screen resolution as headless server

What do you mean by 'external LAN interface'? His (and my) LAN is on a private IP range and is mostly wired and within the house. There is WiFi but I doubt if it reaches anyone else's house and you can't stop in the lane outside without causing an obstruction (and lots of dog barking).

Ah, you mean the outside facing *WAN* interface of the NAT router. Yes, there can be security holes put there by ISPs and such but since I (and probably The Natural Philosopher) use our own (not the ISP's) router that's unlikely.

I ran some tests of this sort on mine a while ago, seemed to confirm that it's fairly 'hard'.

--
Chris Green

Your router does connect you to the Internet, doesn't it? External administration is so "convenient" and "comfortable" that it may be offered by default, and if it is not, your security need not be worth much.

On the other hand, getting at you that way will require knowledge and effort. I expect you to be safe just because nobody as qualified would consider it worth his time to look at your PI experiments. Now, if you hosted a sizeable customer database there or ran a political website ...

--




Mail | -- No unannounced, large, binary attachments, please! --
Axel Berger

Of course

The only hole in mine is to a printer.

Good luck pwning that, when it's mostly off.

--
"It is hard to imagine a more stupid decision or more dangerous way of
making decisions than by putting those decisions in the hands of people
who pay no price for being wrong."

Thomas Sowell
The Natural Philosopher

No. External administration is not offered by default on a second-hand Cisco 527W.

Even there, it's surprising how resilient one can be. I do run a very public website.

Have a look at what was happening in October...

...a massive increase in traffic TO the server...

Till I got bored with the huge logs and firewalled out the fruitless attempts to log in as root with every possible password.

Hint to hackers: root login is in any case disallowed. Even with the root password.

My point is that even with a relatively high profile and exposed machine that has sshd enabled to all comers, they couldn't hack the thing in a month of trying.

Whereas I know of people with various 'web tools' like Joomla who were hacked every few DAYS.

--
Future generations will wonder in bemused amazement that the early
twenty-first century's developed world went into hysterical panic over a
globally average temperature increase of a few tenths of a degree, and,
on the basis of gross exaggerations of highly uncertain computer
projections combined into implausible chains of inference, proceeded to
contemplate a rollback of the industrial age.

Richard Lindzen
The Natural Philosopher

It's turned off. If I *really* need to configure from outside then I set up a temporary ssh tunnel to do so.

Quite! :-) I doubt anyone will expend a *lot* of effort trying to break into my home systems.

--
Chris Green

Yes, it's amazing how many hits an open ssh port gets! :-)

I have mine set up to only allow connections from two outside sites where I have ssh login accounts. Thus I connect from 'somewhere' to one of these two accounts and then from there to my home system.

--
Chris Green

Basically I have unlimited access from my (fixed) home address - I had opened ssh up so I could access it from abroad, but I am back home now, so I have shut the lot down.

Now the only globally open ports are smtp, ssmtp, pop3, http and https. And one other I won't mention.

    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:www
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:ssmtp
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:smtp
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:pop3
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:https
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:xxxxx
    REJECT  all  --  anywhere  anywhere  reject-with icmp-port-unreachable

On the internet the default should always be 'only let in what you absolutely need, and then only once you have worked out how to hack it, and blocked that too'

I haven't had a virus since I abandoned Windows, and I have never been hacked. Yet. But I have been subjected to successful denial of service attacks.

Greens don't like gridwatch.

The Natural Philosopher
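The "only let in what you absolutely need" rule set above, written out as an added example rather than the poster's own configuration: a default-deny IPv4 INPUT chain in iptables-restore format that opens the public services to everyone, accepts SSH only from named management hosts (the restriction Chris Green describes earlier in the thread), throttles new SSH connections, and pairs the firewall with the sshd settings that make "root login is disallowed" and key-only access (as alister recommends later) concrete. The addresses, the port list and the file locations are assumptions; the script only prints the rules unless run with --apply as root.

```shell
#!/bin/sh
# Added example, not The Natural Philosopher's or Chris Green's actual configuration.
# Prints a default-deny IPv4 filter table for "iptables-restore" plus sshd hardening
# settings. RFC 5737 documentation addresses stand in for the management hosts (assumed);
# the port list mirrors the services named in the thread.

# Hosts/CIDRs allowed to reach sshd. Everyone else never gets to talk to port 22 at all.
SSH_ADMIN_SRCS="${SSH_ADMIN_SRCS:-203.0.113.10 198.51.100.0/28}"
# TCP ports open to the world: smtp, pop3, http, smtps (465, "ssmtp" in /etc/services), https
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-25,110,80,465,443}"

# gen_rules -> complete *filter table, default policy DROP on INPUT and FORWARD.
# IPv4 only: a dual-stack host needs the same treatment with ip6tables-restore
# (allowing the ICMPv6 types neighbour discovery needs), or the v6 side stays wide open.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp -m multiport --dports ${PUBLIC_TCP_PORTS} -j ACCEPT
# Track new SSH connections per source address; a 4th one inside 60 s is dropped.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
EOF
    for src in $SSH_ADMIN_SRCS; do
        echo "-A INPUT -p tcp --dport 22 -s $src -j ACCEPT"
    done
    # Final reject, as in the post: an explicit port-unreachable rather than a silent drop.
    cat <<EOF
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# sshd_settings -> drop-in for /etc/ssh/sshd_config.d/ (OpenSSH 8.2+ "Include"),
# or paste into sshd_config on older releases. Keys only, no root, few guesses.
sshd_settings() {
    cat <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
LoginGraceTime 30
EOF
}

case "${1:-}" in
    --apply)
        # Run as root with console access at hand: a mistake here locks you out.
        gen_rules | iptables-restore
        sshd_settings > /etc/ssh/sshd_config.d/10-hardening.conf \
            && sshd -t && systemctl reload ssh   # the unit is "sshd" on RHEL-family systems
        ;;
    *)
        gen_rules
        echo
        sshd_settings
        ;;
esac
```

Review the printed output before applying it, and keep a second session (or physical console) open the first time; `sshd -t` only checks syntax, it does not tell you that you have just disabled the only way you can log in.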

Fair comment

Most of these are obvious and sensible given that you're running a webserver and, presumably, a mail server that accepts SMTP connections.

Indeed, but one has me curious: why is pop3 open?

I assume you're running a public or semi-public POP3 server, since using it to collect mail from an ISP doesn't require an externally accessible POP3 port.

--
Martin    | martin at 
Gregorie  | gregorie 
          | dot org
Kiwi User

I use ssh to read mail and usenet as I simply connect to my desktop machine at home and run command line mail and news clients.

I only have SMTP open in addition to ssh. I did have SMTP limited (like ssh) to only some IPs allowed to connect (my hosting service's mail servers) but that got a bit difficult to maintain so it's now open to any IP. It doesn't seem to get many unwanted connection attempts, nothing like ssh gets.

--
Chris Green

Correct. A friend is also using it, from a BT dynamic IP setup.

I don't understand what you mean by 'using it to collect mail from an ISP'.

Why on earth would I want to be 'collecting mail from an ISP'?

Since ISPs don't have mail to collect. They are merely connectivity devices.

I mean, what is the POINT of having your own domains and server, if you then 'use it to collect mail from somewhere else'?

Mail comes in and out via SMTP and SSMTP.

POP3 is how it gets to me inside my network, as I don't want to open an SMTP port into my home network

--
"I am inclined to tell the truth and dislike people who lie consistently. 
This makes me unfit for the company of people of a Left persuasion, and  
all women"
The Natural Philosopher

Well, I have to have it open, else how could I receive global email?

Ditto http and https. You can't run web servers if the world is firewalled out.

Naturally there are constant attempts to hack into all these services, but since I don't run 'standard' software like WordPress, phpMyAdmin, Joomla, ISP-style mail logins... they are all simply network load that leads to nothing.

None of the hack attempts have even come close.

--
The biggest threat to humanity comes from socialism, which has utterly  
diverted our attention away from what really matters to our existential  
survival, to indulging in navel gazing and faux moral investigations  
into what the world ought to be, whilst we fail utterly to deal with  
what it actually is.
The Natural Philosopher

It probably would not suit you, but the following setup works exactly the way I want it to:

My Postfix MTA sends outgoing mail via my ISP's mail host and I use getmail to retrieve incoming mail from my ISP's mail host using POP3, passing it to my MTA for local delivery via Dovecot. My mail volume is fairly small, so this system handles it easily while allowing me to receive and send mail without having any ports externally visible or accessible.

I do run a web server, but only for internal use. My published websites are hosted by my ISP. These are maintained locally and published by using FTP to mirror them onto my ISP's webhosting servers.

--
Martin    | martin at 
Gregorie  | gregorie 
          | dot org
Kiwi User

Good god. I wouldn't trust my ISP to host a clown party for 5-year-olds.

I run about 20 websites on a Linux virtual private server, plus half a dozen domains I keep for my email and other nefarious purposes, plus a few other people's websites and email.

This isn't at-home stuff behind some firewall. This is out there on the backbone shit.

The only firewall is iptables.

--
"Anyone who believes that the laws of physics are mere social  
conventions is invited to try transgressing those conventions from the  
windows of my apartment. (I live on the twenty-first floor.) " 

Alan Sokal
The Natural Philosopher

You would be surprised about how far it extends. The range of your WiFi depends on your equipment and that used by the second party, with some very simple hardware it is easy to build an antenna with sufficient gain to boost the signal out to a mile or more. While unlikely that some hacker with QRP (reduced power) skills would be within a mile or two of your house it is possible. I have used a simple cantenna to boost wifi across a field of just over a mile to get a poor but useable signal.

2.4GHz wifi band routers output about 100mW; one of the current QRP ham radio records is about 1500 miles on a microwatt, not a quality data signal by any means but a very low bandwidth signal that was detectable. With a directional antenna a hacker could sit in a car a hundred yards or so away and easily pick up your router, or a neighbour could. Finding a way in through open ports is possible then, but brute forcing the key may be a better option.

I live in the UK and use Sky as my provider. Their routers use WPA encryption which has an ASCII key between 8 and 63 characters long. Sky chose 8 characters for simplicity which, if you use the full printable ASCII set, has about 100 Billion combinations. At 10 seconds per key that amounts to an average of about 15 thousand years to crack by brute forcing so fairly secure. Sky however, for customer simplicity and convenience over security, only uses upper case letters in their passwords so that 95 possible characters drops to 26 and brute forcing is possible in an average of 3 months.

You have to be very determined to crack an average user's wifi and even more determined to do so at a distance, but it is possible. Also bear in mind that many small businesses use standard routers for their broadband, so hacking a shop to steal banking information is possibly more lucrative. I brute forced a Sky password in just over a month just for fun with an old Pi1. It was a spare router of my own, BTW, before someone quotes the Computer Misuse Act. The simplest way to crack a neighbour's wifi is just to visit them and sneak a peek at the back of their router; it saves weeks of fiddling about.

Andy

AndyW
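The key-space arithmetic behind the post above, as an added example that is not part of AndyW's post: it takes the character-set sizes he names (26 upper-case letters against 95 printable ASCII characters) and the 8-character length, and works out the key space and the average time to hit the key for a given guess rate. The 10 s per online attempt is the figure used in the post; the offline rate is an assumption of mine, included because a WPA/WPA2-PSK attacker normally captures the 4-way handshake and runs PBKDF2 guesses locally, where the access point's pace no longer matters.

```shell
#!/bin/sh
# Added example (not from the thread): key-space and brute-force arithmetic for a WPA passphrase.
# Charset sizes and passphrase length come from the post; guess rates are assumptions (see below).

# pow BASE EXP -> BASE^EXP by repeated multiplication (POSIX sh has no ** operator).
# 26^12 is about 9.5e16, still well inside 64-bit shell arithmetic.
pow() {
    _r=1; _i=0
    while [ "$_i" -lt "$2" ]; do
        _r=$(( _r * $1 )); _i=$(( _i + 1 ))
    done
    echo "$_r"
}

# keyspace CHARSET_SIZE LENGTH -> number of distinct passphrases
keyspace() { pow "$1" "$2"; }

# On average the right key turns up after half the space has been tried.
# online_seconds KEYSPACE SECONDS_PER_GUESS   : one attempt at a time against the live access point
online_seconds()  { echo $(( $1 / 2 * $2 )); }
# offline_seconds KEYSPACE GUESSES_PER_SECOND : PBKDF2 over a captured 4-way handshake, AP not involved
offline_seconds() { echo $(( $1 / 2 / $2 )); }

seconds_to_days()  { echo $(( $1 / 86400 )); }
seconds_to_years() { echo $(( $1 / 31557600 )); }   # Julian year

# report LABEL CHARSET_SIZE LENGTH ONLINE_SECONDS_PER_GUESS OFFLINE_GUESSES_PER_SECOND
report() {
    ks=$(keyspace "$2" "$3")
    on=$(online_seconds "$ks" "$4")
    off=$(offline_seconds "$ks" "$5")
    printf '%-30s %20d keys | online @ %d s/guess: %d years | offline @ %d guesses/s: %d days (%d years)\n' \
        "$1" "$ks" "$4" "$(seconds_to_years "$on")" \
        "$5" "$(seconds_to_days "$off")" "$(seconds_to_years "$off")"
}

# Assumed rates: 10 s per online attempt (the figure in the post) and 100,000 PBKDF2 guesses/s
# offline, a modest single-GPU figure. The ratio between the rows, not the exact values, is the point.
report "8 chars, A-Z only (Sky default)" 26 8 10 100000
report "8 chars, 95 printable ASCII"     95 8 10 100000
report "12 chars, A-Z only"              26 12 10 100000
```

Two things fall out of the numbers: the upper-case-only default is the difference between "never" and "a couple of weeks on one GPU", and adding four characters to the passphrase buys far more than widening the alphabet does.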

I would only allow SSH access from the outside using DSA/RSA key authentication, possibly even changing the port, even though that should not be considered a security measure in its own right.

Personally, I prefer to have a VPN tunnel into my network, again protected by key/certificate rather than password.

--
'It's time to-' 
'Prod buttock, sir?' said Carrot, hurriedly. 
'Close,' said Vimes, taking a deep drag and blowing out a smoke ring,  
'but no cigar.' 
(Feet of Clay)
alister

The effect for this is the same but I wonder if there are things that do work differently when you leave the framebuffer dimensions commented out and instead edit the hdmi mode settings, eg. I am used to changing:

    hdmi_group=1
    hdmi_mode=31

for TV mode 1080p @50 Hz. And then to make absolutely sure:

    hdmi_force_hotplug=1
    hdmi_ignore_edid=0xa5000080

(in my case for a receiver that wrongly reported available resolutions). See the config.txt documentation for all the settings.

A. Dumas

RDP gives a much better experience than VNC. Install x11vnc and xrdp on the Pi and you can use Remmina on Linux or the Remote Desktop client on Windows.

---druck

druck


The POINT is that it saves you trouble of running and administering that mail server ... and spares you the responsibility of knowing what you're doing and keeping that knowledge up to date. Life is finite!

You and I may be happy doing all that, but I wouldn't recommend that most people try running any kind of public-facing server (even if they do have their own domains) unless they're really sure that they have a good reason to do so and that they know how to do it securely.

Of course, having your own domain is convenient even if you have no intention of running your own server(s), as it gives you the freedom to move the hosting between ISPs/suppliers without having to change your addresses.

--
Cheers, 
 Daniel.
Daniel James

But it doesn't. You still have to set up the mail server. Assuming it's out there in internet land, the most trivial thing is to let it accept incoming SMTP mail and set MX records to point to it.

But that's only half my point.

Why use a server AT ALL if it's simply cloning someone else's server? Why not go direct to the original server?

--
A lie can travel halfway around the world while the truth is putting on  
its shoes.
The Natural Philosopher

Actually, I chose to do it that way because using getmail to collect incoming messages avoids having to open any ports in my firewall.

I run my own internal Postfix MTA for two additional reasons:

- I have a database-based mail archive which gets fed via a Postfix 'always_bcc' directive. I ensure that all my incoming and outgoing mail passes through that MTA. Why do that? Because I thought that it should be a lot faster to find an e-mail by searching that database than by looking through huge email folders in an MTA - and it certainly is. Any matching email among the 184,000 in the archive will be found within 10 seconds and can be inspected in the search app or forwarded to my MUA so attachments can be saved and/or it can be replied to.

- The archive also acts as a whitelisting engine: I wrote a Spamassassin rule that whitelists any e-mail whose sender is recorded as having received mail from me.

That too. I also run an internal HTTP server (Apache) which is an extended bookmarking system, provides no-hassle access to a growing collection of images and documents in a variety of topics, as well as being a convenient place to publish my externally visible websites, which are exported to a webhost via FTP.

I save myself a lot of hassle by using external hosts for my websites and domain names and by routing all incoming and outgoing mail through my ISP's mail server.

--
Martin    | martin at 
Gregorie  | gregorie 
          | dot org
Kiwi User
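Martin's pull-only arrangement, described here and earlier in the thread (getmail collecting from the ISP over POP3, handing each message to a local Postfix whose always_bcc feeds an archive, Dovecot doing the delivery), as an added example and not his actual files. The security point it makes concrete is that nothing listens on the outside: the MTA is bound to loopback, and the only credential in play sits in a file readable by its owner alone. Hostnames, account names, the archive address and the LMTP socket path are placeholders.

```shell
#!/bin/sh
# Added example, not Martin Gregorie's real configuration: a getmail rc that polls the ISP
# mailbox over POP3/TLS and injects each message into the local Postfix, plus the Postfix
# settings that keep that MTA off the public interface and copy every message to an archive.
# All names below are assumed placeholders.

# write_getmailrc DIR -> writes DIR/getmailrc (mode 0600) and prints its path
write_getmailrc() {
    _dir=$1
    mkdir -p "$_dir"
    # subshell so the restrictive umask does not leak into the caller; the file holds a password
    ( umask 077
      cat >"$_dir/getmailrc" <<'EOF'
[retriever]
type = SimplePOP3SSLRetriever
server = pop.isp.example
port = 995
username = user@isp.example
password = REPLACE_ME

[destination]
# Hand the message to the local MTA rather than writing the mailbox directly, so it goes
# through the same filtering, always_bcc archive copy and Dovecot delivery as any other mail.
type = MDA_external
path = /usr/sbin/sendmail
arguments = ("-i", "-f", "%(sender)", "--", "me@mail.home.example")

[options]
delete = true
read_all = false
received = true
message_log = ~/.getmail/log
EOF
    )
    echo "$_dir/getmailrc"
}

# postfix_settings -> main.cf parameters for the internal MTA.
# Apply with:  postfix_settings | while IFS= read -r p; do postconf -e "$p"; done
postfix_settings() {
    cat <<'EOF'
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128
always_bcc = archive@mail.home.example
mailbox_transport = lmtp:unix:private/dovecot-lmtp
EOF
}

# Stand-alone use: write the rc under ~/.getmail and show the Postfix settings to apply.
if [ "${1:-}" = "--install" ]; then
    write_getmailrc "${HOME}/.getmail"
    postfix_settings
fi
```

With `inet_interfaces = loopback-only` Postfix never binds port 25 on a routable address, so the "no open ports" claim survives a port scan; outbound relay to the ISP's smarthost is a separate `relayhost` setting and unaffected. Schedule `getmail` from cron (the message log shows what was fetched) and check the rc file's mode after any edit, since editors that write a new file can reset it.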
