[clug] Linux Security

steve jenkin sjenkin at canb.auug.org.au
Thu Oct 9 07:37:20 GMT 2008


Daniel Pittman wrote on 11/6/08 10:26 PM:

Picking up an old thread, I was wondering how people provide (local)
email access for 'global travellers'.

It's simple to read mail via webmail, POP or IMAP.

Sending mail means allowing external connections to Port 25 - which
creates an open mail relay. Hmmmm.

Is this solved with just TLS/SSL + user login (and I get busy reading),
or will using SSH's ability to map a remote port locally be easiest?

User runs Windows and is not terribly IT capable - the config has to be
simple and 'set and forget'. Plus be able to suffer others tinkering
with it if he goes somewhere and it stops & locals get 'helpful' :-(

TIA
steve

> Ian Bardsley <ifb777 at tpg.com.au> writes:
> 
>> The current topic "My Windows Box got rooted" has prompted me to
>> consider the potential risks associated with a project I am currently
>> researching.  Naturally, I call upon the collective wisdom of these
>> hallowed pages for advise, guidance and comment.
>>
>> The scenario:
>>
>> I have recently given my grand children who live in the Wagga area a
>> PC of their own.  This PC is a linux only box (cos I didn't have a
>> copy of windows to give them and I figure exposing them to
>> alternatives is a healthy approach). It sits as part of a small home
>> network sharing with Windows XP and a Printer connected to to the
>> Windows box.  All this works well and both file and printer sharing
>> are working.
>>
>> As I'm sure that at some point they are going to break something with
>> this system, I have been researching how to set this box up to allow
>> SSH over the internet through which I plan to tunnel VNC (I hope) in
>> the hope that I may be able to fix up damage if it occurs without
>> driving to Wagga.
>>
>> My research has revealed that for all this to happen, Port 22 needs
>> Port Forwarding enabled.  Fine...I now know how to set this up within
>> their router but the process is not a simple one and ideally should be
>> left open for the Wagga family's sake ( not strong on the finer points
>> of computing at this stage).  So now I am thinking how do I make this
>> system as secure as possible.  
> 
> I suggest four things:
> 
> 1. Forward a port other than 22, on the basis that obscurity can't hurt
>    your case.  Don't count on this to provide *any* security though.
> 
> 2. Edit /etc/ssh/sshd_config to allow *only* your one "admin" user to
>    log in remotely.  *Don't* give that password to the family.
> 
>    That helps make it quite unlikely that they will be able to make it
>    weak, and allows you to keep the system reasonably secure against
>    password guessing.
> 
> 3. Install something like fail2ban(.sf.net) that will watch for failed
>    password guesses and blacklist the source automatically.  This will
>    help defeat brute force attacks.
> 
>> Will a software firewall close the gap?  
> 
> 4. Yes, since you should deploy it in a "block anything outside the
>    local network" mode on the Linux box, with the one exception for the
>    SSH service.
> 
>> What happens if they manage to break the system to the point where it
>> may be impossible to operate a software firewall and a host of other
>> points that I haven't thought through yet.
> 
> Unless you want to set up a scripted install, not much, I fear.
> 
>> So any comments, advise, guidance would be most welcome as I am on a
>> fairly steep learning curve with this.
> 
> The biggest part of my advice is defence in *depth* -- even if they work
> out how to open up ports on the router they are still protected by the
> firewall.
> 
> If they set weak passwords on user accounts the ssh login restrictions
> mean that user account can't be accessed anyhow.
> 
> This all helps add to the security, by preventing them shooting
> themselves in the foot, without incurring *too* much trouble for you.
> 
> Regards,
>         Daniel


-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin


More information about the linux mailing list