LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-22-2006, 06:43 AM   #1
phildacey
LQ Newbie
 
Registered: Nov 2005
Posts: 11

Rep: Reputation: 0
Is this a secure way to set up a home network (with network storage) ?


Hello. I have recently lost some important data to an IBM deathstar (deskstar) HDD failure. I didn't have the data backed up. I intend never to let this happen again so I have purchased some new equipment (new HDDs mobo etc) to build a fileserver which will serve files to my two PC's (one XP one Ubuntu).

In the near future, I will be moving house and I expect more people will be joining my LAN. I would like to provide them with read only access to my files but I wish, above all else, to close as many security holes as possible so that nothing bad happens to my data.

As I am unaware of all of the possible vectors that exist through which an attack can be mounted I will sketch out my likely set up below and ask that any kind readers can offer me some tips and advice on locking down this setup.

[HTML]
WAN
|
NAT ROUTER - - - - NETWORK HUB
| | | | |
UBU BOX F/S XP XP XP
[/HTML]

Please excuse the crappy diagram, I think it does the trick though. The router has four ethernet ports, which is why there there is a hub attached, which the PCs of my prospective housemates (who unfortunately all run windows) will be attached to.

Security features I am aware of and will implement:

- I understand that my router will provide a hardware firewall. Is it worth locking it down to the extent that it only allows certain MAC IDs to connect? Will this cause any problems with filesharing programs (which will likely be run from every machine)?

- My fileserver will be a headless unit, administered remotely from my PC, via ssh. I will disable root logins and passwords and use private key authentication.

- My fileserver will be running some pared-down flavour of linux. I intend to have a go at gentoo because apparently its difficult to learn and is a good way to develop a deeper knowledge of linux. I believe that a good thing to do is to only allow the system services that are necessary, which are shh and samba (because its serving 'doze boxes too). Is this correct? Is it easily done? It sounds straightforward enough but most things in linux do until you actually get stuck in.

- All XP boxes will be firewalled with a 'deny all except explicitly allowed' policy. All will have virus protection and will use firefox.


As far as my fileserver is concerned, it will comprise five disks. One will contain the OS and will be about 8GB. Two will be 300GB and two 120GB. I will partition them with LVM and create four partitions across the four disks. Two partitions will be for music and be of identical size, two will be for visual media and be of identical size. I will set up rsynch to mirror the drives every day via cron. Is this fit for purpose? I considered a RAID 5 but decided on this because it seemed straightforward and adequate.

What I worry about most is some cracker compromising a friends XP box and wreaking havoc with my data; am I right to think this threat will be greatly reduced by complex passwords on root and user accounts (this sort of thing: P7r9E3s5Y7oW]#%) and by the cessation of unecessary system services on the f/s?

So, is this a sensible way to backup and protect my data and network? Am I missing anything or making any stupid mistakes? Any advice will be very gratefully recieved and TIA for taking the time to read my post.

Cheers, Phil.
 
Old 08-23-2006, 03:45 PM   #2
gintaras46
LQ Newbie
 
Registered: Dec 2005
Posts: 7

Rep: Reputation: 0
Just my toughts, as I have experience with this.

Sound paranoic, but, as my clients says: better be paranoic than loser.

1. regarding MAC addresses. It's quite good security measure and I didn't heard that it can cause some problems with sharing (P2P, etc.) software. This security measure is affecting only your local net. My answer: yes, it is worth (and even recommended) to lock it down.

2. Right, with some exceptions. First, to administer your server you still must to use root account (user su (super user)). First, you logging in with your private key, then you must to use su (I assume, you've disabled root login), then you must to provide a root password. Do it as long as possible, it will prevent braking in. My server is atacked 200 - 300 times a day and it was never been broken. Enable blocking of portscans, it will help to keep your server secure.

3. Actualy, there are more services than ssh and Samba needed for Linux to work, but if you mean net services, thats a good choice. Another thing if you'll decide to run internal web server (for example internal photo database). Then you'll need at least Apache with php, Postgre or MySQL. In that case (assuming your router has two LAN cards, you may configure your Apache to listen only on a internal LAN card. Thats quite secure, because all requests to Apache made on a external LAN card will be rejected.

4. WRONG! If you will enable XP firewall, expect more requests from your clients to reboot your server machine. As experience shows, Windows firewall sometimes is working in wrong way, I mean it starts to block LAN traffic. Antivirus software on Windows machines is a mandatory, but firewall you should turn off.

More toughts:

I was confused with file locking on Samba, when Samba is working in workgroup mode. There is all ok when you are doing domain controller, but in workgroup mode Samba not always has informing the client, that this file is already locked by another user. It rather XP problems, not Samba's, but they exists. Please keep in mind, that domain controller you can make only if the client machines are running MS Windows XP Pro! It not works with Home Ed.

That is for now.

If you still have questions to solve, feel free to contact me.
 
Old 08-24-2006, 04:25 AM   #3
phildacey
LQ Newbie
 
Registered: Nov 2005
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks for your reply, it's most appreciated. There are a couple of points I would like clarification on, though.


Quote:
First, you logging in with your private key, then you must to use su (I assume, you've disabled root login), then you must to provide a root password. Do it as long as possible, it will prevent braking in
I understand I need to su to root, I don't understand what I am to do for as long as possible.


Quote:
Enable blocking of portscans, it will help to keep your server secure.
How do I do this? If it's complicated I can always RTFM, I'm not trying to waste anybody's time, I just thought I'd ask.


Quote:
Another thing if you'll decide to run internal web server...you'll need at least Apache with php, Postgre or MySQL. In that case...you may configure your Apache to listen only on a internal LAN card. Thats quite secure, because all requests to Apache made on a external LAN card will be rejected.
Sounds like a great idea, thanks for the tip : )


Quote:
I was confused with file locking on Samba, when Samba is working in workgroup mode. There is all ok when you are doing domain controller, but in workgroup mode Samba not always has informing the client, that this file is already locked by another user. It rather XP problems, not Samba's, but they exists. Please keep in mind, that domain controller you can make only if the client machines are running MS Windows XP Pro! It not works with Home Ed.
If I understood you correctly, you are saying that other (XP) users may have write permissions on files that I do not want them to have write permissions on. I don't know the difference between workgroup mode and domain controller mode, I'll read up on that, but I am correct in thinking that I need XP users to be running XP pro in order for my files to be safe?

Thanks again for your response.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Suggestions to secure a home business network Gnarg Linux - Security 6 06-21-2006 07:33 AM
Secure Home Network blacky_5251 Linux - Security 4 10-20-2005 08:45 PM
HowTo set up a home network purefan Linux - Networking 3 04-08-2005 11:39 AM
ok, how do i set up home network? grrr Niflheim Linux - Networking 6 04-01-2005 01:05 PM
Want to set up a home network Kaiyon Alatar Linux - Networking 4 09-22-2004 07:53 PM


All times are GMT -5. The time now is 12:08 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration