Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
At home I use a linux firewall/proxy/router. I have everything running smoothly. I have read a lot of articles about security and to never leave your machines logged in as root and to login with a weaker account and sudo to configure anything for your server. I understand that but I have setup squid, iptables and etc under the root account, so when I login as another account certain stuff does not work. My question is as such:
1 - should I have done all of my configurations under another account with less privileges other than root and just have used sudo to configure SQUID, IPTABLES, etc.?
2 - Even though I setup everything under root and I login under a weaker account, why is it that only some things work and others don't, like IP forwarding?
3 - Can somebody give me a list of security items that I should address for my firewall/router/proxy at home and for any future server I will build?
Last edited by metallica1973; 07-18-2005 at 10:26 PM.
1 - should I have done all of my configurations under another account with less privileges other than root and just have used sudo to configure SQUID, IPTABLES, etc.?
Most of the configs are meant to only be modified/read/executed by root on purpose. For example having normal users be able to read or modify your firewall rules or webserver config would be a security risk. If you are the only user on the system, then that may not seem to be a concern, but giving open access to system files would still weaken overall system security and could make a minor compromise worse. There are a number of ways to have commands executed with root privileges with little or no user interaction. You can have various applications started and scripts executed on startup using your init scripts or at regular intervals as a cron job. You can also make things SUID root, but I would recommend only using that as a last resort as SUID files can be abused. Maybe if you list specific examples of what you're trying to do, we can come up with a viable solution.
2 - Even though I setup everything under root and I login under a weaker account, why is it that only some things work and others don't, like IP forwarding? Some commands need to access configs that require root read privileges or simply are things only root can do (like enabling kernel level packet forwarding). Again, maybe if you give a specific example of what you are trying to do.
3 - Can somebody give me a list of security items that I should address for my firewall/router/proxy at home and for any future server I will build? What kind of server are you planning on running? Is it going to be local access only or are you going to make it accessible over the internet?
I am just trying to secure my home network in the best possible way. I want my windows 2000 workstations using RADIUS on my linux box. So since that is the case I need to create extra accounts for my two windows machines on my linux box, correct? Can you please suggest the best security approach for my home network. Is all of this feasible?
P.S. Captain_Cave, I just wanted to say thanks for every reply that you have given me in the past. You have been a great help. How do I delete previous accounts that I have opened up on this forum?
should I have done all of my configurations under another account with less privileges other than root and just have used sudo to configure SQUID, IPTABLES, etc.?
Generally when administering the system you would login under your own account and use either the su or (preferably) the sudo command to change system config files, which should only be editable by root (the default).
To setup sudo for your user account:
Code:
su
visudo
# User privilege specification
root ALL=(ALL) ALL
username ALL=(ALL) ALL
Then, to edit, say, the squid config:
Code:
sudo vi /etc/squid/squid.conf
Quote:
Even though I setup everything under root and I login under a weaker account why is that only somethings work and others don't like IP forwarding?
All of that stuff should be controlled with the start/stop scripts in /etc/init.d. So for example to enable squid you would do:
Code:
sudo /sbin/chkconfig squid on #make squid start at boot automatically
sudo /sbin/service squid start #start squid now
So you should be able to reboot the machine and those essential services will startup automatically at boot and will not require you to login as root (or use sudo) to start them.
Quote:
Can somebody give me a list of security item that I should address for my firewall/router/proxy at home and for any future server I will build?
Make sure you have set up the following and that it's working well:
firewall blocking incoming connections from the net
automatic fetching of updates for your distro (eg. apt-get update for debian-based, urpmi --update --auto-select for Mandrake, yum update for Fedora etc)
Install logwatch and check through its emails every day to see if anything suspicious turns up in the logs
Install chkrootkit and check its email to you every day to try and catch root kit installations
Optional (can get quite complex and may be going overboard for a home network):
maybe configure an intrusion detection system of some kind, eg. AIDE. If you're using Mandriva msec serves as a rudimentary IDS
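As an added example (not from the thread, and not logwatch's own code), here is a small shell script doing the kind of check logwatch's daily mail gives you: it scans sshd log lines for repeated failed password attempts per source address and counts attempts against root. The log lines are constructed for the example; the function names failed_by_source and root_login_attempts are my own.

```shell
#!/bin/sh
# Added example: a minimal logwatch-style check for repeated failed SSH logins.
# The log lines below are constructed; on a real box feed /var/log/auth.log
# (Debian) or /var/log/secure (Red Hat) to the functions instead.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Jul 18 22:01:11 gw sshd[2101]: Failed password for root from 192.0.2.45 port 4021 ssh2
Jul 18 22:01:14 gw sshd[2101]: Failed password for root from 192.0.2.45 port 4021 ssh2
Jul 18 22:01:17 gw sshd[2101]: Failed password for invalid user admin from 192.0.2.45 port 4023 ssh2
Jul 18 22:01:20 gw sshd[2101]: Failed password for root from 192.0.2.45 port 4025 ssh2
Jul 18 22:05:02 gw sshd[2133]: Accepted publickey for metallica from 192.168.1.20 port 51022 ssh2
Jul 18 22:07:40 gw sshd[2150]: Failed password for metallica from 192.168.1.20 port 51030 ssh2
Jul 18 22:07:45 gw sshd[2150]: Accepted password for metallica from 192.168.1.20 port 51030 ssh2
EOF
)

# failed_by_source LOGTEXT THRESHOLD
# Prints "count ip" for every source address with at least THRESHOLD failed
# password attempts, highest count first. One typo from your own LAN stays
# below the threshold; a dictionary attack from one address does not.
failed_by_source() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -rn
}

# root_login_attempts LOGTEXT
# Counts failed attempts against root specifically: any non-zero value means
# someone is probing the account that PermitRootLogin no should already refuse.
root_login_attempts() {
    printf '%s\n' "$1" | grep -c 'Failed password for root from'
}

# The daily report, roughly as logwatch would mail it
echo "Sources with 3 or more failed SSH logins:"
failed_by_source "$SAMPLE_AUTH_LOG" 3
echo "Failed root logins: $(root_login_attempts "$SAMPLE_AUTH_LOG")"
```

To use it on a live system, replace the constructed SAMPLE_AUTH_LOG with `$(cat /var/log/auth.log)` and run it from cron, mailing the output to yourself the same way logwatch does.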
the linux box is always logged in as root and I just lock the console. I allow ssh through port 22 for admin purposes.
Why do you need to be physically logged into the console as root at all times?
So since that is the case I need to create extra accounts for my two windows machines on my linux box, correct?
I'm not really that familiar with RADIUS, but my understanding is that it can use several authentication mechanisms, like an SQL database for example, and is not limited to only using standard linux accounts. Not using actual accounts would probably be more secure if a login was somehow compromised, but it would likely be a bit more work to get RADIUSd working with an alternative authentication scheme. So it's really up to you, how much work you want to put into it vs. how much added security that would give you.
Can you please suggest the best security approach for my home network. Is all of this feasible?
Sure it's feasible. It may just take some work to get everything playing nicely. In fact I plan on setting something similar up in the future. My only advice in terms of your firewall would be the following: In most cases internal wireless links need to be treated with caution. Usually this means treating the entire wireless portion of your network as an untrusted DMZ. Virtually all of the current authentication protocols are crackable in realistic timeframes (it doesn't take weeks of sniffing packets like it used to in order to crack WEP). Even the more "secure" protocols like WPA are not that great. However, all that means is that you need to treat it with some caution. For example, make your iptables rules on the gateway/RADIUS firewall more restrictive on the internal network and don't just give it total access. Having an internal network IDS is a good idea as well. On my own wireless link, I have a snort sensor sitting directly upstream of my wireless AP and my wireless clients are firewalled as if they were exposed to the internet.
Captain_Cave I just wanted to say thanks for every reply that you have given me in the past. you have been a great help.
Glad to help.
how do I delete previous accounts that I have opened up on this forum?
We don't normally delete accounts except under very extreme circumstances (like profanity or racist usernames) or unless they have 0 posts and haven't logged in for several years.
1 - what about SNORT for IDS?
Great tool. Does require some initial tweaking in order to eliminate false positives otherwise you'll start accumulating very large alert logs in a short time. See my post above on implementing it inside the LAN as well.
2 - how should I best protect SSH and how would I change the port # from 22 to another. I do not use inetd.
Disallow root logins (ssh in as a normal user and then use "su -" to become root). Also make sure that you have reasonably secure passwords or think about using key-based authentication. There are also a number of good tips in the thread on "Failed SSH Logins", like lowering the number of failed logins and simultaneous login sessions. To change the default port SSHd listens on, modify the "Port" directive in the sshd_config file (usually /etc/ssh/sshd_config).
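An added example, not from the reply above and not part of OpenSSH: a shell audit of the sshd_config directives just mentioned (PermitRootLogin, password versus key-based authentication, MaxAuthTries, Port), run over a constructed default-style config and a constructed hardened one. The function names sshd_get and sshd_audit are my own; on a real system point them at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening points discussed.
# Both config texts are constructed; use $(cat /etc/ssh/sshd_config) on a real box.

WEAK_SSHD_CONFIG=$(cat <<'EOF'
# default-looking sshd_config (constructed)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
EOF
)

HARDENED_SSHD_CONFIG=$(cat <<'EOF'
# hardened sshd_config (constructed)
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
MaxSessions 2
EOF
)

# sshd_get CONFIGTEXT DIRECTIVE
# Prints the value of the first uncommented occurrence of DIRECTIVE, which is
# the one sshd honours (later duplicates are ignored). Keywords are
# case-insensitive, as in sshd itself. Prints nothing if the directive is absent.
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    '
}

# sshd_audit CONFIGTEXT
# Prints one WARN/NOTE line per finding and returns the number of findings,
# so a return value of 0 means the config passes every check.
sshd_audit() {
    cfg=$1; findings=0
    if [ "$(sshd_get "$cfg" PermitRootLogin)" != "no" ]; then
        echo "WARN: PermitRootLogin should be no (log in as a normal user, then su -)"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_get "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "WARN: PasswordAuthentication is on; prefer key-based authentication"
        findings=$((findings + 1))
    fi
    tries=$(sshd_get "$cfg" MaxAuthTries)
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "WARN: MaxAuthTries is ${tries:-unset, so the default 6 applies}; lower it"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_get "$cfg" Port)" = "22" ]; then
        echo "NOTE: sshd listens on the default port 22"
        findings=$((findings + 1))
    fi
    return $findings
}

echo "== weak config =="
sshd_audit "$WEAK_SSHD_CONFIG" || echo "$? findings"
echo "== hardened config =="
sshd_audit "$HARDENED_SSHD_CONFIG" && echo "passes"
```

After editing the real file, `sshd -t` checks the syntax before you restart the daemon, and keeping one existing session open while you test a new port or key login saves you from locking yourself out.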
- In most cases internal wireless links need to be treated with caution. Usually this means treating the entire wireless portion of your network as an untrusted DMZ -
So the better method for securing the wireless side is to put it into a DMZ and treat it as though it were a web server, right?
Should I be using the firewall feature on my wireless router to firewall the wireless side of my network? So in essence I would have my linux firewall up front and also have my wireless side firewalled through my wireless router? Would this setup be the best approach? I am studying security and one day want to become a security analyst, so the opinion of a guru like yourselves really counts. Many thanks.
I really just meant that the internal wireless network (including the Access Point) should be treated as a DMZ by the SuSE firewall. In most network topologies, the internal LAN side of the SuSE box would have a much less restrictive firewall (or no internal firewall at all). However with the wireless AP on the LAN, I would filter traffic coming into the SuSE box from the LAN side as well as the internet side. So you can think of it like this, where the internal/external firewalls are still on the SuSE box:
Can you give me an example of an internal firewall setup so I can get an idea of how to setup my iptables for my INTERNAL traffic, in essence my wireless side? Thanks
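The following is an added example, not Captain_Cave's ruleset or anything from SuSE: an iptables script for the topology described above, with the wireless segment on its own gateway interface and treated as an untrusted DMZ. The interface names (eth0 internet, eth1 wired LAN, eth2 wireless), address ranges and the short list of gateway services the wireless clients may reach (DNS, DHCP, the squid proxy on 3128, RADIUS on 1812/1813) are all assumptions to adjust for your own box; the function name wireless_dmz_rules is mine. With IPT left at its default of echo the script only prints the rules for review; run it as root with IPT=iptables to load them.

```shell
#!/bin/sh
# Added example: three-interface gateway treating the wireless side as a DMZ.
# Interface names, networks and service ports are assumptions for the example.
# IPT=echo (the default here) previews the rules; IPT=iptables as root loads them.

IPT=${IPT:-echo}
WAN=eth0                    # internet side
LAN=eth1                    # wired LAN, trusted
WLAN=eth2                   # wireless AP plugs in here: untrusted DMZ
LAN_NET=192.168.1.0/24
WLAN_NET=192.168.2.0/24
GW_WLAN_IP=192.168.2.1      # gateway address on the wireless segment

# Gateway services wireless clients may reach: DNS and squid over TCP,
# DNS and RADIUS over UDP (DHCP is handled separately below).
WLAN_GW_TCP="53 3128"
WLAN_GW_UDP="53 1812 1813"

wireless_dmz_rules() {
    # Default deny for traffic to the box and through it; outbound from the box is fine
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Wired LAN: trusted, may talk to the gateway and be forwarded anywhere
    $IPT -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $LAN -s $LAN_NET -j ACCEPT

    # Wireless DMZ. DHCP requests arrive from 0.0.0.0 before a client has an
    # address, so they are allowed ahead of the anti-spoofing rule.
    $IPT -A INPUT -i $WLAN -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT -i $WLAN ! -s $WLAN_NET -j DROP
    for p in $WLAN_GW_TCP; do
        $IPT -A INPUT -i $WLAN -p tcp -d $GW_WLAN_IP --dport $p -j ACCEPT
    done
    for p in $WLAN_GW_UDP; do
        $IPT -A INPUT -i $WLAN -p udp -d $GW_WLAN_IP --dport $p -j ACCEPT
    done

    # Wireless clients may reach the internet but never the wired LAN.
    # The DROP must come before the internet ACCEPT so ordering is what enforces it.
    $IPT -A FORWARD -i $WLAN -s $WLAN_NET -d $LAN_NET -j DROP
    $IPT -A FORWARD -i $WLAN -s $WLAN_NET -o $WAN -j ACCEPT

    # Log (rate-limited) what the wireless side tried and was refused;
    # these lines are what logwatch or snort alerts will then show you.
    $IPT -A INPUT -i $WLAN -m limit --limit 5/min -j LOG --log-prefix "WLAN-INPUT-DROP: "
    $IPT -A FORWARD -i $WLAN -m limit --limit 5/min -j LOG --log-prefix "WLAN-FWD-DROP: "

    # NAT both internal networks out the internet interface
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

wireless_dmz_rules
```

Note that nothing here is a substitute for ssh's own hardening: with this ruleset the wireless side cannot reach port 22 on the gateway at all, which is usually what you want, since admin access can come from the wired LAN.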