Is this a secure way to set up a home network (with network storage) ?
Hello. I have recently lost some important data to an IBM deathstar (deskstar) HDD failure. I didn't have the data backed up. I intend never to let this happen again so I have purchased some new equipment (new HDDs mobo etc) to build a fileserver which will serve files to my two PCs (one XP one Ubuntu).
In the near future, I will be moving house and I expect more people will be joining my LAN. I would like to provide them with read only access to my files but I wish, above all else, to close as many security holes as possible so that nothing bad happens to my data.
As I am unaware of all of the possible vectors that exist through which an attack can be mounted I will sketch out my likely set up below and ask that any kind readers can offer me some tips and advice on locking down this setup.
[HTML]
WAN
|
NAT ROUTER - - - - NETWORK HUB
| | | | |
UBU BOX F/S XP XP XP
[/HTML]
Please excuse the crappy diagram, I think it does the trick though. The router has four ethernet ports, which is why there is a hub attached, which the PCs of my prospective housemates (who unfortunately all run Windows) will be attached to.
Security features I am aware of and will implement:
- I understand that my router will provide a hardware firewall. Is it worth locking it down to the extent that it only allows certain MAC IDs to connect? Will this cause any problems with filesharing programs (which will likely be run from every machine)?
- My fileserver will be a headless unit, administered remotely from my PC, via ssh. I will disable root logins and passwords and use private key authentication.
- My fileserver will be running some pared-down flavour of linux. I intend to have a go at gentoo because apparently it's difficult to learn and is a good way to develop a deeper knowledge of linux. I believe that a good thing to do is to only allow the system services that are necessary, which are ssh and samba (because it's serving 'doze boxes too). Is this correct? Is it easily done? It sounds straightforward enough but most things in linux do until you actually get stuck in.
- All XP boxes will be firewalled with a 'deny all except explicitly allowed' policy. All will have virus protection and will use firefox.
As far as my fileserver is concerned, it will comprise five disks. One will contain the OS and will be about 8GB. Two will be 300GB and two 120GB. I will partition them with LVM and create four partitions across the four disks. Two partitions will be for music and be of identical size, two will be for visual media and be of identical size. I will set up rsync to mirror the drives every day via cron. Is this fit for purpose? I considered a RAID 5 but decided on this because it seemed straightforward and adequate.
What I worry about most is some cracker compromising a friend's XP box and wreaking havoc with my data; am I right to think this threat will be greatly reduced by complex passwords on root and user accounts (this sort of thing: P7r9E3s5Y7oW]#%) and by the cessation of unnecessary system services on the f/s?
So, is this a sensible way to backup and protect my data and network? Am I missing anything or making any stupid mistakes? Any advice will be very gratefully received and TIA for taking the time to read my post.
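The ssh and Samba settings planned in the post above (no root login, no password logins, key authentication, read-only shares) can be checked against the actual configuration files. This is an added example, not part of the original post: the function names, the assumed OpenSSH defaults and the sample file contents are constructed for illustration.

```python
import re

# What the poster planned for the file server's sshd (keyword: wanted value).
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",
          "pubkeyauthentication": "yes"}
# Values sshd uses when a keyword is absent (assumption: a recent OpenSSH).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}
TRUE = {"yes", "true", "1"}

def audit_sshd(text):
    """Return {keyword: effective value} for settings that miss the plan."""
    seen = {}
    for line in text.splitlines():
        parts = re.split(r"[\s=]+", line.split("#", 1)[0].strip(), maxsplit=1)
        key = parts[0].lower()
        if key == "match":            # conditional blocks are not evaluated here
            break
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip().lower())  # first value wins
    effective = {k: seen.get(k, DEFAULTS[k]) for k in WANTED}
    return {k: v for k, v in effective.items() if v != WANTED[k]}

def writable_shares(text):
    """Return sorted names of Samba shares that some client could write to."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = re.sub(r"\s+", "", key).lower()   # Samba ignores case/spaces
            if key in ("writeable", "writable", "writeok"):  # inverted synonyms
                key, value = "readonly", "no" if value.lower() in TRUE else "yes"
            current[key] = value
    glob = sections.pop("global", {})   # [global] values are share defaults
    merged = {n: {**glob, **p} for n, p in sections.items()}
    return sorted(n for n, p in merged.items()
                  if p.get("readonly", "yes").lower() not in TRUE or p.get("writelist"))

# Constructed sample files, not taken from the thread.
SSHD = "PermitRootLogin no\nPasswordAuthentication yes\nPasswordAuthentication no\n"
SMB = ("[global]\nworkgroup = HOME\n[music]\nread only = yes\n"
       "[video]\nwriteable = yes\n[photos]\nread only = yes\nwrite list = alice\n")
if __name__ == "__main__":
    print("sshd off plan:", audit_sshd(SSHD), "writable:", writable_shares(SMB))
```

The sample sshd file is flagged because sshd keeps the first value it reads for a keyword, so the later `PasswordAuthentication no` has no effect; the `photos` share is flagged because a `write list` grants write access even when `read only = yes`.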
It sounds paranoid, but, as my clients say: better to be paranoid than a loser.
1. Regarding MAC addresses. It's quite a good security measure and I haven't heard that it can cause problems with sharing (P2P, etc.) software. This security measure affects only your local net. My answer: yes, it is worth it (and even recommended) to lock it down.
2. Right, with some exceptions. First, to administer your server you still must use the root account (user su (super user)). First, you log in with your private key, then you must use su (I assume you've disabled root login), then you must provide a root password. Do it as long as possible, it will prevent breaking in. My server is attacked 200 - 300 times a day and it has never been broken. Enable blocking of portscans, it will help to keep your server secure.
3. Actually, there are more services than ssh and Samba needed for Linux to work, but if you mean net services, that's a good choice. Another thing is if you decide to run an internal web server (for example an internal photo database). Then you'll need at least Apache with php, Postgre or MySQL. In that case (assuming your router has two LAN cards), you may configure your Apache to listen only on the internal LAN card. That's quite secure, because all requests to Apache made on the external LAN card will be rejected.
4. WRONG! If you enable the XP firewall, expect more requests from your clients to reboot your server machine. As experience shows, the Windows firewall sometimes works in the wrong way, I mean it starts to block LAN traffic. Antivirus software on Windows machines is mandatory, but the firewall you should turn off.
More thoughts:
I was confused by file locking on Samba when Samba is working in workgroup mode. All is OK when you are running a domain controller, but in workgroup mode Samba does not always inform the client that a file is already locked by another user. It is rather XP's problem, not Samba's, but it exists. Please keep in mind that you can make a domain controller only if the client machines are running MS Windows XP Pro! It does not work with Home Ed.
That is for now.
If you still have questions to solve, feel free to contact me.
Thanks for your reply, it's most appreciated. There are a couple of points I would like clarification on, though.
Quote:
First, you log in with your private key, then you must use su (I assume you've disabled root login), then you must provide a root password. Do it as long as possible, it will prevent breaking in
I understand I need to su to root, I don't understand what I am to do for as long as possible.
Quote:
Enable blocking of portscans, it will help to keep your server secure.
How do I do this? If it's complicated I can always RTFM, I'm not trying to waste anybody's time, I just thought I'd ask.
Quote:
Another thing is if you decide to run an internal web server...you'll need at least Apache with php, Postgre or MySQL. In that case...you may configure your Apache to listen only on the internal LAN card. That's quite secure, because all requests to Apache made on the external LAN card will be rejected.
Sounds like a great idea, thanks for the tip : )
Quote:
I was confused by file locking on Samba when Samba is working in workgroup mode. All is OK when you are running a domain controller, but in workgroup mode Samba does not always inform the client that a file is already locked by another user. It is rather XP's problem, not Samba's, but it exists. Please keep in mind that you can make a domain controller only if the client machines are running MS Windows XP Pro! It does not work with Home Ed.
If I understood you correctly, you are saying that other (XP) users may have write permissions on files that I do not want them to have write permissions on. I don't know the difference between workgroup mode and domain controller mode, I'll read up on that, but am I correct in thinking that I need XP users to be running XP pro in order for my files to be safe?