[svlug] Configuring Server - SSH Trouble + Security Considerations

Lord Sauron lordsauronthegreat at gmail.com
Mon Oct 23 13:34:27 PDT 2006


On 10/23/06, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Lord Sauron (lordsauronthegreat at gmail.com):
>
> > You're right.
>
> {shrug}  It happens.  Even a stopped clock is right twice a day, and all
> that.
>
>
> > So while I'm here, is there any software-based firewall for linux
> > that's free that's better than/works well beside iptables that I
> > should know about?
>
> You're probably well aware of this, but just to make sure everyone is:
> iptables / netfilter is a _toolset_ for making port/address filtering
> and packet-mangling rules.  There are a large number of front-end gizmos

Sounds fun!

> that aim to guide you through the process of using that toolset, and
> sometimes for managing and monitoring the results.

Sounds less fun...

> There are also regimes to do application-level proxy gatewaying, which
> is a more-sophisticated approach, and much more complex to set up.  You
> should ideally read up on the taxonomy of such things, before digging
> in.  That would also help you decide if you're trying to solve the right
> problem:

Yah, I should have looked at wikipedia first.

> > I'm asking because I'm about to place the server on the network at a
> > point *before* the hardware firewall.  This will be a server on the
> > net with NO hardware firewall protection.
>
> So, here's my house network, using the BayLISA tradition of pathetic
> ASCII art:

I like ASCII art.  ASCII art is one of the best tools around.

>           Raw Bandwidth Communications DSLAM
>                  |
>                  | aDSL link
>                  |
>             aDSL bridge box, chez Moen
>                  |
>                  |
>        cheap, unmanaged Ethernet switch
>        |               |             |
>  Deirdre's server  Rick's server   wireless base station
>  (deirdre.org)   (linuxmafia.com)  & NAT box ("airport")
>                                      |
>                                      |
>                          cheap, unmanaged Ethernet switch
>                          |         |           |        |
>                       other     people's    laptops    & such
>
>
> For reasons that should be obvious from the above, deirdre.org,
> linuxmafia.com, and airport are fully exposed to the Internet.  That is,
> without some major (and troublesome) rearchitecting, there's no choke
> point where such a magic dingus could reasonably be placed.  (The aDSL
> bridge is a Westel black-box thing.)  Oh, I could junk up the
> linuxmafia.com box's ethernet interface with a bunch of ingress and
> egress rules, but I don't -- or, at least, I doubt I have much beyond
> something to block broadcast ICMP.  (I'd have to go check.)
>
> Why?  Well, it comes down to threat-model philosophy, and reasonable
> people differ about this.  Some folks believe in the magic protective
> barrier thing; for this network, at least, I don't.  My model is:  Just
> _don't run_ any network-facing process that isn't robust against public
> attack.  Don't trust the network.  Don't trust other hosts.

Yes, I've already been sold on the idea of running as few things as
possible and making them things that aren't very complex and are very
secure.

That's why I've narrowed it all down to these things:

Apache (beta portions of sites protected by username/password)
MySQL (listening to localhost ONLY)
PHP
CVS
NO FTP (all site-uploads and stuff handled over CVS)
SSH (trying to find a way to restrict it to my machines only, so if
you're not my laptop or desktop, it should just categorically deny
you.)

> So, it follows that, on my house LAN, each host is responsible for its
> own security, and each host's "security perimeter" is the edge of its
> PC case -- as opposed to the magic barrier thing at the network's edge
> that most people put their faith in.

Yes, you're most likely using only Linux, and what windows you have
can die and you probably wouldn't mind all too much.

My home network has some networked printers, tons of windows machines,
and other insecure things that would be very easily hacked.  The
hardware firewall has protected the whole thing for years because it
blocks all incoming traffic (unless you have the password, which my
dad has).

> How do you know that a host is robust against public attack?  1) nmap is
> your friend.  Security-scan it from nearby on the same LAN.  (You can
> use a Knoppix or similar live CD for this.)  2) Know your system, and
> know in detail what it's running.

I have nmap on my laptop.  I've basically tried installing everything
networking on it so I can plug in and diagnose any network (or rape
it, if I want to, but I'm horrible at that...)  Any other good network
apps I should know about?

So know what ports are open, what services use them, and how those
services are configured.  Using Gentoo's rc-update tool, I have a
pretty good idea of what's starting and when, though there could be
other daemonized things that I'm not seeing.

-- 
========== GCv3.12 ==========
GCS d-(++) s+: a? C++ UL+>++++ P+
L++ E--- W+(+++) N++ o? K? w--- O? M+
V? PS- PE+ Y-(--) PGP- t+++ 5? X R tv-- b+
                DI+++ D+ G e* h- !r !y
========= END GCv3.12 ========
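A small audit script, added here as an illustration and not code from anyone in this thread, turning two of the practical points above into something runnable: know which ports are open and which process holds them, and make SSH categorically deny anything that is not one of your own machines. The `ss`-style socket listing and the 192.168.1.x addresses are constructed samples, not a capture from either poster's network; the port allowlist mirrors the poster's SSH and Apache, with 443 added as an assumption.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread's authors).
# Two helpers for a host that has to defend itself without a perimeter firewall:
#   audit_listeners  - flags sockets bound to non-loopback addresses whose
#                      port is not on an expected-services allowlist
#   ssh_allow_rules  - emits iptables rules that accept SSH only from the
#                      listed source addresses and drop everything else
#
# The sample socket listing below is CONSTRUCTED to look like
# `ss -Hlntup` output (Netid State Recv-Q Send-Q Local Peer Process);
# it is not a real capture.  Addresses are RFC 1918 placeholders.

SAMPLE_SS='tcp   LISTEN 0   128  0.0.0.0:22       0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0   128  0.0.0.0:80       0.0.0.0:*  users:(("apache2",pid=901,fd=4))
tcp   LISTEN 0   80   127.0.0.1:3306   0.0.0.0:*  users:(("mysqld",pid=955,fd=10))
tcp   LISTEN 0   128  [::]:2401        [::]:*     users:(("cvs",pid=1002,fd=3))
udp   UNCONN 0   0    0.0.0.0:68       0.0.0.0:*  users:(("dhclient",pid=640,fd=6))'

# audit_listeners ALLOWED_PORTS   (reads ss-style lines on stdin)
# Loopback-only sockets (the "MySQL on localhost ONLY" case) are ignored;
# anything else reachable from the network on a port outside ALLOWED_PORTS
# is reported as EXPOSED, with the owning process when ss printed one.
audit_listeners() {
    awk -v allow=" $1 " '
    NF >= 6 {
        n = split($5, a, ":")                       # last field is the port
        port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        proc = (NF >= 7) ? $7 : "process unknown (run ss as root with -p)"
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
        if (index(allow, " " port " ") > 0) next       # expected service
        printf "EXPOSED %s/%s bound to %s  %s\n", $1, port, addr, proc
    }'
}

# ssh_allow_rules HOST...   prints (does not run) iptables rules that let
# only HOST... reach port 22; every other source is dropped.  Printing first
# lets you review the rules before piping them into sh as root.
ssh_allow_rules() {
    for host in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$host"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Stand-alone demonstration on the constructed sample: reports the CVS
# pserver socket on 2401 and the DHCP client on udp/68, accepts 22 and 80,
# and ignores MySQL because it is bound to 127.0.0.1.
printf '%s\n' "$SAMPLE_SS" | audit_listeners "22 80 443"
ssh_allow_rules 192.168.1.10 192.168.1.11
```

On a real host the audit is `ss -Hlntup | audit_listeners "22 80 443"`, run as root so `ss -p` can name the process behind each socket; cross-checking that list against what `rc-update show` says is enabled catches the "daemonized things I'm not seeing" case. The iptables rules are one layer; sshd's own `AllowUsers user@host` patterns in `sshd_config` give a second, application-level one, so a mistake in either still leaves the other in place.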
