Weblog entry #4 for sabin

Sarge and Security
Posted by sabin on Sat 10 Sep 2005 at 02:44
Tags: none.
Since we always read about keeping a server with mostly minimal services running when it comes to security, I was wondering how secure my server is. This is my setup:


 ________
|internet|
 --------
     |
Linksys WRT54G (router, firewall)
     |
Netgear 8 port Switch
     |
debian sarge box and other clients



I run different services like ssh, http(s), samba, GNUMP3d, mysql, exim4, courier and hopefully cups as printserver soon in case I get this HP psc 1215 working.

I only redirect some ports, like 22, 80 and 143, to my server; the rest of the named services are only available from my LAN.
How secure am I with such a setup even if I have plenty of services running?

Was just wondering...

./sabin -s

 

Comments on this Entry

Posted by Anonymous (12.1.xx.xx) on Sat 10 Sep 2005 at 08:12
I would evaluate it with a set of general criteria. First and foremost, always stay on top of security updates, patches, and that sort of thing.

I recommend SecurityFocus and Debian -- Security Information

Staying on top of versioning, patches, and other updates is great, but limiting access is another key area. What are the services the machine provides, and who are they provided to? As you've already done, making sure you have a firewall between your Debian machine and the Internet is a great idea. Limiting incoming traffic to specific ports is the first major step. The next is to make sure that if you have a service running on a multi-homed machine (aka, one connected to a local lan, and to the internet) that all services intended only for the local lan listen only on the local lan. This further limits any possible avenue of attack for people looking to break into your machine. The next area is to limit outgoing traffic. Your ability to do this could be severely limited by using the Linksys, but it can be very beneficial. Making sure that you only allow specific types of traffic out can be a great way to lessen any impact a potential break-in could have. Of course, this is fairly difficult, because it requires you to profile your internet usage, and configure the firewall to work in those limits.

The last area is to protect yourself at the application level in the Debian machine itself. If you allow remote users to connect -- friends, IRC buddies, etc -- you need to be very careful in what you allow them to do. Account limiting can be a great way to accomplish this. Put restrictions on the number of processes they can run. Restrict the amount of diskspace they can consume, the number of file descriptors they can have open at any given time. And do NOT allow them to run a process if they are not logged into the machine. Say goodbye to background screen sessions and everything of that nature.

I'm sort of rambling at this point in time, but you are 95% of the way there as it stands. The ideas I've outlined here can be ignored, and you'll stand a pretty good chance of never being rooted. However, each additional step you take really helps weed out potential ways of being exploited. It sounds like you have a good setup so far, by virtue of being run on a solid (but basic) router/firewall, and a hopefully patched and regularly updated OS.

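One way to check the "listen only on the local lan" advice in the comment above is to audit the listening sockets against the list of ports the router actually forwards. This is an added example, not code from the comment or from Debian: it parses netstat-style output, which is constructed inline here rather than captured from a real host, and flags any service bound to every interface whose port is not one of the three forwarded in the original post (22, 80, 143). The LAN address 192.168.1.10 is an assumption.

```python
import re

# Ports the router forwards to this host (from the original post).
INTERNET_PORTS = {22, 80, 143}

# Constructed sample in `netstat -ltn` layout; not output from a real machine.
# 192.168.1.10 is the assumed LAN address of the sarge box.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:8000       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
"""

# Matches the local address column of a LISTEN line; the address group is
# greedy, so an IPv6 wildcard written as ":::22" yields ("::", 22).
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def parse_listeners(text):
    """Return (bind_address, port) for every listening TCP socket."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def exposed_lan_services(listeners):
    """Ports bound to all interfaces that are not meant for the internet.

    Such a service answers on every interface, so it relies entirely on the
    router's port forwarding staying as it is; binding it to the LAN address
    or loopback removes that dependency.
    """
    wildcard = {"0.0.0.0", "::", "*"}
    return sorted(port for addr, port in listeners
                  if addr in wildcard and port not in INTERNET_PORTS)


if __name__ == "__main__":
    for port in exposed_lan_services(parse_listeners(SAMPLE_NETSTAT)):
        print(f"port {port}: LAN-only service listening on all interfaces")
```

On a live host, feed it the real `netstat -ltn` output instead of the constructed sample.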

Posted by Anonymous (62.99.xx.xx) on Sat 10 Sep 2005 at 12:47
First of all I wanted to mention here that I really appreciate your effort and wanted to thank you for this.


Concerning your posting, it was a good overview of things I've already done on my system but also such like I started to think about and to launch.

I installed shorewall on this box to limit outgoing traffic and just to have a second firewall on this system itself to double restrict access on it beside the linksys.


Thanks a lot for your hints and suggestions!


./sabin -s


