Server Security

Ask questions about dedicated servers here and we and other users will do our best to answer them. Please also refer to the self-help section for tutorials and answers to the most commonly asked questions.
JayArea
New to forums
New to forums
Posts: 10
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Wed Jul 01, 2009 2:37 pm

Server Security

Post by JayArea »

what security measures can I take to make sure my server is secure? I don't want people getting access via remote desktop or getting rcon without my permission first.
User avatar
Edge100x
Founder
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle
Contact:

Re: Server Security

Post by Edge100x »

I'd recommend taking a few simple measures to try to prevent unauthorized access to your server.

- Use a complicated administrator password, like the one we first gave you, and store it in a safe place. Remote login attempts are frequently made by automated scripts from all corners of the internet and if you use a simple password one of these might be able to guess it.

- Minimize the number of users who have the administrator password. Ideally, you should be the only one who has it. Consider setting up an FTP service like FileZilla so that others can have some access, but not unlimited access.

- Disable the "server" service and any others that you don't actually need, through the Control Panel->Administrative tools->Services snap-in. The "server" service provides additional remote access capabilities (such as file sharing) and has been a common source of security problems for Windows versions.

- Avoid web surfing on your dedicated server. Web browsers, and in particular Internet Explorer, are possibly the most common source of new, critical security vulnerabilities, and sometimes just visiting a website can infect your machine with a fresh virus. When you do open pages, visit only trusted sites.

- Make sure that you are always running the latest Windows security updates. Using the Automatic Updates server is a good way of doing this, but keep in mind that sometimes the AU service freezes when it tries to reboot after applying its updates and you may need to manually power cycle your machine through our control panel.

- Don't run anything but trusted server executables (and trusted programs to support them) on your dedicated machine. For instance, don't run AIM, gadgets to expand your desktop, email clients, or anything like that. Run only plugins on your servers that you trust.

- Consider running an antivirus application in the background. This isn't generally required if you follow the other steps, however. If you do run an AV, make sure that the it does not come with a firewall.

We don't typically recommend running a firewall with a dedicated server because it is not really necessary if you follow the other steps, and it's very easy to block your own access to the machine (which would require us to order up an on-site technician to fix the problem). With a VDS, though, you could experiment with one without worry -- just keep an eye on CPU usage, since firewalls do cause some overhead.
ziggo0
New to forums
New to forums
Posts: 1
Joined: Tue Oct 26, 2010 8:48 pm

Re: Server Security

Post by ziggo0 »

I've been worrying about this myself as of late. Most if not all unnecessary services are disabled on my VPS, and unneeded programs are not running. Just a game server, http, ftp, and mysql. I've never been a fan of AV's or software firewalls due to the bog it feels that they put on the machine, edge - can you make any recommendations for a light weight software firewall? I'm assuming this only really works on our VPS because of the web based VNC you have in the control panel?
User avatar
Edge100x
Founder
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle
Contact:

Re: Server Security

Post by Edge100x »

ziggo0 wrote:edge - can you make any recommendations for a light weight software firewall?
The one included in Windows is pretty good, actually, as is the Linux one (iptables). I'd recommend just sticking with these.
I'm assuming this only really works on our VPS because of the web based VNC you have in the control panel?
You could configure a firewall on a machine without VNC, as well, but the VNC is nice because it allows you to go in and fix any mistake :)
rustydusty1717
This is my homepage
This is my homepage
Posts: 642
Joined: Sun Sep 20, 2009 6:15 pm

Re: Server Security

Post by rustydusty1717 »

Like John said, don't run anything besides your basic stuff, don't use a browser, don't download files unless you know what they are. Basically, use common sence and you will be fine. Main thing is your remote desktop/shell password. Use the one NFO provides and you should be fine. I've never ran a firewall on and VDS or Dedicated server I've used, and not once had issues. They generally do slow things down a bit, if not a lot.
Image
axelkic
New to forums
New to forums
Posts: 14
Joined: Mon Sep 14, 2009 5:12 pm

