request for opinions: SuSE 9 secure as a web server?
Hi folks,

I'm planning to serve web pages from my personal box (family pictures and the like), running SuSE 9 stock with all patches. The machine will be handed all port 80 (or whatever port I decide to use) requests from my linksys router/firewall, therefore being completely exposed on that port. I'll also be letting ssh through.

So my question is: how dangerous is this? How secure is a SuSE 9 box (with no tweaks or anything, just configured everything with yast)? I'm asking your opinion as to whether SuSE is considered reasonably safe for what I have in mind or if I should look for other options. And perhaps if there are simple steps I can take to increase my chances of not being cracked.

Just some more info: in my internal network I'm running NFS, so I can't use the suse firewall (since it blocks that service). I'm also running rsync.

Cheers,
Adalberto
Hi Adalberto!
I'm planning to serve web pages from my personal box (family pictures and the like), running SuSE 9 stock with all patches. The machine will be handed all port 80 (or whatever port I decide to use) requests from my linksys router/ firewall, therefore being completely exposed on that port. I'll also be letting ssh through.
Just some more info: in my internal network I'm running NFS, so I can't use the suse firewall (since it blocks that service). I'm also running rsync.
--> As others have pointed out already, you should definitely run SuSEfirewall2 on your SuSE 9.0 server. Have a look into /etc/sysconfig/SuSEfirewall2 (I don't know the YaST interface for SuSEfirewall2, so I'll tell you what to put in the config file) and put

FW_SERVICES_EXT_TCP="www ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""

to allow port 80 (www) and SSH from external to your box, and

FW_TRUSTED_NETS="your.internal.net/netmask"

to open your computer for the internal net. Of course you can restrict this to certain ports/port ranges to restrict access from internal a bit. Don't forget to restart the firewall with

rcSuSEfirewall2 restart

HTH,
Armin

--
Am Hasenberg 26                 office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                     Schloss-Straße 6
Tel. ++49-(0)38203/42137                D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de             Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/             Fax. +49-(0)38293-68-50
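A small audit script, added here as an example and not part of Armin's mail or of SuSEfirewall2 itself, that reads a sysconfig-style file and reports what the FW_SERVICES_EXT_* settings expose to the outside. It uses only the variable names Armin quotes above; the two sample config files are constructed inline (the "bad" one exposes NFS externally and leaves FW_TRUSTED_NETS empty, which is exactly the situation that made NFS stop working behind the stock firewall). Run it against /etc/sysconfig/SuSEfirewall2 instead of the samples to check a real box before `rcSuSEfirewall2 restart`.

```shell
#!/bin/sh
# Added example: audit external exposure in a SuSEfirewall2-style sysconfig file.
# Assumptions: KEY="value" lines, one setting per line; the allow-list of
# "www ssh" mirrors what Armin recommends for Adalberto's box.

# Print the unquoted value of KEY ($2) from file ($1); empty if absent.
# Last definition wins, as it would when the file is sourced by the shell.
fw_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | sed 's/^"//; s/"$//'
}

# Print every service listed under key ($2) in file ($1) that is NOT in the
# space-separated allow list ($3). Empty output means nothing unexpected.
fw_unexpected_services() {
    unexp=""
    for svc in $(fw_get "$1" "$2"); do
        case " $3 " in
            *" $svc "*) ;;                   # expected exposure, fine
            *) unexp="$unexp $svc" ;;        # anything else is a finding
        esac
    done
    printf '%s\n' "${unexp# }"
}

# Audit one file: only www and ssh may be open on TCP from the external side,
# nothing on UDP or raw IP, and the internal net must be declared trusted so
# NFS/rsync keep working. Returns 0 when clean, 1 when there are findings.
fw_audit() {
    file=$1; rc=0
    extra=$(fw_unexpected_services "$file" FW_SERVICES_EXT_TCP "www ssh")
    [ -z "$extra" ] || { echo "FINDING: FW_SERVICES_EXT_TCP also exposes: $extra"; rc=1; }
    for key in FW_SERVICES_EXT_UDP FW_SERVICES_EXT_IP; do
        extra=$(fw_unexpected_services "$file" "$key" "")
        [ -z "$extra" ] || { echo "FINDING: $key exposes: $extra"; rc=1; }
    done
    [ -n "$(fw_get "$file" FW_TRUSTED_NETS)" ] || {
        echo "FINDING: FW_TRUSTED_NETS is empty; internal NFS and rsync will be blocked"; rc=1; }
    return $rc
}

# Constructed sample 1: the configuration Armin suggests (192.168.1.0/24 is a
# placeholder for "your.internal.net/netmask").
GOOD_CFG=$(mktemp) && cat >"$GOOD_CFG" <<'EOF'
## constructed sample, not a real /etc/sysconfig/SuSEfirewall2
FW_SERVICES_EXT_TCP="www ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_TRUSTED_NETS="192.168.1.0/24"
EOF

# Constructed sample 2: NFS opened to the world instead of to the trusted net.
BAD_CFG=$(mktemp) && cat >"$BAD_CFG" <<'EOF'
## constructed sample with mistakes
FW_SERVICES_EXT_TCP="www ssh nfs"
FW_SERVICES_EXT_UDP="nfs"
FW_SERVICES_EXT_IP=""
FW_TRUSTED_NETS=""
EOF

for f in "$GOOD_CFG" "$BAD_CFG"; do
    echo "== $f"
    if fw_audit "$f"; then
        echo "OK: external exposure is www and ssh only"
    fi
done
```

To audit the live file, replace the loop with `fw_audit /etc/sysconfig/SuSEfirewall2`; a non-zero exit status means something beyond www and ssh is reachable from the Linksys side, or the internal net has not been declared trusted.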
First of all, thanks to all that replied to my original e-mail. I feel I have a better insight now on what to do:

Linksys firewall is the main line of defense: only let http and ssh through, and only to one machine in the internal network. All other machines are not accessible from outside the firewall. Just for extra safety, turn off all unused services (they were off anyway).

I don't like the idea of using a non-SuSE kernel, or external security software, since I'm very particular about keeping the system stock.

Now I have another related question: what should I use, apache or apache 2? The web pages I'll be serving will be just html (and perhaps some php). Traffic is not a consideration, there will be very little (bandwidth restrictions).

Thanks in advance,
Adalberto

On Saturday 20 December 2003 11:07, Adalberto Castelo wrote:
Hi folks,
I'm planning to serve web pages from my personal box (family pictures and the like), running SuSE 9 stock with all patches. The machine will be handed all port 80 (or whatever port I decide to use) requests from my linksys router/ firewall, therefore being completely exposed on that port. I'll also be letting ssh through.
So my question is: how dangerous is this? How secure is a SuSE 9 box (with no tweaks or anything, just configured everything with yast)? I'm asking your opinion as to whether SuSE is considered reasonably safe for what I have in mind or if I should look for other options. And perhaps if there are simple steps I can take to increase my chances of not being cracked.
Just some more info: in my internal network I'm running NFS, so I can't use the suse firewall (since it blocks that service). I'm also running rsync.
Cheers,
Adalberto
On Sunday 21 December 2003 06:41, Adalberto Castelo wrote:
Linksys firewall is the main line of defense: only let http and ssh through, and only to one machine in the internal network. All other machines are not accessible from outside the firewall. Just for extra safety, turn off all unused services (they were off anyway).
I don't like the idea of using a non-SuSE kernel, or external security software, since I'm very particular about keeping the system stock.
How does the last paragraph square with the first? If you don't like the idea of non-SuSE or external security, why trust Linksys? Who audits their code? What can you do with Linksys that you cannot do with a minimal SuSE box with two NICs and SuSE firewall or shorewall (either of which ONLY set up iptables for you) on a stock SuSE kernel?

--
John Andersen
On Sunday 21 December 2003 18:28, John Andersen wrote:
On Sunday 21 December 2003 06:41, Adalberto Castelo wrote:
Linksys firewall is the main line of defense: only let http and ssh through, and only to one machine in the internal network. All other machines are not accessible from outside the firewall. Just for extra safety, turn off all unused services (they were off anyway).
I don't like the idea of using a non-SuSE kernel, or external security software, since I'm very particular about keeping the system stock.
How does the last paragraph square with the first?
The first paragraph is a summary of how things are going to work out on my side. The second refers to Littke's suggestion of using a grsecurity kernel.
If you don't like the idea of non-SuSE or external security, why trust Linksys?
You misunderstood. I meant it in my personal workstation. I run SuSE, and only SuSE, in it. If something doesn't work properly in it, there are less variables to deal with.
Who audits their code?
What can you do with Linksys that you cannot do with a minimal SuSE box with two NICs and SuSE firewall or shorewall (either of which ONLY set up iptables for you) on a stock SuSE kernel?
OT, but the answer is "probably nothing". I just figure a US $50 linksys router will be cheaper/require less effort than anything else I can think of. But a minimal Linux or BSD box would probably be a more complete solution.

Cheers,
Adalberto
On Sun, Dec 21, 2003 at 02:28:49PM -0900, John Andersen wrote:
If you don't like the idea of non-SuSE or external security, why trust Linksys?
Who audits their code?
What can you do with Linksys that you cannot do with a minimal SuSE box with
What do you think linksys runs inside? Many of them do run embedded Linux, so what's the advantage of assembling a big box to run a firewall instead of using linksys?

Regards,
-Kastus
What do you think linksys runs inside? Many of them do run embedded Linux, so what's the advantage of assembling a big box to run a firewall instead of using linksys?
The advantage is that you know what is running. You also get decent logging. A friend of mine recently bought a linksys or netgear, rumoured to run Linux, took it out of the box, ran nmap against it once, it crashed, he packed the crap straight back into the box. Mini-ITX stuff isn't that big, and also has the advantage of enough grunt for squid etc.

Volker

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
On Sunday 21 December 2003 20:21, Kastus wrote:
What do you think linksys runs inside? Many of them do run embedded Linux, so what's the advantage of assembling a big box to run a firewall instead of using linksys?
Well, most folks who have a network to protect have older boxes around that would serve perfectly well for a firewall. Any old Pentium can do the job and pass all the packets you can muster. Further, you can configure your box the way you want it, and it will be faster than the linksys, in almost all cases. Those are really wimpy processors in those boxes.

Further, you can patch your suse firewall box with the latest security fixes. Who knows when linksys will get around to patching theirs, and in the process of flashing a new update onto a linksys box more than a few have been rendered useless. The linux they run is often still 2.2 based, and fairly old, although that alone does not render them insecure.

The most significant thing they have going for them is price. Very cheap, and almost foolproof to set up. These are reasons enough to use them in many cases, especially home users, but guys with big networks (or even small networks) I would expect to set up one of their own.

--
John Andersen
participants (5)
- Adalberto Castelo
- Armin Schoech
- John Andersen
- Kastus
- Volker Kuhlmann