Hello,

I only have little knowledge in the area of security and so I would like to ask for some hints on the expert list - please apologize if the question is not really professional.

Here is the problem: I need to run a production server, SuSE 8.0, to which some real terminals are connected (-> no hard drive). The terminals boot via tftp and mount certain drives via nfs. For "online" backups I run rsync. The server must be reachable for remote maintenance via ISDN dial-in, also telnet and ftp. Temporary connections to the internet for surfing and email should also be possible.

What would you suggest to protect the machine? It would be great if you could point me in the right direction; that way I can focus on the things which are really needed.

Thanks a lot
Michael

--
Encrypted eMail welcome! GnuPG/OpenPGP-Key: 0xC82CD70C. Fingerprint: BB76 0DED 1329 D3B7 04D0 F6BB 2033 3B11 C82C D70C
On Sun, 2003-03-09 at 10:46, Michael Hoeller wrote:

> Hello,
> I only have little knowledge in the area of security and so I would like to ask for some hints on the expert list - please apologize if the question is not really professional.
> Here is the problem: I need to run a production server, SuSE 8.0, to which some real terminals are connected (-> no hard drive). The terminals boot via tftp and mount certain drives via nfs. For "online" backups I run rsync.
> The server must be reachable for remote maintenance via ISDN dial-in, also telnet and ftp.

Ouch. If possible drop ftp and telnet and use ssh / sftp instead. Or at least chroot the ftp process and don't let it run as root. (There is no point in chrooting a SUID process.)

> Temporary connections to the internet for surfing and email should also be possible.
> What would you suggest to protect the machine? It would be great if you could point me in the right direction; that way I can focus on the things which are really needed.

If it's connected to the internet, install a *tight* firewall.
Remove all unnecessary services.
Remove unnecessary software (tcpdump, compiler, sources etc.).
Check for security updates once a day. Better would be each hour with cron.
Install IDS software (e.g. AIDE).
Install chkchroot.
Install portsentry in case your firewall is dropped for some reason.

HTH

--
Matthias Hentges
Cologne / Germany
[www.hentges.net] -> PGP welcome, HTML tolerated
ICQ: 97 26 97 4 -> No files, no URL's
My OS: Debian Woody: Geek by Nature, Linux by Choice
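The "remove all unnecessary services" step is the one that is easiest to verify mechanically, and worth re-running from cron alongside the update check. The following is an added example, not code from the thread or from any of the posters: a POSIX shell function that reads `netstat -tuln` output and reports every listening TCP or UDP socket whose port is not on an allowlist of what this server is actually meant to offer (ssh 22, tftp 69, portmap 111, rsync 873, nfs 2049). The allowlist and the netstat sample are constructed for the example; on a real host the dynamically assigned port of rpc.mountd would also have to be accounted for.

```shell
#!/bin/sh
# Added example (not from the thread): audit listening sockets against an allowlist of
# the services this server needs. Anything else that listens is a candidate for removal
# (in the constructed sample below: ftp on 21 and telnet on 23).

# ports this server is supposed to offer (assumed for the example)
ALLOWED_PORTS="22 69 111 873 2049"

# constructed sample of `netstat -tuln` output on a host that still runs ftp and telnet
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*'

# is_allowed PORT -> exit status 0 if PORT is on the allowlist
is_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# unexpected_listeners: reads netstat-style lines on stdin and prints "proto port"
# for every listening socket that is not on the allowlist
unexpected_listeners() {
    while read -r proto _ _ laddr _ state; do
        # skip the header line and anything that is not tcp/udp
        case "$proto" in tcp|udp) ;; *) continue ;; esac
        # TCP sockets count only in LISTEN state; UDP lines carry no state column
        [ "$proto" = "tcp" ] && [ "$state" != "LISTEN" ] && continue
        port=${laddr##*:}          # strip the address part, keeps IPv6 ':::22' working
        is_allowed "$port" || printf '%s %s\n' "$proto" "$port"
    done
}

# count_unexpected -> number of offending sockets in the constructed sample
count_unexpected() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners | wc -l | tr -d ' '
}

# on a live host:  netstat -tuln | unexpected_listeners
```

Run against the constructed sample it reports `tcp 21` and `tcp 23`; a non-empty report from a nightly cron job is the cue to revisit the service list.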
On Sun, Mar 09, 2003 at 10:46:51AM +0100, Michael Hoeller wrote:
> I only have little knowledge in the area of security and so I would like to ask for some hints on the expert list - please apologize if the question is not really professional.
> Here is the problem: I need to run a production server, SuSE 8.0, to which some real terminals are connected (-> no hard drive). The terminals boot via tftp and mount certain drives via nfs. For "online" backups I run rsync. The server must be reachable for remote maintenance via ISDN dial-in, also telnet and ftp. Temporary connections to the internet for surfing and email should also be possible.
> What would you suggest to protect the machine? It would be great if you could point me in the right direction; that way I can focus on the things which are really needed.

Use SuSEfirewall2. Edit the configuration file /etc/sysconfig/SuSEfirewall2 (I think that's right, I'm not using a SuSE machine at the moment). If you have any difficulties with doing this, post the problems you are having. There is also a large SuSEfirewall2 manual, linked from the unofficial SuSE FAQ (susefaq.souceforge.net).

HTH...
Hello David,

This is the constellation:

> Here is the problem: I need to run a production server, SuSE 8.0, to which real terminals are connected (-> no hard drive). The terminals boot via tftp and mount certain drives via nfs. For "online" backups I run rsync. The server must be reachable for remote maintenance via ISDN dial-in, also telnet and ftp.

David Smith wrote:

> Use SuSEfirewall2. Edit the configuration file /etc/sysconfig/SuSEfirewall2

Would it really be enough to run SuSEfirewall2? I would like to hook onto Matthias' answer:

> If possible drop ftp and telnet and use ssh / sftp instead. Or at least chroot the ftp process and don't let it run as root.

OK, ssh and sftp are no problem, but for some maintenance tasks root access is needed. What would be a strategy in this case?

> > Temporary connections to the internet for surfing and email should also be possible.
> If it's connected to the internet, install a *tight* firewall.

I guess SuSEfirewall2 can do this, but what about ssh and sftp and dial-in?

> Install IDS software (e.g. AIDE)

HIDS or NIDS? An attack from the inner side is a less reasonable issue, though still (in theory) possible.

> Install chkchroot. Install portsentry in case your firewall is dropped for some reason.

I never used them; what can they do in the current scenario?

I guess the main problems are the temporary connections to the internet and the dial-in connection for maintenance. How can I make sure that only *one* certain number can dial in?

Thanks again
Michael

--
Encrypted eMail welcome! GnuPG/OpenPGP-Key: 0xC82CD70C. Fingerprint: BB76 0DED 1329 D3B7 04D0 F6BB 2033 3B11 C82C D70C
MichaelHoeller@t-online.de (Michael Hoeller) writes:
> I guess the main problems are the temporary connections to the internet and the dial-in connection for maintenance. How can I make sure that only *one* certain number can dial in?

You can use isdnctrl for this task. See "man isdnctrl" for "addphone" and "secure". You may additionally want to use papcrypt for ipppd (man ipppd).

Now: how do you want to connect to the internet? Also via ISDN or via another interface?

Regards,
Matthias
On Sun, Mar 09, 2003 at 02:00:01PM +0100, Michael Hoeller wrote:
> David Smith wrote:
> > Use SuSEfirewall2. Edit the configuration file /etc/sysconfig/SuSEfirewall2
>
> Would it really be enough to run SuSEfirewall2? I would like to hook onto Matthias' answer:

It depends on how secure you want the system to be. My answer was maybe a little simplistic, and others have suggested extra security measures which are a good idea.

> > If possible drop ftp and telnet and use ssh / sftp instead. Or at least chroot the ftp process and don't let it run as root.
>
> OK, ssh and sftp are no problem, but for some maintenance tasks root access is needed. What would be a strategy in this case?

ssh in as a normal user, then su to root. Alternatively, you can allow ssh logins as root, but this is slightly less secure. If you know the IP (or range of IPs) which you will use to log in over ssh, you can restrict the firewall to allow only these IPs to contact the SSH port.

> > > Temporary connections to the internet for surfing and email should also be possible.
> > If it's connected to the internet, install a *tight* firewall.
>
> I guess SuSEfirewall2 can do this, but what about ssh and sftp and dial-in?

ssh and sftp/scp are implemented by the SSH daemon running on the server. All the firewall has to do is to allow the port connections through. This is simple to configure.

If you want really good security, you might consider a separate firewall machine, running a dedicated firewall distribution (e.g. IPCop). This could handle your dialout needs; you would then either need a second ISDN card for the server for dial-ins (where you would probably still want SuSEfirewall2 running), or you could run a more standard SuSE distribution on your firewall machine, suitably tied down.

HTH...
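Two of the points in this reply (log in as a normal user and su, rather than allowing root over ssh; let only known accounts in) are settings in sshd_config rather than in the firewall. As an added example, not code from David or from anyone else in the thread, here is a POSIX shell check that reads an sshd_config and reports PermitRootLogin, Protocol and AllowUsers settings that fall short of that advice. The two config files are constructed samples, the account names are placeholders, and the defaults assumed for missing keywords (PermitRootLogin yes, Protocol 2,1) are those of the OpenSSH 3.x releases of the period. Restricting which source IPs may reach port 22 stays a firewall job and is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config for the settings behind
# the advice above: no direct root login (log in as a user, then su), SSH protocol 2
# only, and an explicit AllowUsers list so only named maintenance accounts can log in.
# The two configs below are constructed samples; account names are placeholders.

WORK=$(mktemp -d)
WEAK_CONF=$WORK/sshd_config.weak
HARD_CONF=$WORK/sshd_config.hard

# constructed sample: permissive settings (a commented keyword falls back to its default)
cat > "$WEAK_CONF" <<'EOF'
Port 22
#Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF

# constructed sample: the same file after applying the advice in the thread
cat > "$HARD_CONF" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
AllowUsers maint01 maint02
EOF

# setting_value FILE KEYWORD -> prints the first value given for KEYWORD, as sshd does
# (keyword match is case-insensitive; commented lines never match because the '#' is
# part of the first field; only the first value of a multi-value keyword is printed)
setting_value() {
    awk -v key="$2" '
        !done && tolower($1) == tolower(key) { print $2; done = 1 }
    ' "$1"
}

# check_sshd_config FILE -> one finding per line; prints nothing when all is in order.
# Missing keywords are judged by the assumed OpenSSH 3.x defaults of the period:
# PermitRootLogin yes, Protocol 2,1.
check_sshd_config() {
    conf=$1
    v=$(setting_value "$conf" PermitRootLogin)
    [ "${v:-yes}" = "no" ] ||
        echo "PermitRootLogin=${v:-yes(default)}: set to 'no', log in as a user and su"
    v=$(setting_value "$conf" Protocol)
    [ "${v:-2,1}" = "2" ] ||
        echo "Protocol=${v:-2,1(default)}: allow protocol 2 only, SSH-1 is weak"
    v=$(setting_value "$conf" AllowUsers)
    [ -n "$v" ] ||
        echo "AllowUsers unset: list the maintenance accounts that may log in"
}

# count_findings FILE -> number of findings, convenient for cron or a pre-restart check
count_findings() {
    check_sshd_config "$1" | wc -l | tr -d ' '
}

# on a live host:  check_sshd_config /etc/ssh/sshd_config
```

Against the constructed weak file the check reports three findings; against the hardened one it reports none. Running it before every `rcsshd restart` catches a maintenance edit that quietly reopens root login.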
participants (4)
- David Smith
- Matthias Hentges
- Matthias Riese
- MichaelHoeller@t-online.de