Re: Server Security

Post by axelkic »

the best type of security is premature protection. if your security is being compromised, it's already too late. i know that's not entirely true, but the best way to steer clear of having security issues is to not give anyone a reason to do it. with your gameserver, don't go out or you way to pick fights with cheaters, these people are already cheating at a game (why put hacking/ddosing past them?). that's just my 2 cents, but windows firewall is very solid, i have an older program (very very basic but effective) that's from 2004 for firewall security, i might post it in a bit.
rustydusty1717
This is my homepage
This is my homepage
Posts: 642
Joined: Sun Sep 20, 2009 6:15 pm

Re: Server Security

Post by rustydusty1717 »

Firewall's can be handy, but sometimes it doesn't matter if you have no firewalls or 3, someone can get it. It's entirely up to you though, as the admin of the VDS. I tend to find them more of a pain than useful, but that is just my personal opinion on them.
Image
Gossamer
New to forums
New to forums
Posts: 7
Joined: Sun Mar 28, 2010 8:55 am

Re: Server Security

Post by Gossamer »

I have windows firewall running and I only allow my game servers, HTTP and FTP servers access.

I checked my security event logs today and there are a lot of failed logins from random IP addresses. I've seen 5 different IP Addresses so far trying to log into accounts "admin" and "administrator". The Base administrator account that was on the VDS when I go it still has the rather complex password.

Is there anything I can do to prevent these people from trying to basically "brute" into my server?
User avatar
Edge100x
Founder
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle
Contact:

Re: Server Security

Post by Edge100x »

Those sorts of brute force attacks are unfortunately unavoidable on any public-facing server. The most important measures to take in mitigating them are to keep all of your applications as up-to-date as possible and to use secure passwords.

I've seen some attempts to detect these and ban the IPs involved, but for the most part, that won't do a lot of good.
Gossamer
New to forums
New to forums
Posts: 7
Joined: Sun Mar 28, 2010 8:55 am

Re: Server Security

Post by Gossamer »

Ah so this is a regular thing. Ok, well I have the latest updates on the OS, and have made sure the passwords are very strong, so I shouldn't have anything to worry about then.
Yash
New to forums
New to forums
Posts: 2
Joined: Sat Aug 13, 2011 2:20 pm

Re: Server Security

Post by Yash »

Regarding disabling the "server" service, im an avid Teamviewer user and I prefer it over VNC anyday, would disabling this service still allow me to use it? thx.
User avatar
TimeX
Staff
Staff
Posts: 1730
Joined: Thu Jul 22, 2004 12:24 am
Location: Big Bear, CA

Re: Server Security

Post by TimeX »

It should, as I don't think it needs the "Server" service. If Teamviewer stops working, you could always enable the service again via VNC.
TimeX
Yash
New to forums
New to forums
Posts: 2
Joined: Sat Aug 13, 2011 2:20 pm

Re: Server Security

Post by Yash »

will do, thx.
justchil
New to forums
New to forums
Posts: 3
Joined: Thu Jun 06, 2013 12:20 pm

Re: Server Security

Post by justchil »

One good thing I've always done on any windows server that's open to the internet is to change the RDP port. It's a simple registry change / reboot. Just be careful and follow proper instructions.
User avatar
soja
This is my homepage
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Server Security

Post by soja »

That is a great option, but a much simpler one on a VDS is to make an IP whitelist in the firewall tab. This is something I recommend everyone do.

Here is an example of mine:

Image

Because rules are evaluated in-order for VDS's and linux systems, you can make rules that will accept packets and they will not go through the other rules, and if they don't match the first rule, they will go to the next one.

In this example, I have my "staff" IPs set to be allowed, and any traffic that does not match those IPs passes that rule, if their traffic is destined to port 22 or 2087(WHM management panel) it will be dropped.

This is a great measure to take so port scanners will not even know your machine has the ports open :)
Not a NFO employee
Post Reply