On 04/26/15 02:36, Jim Garrett wrote:
> Am I correct in thinking that running a server for this purpose requires a 
> static IP address?
No. You can enlist the aid of a dynamic DNS service. I use DNSexit. The catch 
of this solution is that you must run a script on your server that periodically 
checks its IP address and updates the DNS server when it changes.

Sounds simple, but the biggest gotcha is when the update script stops working. For 
myself, I use a bash script wrapper around the Perl updater to detect when it 
has lost the plot, then restart it.
> Lots of inexperienced people running servers sounds like a large-scale 
> security disaster waiting to happen.  Is there any way this could be managed?
I just started a high security project at work this year. How far you need to 
go depends on the sensitivity of the data and services you want to protect. 
Here is some low hanging fruit:

  * Do not use SSH, or enable SSH on a non-standard port.
  * Use SSHGuard to detect and stop brute forcing attempts (works for more than just SSH btw).
  * Use IPTables, or similar firewall, to block ports other than those being used.
  * Install Snort to detect network intrusion attempts.
  * Install AIDE to detect intrusion (and rootkits) at the filesystem level.


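One way to build the updater watchdog described in the reply above, as an added example that is not the poster's own wrapper script. The hostname, IP echo URL, stamp file and service name are assumptions (placeholders or hypothetical), and the updater is assumed to touch the stamp file on every cycle.

```shell
#!/bin/sh
# Dynamic-DNS updater watchdog (added example; every name below is an assumption).
DDNS_HOST="${DDNS_HOST:-home.example.org}"              # placeholder hostname
IP_ECHO_URL="${IP_ECHO_URL:-https://ip.example.net/}"   # placeholder "what is my IP" service
STAMP_FILE="${STAMP_FILE:-/var/run/ddns-updater.stamp}" # hypothetical: updater touches it each cycle
MAX_AGE="${MAX_AGE:-900}"                               # seconds of updater silence tolerated
RESTART_CMD="${RESTART_CMD:-systemctl restart ddns-updater}" # hypothetical unit name

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# decide PUBLIC_IP DNS_IP STAMP_EPOCH NOW MAX_AGE: prints ok, restart or unknown.
decide() {
    # A silent updater is restarted no matter what the lookups say.
    if [ $(( $4 - $3 )) -gt "$5" ]; then echo restart; return; fi
    # Never act on garbage: a failed lookup must not cause a restart loop.
    if ! is_ipv4 "$1" || ! is_ipv4 "$2"; then echo unknown; return; fi
    # The record no longer matches the address we are reachable on.
    if [ "$1" != "$2" ]; then echo restart; return; fi
    echo ok
}

watchdog_main() {
    public_ip=$(curl -fsS --max-time 10 "$IP_ECHO_URL" 2>/dev/null)
    dns_ip=$(dig +short A "$DDNS_HOST" 2>/dev/null | tail -n 1)
    stamp=$(stat -c %Y "$STAMP_FILE" 2>/dev/null || echo 0)   # GNU stat; 0 if missing
    verdict=$(decide "$public_ip" "$dns_ip" "$stamp" "$(date +%s)" "$MAX_AGE")
    logger -t ddns-watchdog "host=$DDNS_HOST verdict=$verdict"
    if [ "$verdict" = restart ]; then $RESTART_CMD; fi
}

# Run from cron as: ddns-watchdog.sh --run  (nothing happens without --run)
if [ "${1:-}" = "--run" ]; then watchdog_main; fi
```

The `unknown` verdict is worth alerting on if it persists, since it means the watchdog itself can no longer see either the public address or the DNS record.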