LinuxQuestions.org
Old 10-06-2005, 10:39 AM   #1
Midnight Owl
LQ Newbie
 
Registered: Oct 2005
Posts: 2

Rep: Reputation: 0
Remote Linux Server: Best Security?


Background:

I've just installed a backup email server in a remote (unmanned) location and I'm now wondering about security. The system runs on Fedora Core 3 and is connected to the internet as follows:

ntl <--> router (with NAT) <--> linux box

Being a simple backup box, I have "port forwarded" port 25 on the router to the linux box. The server itself is running iptables in a very basic fashion.

My Questions:

1) Is it secure to simply port forward another port for remote admin i.e. ssh on port 22??

2) What is the benefit of stopping remote root access, when I could login as a standard user and then SU?

3) Do I need to worry about iptables in a serious way if I'm behind a NAT firewall? If so, could anyone recommend a good guide or set of rules to use?

Thanks!
 
Old 10-06-2005, 10:47 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
2) What is the benefit of stopping remote root access, when I could login as a standard user and then SU?
Trying to log in with root is the first thing a cracker will go for. If your account is, say, jo-jo, or some such, it is less transparent to them.

Quote:
3) Do I need to worry about iptables in a serious way if I'm behind a NAT firewall? If so, could anyone recommend a good guide or set of rules to use?
Yes. Best rule is: deny everything you do not absolutely need to have access. Here is the project page with a lot of good documentation: http://www.netfilter.org/
 
Old 10-10-2005, 11:19 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I'll add some pointers, but first

Quote:
I've just installed a backup email server in a remote (unmanned) location and I'm now wondering about security.
...isn't that the opposite of careful planning? :-]
If this is a backup in the sense of fall-back MX, then in essence all you have to do is mimic the requirements and setup of the first MX server. If you didn't configure that one yourself, IMHO you could save yourself troubles by familiarizing yourself with its setup, tasks, performance and problems. In any case please make sure you harden the box properly (regardless of it being NATted or not) and regularly audit the box running at least some file integrity checker like Aide or Samhain. Please check out the LQ FAQ: Security references for more info.


Quote:
1) Is it secure to simply port forward another port for remote admin i.e. ssh on port 22??
Yes, but in addition to what Anomie said (block root access to sshd) you should:
- use the firewall to narrow access down to "known good" networks administration tasks will be done from,
- use /etc/hosts.{deny,allow} to do the same (if OpenSSH is compiled with -libwrap which it usually is on Linux),
- use sshd_config (or PAM) to allow only (a few) non-privileged users to access ssh.
I would also like to suggest either running software to keep sshd up (like Monit) or adding a fall-back ssh entry to Xinetd (if you run that) if the server doesn't run.


Quote:
3) Do I need to worry about iptables in a serious way if I'm behind a NAT firewall? If so, could anyone recommend a good guide or set of rules to use?
Quote:
Yes. Best rule is: deny everything you do not absolutely need to have access.

I agree this is the best stance. In the LQ FAQ: Security references you'll find amongst others a lead to the Netguru's Iptables site. Also, if the LAN segment you're in is shared by other hosts having nothing to do with your setup, you may want to block access from them specifically (just my experience). If you want to show us what you want to set up, please do and we'll try to add to that.
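
The layered ssh restrictions listed in the reply above, written out as configuration (an added example, not part of the original posts). The admin network 192.0.2.0/24 and the account name adminuser are placeholders, and the iptables path is the Fedora/Red Hat location.

```conf
# --- /etc/sysconfig/iptables (iptables-save format) ---
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Mail from anywhere; ssh only from the admin network (placeholder range).
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
COMMIT

# --- /etc/hosts.allow (checked first; first match wins) ---
sshd: 192.0.2.0/255.255.255.0

# --- /etc/hosts.deny (applies when hosts.allow did not match) ---
sshd: ALL

# --- /etc/ssh/sshd_config ---
PermitRootLogin no
# Placeholder account name; only listed users may log in over ssh.
AllowUsers adminuser
```

The source-address match in the firewall rule only helps if the router's port forward passes the client's real address through to the box.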
 
Old 10-16-2005, 02:27 PM   #4
Midnight Owl
LQ Newbie
 
Registered: Oct 2005
Posts: 2

Original Poster
Rep: Reputation: 0
Hi,

Thanks anomie & unSpawn for your help / advice - I disallowed root ssh login and within a day or so (looking at my logwatch reports), some urchin tried his luck, but was denied pleasure...

Regarding the primary mail server, I configured it myself and it's located where I can access it on my local LAN - the advantage being I can (and have!) locked down almost all WAN access on it (obviously excluding mail ports), so I am somewhat less concerned about it.

I'm interested in using the firewall and hosts.allow/deny to lock down the server more - given that I will be accessing it from a home DSL line, with a (semi) dynamic IP address, what is my best way forward? Ultimately I do not wish to lock myself out because my IP address has changed.

I have set up automatically updating dyndns addresses for both locations, let's say mainsite.dyndns.org and backupsite.dyndns.org. Can I add mainsite.dyndns.org into the /etc/hosts.allow file at the backup site and deny all other access or would my access be denied through a reverse lookup of my actual IP address, which I imagine would be something like: customerx.ntlworld.com?

Thanks for all your help!
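
One way to keep a hosts.allow entry in step with a dynamic DNS name, as an added example that is not part of the original thread: a forward lookup of the name is written into the file as an address, so the entry does not depend on what a reverse lookup of the client returns. The marker comment, the return codes and the `resolve_host` helper are assumptions of this example, and /etc/hosts.deny is assumed to hold `sshd: ALL`.

```shell
#!/bin/sh
# Added example: keep one sshd entry in hosts.allow pointing at the current
# address of a dynamic DNS name. ADMIN_HOST, ALLOW_FILE and the marker
# comment are assumptions; /etc/hosts.deny is assumed to hold "sshd: ALL".
ADMIN_HOST="${ADMIN_HOST:-mainsite.dyndns.org}"
ALLOW_FILE="${ALLOW_FILE:-/etc/hosts.allow}"

# Forward lookup only; prints the first IPv4 address or nothing.
resolve_host() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Succeeds only for a dotted quad with every octet in 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Returns 0 = entry rewritten, 1 = already current, 2 = lookup failed.
# On failure the file is left untouched, so a DNS outage cannot remove
# the last known-good address and lock the administrator out.
update_allow() {
    marker="# managed entry for $ADMIN_HOST"
    ip=$(resolve_host "$ADMIN_HOST") || return 2
    valid_ipv4 "$ip" || return 2
    # The managed entry is the line directly after the marker comment.
    current=$(awk -v m="$marker" 'prev == m { print; exit } { prev = $0 }' \
        "$ALLOW_FILE" 2>/dev/null)
    [ "$current" = "sshd: $ip" ] && return 1
    # Build the new file beside the old one so the final rename is atomic.
    tmp=$(mktemp "$ALLOW_FILE.XXXXXX") || return 2
    {
        awk -v m="$marker" '$0 == m { skip = 1; next }
            skip { skip = 0; next } { print }' "$ALLOW_FILE" 2>/dev/null
        printf '%s\n%s\n' "$marker" "sshd: $ip"
    } > "$tmp"
    chmod 644 "$tmp" && mv "$tmp" "$ALLOW_FILE"
}
```

Call `update_allow` from cron on the backup server; a return status of 2 means the lookup failed and the previous entry is still in place.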
 
Old 10-18-2005, 09:15 AM   #5
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
Make sure you utilize a kernel memory protection patch (against stack and heap overflows). I recommend / use grsecurity
 
  

