
I have got a small VPS running Ubuntu which (for the foreseeable future) will only host my own, static, website. The only services accessible from the outside will be SSH (only public key authentication allowed) and HTTP (probably nginx).

I am managing the configuration of the server via Puppet and would like to share that configuration via GitHub as an example to anyone interested. The Puppet configuration does not contain any passwords or similar sensitive information. It does however include for instance the firewall configuration (which is pretty basic), the username of a user that can use sudo, which packages are installed, etc.

I know that the less a potential intruder knows about the system, the better. But realistically, how much trouble would I put myself into by publishing the configuration?

  • Miscreants _will_ find out what your configuration is, even if you try to hide it (look up nmap). Or even simpler, as they have almost unlimited (botnet) resources available, they will just divebomb anything with an IP, without regard to whether it is Windows, Linux, Mac or OpenWRT. If the attack succeeds, another recruit for the botnet; if not, try the next one. – vonbrand Feb 25 '13 at 03:08

2 Answers


I don't think there's that much exposure.

Just make sure that your configuration is sanitized and free of passwords or other system-identifying information (IP addresses, hostnames, etc.)

ewwhite
  • ... I'm guessing this is the VPS that runs the blog on his SF user's profile page. – Sirex Feb 24 '13 at 20:51
  • Let's assume either Sirex is right or that there is other information about me that would make it easy to guess which host uses the configuration. How much would that change this answer? – Mark van Lent Feb 24 '13 at 21:21
  • @MarkvanLent One could argue that relying on someone not knowing your conf is security through obscurity, which is by definition not security. A determined attacker targeting specifically your VPS would get all the info he needs anyway. As long as you don't publish private keys / passwords, you'll be fine. – TC1 Feb 25 '13 at 00:59

Publishing configurations can help an attacker a little - in that it reduces the time they would usually spend in scanning/information gathering, but if you are a target then they would be carrying out these tasks anyway. Having directory or server names that indicate their function also speeds up an attack (e.g. FinanceServer01), so you are better off having a naming convention which doesn't give away free info like this.

Realistically, if it makes your life easier to publish the config, then do so, but remove unnecessary info (passwords, certs, keys, hostnames) - focus your security efforts instead on making sure your patches are current, your config secures you against attack, and you monitor your most sensitive data (if appropriate) for intrusion.

Rory Alsop
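Both answers come down to the same checklist before pushing: strip passwords, private keys and certificates outright, and review anything that ties the repo to one specific box (public IP addresses, hostnames, your SSH public key). The script below is an added example, not code from this thread or from Puppet, that turns that checklist into a scan you can run as a pre-commit hook. It works on a constructed manifest embedded in the file (203.0.113.7 is a documentation address standing in for a real VPS address; the password hash and ed25519 key are made up); the attribute names it looks for, the convention that a `lookup()`/`hiera()` value means the secret lives outside the manifest, and the list of address ranges treated as non-identifying are assumptions for the demo.

```python
"""Pre-publish check for a Puppet repo: flag secrets and host-identifying data.

Added example for the thread above, not code from Server Fault or from Puppet.
Reports lines that look like credentials, private keys, SSH public keys,
public IP addresses or hostnames, the things both answers say to strip.
"""
import ipaddress
import re
import sys
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "secret": must not be published; "identifying": ties the repo to one box
    kind: str
    source: str
    lineno: int
    match: str


# Puppet attributes whose literal value is a credential (password => 'x', api_token => "y").
# undef, a $variable or a lookup()/hiera() call means the secret is kept out of the manifest.
CREDENTIAL_RE = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|token|api_key)\w*\s*(?:=>|=|:)\s*"
    r"(?P<quote>['\"]?)(?P<val>[^\s'\",]+)")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
FQDN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b")
SSH_PUBKEY_RE = re.compile(r"\bAAAA[0-9A-Za-z+/]{30,}={0,2}")   # base64 body of an OpenSSH key

# Dotted tokens ending in these suffixes are file names (nginx.conf, site.pp), not hostnames.
FILE_SUFFIXES = {"pp", "erb", "conf", "cfg", "pem", "crt", "key", "sh", "rb", "py",
                 "txt", "log", "list", "yaml", "yml", "json", "service", "repo"}
# Ranges that do not single out a host (assumed list): RFC 1918, loopback, link-local,
# multicast and 0.0.0.0/8, so an "allow from anywhere" 0.0.0.0/0 firewall rule passes.
NON_IDENTIFYING_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def _is_identifying_ip(token: str) -> bool:
    try:
        ip = ipaddress.ip_interface(token).ip
    except ValueError:                     # e.g. a version string such as 1.2.300.4
        return False
    return not any(ip in net for net in NON_IDENTIFYING_NETS)


def scan_text(text: str, source: str = "<string>") -> List[Finding]:
    """Return every finding in `text`, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding("secret", "private key", source, lineno, line.strip()))
        m = CREDENTIAL_RE.search(line)
        if m:
            val, quoted = m.group("val"), bool(m.group("quote"))
            indirect = not quoted and val.startswith(("$", "lookup(", "hiera("))
            if val != "undef" and not indirect:
                findings.append(Finding("secret", "credential literal", source, lineno, m.group(0)))
        for tok in IPV4_RE.findall(line):
            if _is_identifying_ip(tok):
                findings.append(Finding("identifying", "ipv4 address", source, lineno, tok))
        for tok in FQDN_RE.findall(line):
            if tok.rsplit(".", 1)[-1] not in FILE_SUFFIXES:
                findings.append(Finding("identifying", "hostname", source, lineno, tok))
        for tok in SSH_PUBKEY_RE.findall(line):
            findings.append(Finding("identifying", "ssh public key", source, lineno, tok[:20] + "..."))
    return findings


# Constructed sample manifest: 203.0.113.7 is a documentation address standing in for a
# real VPS address; the password hash and the ed25519 key are made up.
SAMPLE_MANIFEST = """\
node 'vps1.example.com' {
  firewall { '100 allow ssh from home':
    proto => 'tcp', dport => 22, source => '203.0.113.7', action => 'accept' }
  firewall { '200 allow http':
    proto => 'tcp', dport => 80, source => '0.0.0.0/0', action => 'accept' }
  user { 'deploy': ensure => present, groups => ['sudo'],
    password => '$6$rounds=5000$saltsalt$abc' }
  ssh_authorized_key { 'deploy@laptop': user => 'deploy', type => 'ssh-ed25519',
    key => 'AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyExampleKeyExampleKeyExampleKey' }
  file { '/etc/nginx/nginx.conf': source => 'puppet:///modules/nginx/nginx.conf' }
  class { 'backup': api_token => lookup('backup::api_token') }
}
"""


def main(argv: List[str]) -> int:
    """Scan the files named in argv (or the sample); return 1 if any secret was found."""
    if argv:
        findings = [f for p in argv for f in scan_text(Path(p).read_text(errors="replace"), p)]
    else:
        findings = scan_text(SAMPLE_MANIFEST, "manifests/site.pp")
    for f in findings:
        print(f"{f.severity:<11} {f.source}:{f.lineno}: {f.kind}: {f.match}")
    return 1 if any(f.severity == "secret" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it scans the embedded sample and reports the hostname, the home IP in the firewall rule, the password hash and the SSH public key, while passing the `0.0.0.0/0` rule, the `nginx.conf` paths and the `lookup()` call; wired into a `pre-commit` hook as `python3 publish_check.py $(git ls-files '*.pp' '*.erb')` the non-zero exit blocks any commit containing a secret, and the "identifying" lines are left for you to judge, which is the judgement call both answers describe.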