
I want to keep configuration for several of my hosts in mercurial and back it up, let's say, to bitbucket.

Let's say I have taken some precautions - tuned SSH to accept only keys, tuned PAM to hash passwords even more times, and, of course, kept /etc/shadow out of the repo.

Is there any actual downside of letting everyone know about my host configuration?

Ivan Kolmychek
  • Not what you are asking, but just in case: Bitbucket and other managed code version systems allow for private repositories, so they are not in principle exposed to everyone. – LinuxDevOps Mar 31 '14 at 13:33
  • @LinuxDevOps, yes, I know about private repos, and was going to use them from the beginning. I just wanted to know more about the dangers of public configuration sharing. Anyway, thank you. =) – Ivan Kolmychek Mar 31 '14 at 16:04
  • Downsides or not, you would certainly be in good company: https://blog.wikimedia.org/2011/09/19/ever-wondered-how-the-wikimedia-servers-are-configured/ – Michał Politowski Mar 31 '14 at 22:13
  • @Ivan Kolmychek I know you use Mercurial, but for Git you could use git-crypt to encrypt sensitive files in git: https://github.com/AGWA/git-crypt – LinuxDevOps Apr 01 '14 at 16:20
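The question's own precaution is to keep /etc/shadow out of the repository before it is pushed anywhere. The following is an added example, not code from the question or either answer: a POSIX shell check that a pre-push hook can run over a working copy of host configuration and that refuses to proceed when the tree contains files secret by name (shadow/gshadow), private key material, or lines that look like embedded credentials. The file names, the regular expressions and the demo tree it builds are all assumptions and constructed data, not taken from any real host.

```shell
#!/bin/sh
# Added example (not part of the original question or answers): a pre-push
# check for a host-configuration working copy. It lists anything that must
# never leave the host and returns non-zero so the push can be aborted.
# File names and patterns below are assumptions; extend them for your hosts.

# scan_config_tree DIR: print one line per finding; return 1 if any, else 0
scan_config_tree() {
    dir="$1"
    report=$(
        # 1. files that are secret by name, checked by relative path
        for f in etc/shadow etc/gshadow etc/shadow- etc/gshadow-; do
            if [ -e "$dir/$f" ]; then echo "SECRET FILE: $f"; fi
        done
        # 2. private key material anywhere in the tree (PEM/OpenSSH headers)
        find "$dir" -type f -exec grep -l -E \
            -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} + 2>/dev/null \
            | sed "s|^$dir/|PRIVATE KEY: |"
        # 3. plaintext credentials such as "db_password = hunter2";
        #    "PasswordAuthentication no" does not match because no = or : follows
        find "$dir" -type f -exec grep -H -n -i -E \
            -e '(password|passwd|secret|api[_-]?key)[[:space:]]*[=:][[:space:]]*[^[:space:]]+' {} + 2>/dev/null \
            | sed "s|^$dir/|CREDENTIAL: |"
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# count_findings DIR: number of findings, for callers that only need a number
count_findings() {
    scan_config_tree "$1" | wc -l | tr -d ' '
}

# make_demo_tree DIR: constructed stand-in for a host's configuration working
# copy. Harmless config plus the three things that must never be pushed; the
# hash and key bytes are fake placeholders, not real secrets.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/etc/ssh" "$root/etc/pam.d" "$root/etc/myapp"
    cat > "$root/etc/ssh/sshd_config" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
EOF
    cat > "$root/etc/pam.d/common-password" <<'EOF'
password required pam_unix.so sha512 rounds=65536
EOF
    printf 'root:$6$FAKEHASH$FAKE:16000:0:99999:7:::\n' > "$root/etc/shadow"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nFAKEKEYDATA\n-----END OPENSSH PRIVATE KEY-----\n' \
        > "$root/etc/ssh/ssh_host_ed25519_key"
    printf 'db_host = localhost\ndb_password = hunter2\n' > "$root/etc/myapp/app.conf"
}

# Demo run: build the constructed tree in a temp dir and scan it, which is
# what a pre-push hook would do to the real working copy
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
if scan_config_tree "$demo_dir"; then
    echo "clean: safe to push"
else
    echo "refusing to push: $(count_findings "$demo_dir") finding(s)"
fi
rm -rf "$demo_dir"
```

Wired into a Mercurial `pre-push` hook (or run by hand before `hg push`), the non-zero return stops the push; the three findings reported for the demo tree are the shadow file, the host key, and the `db_password` line, while the sshd and PAM settings pass untouched. A check like this is a backstop for the `.hgignore`/`.gitignore` rules, not a replacement for them, and it says nothing about whether the remaining configuration is safe to show the world, which is the question the answers address.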

2 Answers

Yes, you are exposing yourself needlessly. The problem is known as Google Hacking. One of the major costs when attacking systems is the time it takes to identify vulnerable systems. Basically, by publishing your whole configuration you allow people to check if you are vulnerable to attacks without consuming any resources, making yourself an easy target.

Even if you are not vulnerable at the moment, assume that somebody finds a new vulnerability... Then they can simply use Google to identify your servers as potential targets and attack, before you have time to respond.

pehrs

Yes, because you are inviting attention to your site in a way that does not serve any real purpose. Unless you are specifically sharing configurations which others may find useful, the only likely result is increasing the visibility of your site to crackers and bots (regardless of whether your configuration itself is problematic).

Of course, as pehrs points out, if your configuration has an identified vulnerability, you are exposing it to automated attacks. While "security through obscurity" is often derided and sometimes abused, it is a component in your overall security (like window shades). And while encrypting it might offset this danger, it would be better just to avoid it entirely.

Generally speaking, you shouldn't expose any information about any system without a specific purpose in doing so.

cowb0y
  • `you shouldn't expose any information about any system without a specific purpose in doing so` - Specific purpose is to keep it in source control with copy in repo on some free external service like bitbucket or github. Disclosure is possible in that case, so, it is better to be prepared. =) – Ivan Kolmychek Aug 18 '14 at 09:48
  • It would be better to use a cloud storage service to mirror the repository (lots of ways to accomplish this; you could just clone your repo to a Dropbox folder (or use rsync), as opposed to pushing it to a Bitbucket repo). This accomplishes the same thing, but with zero public exposure of your files. – cowb0y Aug 18 '14 at 20:49