Secure Meshcentral server on Vultr

pmoncho

Goal - Lock down the server to a point where the level of risk is rather low from the rest of the outside world.

Wondering what else I should do?

Based on my setup below, the two possible changes I can think of based on my reading,
--Change SSH to different port (is it worth it?)
--Change port in MC to 4433 instead of 443

Current Setup:

Vultr account setup with 2FA
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
--Allow SSH port 22 from Home and Work IP only
--Allow 80 and 443 from anywhere to get to MC

Ubuntu 18.04.2 (I know others like Fedora and Ubuntu current)
--Check for Updates Daily
--SSH with Keys only (Private Key has a passphrase)
--No SSH root login
--fail2ban for SSH
UFW
--Allow SSH port 22 from Home and Work IP only
--Allow 80 and 443 from anywhere

Meshcentral with NeBB-
--MC Site login setup with 2FA
--SelfUpdate =True
--UserAllowedIP set to home and work IP's only
--Using LE

JaredBusch

@pmoncho said in Secure Meshcentral server on Vultr:

Based on my setup below, the two possible changes I can think of based on my reading,
--Change SSH to different port (is it worth it?)
--Change port in MC to 4433 instead of 443

This serves zero purpose except to complicate your life.

pmoncho

@JaredBusch
Thanks. That is what I was thinking. I just read read and read more but I have not been a security through obscurity kinda person.

scottalanmiller

@pmoncho said in Secure Meshcentral server on Vultr:

--Change SSH to different port (is it worth it?)

Personally I don't think so. Use keys, use fail2ban, if you change the port, do it because it makes your logs cleaner, not for security.

scottalanmiller

@JaredBusch said in Secure Meshcentral server on Vultr:

@pmoncho said in Secure Meshcentral server on Vultr:

Based on my setup below, the two possible changes I can think of based on my reading,
--Change SSH to different port (is it worth it?)
--Change port in MC to 4433 instead of 443

This serves zero purpose except to complicate your life.

I agree. Makes things harder for you, not harder for hackers.

JaredBusch

@pmoncho said in Secure Meshcentral server on Vultr:

@JaredBusch
Thanks. That is what I was thinking. I just read read and read more but I have not been a security through obscurity kinda person.

When it comes to the internet, there is no such thing as security through obscurity.

No one is looking at this shit. It is bots and they don't care WTF port they find open.

There absolutely are bots out there attempting to open connections to every port on every IP.

There are exactly 2 things that changing the port does.

1. It reduces the hits, so you will have smaller logs of hits, but it is only a reduction. Once one of the bots finds it, your IP goes on a list and is resold.
2. It causes you to fucking cuss at yourself everytime you forget to use the "random" port you selected.

pmoncho

@scottalanmiller said in Secure Meshcentral server on Vultr:

@JaredBusch said in Secure Meshcentral server on Vultr:

@pmoncho said in Secure Meshcentral server on Vultr:

Based on my setup below, the two possible changes I can think of based on my reading,
--Change SSH to different port (is it worth it?)
--Change port in MC to 4433 instead of 443

This serves zero purpose except to complicate your life.

I agree. Makes things harder for you, not harder for hackers.

I am of the belief that to hackers, they will scan as many ports for as many protocols as they can. If they can't find SSH on 22, they will search all the way up to 65543 to find it.

scottalanmiller

@pmoncho said in Secure Meshcentral server on Vultr:

@scottalanmiller said in Secure Meshcentral server on Vultr:

@JaredBusch said in Secure Meshcentral server on Vultr:

@pmoncho said in Secure Meshcentral server on Vultr:

Based on my setup below, the two possible changes I can think of based on my reading,
--Change SSH to different port (is it worth it?)
--Change port in MC to 4433 instead of 443

This serves zero purpose except to complicate your life.

I agree. Makes things harder for you, not harder for hackers.

I am of the belief that to hackers, they will scan as many ports for as many protocols as they can. If they can't find SSH on 22, they will search all the way up to 65543 to find it.

Absolutely. They will look for all open ports, regardless of protocol, too.

