptables was loading a configuration, but it was loading an empty configuration because I screwed something up. Fail2Ban was running, but zilch for an iptables configuration.

The time period was about 48 hours.

Do you think I'm okay, or would Debian 7.4 get hacked like crazy during that amount of time?

I haven't noticed anything weird...just being cautious. I had one WP site running, but it has its own WordFence firewall running.

Thanks!

_________________
kyler d. boudreau
theatereleven.com


Posted: Fri Apr 11, 2014 8:38 pm
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
A) fail2ban doesn't improve security

B) Credentials matter way more than iptables when it comes to securing SSH: strong keys or passwords.

C) Wordpress is orders of magnitude more likely to be compromised than SSH, and I doubt "WordFence" helps.

- Les


Posted: Fri Apr 11, 2014 8:40 pm
Senior Member

Joined: Tue Sep 28, 2010 12:05 pm
Posts: 90
Website: http://www.theatereleven.com
AOL: theatereleven
Location: Santa Monica, CA
OK, thanks. My SSH password was fine.

So what I'm wondering is, with no iptables running, would that have left ports open that could have been compromised? Or if my SSH login was solid, am I probably okay?

*My past in IT was Windows Server, and throwing a Windows server online with no firewall was instant death.

_________________
kyler d. boudreau

theatereleven.com


Posted: Fri Apr 11, 2014 8:46 pm
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
Ports aren't "open or firewalled off". If you don't have a service listening on a port, your server won't respond to connections on that port. If you had unsecured services listening, that's a separate problem, and you should be binding those things to localhost.

- Les


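As an added example illustrating Les's point above (not code from the thread or from anyone in it): the question "is anything listening that I didn't mean to expose?" is answered by looking at bound sockets, not at the firewall. The script below classifies listening TCP sockets by bind address so that anything reachable from other hosts stands out, and services that ought to be loopback-only (MySQL, for instance) can be confirmed as such. It parses `ss -tln` output (`netstat -tln` on older Debian keeps the local address in the same column); the sample output embedded here is constructed so the script runs offline, and the port set in it is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: classify listening TCP sockets by
# bind address. Works on `ss -tln` or `netstat -tln` output; a constructed
# sample is embedded so the script runs offline.

# Constructed sample of `ss -tln` output (assumption: sshd and Apache on
# all interfaces, MySQL and a Redis-like daemon on loopback only).
sample_listeners() {
    cat <<'EOF'
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN  0      128    [::]:80             [::]:*
LISTEN  0      128    [::1]:6379          [::]:*
EOF
}

# classify_listeners < ss-output
# Prints "PUBLIC <port>" for sockets reachable from other hosts and
# "LOCAL <port>" for loopback-only ones, in input order.
classify_listeners() {
    awk '
        # Only LISTEN rows; ss puts the state first, netstat puts it last
        $1 == "LISTEN" || $NF == "LISTEN" {
            addr = $4                       # local address:port column
            n = split(addr, parts, ":")
            port = parts[n]                 # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # 127.0.0.0/8 and ::1 are loopback; everything else is reachable
            if (host ~ /^127\./ || host == "[::1]" || host == "::1")
                print "LOCAL " port
            else
                print "PUBLIC " port
        }'
}

# public_ports < ss-output
# Space-separated list of ports reachable from outside; compare it with
# the short list you actually meant to expose (22 and 80 in the sample).
public_ports() {
    classify_listeners | awk '$1 == "PUBLIC" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Stand-alone run: show the classification and the public port list.
sample_listeners | classify_listeners
echo "public: $(sample_listeners | public_ports)"
```

On a live host, replace `sample_listeners` with `ss -tln` (or `netstat -tln`); any PUBLIC port that is not on your intended list is a service to bind to 127.0.0.1 or stop, regardless of what iptables is doing.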
Posted: Fri Apr 11, 2014 8:48 pm
Senior Member

Joined: Tue Sep 28, 2010 12:05 pm
Posts: 90
Website: http://www.theatereleven.com
AOL: theatereleven
Location: Santa Monica, CA
Okay, sweet. So that's probably how Windows servers get hacked so fast...they have a bunch of ports open for stuff.

I'm newer to Linux admin, but I didn't open any ports specifically. I just deployed Debian 7.4, installed Apache2, MySQL (secured) and PHP. Oh, and set up an Exim SMTP server with no relay.

Thanks for putting my mind at ease man.

_________________
kyler d. boudreau

theatereleven.com


Posted: Sat Apr 12, 2014 11:41 am
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
I wouldn't take any chances. I'd delete it and build it again; when you start it up the IP won't be in the stack, so use Lish to log in, make sure the firewall is running, the ports you need open are open, the software you need is installed and the system is updated. Then add the IP and start the network stack. If you're using ufw then:

Code:
sudo ufw status


That's to make sure you have the ports open that you want. From a client that can run nmap I'd run:

Code:
nmap -sV -T4 -A -v yourserveriphere


If you don't want to install and run nmap (and your ISP might not like you running nmap, IDK) then you could use Steve Gibson's ShieldsUP service; it's free, Google it.


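As an added example (not code from the thread or from jebblue): the `sudo ufw status` step above is only useful if you compare its output against the short list of ports you intend to expose. The script below does that comparison, failing if the firewall is inactive or if any ALLOW-from-Anywhere rule targets a port outside the list. The `ufw status` output embedded here is constructed so the script runs offline, and the assumption that 3306/tcp was opened by mistake is mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit `ufw status` output against
# an allow-list of ports. A constructed sample is embedded so it runs
# offline; on a real host pipe `sudo ufw status` into audit_ufw instead.

# Constructed sample of `ufw status` output (assumption: 3306/tcp was
# allowed by mistake and should not be reachable from Anywhere).
sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# audit_ufw "22 80" < status-output
# Returns 1 and prints the offending "To" column if the firewall is not
# active or any ALLOW-from-Anywhere rule targets a port outside the list;
# returns 0 when every public rule is expected.
audit_ufw() {
    allowed="$1"
    status=$(cat)
    case "$status" in
        *"Status: active"*) ;;
        *) echo "firewall is not active"; return 1 ;;
    esac
    bad=$(printf '%s\n' "$status" | awk -v ok="$allowed" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        {
            # Find the "ALLOW Anywhere" pair wherever it sits on the row;
            # "(v6)" shifts the columns on IPv6 rules.
            for (i = 1; i < NF; i++)
                if ($i == "ALLOW" && $(i + 1) == "Anywhere") {
                    split($1, p, "/")          # "3306/tcp" -> port 3306
                    if (!(p[1] in want)) print $1
                }
        }')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone run: only SSH and HTTP are meant to be public here.
sample_ufw_status | audit_ufw "22 80" || echo "unexpected public rule(s) listed above"
```

Run it after `ufw enable` and before the network stack comes up, as the post suggests; a non-zero exit means either the firewall is off or a rule exposes something you did not list.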
Posted: Sat Apr 12, 2014 11:48 am
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
jebblue wrote:
when you start it up the IP won't be in the stack so use Lish to login


Not sure if we're talking about different things, but a newly deployed Linode will boot with its IP up, via DHCP.

Also, the "burn it down" strategy seems massively excessive in this case. The firewall has so little to do with system security for 90% of people, I'm not sure why nuking it from orbit is recommended. SSH is resilient with strong credentials, firewall or no, and the main things that *aren't* secure are things like databases that should be bound to the local interface only anyways.

- Les


Posted: Sat Apr 12, 2014 1:24 pm
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
akerl wrote:
jebblue wrote:
when you start it up the IP won't be in the stack so use Lish to login


Not sure if we're talking about different things, but a newly deployed Linode will boot with its IP up, via DHCP.

Also, the "burn it down" strategy seems massively excessive in this case. The firewall has so little to do with system security for 90% of people, I'm not sure why nuking it from orbit is recommended. SSH is resilient with strong credentials, firewall or no, and the main things that *aren't* secure are things like databases that should be bound to the local interface only anyways.

- Les


I'd configured mine for static so I guess I'd forgotten that it will boot from DHCP. That's probably not a wise policy for Linode to have for new Linodes, IMHO.

I stand by my recommendation that the OP should wipe it and start over.


Posted: Sat Apr 12, 2014 2:09 pm
Senior Member

Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
Why would you need to wipe? A firewall just blocks network access to services. By default only SSH listens on the public iface, IIRC. As long as the passwords are safe there should be no need to wipe, unless Debian decided to suddenly ship with vulnerable services.


Posted: Sat Apr 12, 2014 2:59 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
theatereleven wrote:
Okay, sweet. So that's probably how Windows servers get hacked so fast...they have a bunch of ports open for stuff.


No, it's usually a direct result of a user (or application) having more access than they know how to responsibly handle. I'd say any Windows OS released since the turn of the century is roughly as secure out-of-the-box (with a proper bare-bones install, applicable updates, and good passwords) as your average Linux distribution.

I recommend installing some evals of Microsoft OSes into VirtualBox (or similar virtualization software) and trying to pry your way in. BackTrack may be a helpful tool for this. It's not as easy as it used to be.

_________________
Code:
/* TODO: need to add signature to posts */


Posted: Sat Apr 12, 2014 6:23 pm
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
hoopycat wrote:
theatereleven wrote:
Okay, sweet. So that's probably how Windows servers get hacked so fast...they have a bunch of ports open for stuff.


No, it's usually a direct result of a user (or application) having more access than they know how to responsibly handle. I'd say any Windows OS released since the turn of the century is roughly as secure out-of-the-box (with a proper bare-bones install, applicable updates, and good passwords) as your average Linux distribution.

Historically Windows was wide open for attack; it had a bunch of exposed ports (e.g. SMB) and a mega-tonne of vulnerabilities.

As you say, though, a modern Windows is pretty secure. Most vulnerabilities have been fixed. However, there are always new ones, so having SMB open is still a risk, which is why Microsoft OSes also come with a firewall enabled by default. Microsoft fail a core security concept: "if you don't have something installed then it can't be used for an exploit". Windows is dependent on a good firewall config because it inherently runs so many network services.

Now to be fair, Linux historically also came with a load of default services. Back in the RedHat 4 (the original RedHat 4, not RHEL) days the joke used to be "how long from after installation to exploit" (the most common was people using stupidly weak passwords, which is still a risk today). Today, however, a modern Linux install doesn't run things. Some distros don't even run sshd by default. "If you don't install it, it can't be exploited". Linux distros, typically, aren't dependent on firewalls for security.

Both OSes also historically came with poor defaults (e.g. sendmail allowing open spam relay; IIS allowing access to source files, etc. etc.). Both OSes are better at this, as well.

I don't run firewalls on my Linode. I _do_ run a perimeter firewall at home (on the router) because I run additional services internally which I don't want exposed to the internet (e.g. NFS).

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


Posted: Sun Apr 13, 2014 12:03 am
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
hoopycat wrote:
I'd say any Windows OS released since the turn of the century is roughly as secure out-of-the-box (with a proper bare-bones install, applicable updates, and good passwords) as your average Linux distribution.


The two days the OP mentioned concerns me nowhere near as much as saying put Windows online without a firewall for more than 15 minutes.

edit: fixed quote attribution.


Posted: Mon Apr 14, 2014 12:17 am
Senior Member

Joined: Fri Jul 03, 2009 2:31 am
Posts: 54
ICQ: 897607
A co-worker and I once tried to get a Windows NT server up and patched around 2001-ish. It was hacked before we even finished the install, let alone before we could download "critical" security updates.

