[clug] Linux Security

Ian Bardsley ifb777 at tpg.com.au
Thu Jun 12 10:00:21 GMT 2008


G'Day

Many thanks for your prompt response to this and to all the other list 
members who added to your core advice.

I can see that I have much googling and reading to do and with your 
collective permissions will come back to you all with more specific 
questions which I am sure will need answering once I have gained as much 
information from the myriad of forums that I'm sure will deal with the 
various aspects of the points of advice you have offered.

Hell, if this keeps up, I'll have to give up building and become an IT 
person.....On second thoughts maybe not, Microsoft cause enough problems 
with me adding to them.

Many thanks again. I'm sure I'll be back with more questions in the very 
near future.

Regards


Ian Bardsley

Daniel Pittman wrote:
> Ian Bardsley <ifb777 at tpg.com.au> writes:
>
>   
>> The current topic "My Windows Box got rooted" has prompted me to
>> consider the potential risks associated with a project I am currently
>> researching.  Naturally, I call upon the collective wisdom of these
>> hallowed pages for advice, guidance and comment.
>>
>> The scenario:
>>
>> I have recently given my grandchildren who live in the Wagga area a
>> PC of their own.  This PC is a linux only box (cos I didn't have a
>> copy of windows to give them and I figure exposing them to
>> alternatives is a healthy approach). It sits as part of a small home
>> network sharing with Windows XP and a Printer connected to the
>> Windows box.  All this works well and both file and printer sharing
>> are working.
>>
>> As I'm sure that at some point they are going to break something with
>> this system, I have been researching how to set this box up to allow
>> SSH over the internet through which I plan to tunnel VNC (I hope) in
>> the hope that I may be able to fix up damage if it occurs without
>> driving to Wagga.
>>
>> My research has revealed that for all this to happen, Port 22 needs
>> Port Forwarding enabled.  Fine...I now know how to set this up within
>> their router but the process is not a simple one and ideally should be
>> left open for the Wagga family's sake ( not strong on the finer points
>> of computing at this stage).  So now I am thinking how do I make this
>> system as secure as possible.  
>>     
>
> I suggest four things:
>
> 1. Forward a port other than 22, on the basis that obscurity can't hurt
>    your case.  Don't count on this to provide *any* security though.
>
> 2. Edit /etc/ssh/sshd_config to allow *only* your one "admin" user to
>    log in remotely.  *Don't* give that password to the family.
>
>    That helps make it quite unlikely that they will be able to make it
>    weak, and allows you to keep the system reasonably secure against
>    password guessing.
>
> 3. Install something like fail2ban(.sf.net) that will watch for failed
>    password guesses and blacklist the source automatically.  This will
>    help defeat brute force attacks.
>
>   
>> Will a software firewall close the gap?  
>>     
>
> 4. Yes, since you should deploy it in a "block anything outside the
>    local network" mode on the Linux box, with the one exception for the
>    SSH service.
>
>   
>> What happens if they manage to break the system to the point where it
>> may be impossible to operate a software firewall and a host of other
>> points that I haven't thought through yet.
>>     
>
> Unless you want to set up a scripted install, not much, I fear.
>
>   
>> So any comments, advice, guidance would be most welcome as I am on a
>> fairly steep learning curve with this.
>>     
>
> The biggest part of my advice is defence in *depth* -- even if they work
> out how to open up ports on the router they are still protected by the
> firewall.
>
> If they set weak passwords on user accounts the ssh login restrictions
> mean that user account can't be accessed anyhow.
>
> This all helps add to the security, by preventing them shooting
> themselves in the foot, without incurring *too* much trouble for you.
>
> Regards,
>         Daniel
>
>
>
>   
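Daniel's numbered steps above, turned into something you can run against the box. This is an added example, not code from the original thread or from fail2ban: it lints a constructed sshd_config fragment for steps 1 and 2 (a port other than 22, AllowUsers limited to the single admin account) and applies the failed-password counting rule that fail2ban uses before it blacklists a source (step 3) to a constructed auth.log excerpt. The admin user name, port, host name, process ids and IP addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd_config fragment (hypothetical values, not from the thread):
# step 1 = a port other than 22, step 2 = only the admin account may log in.
SAMPLE_SSHD_CONFIG = """\
Port 2222
AllowUsers grandpa_admin
"""

# Constructed auth.log excerpt: one scanner hammering the box, one local user
# who mistyped once, one single probe from elsewhere. Hosts and IPs are invented.
SAMPLE_AUTH_LOG = """\
Jun 12 09:58:01 wagga-pc sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 12 09:58:03 wagga-pc sshd[4122]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 12 09:58:05 wagga-pc sshd[4124]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Jun 12 09:58:09 wagga-pc sshd[4130]: Failed password for grandpa_admin from 203.0.113.7 port 51050 ssh2
Jun 12 09:58:40 wagga-pc sshd[4131]: Failed password for grandpa_admin from 192.168.1.20 port 40011 ssh2
Jun 12 09:59:12 wagga-pc sshd[4133]: Accepted password for grandpa_admin from 192.168.1.20 port 40012 ssh2
Jun 12 10:30:00 wagga-pc sshd[4140]: Failed password for invalid user oracle from 198.51.100.9 port 33000 ssh2
"""


def parse_sshd_config(text):
    """Map each directive (lower-cased) to the list of values it was given.

    Comments and blank lines are skipped; both 'Key value' and 'Key=value'
    forms are accepted, as sshd does.
    """
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            directives[parts[0].lower()].append(parts[1].strip())
    return directives


def check_sshd_config(text, admin_user):
    """Return a list of findings; an empty list means steps 1 and 2 are met."""
    d = parse_sshd_config(text)
    findings = []
    # sshd listens on 22 when no Port directive is present at all
    if "22" in d.get("port", ["22"]):
        findings.append("step 1: sshd still listens on port 22")
    allowed = set()
    for value in d.get("allowusers", []):
        allowed.update(value.split())
    if allowed != {admin_user}:
        findings.append("step 2: AllowUsers must name only %s" % admin_user)
    return findings


# Matches the 'Failed password' line sshd logs for a wrong password,
# with or without the 'invalid user' prefix for non-existent accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def sources_to_ban(log_text, maxretry=3, window_seconds=600, year=2008):
    """Return sorted source IPs with >= maxretry failures inside any window.

    This is the counting rule fail2ban applies before it blacklists a source
    (step 3); syslog timestamps carry no year, so one is supplied.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            attempts[m.group("ip")].append(ts)
    banned = []
    window = timedelta(seconds=window_seconds)
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until the span fits in window_seconds
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    for finding in check_sshd_config(SAMPLE_SSHD_CONFIG, "grandpa_admin") or ["sshd_config: ok"]:
        print(finding)
    print("sources to ban:", sources_to_ban(SAMPLE_AUTH_LOG))
```

On the sample data only the 203.0.113.7 scanner crosses the threshold; the local user who mistyped once does not, which is the distinction fail2ban's maxretry/findtime pair is there to make. Step 4 (the host firewall) is not scripted here: that is a default-deny rule set with one exception for the chosen SSH port, and it is what still protects the box if the router's port forwarding gets opened up wider than intended.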


