[clug] Linux Security

tmc at vandradlabs.com.au tmc at vandradlabs.com.au
Thu Oct 9 11:09:00 GMT 2008

On Thu, October 9, 2008 6:37 pm, steve jenkin wrote:
> Daniel Pittman wrote on 11/6/08 10:26 PM:
> Picking up an old thread, I was wondering how people provide (local)
> email access for 'global travellers'.
> It's simple to read mail via webmail, POP or IMAP.
> Sending mail means allowing external connections to Port 25 - which
> creates an open mail relay. Hmmmm.
> Is this solved with just TLS/SSL + user login (and I get busy reading),
> or will using SSH's ability to map a remote port locally be easiest?
> User runs Windows and is not terribly IT capable - the config has to be
> simple and 'set and forget'. Plus be able to suffer others tinkering
> with it if he goes somewhere and it stops & locals get 'helpful' :-(
> steve
>> Ian Bardsley <ifb777 at tpg.com.au> writes:
>>> The current topic "My Windows Box got rooted" has prompted me to
>>> consider the potential risks associated with a project I am currently
>>> researching.  Naturally, I call upon the collective wisdom of these
>>> hallowed pages for advise, guidance and comment.
>>> The scenario:
>>> I have recently given my grand children who live in the Wagga area a
>>> PC of their own.  This PC is a linux only box (cos I didn't have a
>>> copy of windows to give them and I figure exposing them to
>>> alternatives is a healthy approach). It sits as part of a small home
>>> network sharing with Windows XP and a Printer connected to to the
>>> Windows box.  All this works well and both file and printer sharing
>>> are working.
>>> As I'm sure that at some point they are going to break something with
>>> this system, I have been researching how to set this box up to allow
>>> SSH over the internet through which I plan to tunnel VNC (I hope) in
>>> the hope that I may be able to fix up damage if it occurs without
>>> driving to Wagga.
>>> My research has revealed that for all this to happen, Port 22 needs
>>> Port Forwarding enabled.  Fine...I now know how to set this up within
>>> their router but the process is not a simple one and ideally should be
>>> left open for the Wagga family's sake ( not strong on the finer points
>>> of computing at this stage).  So now I am thinking how do I make this
>>> system as secure as possible.
>> I suggest four things:
>> 1. Forward a port other than 22, on the basis that obscurity can't hurt
>>    your case.  Don't count on this to provide *any* security though.
>> 2. Edit /etc/ssh/sshd_config to allow *only* your one "admin" user to
>>    log in remotely.  *Don't* give that password to the family.
>>    That helps make it quite unlikely that they will be able to make it
>>    weak, and allows you to keep the system reasonably secure against
>>    password guessing.
>> 3. Install something like fail2ban(.sf.net) that will watch for failed
>>    password guesses and blacklist the source automatically.  This will
>>    help defeat brute force attacks.
>>> Will a software firewall close the gap?
>> 4. Yes, since you should deploy it in a "block anything outside the
>>    local network" mode on the Linux box, with the one exception for the
>>    SSH service.
>>> What happens if they manage to break the system to the point where it
>>> may be impossible to operate a software firewall and a host of other
>>> points that I haven't thought through yet.
>> Unless you want to set up a scripted install, not much, I fear.
>>> So any comments, advise, guidance would be most welcome as I am on a
>>> fairly steep learning curve with this.
>> The biggest part of my advice is defence in *depth* -- even if they work
>> out how to open up ports on the router they are still protected by the
>> firewall.
>> If they set weak passwords on user accounts the ssh login restrictions
>> mean that user account can't be accessed anyhow.
>> This all helps add to the security, by preventing them shooting
>> themselves in the foot, without incurring *too* much trouble for you.
>> Regards,
>>         Daniel
> --
> Steve Jenkin, Info Tech, Systems and Design Specialist.
> 0412 786 915 (+61 412 786 915)
> PO Box 48, Kippax ACT 2615, AUSTRALIA
> sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux

More information about the linux mailing list