Secure Meshcentral server on Vultr
-
@pmoncho said in Secure Meshcentral server on Vultr:
@scottalanmiller said in Secure Meshcentral server on Vultr:
@JaredBusch said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Based on my setup below, the two possible changes I can think of based on my reading,
--Change SSH to different port (is it worth it?)
--Change port in MC to 4433 instead of 443
This serves zero purpose except to complicate your life.
I agree. Makes things harder for you, not harder for hackers.
I am of the belief that to hackers, they will scan as many ports for as many protocols as they can. If they can't find SSH on 22, they will search all the way up to 65543 to find it.
Absolutely. They will look for all open ports, regardless of protocol, too.
-
@pmoncho said in Secure Meshcentral server on Vultr:
Ubuntu 18.04.2 (I know others like Fedora and Ubuntu current)
Why the older release? Likely to be faster and more stable on the newer release and MeshCentral is being used there.
-
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
-
@pmoncho said in Secure Meshcentral server on Vultr:
UFW
--Allow SSH port 22 from Home and Work IP only
--Allow 80 and 443 from anywhere
Is port 80 needed?
-
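A check for the UFW policy discussed above (SSH from named addresses only, 80 and 443 from anywhere), as an added example that is not part of the original thread: it reads `ufw status` output and reports any other port that is reachable from Anywhere. The sample output and its addresses are constructed, and `audit_ufw`, `sample_ok` and `sample_bad` are hypothetical names.

```shell
#!/bin/sh
# Added example: audit `ufw status` output against the policy in the thread.
# Policy: 80 and 443 open to anywhere, SSH (22) only from specific sources.
# Any other rule that allows traffic from "Anywhere" is reported.

# Constructed sample of `ufw status` output. The source addresses are
# documentation ranges (RFC 5737), not values from the thread.
sample_ok() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       203.0.113.10
22/tcp                     ALLOW       198.51.100.20
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
EOF
}

# Constructed failing case: the same rules plus SSH left open to the world.
sample_bad() {
  sample_ok
  printf '%s\n' '22/tcp                     ALLOW       Anywhere'
}

# audit_ufw: reads `ufw status` text on stdin, prints one line per finding.
audit_ufw() {
  awk '
    /^Status:/ { seen = 1; if ($2 != "active") print "FINDING: firewall is " $2 }
    {
      # Locate the ALLOW column; the source is the field after it
      # ("ALLOW IN" appears in verbose output, so skip "IN").
      for (i = 2; i <= NF; i++) if ($i == "ALLOW") {
        src = $(i + 1); if (src == "IN") src = $(i + 2)
        split($1, p, "/")   # "22/tcp" -> port "22"
        if (src == "Anywhere" && p[1] != "80" && p[1] != "443")
          print "FINDING: " $1 " is open to Anywhere"
        break
      }
    }
    END { if (!seen) print "FINDING: no Status line in input" }
  '
}

# Demonstration on the constructed failing sample.
# On a real host: sudo ufw status | audit_ufw
sample_bad | audit_ufw
```

An application-profile rule (for example one named by profile rather than by port) that allows Anywhere is also reported, since its first field is not 80 or 443.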
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
UFW
--Allow SSH port 22 from Home and Work IP only
--Allow 80 and 443 from anywhere
Is port 80 needed?
Maybe if nginx is acting as a reverse proxy server.
User > nginx {80 and 443} > meshcentral {443}
-
@black3dynamite wouldn't that take the secure meshcentral and expose it as unencrypted?
-
@scottalanmiller said in Secure Meshcentral server on Vultr:
@black3dynamite wouldn't that take the secure meshcentral and expose it as unencrypted?
Now I'm only assuming if Nginx and MeshCentral are on separate VMs
You have nginx listening on port 80 and then redirect to 443. Proxy pass is set to the MeshCentral VM address and port 443.
Now if nginx and MeshCentral are on the same VM, I would do something like the example on pages 30, 31, and 32.
http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide-0.2.2.pdf
-
@black3dynamite said in Secure Meshcentral server on Vultr:
@scottalanmiller said in Secure Meshcentral server on Vultr:
@black3dynamite wouldn't that take the secure meshcentral and expose it as unencrypted?
Now I'm only assuming if Nginx and MeshCentral are on separate VMs
You have nginx listening on port 80 and then redirect to 443. Proxy pass is set to the MeshCentral VM address and port 443.
If Nginx listens on port 80, that would make MC think it was secure, but have the encryption removed before going over the Internet. It's the other way that you'd want to do it. MC on 80, Nginx listening on 443.
-
Mesh Central has to listen on 80 in order to get the LE cert.
Other than that instance, I believe it force redirects traffic to 443
-
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
I went the LTS route as I used Vultr's image and it's what I know at the moment. No other reason. Someday I will change it over to Ubuntu Current or Fedora.
-
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
-
@pmoncho said in Secure Meshcentral server on Vultr:
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
Is that really a risk during install though? What ports are open during install that would make this a concern?
-
@Dashrender said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
Is that really a risk during install though? What ports are open during install that would make this a concern?
Truth is, I have no idea. Most likely not though. Just enabled it until I had the OS installed, opened the SSH port so I could get in from my IP and configured UFW on Ubuntu. Just never disabled the Vultr FW. Figure it didn't hurt so I kept it.
I guess it's just personal trust issues. I even sometimes lock my car doors while parked in my garage with a garage door opener and locked side door. Weird I know!
-
@pmoncho said in Secure Meshcentral server on Vultr:
@Dashrender said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
Is that really a risk during install though? What ports are open during install that would make this a concern?
Truth is, I have no idea. Most likely not though. Just enabled it until I had the OS installed, opened the SSH port so I could get in from my IP and configured UFW on Ubuntu. Just never disabled the Vultr FW. Figure it didn't hurt so I kept it.
I guess it's just personal trust issues. I even sometimes lock my car doors while parked in my garage with a garage door opener and locked side door. Weird I know!
A little paranoia isn't a bad thing... but I think you may be tiptoeing the line.
-
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Dashrender said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
Is that really a risk during install though? What ports are open during install that would make this a concern?
Truth is, I have no idea. Most likely not though. Just enabled it until I had the OS installed, opened the SSH port so I could get in from my IP and configured UFW on Ubuntu. Just never disabled the Vultr FW. Figure it didn't hurt so I kept it.
I guess it's just personal trust issues. I even sometimes lock my car doors while parked in my garage with a garage door opener and locked side door. Weird I know!
A little paranoia isn't a bad thing... but I think you may be tiptoeing the line.
No doubt. Have to let go a little.
-
@pmoncho said in Secure Meshcentral server on Vultr:
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Dashrender said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
Is that really a risk during install though? What ports are open during install that would make this a concern?
Truth is, I have no idea. Most likely not though. Just enabled it until I had the OS installed, opened the SSH port so I could get in from my IP and configured UFW on Ubuntu. Just never disabled the Vultr FW. Figure it didn't hurt so I kept it.
I guess it's just personal trust issues. I even sometimes lock my car doors while parked in my garage with a garage door opener and locked side door. Weird I know!
A little paranoia isn't a bad thing... but I think you may be tiptoeing the line.
No doubt. Have to let go a little.
But only a little. Don't want somebody to steal your car when they get into your garage.
-
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Dashrender said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
Is that really a risk during install though? What ports are open during install that would make this a concern?
Truth is, I have no idea. Most likely not though. Just enabled it until I had the OS installed, opened the SSH port so I could get in from my IP and configured UFW on Ubuntu. Just never disabled the Vultr FW. Figure it didn't hurt so I kept it.
I guess it's just personal trust issues. I even sometimes lock my car doors while parked in my garage with a garage door opener and locked side door. Weird I know!
A little paranoia isn't a bad thing... but I think you may be tiptoeing the line.
No doubt. Have to let go a little.
But only a little. Don't want somebody to steal your car when they get into your garage.
Lol - they'd still likely need the keys - so even having open doors doesn't really help the crook.
-
@Dashrender said in Secure Meshcentral server on Vultr:
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Dashrender said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
Is that really a risk during install though? What ports are open during install that would make this a concern?
Truth is, I have no idea. Most likely not though. Just enabled it until I had the OS installed, opened the SSH port so I could get in from my IP and configured UFW on Ubuntu. Just never disabled the Vultr FW. Figure it didn't hurt so I kept it.
I guess it's just personal trust issues. I even sometimes lock my car doors while parked in my garage with a garage door opener and locked side door. Weird I know!
A little paranoia isn't a bad thing... but I think you may be tiptoeing the line.
No doubt. Have to let go a little.
But only a little. Don't want somebody to steal your car when they get into your garage.
Lol - they'd still likely need the keys - so even having open doors doesn't really help the crook.
Crook needs no keys. That is the scary part. Metal shim, wire cutter/stripper, electrical tape and possibly screwdriver. Jimmy lock, strip wires, connect to get it out of park, push to end of driveway, connect to start up and away they go. Ugh. Too much Black Mirror and Mr. Robot.
-
@pmoncho said in Secure Meshcentral server on Vultr:
@Dashrender said in Secure Meshcentral server on Vultr:
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Dashrender said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
Is that really a risk during install though? What ports are open during install that would make this a concern?
Truth is, I have no idea. Most likely not though. Just enabled it until I had the OS installed, opened the SSH port so I could get in from my IP and configured UFW on Ubuntu. Just never disabled the Vultr FW. Figure it didn't hurt so I kept it.
I guess it's just personal trust issues. I even sometimes lock my car doors while parked in my garage with a garage door opener and locked side door. Weird I know!
A little paranoia isn't a bad thing... but I think you may be tiptoeing the line.
No doubt. Have to let go a little.
But only a little. Don't want somebody to steal your car when they get into your garage.
Lol - they'd still likely need the keys - so even having open doors doesn't really help the crook.
Crook needs no keys. That is the scary part. Metal shim, wire cutter/stripper, electrical tape and possibly screwdriver. Jimmy lock, strip wires, connect to get it out of park, push to end of driveway, connect to start up and away they go. Ugh. Too much Black Mirror and Mr. Robot.
Yeah - the main temper to that around here is - what are the chances of YOU being a target? and what percentage of crooks are going to have those skills? I don't know you, so I can't see what your level of being targeted are, but the % of crooks with the skills are very low.
-
@Dashrender said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Dashrender said in Secure Meshcentral server on Vultr:
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@dafyre said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Dashrender said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
@Reid-Cooper said in Secure Meshcentral server on Vultr:
@pmoncho said in Secure Meshcentral server on Vultr:
Vultr Firewall setup (I don't believe I need this as UFW is setup on Ubuntu)
Less portable that way. Why not do it the normal way?
Little lost here. What is the "normal way?"
Basically, I setup the Vultr FW because I wanted to make sure the MC server had a FW up front during the initial install and config. After setting up UFW on Ubuntu, I realized that I may no longer need it.
Is that really a risk during install though? What ports are open during install that would make this a concern?
Truth is, I have no idea. Most likely not though. Just enabled it until I had the OS installed, opened the SSH port so I could get in from my IP and configured UFW on Ubuntu. Just never disabled the Vultr FW. Figure it didn't hurt so I kept it.
I guess it's just personal trust issues. I even sometimes lock my car doors while parked in my garage with a garage door opener and locked side door. Weird I know!
A little paranoia isn't a bad thing... but I think you may be tiptoeing the line.
No doubt. Have to let go a little.
But only a little. Don't want somebody to steal your car when they get into your garage.
Lol - they'd still likely need the keys - so even having open doors doesn't really help the crook.
Crook needs no keys. That is the scary part. Metal shim, wire cutter/stripper, electrical tape and possibly screwdriver. Jimmy lock, strip wires, connect to get it out of park, push to end of driveway, connect to start up and away they go. Ugh. Too much Black Mirror and Mr. Robot.
Yeah - the main temper to that around here is - what are the chances of YOU being a target? and what percentage of crooks are going to have those skills? I don't know you, so I can't see what your level of being targeted are, but the % of crooks with the skills are very low.
I am just a suburbanite in Ohio. Where I'm at I know the % of being a target is pretty low.
The rational side of me so gets that. I get into that paranoia state and eventually (after a long while of stability) get to the "just cause it's possible doesn't mean it's probable" state. Getting to the latter state sooner is my issue.
Side Note - The confidence, along with knowledge and experience, of the posters here in all aspects of IT, keeps me in awe (I mean that in a very good way).