[clug] Linux Security
steve jenkin
sjenkin at canb.auug.org.au
Thu Oct 9 07:37:20 GMT 2008
Daniel Pittman wrote on 11/6/08 10:26 PM:
Picking up an old thread, I was wondering how people provide (local)
email access for 'global travellers'.
It's simple to read mail via webmail, POP or IMAP.
Sending mail means allowing external connections to Port 25 - which
creates an open mail relay. Hmmmm.
Is this solved with just TLS/SSL + user login (and I get busy reading),
or will using SSH's ability to map a remote port locally be easiest?
User runs Windows and is not terribly IT capable - the config has to be
simple and 'set and forget'. Plus be able to suffer others tinkering
with it if he goes somewhere and it stops & locals get 'helpful' :-(
TIA
steve
> Ian Bardsley <ifb777 at tpg.com.au> writes:
>
>> The current topic "My Windows Box got rooted" has prompted me to
>> consider the potential risks associated with a project I am currently
>> researching. Naturally, I call upon the collective wisdom of these
>> hallowed pages for advice, guidance and comment.
>>
>> The scenario:
>>
>> I have recently given my grandchildren who live in the Wagga area a
>> PC of their own. This PC is a linux only box (cos I didn't have a
>> copy of windows to give them and I figure exposing them to
>> alternatives is a healthy approach). It sits as part of a small home
>> network sharing with Windows XP and a Printer connected to the
>> Windows box. All this works well and both file and printer sharing
>> are working.
>>
>> As I'm sure that at some point they are going to break something with
>> this system, I have been researching how to set this box up to allow
>> SSH over the internet through which I plan to tunnel VNC (I hope) in
>> the hope that I may be able to fix up damage if it occurs without
>> driving to Wagga.
>>
>> My research has revealed that for all this to happen, Port 22 needs
>> Port Forwarding enabled. Fine...I now know how to set this up within
>> their router but the process is not a simple one and ideally should be
>> left open for the Wagga family's sake ( not strong on the finer points
>> of computing at this stage). So now I am thinking how do I make this
>> system as secure as possible.
>
> I suggest four things:
>
> 1. Forward a port other than 22, on the basis that obscurity can't hurt
> your case. Don't count on this to provide *any* security though.
>
> 2. Edit /etc/ssh/sshd_config to allow *only* your one "admin" user to
> log in remotely. *Don't* give that password to the family.
>
> That helps make it quite unlikely that they will be able to make it
> weak, and allows you to keep the system reasonably secure against
> password guessing.
>
> 3. Install something like fail2ban(.sf.net) that will watch for failed
> password guesses and blacklist the source automatically. This will
> help defeat brute force attacks.
>
>> Will a software firewall close the gap?
>
> 4. Yes, since you should deploy it in a "block anything outside the
> local network" mode on the Linux box, with the one exception for the
> SSH service.
>
>> What happens if they manage to break the system to the point where it
>> may be impossible to operate a software firewall and a host of other
>> points that I haven't thought through yet.
>
> Unless you want to set up a scripted install, not much, I fear.
>
>> So any comments, advice, guidance would be most welcome as I am on a
>> fairly steep learning curve with this.
>
> The biggest part of my advice is defence in *depth* -- even if they work
> out how to open up ports on the router they are still protected by the
> firewall.
>
> If they set weak passwords on user accounts the ssh login restrictions
> mean that user account can't be accessed anyhow.
>
> This all helps add to the security, by preventing them shooting
> themselves in the foot, without incurring *too* much trouble for you.
>
> Regards,
> Daniel
--
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA
sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
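An added worked example, not code from the thread or from any of its posters: Daniel's steps 2 and 4 (restrict sshd to one admin user, default-deny firewall with an SSH exception) and Steve's idea of mapping a remote port locally over SSH, written as small POSIX shell functions. The admin user name "fixit", the port 2222, the LAN range 192.168.1.0/24 and the mail host name are all assumptions, as is the checker's policy (one AllowUsers name, no root login, no password login). The check function mirrors a detail of sshd_config worth knowing: sshd uses the first occurrence of a keyword, so a directive appended at the bottom of the file by a "helpful" local does not override the one above it.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values; change to suit.
ADMIN_USER="${ADMIN_USER:-fixit}"
SSH_PORT="${SSH_PORT:-2222}"
LAN="${LAN:-192.168.1.0/24}"
MAIL_HOST="${MAIL_HOST:-mail.example.invalid}"   # placeholder host name

# Step 2: one admin user only, non-default port, no root, key-based login
# so that a weak family password can never be used from the internet.
sshd_hardening_fragment() {
    cat <<EOF
Port $SSH_PORT
PermitRootLogin no
AllowUsers $ADMIN_USER
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
}

# Value of a keyword in an sshd_config file (case-insensitive, comments
# ignored). sshd honours the FIRST occurrence of each keyword, so this
# takes the first match too; a later duplicate line has no effect.
sshd_directive() {
    awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Succeed only if remote login is limited to exactly the admin user,
# root login is off and password authentication is off.
check_sshd_config() {
    [ "$(sshd_directive AllowUsers "$1")" = "$ADMIN_USER" ] &&
    [ "$(sshd_directive PermitRootLogin "$1")" = "no" ] &&
    [ "$(sshd_directive PasswordAuthentication "$1")" = "no" ]
}

# Step 4: default-deny on the Linux box; only loopback, the LAN, replies
# to our own connections and new connections to the SSH port get in.
# Printed for review rather than applied, since applying needs root.
firewall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $LAN -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Steve's question: map the mail host's port 25 to local port 2525 over
# SSH. The mail client is then pointed at localhost:2525 and port 25 is
# never exposed to the internet, so there is no open relay to worry about.
smtp_tunnel_command() {
    echo "ssh -N -p $SSH_PORT -L 2525:127.0.0.1:25 $ADMIN_USER@$MAIL_HOST"
}

# Demo when run directly: write the fragment to a temp file and check it.
tmp=$(mktemp)
sshd_hardening_fragment > "$tmp"
if check_sshd_config "$tmp"; then
    echo "sshd_config fragment passes the check"
else
    echo "sshd_config fragment FAILS the check"
fi
rm -f "$tmp"
```

To use it on the real box, append the output of sshd_hardening_fragment to /etc/ssh/sshd_config (above any conflicting lines, for the first-occurrence reason), put the admin user's public key in ~/.ssh/authorized_keys, and run check_sshd_config against the file before restarting sshd; keep the existing session open until a second login succeeds.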