LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

07-18-2005, 06:17 PM   #1
metallica1973
root login


At home I use a Linux firewall/proxy/router. I have everything running smoothly. I have read a lot of articles about security that say never to leave your machines logged in as root, and instead to log in with a weaker account and use sudo to configure anything on your server. I understand that, but I set up squid, iptables, etc. under the root account, so when I log in as another account certain things do not work. My questions are as follows:

1 - Should I have done all of my configuration under another account with less privilege than root and just used sudo to configure Squid, iptables, etc.?

2 - Even though I set everything up under root, when I log in under a weaker account why is it that only some things work and others, like IP forwarding, don't?

3 - Can somebody give me a list of security items that I should address for my firewall/router/proxy at home and for any future server I build?

 
07-19-2005, 12:06 PM   #2
Capt_Caveman
Re: root login

Quote:
1 - Should I have done all of my configuration under another account with less privilege than root and just used sudo to configure Squid, iptables, etc.?
Most of the configs are meant to be modified, read or executed only by root, on purpose. For example, having normal users able to read or modify your firewall rules or web server config would be a security risk. If you are the only user on the system, that may not seem to be a concern, but giving open access to system files would still weaken overall system security and could make a minor compromise worse. There are a number of ways to have commands executed with root privileges with little or no user interaction. You can have various applications started and scripts executed at startup using your init scripts, or at regular intervals as a cron job. You can also make things SUID root, but I would recommend using that only as a last resort, as SUID files can be abused. Maybe if you list specific examples of what you're trying to do, we can come up with a viable solution.

Quote:
2 - Even though I set everything up under root, when I log in under a weaker account why is it that only some things work and others, like IP forwarding, don't?
Some commands need to access configs that require root read privileges, or simply are things only root can do (like enabling kernel-level packet forwarding). Again, maybe give a specific example of what you are trying to do.


Quote:
3 - Can somebody give me a list of security items that I should address for my firewall/router/proxy at home and for any future server I build?
What kind of server are you planning on running? Is it going to be local access only, or are you going to make it accessible over the internet?
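Capt_Caveman's reply above rests on two checks a practitioner would actually run on a gateway like this: which files are SUID/SGID (the "last resort" he warns can be abused), and which config files can be read or changed by anyone other than root. The script below is an added example, not code from the thread or from any poster; the allowlist contents and the directories it is pointed at are assumptions to adapt to your own system.

```shell
#!/bin/sh
# Added example, not from the thread: audit a filesystem tree for setuid/setgid
# files that are not on an allowlist, and for config files that users other
# than root can read or change. The allowlist contents and the directories
# you point it at are assumptions; adjust them to your own system.

# find_suid ROOT: every regular file under ROOT (same filesystem only) with
# the setuid or setgid bit set, one full path per line, sorted.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_suid ROOT ALLOWLIST: setuid/setgid files whose full path is not
# listed (one per line) in ALLOWLIST. An empty result is the goal; anything
# printed is either a new allowlist entry or a candidate for "chmod u-s".
unexpected_suid() {
    find_suid "$1" | grep -vxF -f "$2"
}

# loose_config_perms DIR: files under DIR that "others" can read or write, or
# that the group can write. Firewall scripts, squid.conf and RADIUS shared
# secrets should normally be mode 0600 or 0640 and owned by root.
loose_config_perms() {
    find "$1" -xdev -type f \( -perm -004 -o -perm -002 -o -perm -020 \) -print 2>/dev/null | sort
}

# Typical use on the gateway (as root, so find can read everything):
#   find_suid / > /root/suid.baseline          # take a baseline once
#   unexpected_suid / /root/suid.baseline     # later: anything new?
#   loose_config_perms /etc/squid; loose_config_perms /etc/raddb
```

Take the SUID baseline right after installation, before the box is exposed; a setuid binary that appears later and is not explained by a package update is exactly the "minor compromise made worse" the reply describes.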
 
07-19-2005, 04:39 PM   #3
metallica1973
Here is my current setup:

dsl modem
'''
''''
Suse linux Router/Firewall (only a root account)
'''
'''
Dlink 624 wireless router/switch
''
''
2 Wireless PC's (windows 2000)


The Linux box is always logged in as root and I just lock the console. I allow SSH through port 22 for admin purposes.

this is what I want:

dsl modem
'''
''''
Suse linux Router/Firewall/RADIUS
'''
'''
Dlink 624 wireless router/switch
''
''
2 Wireless PC's (windows 2000)

I am just trying to secure my home network in the best possible way. I want my Windows 2000 workstations using RADIUS on my Linux box. So since that is the case, I need to create extra accounts for my two Windows machines on my Linux box, correct? Can you please suggest the best security approach for my home network. Is all of this feasible?

P.S. Captain_Cave, I just wanted to say thanks for every reply that you have given me in the past. You have been a great help. How do I delete previous accounts that I have opened up on this forum?
 
07-19-2005, 05:59 PM   #4
tkedwards
Quote:
should I have done all of my configurations under another account with less privileges other than root and just have used sudo to configure SQUID,IPTABLES and etc?
Generally when administering the system you would login under your own account and use either the su or (preferably) the sudo command to change system config files, which should only be editable by root (the default).

To setup sudo for your user account:
Code:
su
visudo
    # User privilege specification
    root    ALL=(ALL) ALL
    username ALL=(ALL) ALL
Then to say edit the squid config:
Code:
sudo vi /etc/squid/squid.conf
Quote:
Even though I setup everything under root and I login under a weaker account why is that only somethings work and others don't like IP forwarding?
All of that stuff should be controlled with the start/stop scripts in /etc/init.d. So for example to enable squid you would do:
Code:
sudo /sbin/chkconfig squid on #make squid start at boot automatically
sudo /sbin/service squid start #start squid now
So you should be able to reboot the machine and those essential services will startup automatically at boot and will not require you to login as root (or use sudo) to start them.


Quote:
Can somebody give me a list of security item that I should address for my firewall/router/proxy at home and for any future server I will build?
Make sure you have set up the following and it's working well:
firewall blocking incoming connections from the net
automatic fetching of updates for your distro (e.g. apt-get update for Debian-based, urpmi --update --auto-select for Mandrake, yum update for Fedora, etc.)
Install logwatch and check through its emails every day to see if anything suspicious turns up in the logs
Install chkrootkit and check its email to you every day to try and catch rootkit installations
Optional (can get quite complex and may be going overboard for a home network):
maybe configure an intrusion detection system of some kind, e.g. AIDE. If you're using Mandriva, msec serves as a rudimentary IDS
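The visudo entry in tkedwards' reply above gives the account unrestricted root: "sudo -i", or a shell escape from "sudo vi", yields a root shell. The following is an added example, not from the thread or from the sudo project, showing a narrower grant for the two tasks the thread actually names (squid and iptables), together with a small lint that flags unrestricted or passwordless grants. The account name "username", the command paths and the use of a sudoers.d fragment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: replace "username ALL=(ALL) ALL" with a
# grant limited to the squid and iptables tasks discussed, and lint a sudoers
# file for unrestricted or passwordless grants. The account name "username",
# the command paths and the sudoers.d location are assumptions.

# write_restricted_sudoers OUT: write a least-privilege fragment to OUT
# (on a live system: a file under /etc/sudoers.d/, or paste it in via visudo).
write_restricted_sudoers() {
    cat > "$1" <<'EOF'
Cmnd_Alias SQUID_ADMIN = /sbin/service squid *, /sbin/chkconfig squid *
Cmnd_Alias FW_ADMIN    = /sbin/iptables, /sbin/iptables-save, /sbin/iptables-restore
# sudoedit edits a temporary copy with your editor running unprivileged, so an
# editor shell escape does not become a root shell the way "sudo vi" does.
username ALL = SQUID_ADMIN, FW_ADMIN, sudoedit /etc/squid/squid.conf
EOF
}

# lint_sudoers FILE: warn about lines giving any principal other than root an
# unrestricted "ALL=(ALL) ALL" grant, and about NOPASSWD grants.
# Prints one line per finding; exit status 1 if anything was found.
lint_sudoers() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                     # comments, blank lines
        /^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        $1 != "root" && /ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*ALL[[:space:]]*$/ {
            printf "%s:%d: %s gets unrestricted root: %s\n", FILENAME, FNR, $1, $0; bad++
        }
        /NOPASSWD:/ { printf "%s:%d: passwordless grant: %s\n", FILENAME, FNR, $0; bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# check_sudoers_syntax FILE: parse-check with visudo when it is installed.
# A syntax error in sudoers locks everyone out of sudo, so never edit it
# without this step (visudo does it for you when you edit through it).
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not installed; skipping syntax check of $1" >&2
    fi
}
```

The wildcard in "/sbin/service squid *" still lets the user pass any arguments to that one script, which is acceptable here because the script only starts and stops squid; avoid wildcards on commands that can open files or spawn shells.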
 
07-19-2005, 08:31 PM   #5
metallica1973
1 - What about Snort for IDS?

2 - How should I best protect SSH, and how would I change the port number from 22 to another? I do not use inetd.
 
07-19-2005, 09:19 PM   #6
Capt_Caveman
Quote:
The Linux box is always logged in as root and I just lock the console. I allow SSH through port 22 for admin purposes.
Why do you need to be physically logged into the console as root at all times?

Quote:
So since that is the case, I need to create extra accounts for my two Windows machines on my Linux box, correct?
I'm not really that familiar with RADIUS, but my understanding is that it can use several authentication mechanisms, like an SQL database for example, and is not limited to only using standard Linux accounts. Not using actual accounts would probably be more secure if a login were somehow compromised, but it would likely be a bit more work to get RADIUSd working with an alternative authentication scheme. So it's really up to you: how much work you want to put into it vs. how much added security that would give you.

Quote:
Can you please suggest the best security approach for my home network. Is all of this feasible?
Sure it's feasible. It may just take some work to get everything playing nicely. In fact I plan on setting something similar up in the future. My only advice in terms of your firewall would be the following: in most cases internal wireless links need to be treated with caution. Usually this means treating the entire wireless portion of your network as an untrusted DMZ. Virtually all of the current authentication protocols are crackable in realistic timeframes (it doesn't take weeks of sniffing packets like it used to in order to crack WEP). Even the more "secure" protocols like WPA are not that great. However, all that means is that you need to treat it with some caution. For example, make your iptables rules on the gateway/RADIUS firewall more restrictive on the internal network and don't just give it total access. Having an internal network IDS is a good idea as well. On my own wireless link, I have a snort sensor sitting directly upstream of my wireless AP and my wireless clients are firewalled as if they were exposed to the internet.

Quote:
Captain_Cave, I just wanted to say thanks for every reply that you have given me in the past. You have been a great help.
Glad to help

Quote:
How do I delete previous accounts that I have opened up on this forum?
We don't normally delete accounts except under very extreme circumstances (like profanity or racist usernames) or unless they have 0 posts and haven't logged in for several years.
 
07-19-2005, 09:30 PM   #7
Capt_Caveman
Quote:
1 - What about Snort for IDS?
Great tool. Does require some initial tweaking in order to eliminate false positives, otherwise you'll start accumulating very large alert logs in a short time. See my post above on implementing it inside the LAN as well.

Quote:
2 - How should I best protect SSH, and how would I change the port number from 22 to another? I do not use inetd.
Disallow root logins (ssh in as a normal user and then use "su -" to become root). Also make sure that you have reasonably secure passwords, or think about using key-based authentication. There's also a number of good tips in the thread on "Failed SSH Logins", like lowering the number of failed logins and simultaneous login sessions. To change the default port sshd listens on, modify the "Port" directive in the sshd_config file (usually /etc/ssh/sshd_config).
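The SSH advice in Capt_Caveman's reply above (no root logins, fewer allowed failures, keys rather than passwords, a non-default Port) in the form of a check you can run against a real sshd_config. This is an added example, not from the thread or from OpenSSH; the thresholds it applies (MaxAuthTries no higher than 3, MaxStartups set explicitly) are this example's choices, not OpenSSH defaults.

```shell
#!/bin/sh
# Added example, not from the thread: check an sshd_config for the weak
# settings discussed above. The thresholds are this example's choices, not
# OpenSSH defaults.

# audit_sshd_config FILE: print one line per weak or missing setting.
# Exit status is the number of findings (0 means every check passed).
# Like sshd, the first value seen for a keyword wins. Lines after a "Match"
# block begins are conditional, so the scan stops there.
audit_sshd_config() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        { k = tolower($1); if (!(k in v)) v[k] = $2 }
        END {
            n = 0
            if (!("permitrootlogin" in v) || v["permitrootlogin"] != "no") {
                print "PermitRootLogin is not \"no\" (ssh in as a user, then su -)"; n++
            }
            if (("protocol" in v) && v["protocol"] ~ /1/) {
                print "Protocol 1 is enabled: " v["protocol"]; n++
            }
            if (!("passwordauthentication" in v) || v["passwordauthentication"] != "no") {
                print "PasswordAuthentication is on; prefer PubkeyAuthentication"; n++
            }
            if (!("maxauthtries" in v) || v["maxauthtries"] + 0 > 3) {
                print "MaxAuthTries is unset or above 3"; n++
            }
            if (!("maxstartups" in v)) {
                print "MaxStartups is unset (limit concurrent unauthenticated sessions)"; n++
            }
            if (!("port" in v) || v["port"] == "22") {
                print "sshd listens on the default Port 22"; n++
            }
            exit n
        }
    ' "$1"
}

# Typical use: audit_sshd_config /etc/ssh/sshd_config
```

Before restarting sshd with an edited file, validate it with "sshd -t -f /etc/ssh/sshd_config", and if you move the Port, add the new port to your iptables INPUT rules first and keep the existing session open until you have confirmed a fresh login works; otherwise the change locks you out of your own gateway.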
 
07-20-2005, 11:04 AM   #8
metallica1973
Quote:
In most cases internal wireless links need to be treated with caution. Usually this means treating the entire wireless portion of your network as an untrusted DMZ.

My current setup is as such:

dsl modem
'''
''''
Suse linux Router/Firewall/RADIUS
'''
'''
Dlink 624 wireless router/switch (no DMZ)
''
''
2 Wireless PC's (windows 2000)

So the better method for securing the wireless side is to put it into a DMZ and treat it as though it were a web server, right?

Should I be using the firewall feature on my wireless router to firewall the wireless side of my network? So in essence I would have my Linux firewall up front and also have my wireless side firewalled through my wireless router. Would this setup be the best approach? I am studying security and one day want to become a security analyst, so the opinion of gurus like yourselves really counts. Many thanks.

Ex.

dsl modem
'''
''''
Suse linux Router/Firewall/RADIUS
'''
'''
Dlink 624 wireless router/switch/Firewall (DMZ)
''
''
2 Wireless PC's (windows 2000)
 
07-21-2005, 12:27 AM   #9
Capt_Caveman
I really just meant that the internal wireless network (including the Access Point) should be treated as a DMZ by the SuSE firewall. In most network topologies, the internal LAN side of the SuSE box would have a much less restrictive firewall (or no internal firewall at all). However with the wireless AP on the LAN, I would filter traffic coming into the SuSE box from the LAN side as well as the internet side. So you can think of it like this, where internal/external firewall are still on the SuSE box:

dsl modem
'''
'''
external firewall
Suse linux Router/RADIUS
internal firewall
'''
'''
Dlink 624 wireless router/switch/
''
''
2 Wireless PC's (windows 2000)
 
07-21-2005, 02:23 PM   #10
metallica1973
Can you give me an example of an internal firewall setup so I can get an idea of how to set up my iptables for my INTERNAL traffic, in essence my wireless side? Thanks
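An answer to the request in the last post, as an added example that is not a reply from the thread: an iptables script for the SuSE gateway that filters the LAN (wireless) side the way Capt_Caveman describes, default-deny in both directions, accepting only squid, RADIUS, ping and admin SSH from the wireless segment and forwarding only web and DNS out. Interface names (eth0 toward the modem, eth1 toward the D-Link), the 192.168.1.0/24 network and the admin host address are assumptions; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: an internal-firewall rule set for the
# SuSE gateway in the diagrams above, filtering the LAN side (where the
# wireless AP sits) as well as the internet side. Interface names, addresses
# and the admin host are assumptions; change them to match your network.
# Run with IPT=echo to print the rules instead of loading them.
EXT_IF=${EXT_IF:-eth0}                 # toward the DSL modem
INT_IF=${INT_IF:-eth1}                 # toward the D-Link and the wireless PCs
LAN_NET=${LAN_NET:-192.168.1.0/24}     # addresses behind the D-Link
ADMIN_HOST=${ADMIN_HOST:-192.168.1.10} # the only LAN host allowed to ssh in
SSH_PORT=${SSH_PORT:-22}
IPT=${IPT:-iptables}

# internal_firewall_rules: default-deny on INPUT and FORWARD, then allow only
# what the wireless side legitimately needs from the gateway (squid, RADIUS
# from the AP, ping, admin ssh) and from the internet (web, DNS), and log the
# rest so the snort sensor is not the only thing telling you what was tried.
internal_firewall_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: LAN addresses only arrive on the LAN interface, and
    # nothing but LAN addresses arrives there.
    $IPT -A INPUT   -i $EXT_IF -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $EXT_IF -s $LAN_NET -j DROP
    $IPT -A INPUT   -i $INT_IF ! -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $INT_IF ! -s $LAN_NET -j DROP

    # Services the gateway offers to the wireless segment
    $IPT -A INPUT -i $INT_IF -s $LAN_NET -p tcp --dport 3128 -j ACCEPT        # squid
    $IPT -A INPUT -i $INT_IF -s $LAN_NET -p udp --dport 1812 -j ACCEPT        # RADIUS auth
    $IPT -A INPUT -i $INT_IF -s $LAN_NET -p udp --dport 1813 -j ACCEPT        # RADIUS acct
    $IPT -A INPUT -i $INT_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -i $INT_IF -s $ADMIN_HOST -p tcp --dport $SSH_PORT -j ACCEPT

    # Wireless clients reach the internet only for web and DNS; anything else
    # (SMB, Windows RPC, and whatever a compromised client tries) is dropped.
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE

    $IPT -A INPUT   -i $INT_IF -j LOG --log-prefix "LAN-IN-DROP: "
    $IPT -A FORWARD -i $INT_IF -j LOG --log-prefix "LAN-FWD-DROP: "
}

# enable_forwarding: the kernel setting the original poster found only root
# could change; the FORWARD rules above are what make turning it on safe.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "apply" ]; then
    internal_firewall_rules
    enable_forwarding
fi
```

Two caveats from the diagrams: if the D-Link is doing NAT itself, the gateway only ever sees the D-Link's WAN-side address and LAN_NET can be narrowed to that single host; and because the policy is default-deny, load the rules from the console the first time (or from a cron job that flushes them a few minutes later) so a typo does not lock you out over SSH.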
 
  


All times are GMT -5.