Openg's picture

Hi all,

I'm very happy with my new Joomla Turnkeylinux/Amazon set-up, but one thing that's bugging me as I set my websites loose on the world, and that is that security seems to have been severely downgraded from the default set-up that Amazon employ with their distros. 

To start with they require keypairs to be used even for things like FTP, they don't have a root user by default and your security groups are open to the whole world, for everyone from everywhere, upon firing the system up. 

Surely this means that brute force attacks are virtually being invited. 

Is there a list of things to do to harden the systems and how to do it using the software you supply in your lovely distro?



Openg's picture

I made a start and this is what I did:

1. There's a lovely program called 'Hybrid Fox' that allows you to have a tinker inside your amazon account. Pop in your credentials and navigate your way to the security groups set-up by Turnkey-Linux. Set them all to your own IP range. 

Remember that if you go anywhere else you'll have to re-set these security groups to your new IP. 

In theory this should stop anyone from even attempting to log into your accounts.

2. Change the admin login in Joomla (wordpress, whatever you are using) from Admin to something else. Using the default login means people have a big head start in guessing the password to it. 

3. Create a mighty unbreakable password for Joomla/Wprdpress etc. I personally use an on-line password generator and stipulate upper case, lower case, punctuation etc etc of 20 characters or more. 

4. Don't store any passwords on your computer, store them in the cloud (I use Google Docs). 

I like the idea of the ip based security because things like Webmin and SSH are easy to use with a root user, just not for other people.....

Jeremy Davis's picture

But both the core devs have extensive experience in IT security (both having worked with military IT) and as such I am inclined to accept their perspective on this.

As you have probably noticed keypairs are an option from the Hub (which will set a random root password). I don't know enough about AWS to comment on your opinon re security groups so can't say much there.

Whilst having non-default usernames (and disabling root) makes it marginally more difficult (ie means that your site is not one of the 'low hanging fruit') but if someone is seriously trying to hack your site a non-default username alone is not going to make a lot of difference. I think that security by obscurity is not much security at all. If you have a good password (a complex randomly generated one as you suggest is optimal) then that is real security. Security by obscurity just promotes a false sense of security IMO.

My 2c anyway...

But the beauty of TKL is that it's open source so users such as yourself can relatively easily set it up how you want.

smoe's picture

i don't know if i agree with storing passwords in the cloud.

It sounds a little like your computer is highly vulnerable, and you don't trust it. If that is the case (an assumption I admit), then I would look at your home pc first and foremost in terms of security.  if your home pc is vulnerable, then really, anything you store in the cloud is too.  Anything you transfer, including usernames and passwords are up for grabs if whatever machine you are administering everything from isn't up to scratch.

If you must store your passwords (can't remember them), then there are options for storing them on your pc with encryption.

Liraz Siri's picture

By default, the Hub sets the root password to something long and random that would be impossible to bruteforce. That's a good default if you're comfortable using SSH key authentication. If you set it up the right way it's not only more secure but also much more convenient.

For example, I've setup an SSH agent on my machine so I only have to enter the password on my SSH key once every hour or so. Since the Hub adds my SSH key to the authorized keys of the servers it launches, I can easily log into my servers with SSH without having to enter a password 90% of the time.

Openg's picture

I remember the password to my Google Docs storage, that's enough. 

I travel a lot and once had a lap-top stolen in Vietnam. The computer was password protected, no password were stored on there and when I got another lap-top I was up and running in half an hour after downloading software/passwords I needed.

If you can remember ANY of your passwords they are not strong enough!

But both the core devs have extensive experience in IT security (both having worked with military IT) 

Here's just one example, there are many many more!

But that's by the by, (I'm assuming) the main reason that security is turned down on Turnkey products is because many people wouldn't be able to get them up and running with the knob turned up to 10, it would be good to make people aware of this so that they can get up to speed.

I initially got myself up and running on Amazon and it was a pain, but I appreciated the extra security once I understood it, perhaps others would too when they understand that the alternative might be some oik rummaging around on your server!

Perhaps this discussion would be better served by discussing what it is you DO do to up your security, the big problem with our wonderful open source web servers seems to be that many people do the basics and think it's enough. It's not.

Jeremy Davis's picture

I wasn't suggesting that a history in military IT makes the systems infallible, just that there is a hightened awareness of potential pitfalls. And as Liraz says below, there is always a compromise between security and usability. The only way to make your server completely secure is lock it in a physically secure bunker with no network access, but obviously it's not goning to be too useable! :)

For my purposes the default setup is fine, but I'm not dealing with anything really important so worst case scenario; my server being hacked would be inconvienient. But I agree that it is important to ensure people are aware of the trade-offs (between usability and security) and that if they are dealing with sensitive, personal or important data they really should hardern their systems as much as practically possible.

Your point re saving passwords in the cloud is a good one, especially for mobile computers, which are much more prone to theft and loss. And no matter how good your local password(s) is, without encryption machines are very vulnerable when the theif/hacker has physical access.

Sounds like you have a pretty good handle on security so I'm sure other users would appreciate some pointers if you'd like to share. :)

Liraz Siri's picture

Since TurnKey is just Ubuntu under the hood you are free to customize / harden deployments as much as you like. The issue for TurnKey is what should be the default, and it's impossible to please everyone. TurnKey is designed to provide a good balance between security and usability out of the box. Remember that usually making things more secure comes at the expense of usability/convenience. If not for an expert then at least for someone who isn't familiar with the concept of challenge-response cryptographic authentication (for example).

It's true that passwords are weak relative to multi-factor authentication but they're easy to use and for certain applications they can be secure enough. The devil is in the details however. It's hard to make a password secure against local cryptographic attacks, but a good password will provide excellent protection from brute force attempts that have to go over the network.

FYI, I discussed password security in a bit more detail here:

Add new comment