LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-16-2005, 10:45 PM   #1
danimalz
Member
 
Registered: Jul 2005
Location: West Coast South, USA
Distribution: debian 3.1
Posts: 267

Rep: Reputation: 36
new windows virus


In light of yet another Windows virus, I am hoping some of you can shed some light on the level of security provided by my home-net configuration.

I have a Linux 2.4 (Debian) system running as an Internet gateway. I run a stateful firewall (iptables) which does NAT for other machines behind the 2nd NIC. Normally, *unless I temporarily 'open' a port*, the firewall basically drops all packets that do not match an 'established' connection. Everything is hardwired (no wireless) with static IPs, etc.

Is there any way that I can be vulnerable to worms, viruses, etc. on the home LAN?

Can I safely run Windows machines behind this firewall?

Is there any difference between my configuration and, say, a Windows machine serving the same firewall purpose, i.e. running a Windows machine with Internet Connection Sharing plus a firewall such as provided by Microsoft or perhaps Sygate or another 3rd party?

I am confused regarding all the claims that Linux is inherently more secure at the network layer.

Any advice appreciated!
danimal
 
Old 08-16-2005, 11:08 PM   #2
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Quote:
Is there any way that I can be vulnerable to worms, viruses, etc. on the home LAN?
Of course. If you get one in your email or download one off the net yourself (e.g. from a dodgy site), the firewall won't stop that.

Quote:
Can i safely run windows machines behind this firewall?
You can't run Windows safely anywhere.
But yes, you should be pretty safe.

Quote:
Is there any difference between my configuration and say, a windows machine serving the same firewall purpose - ie. running a windows machine with internet connection sharing, plus a firewall such as provided by microsoft or perhaps sygate or other 3rd party?
Not on the face of it, no.

Quote:
I am confused regarding all the claims that linux is inherently more secure at the network layer.
Linux generally has fewer remote vulnerabilities, fewer services run as a privileged user, there is more scope for locking down the machine with things like chroot and SELinux, Linux distros usually enable the firewall by default, Linux users don't run as root, Linux email clients don't execute attachments, etc. etc. However, your Windows box serving the same purpose may do the job just as well and be just as secure if you set it up carefully and properly.

There is nothing magically more secure about having a Linux box do a particular task instead of a Windows box; after all, security is a process, not a product. However, you'll find a lot of people (incl. me) feel that Linux is easier to secure and more reliably secure, and offers much more scope to enable you to lock it down.

Quote:
I have a Linux 2.4 (Debian) system running as an Internet gateway. I run a stateful firewall (iptables) which does NAT for other machines behind the 2nd NIC. Normally, *unless I temporarily 'open' a port*, the firewall basically drops all packets that do not match an 'established' connection. Everything is hardwired (no wireless) with static IPs, etc.
This sounds like an excellent setup, as long as you're keeping up with updates for that Debian box. Keep going with it.

Last edited by tkedwards; 08-16-2005 at 11:09 PM.
 
Old 08-16-2005, 11:24 PM   #3
danimalz
Member
 
Registered: Jul 2005
Location: West Coast South, USA
Distribution: debian 3.1
Posts: 267

Original Poster
Rep: Reputation: 36
more...

Thanks so much, tk...

Regarding updates, I run apt-update/upgrade often, and have the following line in my sources.list:

deb http://security.debian.org stable/updates main contrib non-free

Is that sufficient for keeping updated?


Lastly, I am interested in any package that might help to detect possible infections, trojans, etc., by logging suspicious LAN-side requests out to the Internet. I have learned that when surfing the net, many, many, many connections are 'established' over time, and I suppose if they are initiated from 192.168.etc.etc. then the firewall is not bothered. Is there any way to detect connection requests that are made (for example) by a rogue program, and log them?

..Or any other generic package that could be run to further harden the box?

Thx again!
 
Old 08-16-2005, 11:52 PM   #4
Gato Azul
Member
 
Registered: Sep 2003
Location: /dev/null
Distribution: CentOS, Ubuntu
Posts: 128

Rep: Reputation: 16
Quote:
..Or any other generic package that could be run to further harden the box?
Three great security tools that I personally use and recommend for increasing security on a Linux box are chkrootkit, Rootkit Hunter, and Bastille. The first two are excellent utilities to check for rootkits on Linux and Unix systems. Bastille is a wonderful little utility that aids in locking down a Linux or Unix system as well as providing some newly integrated vulnerability-assessment tools.

Two good system integrity tools are Tripwire and AIDE. You can do various things with both of those tools, but I've used them to monitor file changes on my server. My machine will email me if/when certain critical files are touched/moved/modified/etc.

If you're concerned about viruses, Clam AntiVirus is a great virus scanner. Although I'm not too concerned about contracting a virus on my Linux machine, I do use Clam to scan files/email that pass through my Linux server to Windows machines to ensure that I'm not part of the virus distribution chain. There are nice graphical front-ends to Clam such as KlamAV if you prefer the Qt/KDE look, or if you're comfortable with the command line, plain old ClamAV is great for that too. You can set up cron jobs to scan your machine, integrate it with other programs such as email daemons, etc.

Hope that helps!

Last edited by Gato Azul; 08-16-2005 at 11:54 PM.
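The "email me when a critical file is touched" setup above rests on one idea: hash every file you care about once, store the hashes somewhere the monitored box cannot silently rewrite, and compare later. This is an added example, not code from the thread or from AIDE or Tripwire; it reduces that baseline-and-compare model to sha256sum over a scratch directory so it can be tried without installing anything. The file names, contents and the simulated tampering (a changed sshd_config, a planted ld.so.preload, a deleted resolv.conf) are all constructed for the demo. Real tools also record owner, mode and mtime and keep the database read-only or off-box; this tracks content only.

```shell
#!/bin/sh
# Added example (not from the thread, not AIDE/Tripwire code): file-integrity
# checking as "baseline hashes, then diff". Content-only; file names with
# spaces or newlines are not handled, which is one reason to use AIDE instead.

# make_baseline DIR DBFILE: hash every regular file under DIR into DBFILE.
make_baseline() {
    dir=$1; db=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$db"
}

# check_integrity DIR DBFILE: compare DIR against the baseline. Prints one
# "ADDED|CHANGED|REMOVED path" line per difference; returns 0 only if none.
check_integrity() {
    dir=$1; db=$2
    tmp=$(mktemp)
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$tmp"
    # First file (the baseline) fills base[path]=hash; second file is compared
    # against it and matching entries are deleted so leftovers are REMOVED.
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base)) print "ADDED " $2
            else {
                if (base[$2] != $1) print "CHANGED " $2
                delete base[$2]
            }
        }
        END { for (f in base) print "REMOVED " f }
    ' "$db" "$tmp" | LC_ALL=C sort)
    rm -f "$tmp"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: build a scratch "etc", baseline it, tamper, and report. The database
# is written next to the scratch dir, not inside it, so it is not hashed.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"      # constructed
    printf 'PermitRootLogin no\n'            > "$work/etc/sshd_config" # constructed
    printf 'nameserver 192.0.2.1\n'          > "$work/etc/resolv.conf" # constructed
    make_baseline "$work" "$work.db"
    # Simulated tampering, the sort of thing a trojan or rootkit installer does
    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"
    printf '/lib/evil.so\n'        > "$work/etc/ld.so.preload"
    rm -f "$work/etc/resolv.conf"
    check_integrity "$work" "$work.db"
    status=$?
    rm -rf "$work" "$work.db"
    return $status
}

case "${1:-}" in
    demo) demo ;;   # usage: sh integrity.sh demo
esac
```

In a real deployment the equivalent of `make_baseline` runs once after a clean install and `check_integrity` runs from cron, with its non-zero exit status driving the mail notification; the baseline must be regenerated deliberately after every legitimate package upgrade, otherwise the alerts become noise and get ignored.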
 
Old 08-16-2005, 11:54 PM   #5
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Quote:
deb http://security.debian.org stable/updates main contrib non-free

Is that sufficient for keeping updated?
I don't know much about Debian, but that looks correct.

Quote:
Lastly, I am interested in any package that might help to detect possible infections, trojans, etc., by logging suspicious LAN-side requests out to the internet. I have learned that when surfing the net, many-many-many connections are 'established' over time and i suppose if they are initiated from 192.168.etc.etc. then the firewall is not bothered. Is there any way to detect connection requests that are made (for example) by a rogue program, and log them?
Programs like chkrootkit and rkhunter will look for rootkits (http://en.wikipedia.org/wiki/Rootkit); you can't do any harm by setting them to run every night.
AIDE is an example of a host-based intrusion detection system and Snort a network-based IDS. Network-based IDSes are designed to log any suspicious traffic. However, generally IDSes are a bit overkill for a home user; they can be complex and time consuming.
 
Old 08-17-2005, 12:05 AM   #6
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid/RPIOS
Posts: 4,886
Blog Entries: 28

Rep: Reputation: 533
The line you have for your sources.list is fine if you are running Sarge.

You might want to check out the Securing Debian Manual.

You could always run a mail server on your Debian box, and scan for viruses with ClamAV or F-Prot.
 
Old 08-17-2005, 12:53 AM   #7
mjrich
Senior Member
 
Registered: Dec 2001
Location: New Zealand
Distribution: Debian
Posts: 1,046

Rep: Reputation: 45
Also, the set of harden packages for Debian is quite useful (at the very least, they ensure that known vulnerable debs are not installed)...
Code:
# run as root; quote the pattern so the shell does not glob it before apt sees it
apt-get update
apt-get install 'harden*'
 
Old 08-17-2005, 11:38 AM   #8
danimalz
Member
 
Registered: Jul 2005
Location: West Coast South, USA
Distribution: debian 3.1
Posts: 267

Original Poster
Rep: Reputation: 36
Thanks

thx everyone..!
 
Old 08-20-2005, 01:04 PM   #9
bambeklis
Member
 
Registered: Aug 2005
Posts: 58

Rep: Reputation: 15
This is the best Linux forum!
 
  

