Securing my desktop Linux Mint FTP server


Post by anotheri » Wed Jan 02, 2019 4:19 am

Over the course of the past few weeks I have been setting up my first real server that I hope to be able to release in the wild soon enough. I was looking for some advice about my setup before I finally turn it on and expose it to the internet.

I am running a home FTP server using ProFTPD version 1.3.5e on an Intel NUC that is running Linux Mint 19. The server is technically not directly exposed to the internet; it is behind a NAT (Ubiquiti EdgeRouter ER-X, which is a decent semi-enterprise-grade router) that has ports forwarded to the Linux box running the FTP server. This router has its own built-in dynamic DNS client which interfaces with my domain provider's servers to resolve my domain to this router's WAN address.

Before someone says it... I am aware full GUI desktop Linux is not an ideal server. Some (especially the Linux elitists) were ripping on me on another forum for this as they indicated the Xorg GUI/X-Window system was never made to be exposed on the internet/be part of a server and could potentially be exploited.

In case you're wondering why I chose Linux Mint instead of something like Ubuntu server...

I'm not a Linux expert, setting up my first server was one heck of a time. I chose a GUI desktop Linux distro since I figured it would be a lot easier to do a bunch of unknown things with a user friendly GUI window system so I could drag and drop .conf files/certificates, open the whole file explorer as sudo for ease of use while configuring, etc... I would also like to use the server as an HTPC of sorts sometimes so having a full GUI environment that can be used at will is handy.

Like I said previously, technically this server is not directly exposed to the internet. So while desktop Linux and Xorg might not be made with the security of facing the internet directly in mind, the Ubiquiti EdgeRouter ER-X that is the NAT in front of it is basically a CLI-only Linux router running the proprietary EdgeOS, AND that is made to be facing the internet directly. I could be mistaken, but I feel like that should offset the increased attack surface of using desktop Linux as a server.

Is this adequate or did choosing GUI desktop Linux Mint as a server OS seriously compromise security? If so can anything be done to mitigate these vulnerabilities like temporarily disabling the GUI/Window system and turning the Linux Mint box CLI only until I need the GUI back to minimize possible exploits against Xorg, etc?

I am looking for general advice on how to harden my server before I expose it on the internet full time. My FTP server is working properly; before anyone asks, it is NOT plain-text old-school FTP. I set up my server for FTPES (file transfer protocol explicit SSL) using TLS 1.2 on both control & data connections using a real CA-issued SSL cert. The FTP logins are set up with virtual users jailed to their home directory without valid shells using 30-character passwords. The normal user account also has a 30-character password and SSH is disabled altogether; I will be administering the server by physically plugging into it with a keyboard/mouse/screen.

I was going to use a non-standard port to reduce brute-force attempts by bots, but instead I installed fail2ban and activated the default proftpd jail profile, which bans IPs after 3 failed attempts at logging in. This and my fairly long password should prevent brute-force attempts by bots/port scanners. I also believe that my home router is set up by default to not respond to ping requests.

I have configured the firewall on the Linux Mint box through the UFW CLI: default deny all IN & default deny all OUT. I have added exceptions for port 21/TCP IN & OUT, as my server needs to be reachable/send on the FTP port, and the following 60000:60010 TCP port range IN (so another 10 ports) as required for PASV FTP to work.

The only other ports I have allowed out are 53 (DNS), 80 (HTTP) & 443 (HTTPS) so that updates fetched from the update manager can connect/download from the official repositories.

I have been told that part of securing a server would be to find all unnecessary active/listening processes through the use of the #netstat command and kill them off. I am unsure how to do this, so if someone knows, or knows of what specific at-risk processes I should kill off, I am all ears.

I will also be monitoring the logs in the following locations:

/var/log/proftpd/ to see who is connecting/uploading what
/var/log/fail2ban.log to see who is being banned for repeated/brute force attempts
/var/log/auth.log to make sure nobody is sudo'ing up when they should not be

Is that enough? Any other logs I should be monitoring? With what frequency should I be checking these logs?

I feel like that should cover all the bases. I know there are a few other logs, but my problem is that they end up being complicated enough that I wouldn't really know what I was looking at anyway.

I plan on turning on auto updates in the update manager for my server so things like kernel updates/security patches get auto-updated, and log into the server myself once every two weeks or so to check it, read the logs, restart it, etc.

I am under the impression that once I expose a device to be reachable on the internet it will basically be under attack 24/7. Have I covered all my bases here? Is my server ready to be turned loose into the wild? Is there anything else I should be doing, any other security related applications I should install/configure?

One last thing is that my FTP server will be simply sitting on the LAN of my router just as any other device normally would. Should I go out of my way to create a separate VLAN just for it, DMZ or some other kind of segregation or does it not matter? The only other thing on my LAN is my daily driver Linux Mint desktop, no IOT devices or things like that.

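The post asks how to find "unnecessary active/listening processes" with netstat. The script below is an added example (not code from the poster or from ProFTPD) that parses the output of `ss -tulnp` (the modern replacement for `netstat -tulnp`) and sorts every listener into one of three buckets: a port the post deliberately opened (21/tcp and the 60000-60010 passive range), a socket bound only to loopback (unreachable from the LAN or the internet regardless of the firewall), or a socket bound to a wildcard address on some other port. The `ss` output embedded in the block is constructed for illustration, not captured from the poster's NUC; the process names in it are assumptions. On a real box, run `ss -tulnp | python3 listeners.py` style and feed `sys.stdin.read()` to `audit()`. Note that the passive data ports only appear while a transfer is in progress, so not seeing them in the LISTEN list is expected.

```python
"""Audit listening sockets against an allow-list (added example, not from the post)."""
import re
from dataclasses import dataclass

# Ports the post intentionally exposes: FTP control plus the PASV range.
ALLOWED_PORTS = {21} | set(range(60000, 60011))

# Constructed sample of `ss -tulnp` output; NOT captured from the poster's machine.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=12))
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=701,fd=12))
tcp   LISTEN 0      128    0.0.0.0:21          0.0.0.0:*         users:(("proftpd",pid=1402,fd=0))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=720,fd=7))
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=880,fd=30))
tcp   LISTEN 0      5      [::]:6000           [::]:*            users:(("Xorg",pid=990,fd=5))
"""


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    process: str
    verdict: str  # "allowed", "loopback" or "exposed"


# One `ss` row: proto, state, two queue counters, local addr:port, peer, optional process.
_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def _split_local(local: str):
    """Split 'addr:port', tolerating IPv6 brackets and %iface scope suffixes."""
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]").split("%")[0]
    return addr, int(port)


def _is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def audit(ss_output: str, allowed=ALLOWED_PORTS):
    """Classify every listener in `ss -tulnp` output; header/unknown lines are skipped."""
    found = []
    for line in ss_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        addr, port = _split_local(m["local"])
        if port in allowed:
            verdict = "allowed"
        elif _is_loopback(addr):
            verdict = "loopback"
        else:
            verdict = "exposed"  # wildcard/LAN bind on a port the firewall is not meant to pass
        found.append(Listener(m["proto"], addr, port, m["proc"] or "?", verdict))
    return found


def exposed_ports(ss_output: str, allowed=ALLOWED_PORTS):
    """Sorted ports that a default-deny firewall is currently the only thing protecting."""
    return sorted({l.port for l in audit(ss_output, allowed) if l.verdict == "exposed"})


if __name__ == "__main__":
    for l in audit(SAMPLE_SS):
        print(f"{l.verdict:9} {l.proto} {l.addr}:{l.port} ({l.process})")
    print("disable or bind to loopback:", exposed_ports(SAMPLE_SS))
```

Anything reported as "exposed" is a service the UFW default-deny policy is hiding rather than one that is absent; the fix a practitioner wants is to stop or mask the unit (`systemctl disable --now avahi-daemon` for the constructed avahi entry, for example) so the firewall is a second layer rather than the only one.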
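The post lists /var/log/proftpd/, /var/log/fail2ban.log and /var/log/auth.log and asks what to look for and how often. The script below is an added example (not the poster's code and not part of ProFTPD, fail2ban or sudo) that turns those three logs into the handful of numbers worth reading every visit: bans issued, failed FTP logins per source address, successful FTP logins (flagged when they come from an address that also produced failures or a ban), sudo commands run, and sudo attempts by users who are not in sudoers. The sample lines are constructed to match the stock line formats of fail2ban's actions log, ProFTPD's default syslog messages and sudo's auth.log entries, with RFC 5737 documentation addresses; real logs will differ in hostname, timestamps and any custom ProFTPD LogFormat, so adjust the regexes if a line you care about is not counted.

```python
"""Summarise fail2ban, ProFTPD and sudo log lines (added example, not the poster's code)."""
import re
from collections import Counter

# Constructed sample lines; hostnames, PIDs and addresses are illustrative only.
SAMPLE_LINES = """\
2019-01-02 04:21:07,512 fail2ban.filter         [1183]: INFO    [proftpd] Found 203.0.113.7
2019-01-02 04:21:09,001 fail2ban.actions        [1183]: NOTICE  [proftpd] Ban 203.0.113.7
2019-01-02 04:31:09,230 fail2ban.actions        [1183]: NOTICE  [proftpd] Unban 203.0.113.7
Jan  2 04:20:31 nuc proftpd[1402] nuc (203.0.113.7[203.0.113.7]): USER admin: no such user found from 203.0.113.7 [203.0.113.7] to ::ffff:192.168.1.10:21
Jan  2 04:20:55 nuc proftpd[1403] nuc (203.0.113.7[203.0.113.7]): USER backup (Login failed): Incorrect password
Jan  2 04:25:12 nuc proftpd[1410] nuc (198.51.100.4[198.51.100.4]): USER backup: Login successful.
Jan  2 04:40:02 nuc sudo:    alice : TTY=tty1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt upgrade
Jan  2 04:41:20 nuc sudo:      bob : user NOT in sudoers ; TTY=tty2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

# fail2ban.log: only the actions logger records Ban/Unban decisions.
_F2B = re.compile(r"fail2ban\.actions.*\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)")
# ProFTPD syslog lines: "host (ip[ip]): USER name: no such user found" / "(Login failed)" / "Login successful".
_FTP = re.compile(
    r"proftpd\[\d+\] \S+ \((?P<ip>[^\[]+)\[[^\]]*\]\): USER (?P<user>\S+?)"
    r"(?P<rest>: no such user found| \(Login failed\)|: Login successful)"
)
# sudo in auth.log: "sudo:  user : [user NOT in sudoers ;] TTY=... ; COMMAND=..."
_SUDO = re.compile(r" sudo:\s+(?P<user>\S+) : (?P<denied>user NOT in sudoers ; )?.*COMMAND=(?P<cmd>.*)$")


def triage(text: str) -> dict:
    """Return counters and lists a fortnightly log check should start from."""
    bans, failed = Counter(), Counter()
    logins, sudo_ok, sudo_denied = [], [], []
    for line in text.splitlines():
        if (m := _F2B.search(line)):
            if m["action"] == "Ban":
                bans[m["ip"]] += 1
        elif (m := _FTP.search(line)):
            if "successful" in m["rest"]:
                logins.append((m["ip"], m["user"]))
            else:
                failed[m["ip"]] += 1
        elif (m := _SUDO.search(line)):
            (sudo_denied if m["denied"] else sudo_ok).append((m["user"], m["cmd"]))
    # A success from an address that was also guessing or banned deserves a closer look.
    suspicious = [(ip, u) for ip, u in logins if ip in failed or ip in bans]
    return {
        "bans": dict(bans),
        "failed_logins": dict(failed),
        "logins": logins,
        "suspicious_logins": suspicious,
        "sudo": sudo_ok,
        "sudo_denied": sudo_denied,
    }


def needs_attention(report: dict) -> bool:
    """True when something in the report should be read line by line rather than skimmed."""
    return bool(report["suspicious_logins"] or report["sudo_denied"])


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LINES
    report = triage(data)
    for key, value in report.items():
        print(f"{key:18} {value}")
    print("needs attention:", needs_attention(report))
```

Usage on the real box is `cat /var/log/fail2ban.log /var/log/proftpd/proftpd.log /var/log/auth.log | python3 triage.py`; with log rotation every two weeks you will want to include the rotated `.1` files so a fortnightly visit sees the whole interval.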