Reid Cooper

@pmoncho said in Secure Meshcentral server on Vultr:

Ubuntu 18.04.2 (I know others like Fedora and Ubuntu current)

Why the older release? Likely to be faster and more stable on the newer release and MeshCentral is being used there.

Reid Cooper

@pmoncho said in Secure Meshcentral server on Vultr:

Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)

Less portable that way. Why not do it the normal way?

Reid Cooper

@pmoncho said in Secure Meshcentral server on Vultr:

UFW
--Allow SSH port 22 from Home and Work IP only
--Allow 80 and 443 from anywhere

Is port 80 needed?

black3dynamite

@Reid-Cooper said in Secure Meshcentral server on Vultr:

@pmoncho said in Secure Meshcentral server on Vultr:

UFW
--Allow SSH port 22 from Home and Work IP only
--Allow 80 and 443 from anywhere

Is port 80 needed?

Maybe if nginx is acting as a reverse proxy server.
User > nginx {80 and 443} > meshcentral {443}

scottalanmiller

@black3dynamite wouldnt that take the secure meshcentral and expose it as unencrypted?

black3dynamite

@scottalanmiller said in Secure Meshcentral server on Vultr:

@black3dynamite wouldnt that take the secure meshcentral and expose it as unencrypted?

Now I'm only assuming if Nginx and MeshCentral are on separate VM
You are have nginx listening on port 80 and then redirect to 443. Proxy pass is set to the MeshCentral VM address and port 443.

Now if nginx and MeshCentral is on the same VM, I would do something like the example on page 30, 31, and 32.
http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide-0.2.2.pdf

scottalanmiller

@black3dynamite said in Secure Meshcentral server on Vultr:

@scottalanmiller said in Secure Meshcentral server on Vultr:

@black3dynamite wouldnt that take the secure meshcentral and expose it as unencrypted?

Now I'm only assuming if Nginx and MeshCentral are on separate VM
You are have nginx listening on port 80 and then redirect to 443. Proxy pass is set to the MeshCentral VM address and port 443.

If Nginx listens on port 80, that would make MC think it was secure, but have the encryption removed before going over the Internet. It's the other way that you'd want to do it. MC on 80, Nginx listening on 443.

JaredBusch

Mesh Central has to listen on 80 i order to get the LE cert.

Other than that, instance, I believe it force edirects traffic to 443

pmoncho

@Reid-Cooper said in Secure Meshcentral server on Vultr:

@pmoncho said in Secure Meshcentral server on Vultr:

Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)

Less portable that way. Why not do it the normal way?

I went the LTS route as I used Vultr's image and its what I know at the moment. No other reason. Someday I will change it over to Ubuntu Current or Fedora.

pmoncho

@Reid-Cooper said in Secure Meshcentral server on Vultr:

@pmoncho said in Secure Meshcentral server on Vultr:

Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)

Less portable that way. Why not do it the normal way?

Little lost here. What is the "normal way?"

Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.

Dashrender

@pmoncho said in Secure Meshcentral server on Vultr:

@Reid-Cooper said in Secure Meshcentral server on Vultr:

@pmoncho said in Secure Meshcentral server on Vultr:

Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)

Less portable that way. Why not do it the normal way?

Little lost here. What is the "normal way?"

Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.

Is that really a risk during install though? What ports are open during install that would make this a concern?

pmoncho

@Dashrender said in Secure Meshcentral server on Vultr:

@pmoncho said in Secure Meshcentral server on Vultr:

@Reid-Cooper said in Secure Meshcentral server on Vultr:

@pmoncho said in Secure Meshcentral server on Vultr:

Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)

Less portable that way. Why not do it the normal way?

Little lost here. What is the "normal way?"

Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.

Is that really a risk during install though? What ports are open during install that would make this a concern?

Truth is, I have no idea. Most likely not though. Just enabled it until I had the OS installed, opened the SSH port so I could get in from my IP and configured UFW on Ubuntu. Just never disabled the Vultr FW. Figure it didn't hurt so I kept it.

I guess its just personal trust issues. I even sometimes like my car doors while parked in my garage with a garage door opener and locked side door. Weird I know!