Server Security
 

I'm curious about what kind of security (both physical and software) people use for their servers. I'm hoping some discussion on this topic will help out newer server admins learn something (which includes me) and maybe help stop some servers from being compromised in the future.

My server is physically located in my home which lends a decent amount of physical security (if my home is physically compromised, I have more important things to worry about than my eqemu server). As far as software goes, it runs openssh with a fairly decent password for all accounts (random numbers/characters/symbols/capitals) with the root account disabled (ubuntu server does this by default) and denyhosts. I do not have port 22 blocked on my router because I originally had planned on a friend or two sshing in to do work on it, but that didn't happen and I haven't bothered to close it (maybe I will now though). I still get about 10 attacks a day, mostly from other infected servers.

My server is run from home as well and it is behind a hardware firewall(router) and a software firewall. I use UAC type software so nothing can launch on my server even if it gets through the firewalls. I also use network monitoring tools to control traffic and to log connections made to the server.

If you intend hosting a high-player server, then I'd suggest you invest into some form of physical firewall. And get a good one too.

Definitely. In the future (when I have some more income), I plan on getting a decent switch that can intelligently handle some kinds of attacks. Actually, might just build a pico ITX computer with one of the open source firewall/router packages. I haven't really looked into the costs/benefits though.

I have a 24port cisco. It's a beast!

home routers like the ones you buy in a store cannot properly handle high UDP traffic, this is just a note for those who plan on running bigger servers like 50+ players. The routers will eventually overheat (and possibly explode, that last one is a fun one).

If you plan on having a bigger server use a hardware based router and keep in mind that you only need UDP traffic available in port forwarding, you should keep the TCP traffic internal to the network (such as the world port listening for zones).