Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have just been reading a few articles related to security on Linux systems and it made me a little jittery about my home network. The home network I have is very simple; it includes two Linux computers and one Windows, all strictly for home, non-mission-critical stuff. My router has a good firewall, and scans from an internet port scanner service indicated that I have no open ports accessible from the internet. However, just running a port scan shows the following:
Port    State  Service
22      open   ssh
111     open   sunrpc
139     open   netbios-ssn
445     open   microsoft-ds
631     open   ipp
746     open   unknown
2049    open   nfs
43447   open   unknown
53923   open   unknown
Now I am aware of the ssh ports, the nfs and the printing ports. But, if an expert reading this would not mind responding, just how vulnerable is a simple home network to the above? If I could be at serious risk of someone outside my home network (via wireless) having access to my files, what ports should I close? Also, I have had difficulty getting wireless to work with any encryption, so my network is "key off".
I'm no expert, but certainly the biggest hole is your unencrypted network. Any files/printers you share between machines will be available to anyone who gets on your network.
If you're going to leave it unencrypted, I would see if your router will let you put the wireless network in the DMZ (demilitarized zone) if at all possible. Basically, that would make it so no wireless clients could connect to the wired machines on the home network, but they would have internet access.
If you want to learn a whole lot about linux security, I would recommend installing Bastille (it's in the debian repositories for sure). It will help walk you through securing your system and explain a lot in the process.
Thank you for your response. I know (I've been told before) that it is unwise to have my network unencrypted, but I have not been able to get all the machines set up using it (different distros in use). While I know that it is possible for someone to access with wireless if they are in proximity, it is highly unlikely where I live, unless someone recognizes an unsecured "hotspot" and parks in front of my house.
I will take your advice and install that program. I am running Debian on one of the machines, and I will also see if it will install in Ubuntu.
You definitely want to use wpa encryption.
Which distro has a problem with it?
I create a random 64 digit hexadecimal psk.
Code:
head -c32 /dev/random | od -tx1 | sed '3d;s/^.\{7\}//;s/ //g' | tr -d '\n'; echo
I will then cut and paste this into a text file and save it to a pen drive. That way, I can get the key (which is too complicated to remember or type in manually) from the pen drive when I need it.
Depending on your type of wireless configuration and your distro, you may have an /etc/sysconfig/network/ifcfg-wlan0 or /etc/sysconfig/networking/ifcfg-wlan0 file that you could manually edit to insert the key. Other distros will use an /etc/wpa_supplicant.conf file instead. In this case there should be sample configurations in /usr/share/wpa_supplicant/ that you can model your file on.
There are other things to do to lock down your home wireless router:
Use WPA encryption
Disable the router's WAN configuration
Disable wireless configuration, only allow configuration via wired connection
Configure the router to use HTTPS for configuration
Be sure to change the default username/password for the router's web interface. Use a strong administration password.
Disable UPnP
Change the router's password and the network PSK periodically
Use a random 64 hex digit (32 byte) pre-shared key for WPA encryption.
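The key generation and wpa_supplicant.conf step from the post above, as an added example that is not part of the original thread. The function names, the SSID `HomeNet-example` and the temporary output file are assumptions made for illustration, and it reads /dev/urandom where the post reads /dev/random.

```shell
#!/bin/sh
# Added example: make a 256-bit WPA pre-shared key and store it in a
# wpa_supplicant network block readable only by its owner.

# gen_psk: print 64 hex digits (32 random bytes).
# Assumption: reads /dev/urandom rather than /dev/random so it never blocks.
gen_psk() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
    echo
}

# is_valid_psk KEY: true only for exactly 64 hex digits (a raw WPA key).
is_valid_psk() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# write_network_block SSID KEY FILE (hypothetical helper name).
# The raw hex key is written unquoted; a quoted value is read as a passphrase.
write_network_block() {
    ssid=$1 key=$2 file=$3
    if ! is_valid_psk "$key"; then
        echo "refusing to write: key is not 64 hex digits" >&2
        return 1
    fi
    (
        umask 077   # new file is created 0600 because it holds the key
        cat > "$file" <<EOF
network={
    ssid="$ssid"
    key_mgmt=WPA-PSK
    psk=$key
}
EOF
    )
    chmod 600 "$file"   # tighten the mode if the file already existed
}

# Demo: constructed SSID, temporary file instead of /etc/wpa_supplicant.conf.
demo_file=$(mktemp)
write_network_block "HomeNet-example" "$(gen_psk)" "$demo_file" &&
    sed 's/psk=.*/psk=<64 hex digits, not shown>/' "$demo_file"
rm -f "$demo_file"
```

The same key then goes into the router's PSK field; the file mode matters because anyone who can read the file can join the network.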
Thank you, jschiwal. I know I must do this and I am going to search the web and learn how to do it this weekend. In the meantime, I have turned off wireless on the network and will only connect wired until I get this sorted out. The router is a Belkin 54g and has the ability to generate hex keys for me to set this up; I just never learned to do it on the Linux and Windows computers. My difficulty will be setting it all up on five different distros (I use all of them at different times). I guess I have been lucky so far, so I am not going to push my luck any further.
Once you have a random hex key set up in the router, you can (using a wired connection) cut and paste that key to each host.
My wireless router just has an input field so I generate a random key on my laptop, and then cut & paste it into the router's configuration and the other hosts. The pendrive allows me to transport the key (sneaker net) to the other hosts.
Disabling UPnP and upgrading the router's firmware are important as well. Some routers have known vulnerabilities that a hacker can use to break through your router's firewall. A hacker could even replace your router's firmware with the hacker's own firmware and you would be none the wiser (i.e. a rootkit'ed router). UPnP allows a cross-site scripting attack which reconfigures your router's configuration. This can punch a large hole in your network and do things like enable man-in-the-middle attacks by replacing the DNS server your network uses with that of the attackers.
Another method of generating a random key is very simple. Roll three dice and throw away any number over 16. Keep going until you have 64 hexadecimal digits.
Have you tried updating the firmware of your wireless?
If you can't get encryption working I would buy a new wireless. Either way I also recommend only allowing wireless connections from a MAC access list; your wireless should provide this capability.