[clug] Linux Security

Daniel Pittman daniel at rimspace.net
Wed Jun 11 12:26:49 GMT 2008


Ian Bardsley <ifb777 at tpg.com.au> writes:

> The current topic "My Windows Box got rooted" has prompted me to
> consider the potential risks associated with a project I am currently
> researching.  Naturally, I call upon the collective wisdom of these
> hallowed pages for advice, guidance and comment.
>
> The scenario:
>
> I have recently given my grandchildren who live in the Wagga area a
> PC of their own.  This PC is a linux only box (cos I didn't have a
> copy of windows to give them and I figure exposing them to
> alternatives is a healthy approach). It sits as part of a small home
> network sharing with Windows XP and a Printer connected to the
> Windows box.  All this works well and both file and printer sharing
> are working.
>
> As I'm sure that at some point they are going to break something with
> this system, I have been researching how to set this box up to allow
> SSH over the internet through which I plan to tunnel VNC (I hope) in
> the hope that I may be able to fix up damage if it occurs without
> driving to Wagga.
>
> My research has revealed that for all this to happen, Port 22 needs
> Port Forwarding enabled.  Fine...I now know how to set this up within
> their router but the process is not a simple one and ideally should be
> left open for the Wagga family's sake (not strong on the finer points
> of computing at this stage).  So now I am thinking how do I make this
> system as secure as possible.

I suggest four things:

1. Forward a port other than 22, on the basis that obscurity can't hurt
   your case.  Don't count on this to provide *any* security though.

2. Edit /etc/ssh/sshd_config to allow *only* your one "admin" user to
   log in remotely.  *Don't* give that password to the family.

   That helps make it quite unlikely that they will be able to make it
   weak, and allows you to keep the system reasonably secure against
   password guessing.

3. Install something like fail2ban(.sf.net) that will watch for failed
   password guesses and blacklist the source automatically.  This will
   help defeat brute force attacks.

> Will a software firewall close the gap?  

4. Yes, since you should deploy it in a "block anything outside the
   local network" mode on the Linux box, with the one exception for the
   SSH service.

> What happens if they manage to break the system to the point where it
> may be impossible to operate a software firewall and a host of other
> points that I haven't thought through yet.

Unless you want to set up a scripted install, not much, I fear.

> So any comments, advice, guidance would be most welcome as I am on a
> fairly steep learning curve with this.

The biggest part of my advice is defence in *depth* -- even if they work
out how to open up ports on the router they are still protected by the
firewall.

If they set weak passwords on user accounts, the ssh login restrictions
mean that those user accounts can't be accessed anyhow.

This all helps add to the security, by preventing them shooting
themselves in the foot, without incurring *too* much trouble for you.

Regards,
        Daniel
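
Added example, not part of the original message: a shell function that audits an sshd_config against points 1 and 2 of the reply (a forwarded port other than 22, and only the one admin account allowed to log in). The function name audit_sshd, the user name remoteadmin and port 2222 are assumptions chosen for illustration; it reads whitespace-separated global directives and stops at the first Match block.

```shell
#!/bin/sh
# Added example: check an sshd_config against points 1 and 2 of the reply.
# Prints one line per finding; the exit status is the number of findings (0-2).
# Assumes "Keyword value" lines separated by whitespace.
audit_sshd() {  # usage: audit_sshd CONFIG_FILE ADMIN_USER
    awk -v admin="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        { key = tolower($1) }                # sshd keywords are case-insensitive
        key == "match" { exit }              # audit the global section only
        key == "port" { nport++; if ($2 == 22) std = 1 }
        key == "allowusers" {
            for (i = 2; i <= NF; i++) {
                nuser++
                u = $i; sub(/@.*/, "", u)    # USER@HOST pattern: compare USER
                if (u != admin) extra = extra " " $i
            }
        }
        END {
            # No Port line at all means sshd uses its default, 22.
            if (!nport || std) { print "port: sshd listens on default port 22"; bad++ }
            if (!nuser) { print "users: no AllowUsers line, any account may log in"; bad++ }
            else if (extra != "") { print "users: AllowUsers also admits:" extra; bad++ }
            exit bad + 0
        }' "$1"
}

# Constructed sample: a configuration that follows points 1 and 2.
# "remoteadmin" and 2222 are placeholder values, not taken from the post.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 2222' 'AllowUsers remoteadmin' > "$demo"
audit_sshd "$demo" remoteadmin && echo "ok: matches points 1 and 2"
rm -f "$demo"
```

Run it against a copy of /etc/ssh/sshd_config with the admin account name as the second argument; a non-zero status means at least one of the two points is not met.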

