Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I had trouble deciding where to post this but I felt as the central theme was security it's best off here. My question does veer off towards Software, so I can edit it later to split my questions across forums. It's also a long enough post ....
At work I deal with Solaris and I'm used to strict division of function across servers and zones within a secured environment. However, dealing with my home network and Linux has proved more difficult.
I have a low end Pentium running Mandrake 9.0 very happily. Its primary function is to run Shorewall and serve my ADSL connection to a WiFi router. There are two machines connecting regularly to the router, the RedHat box and a Mac, and I occasionally connect my work laptop. Some time back I decided to make more use of the disk space on the firewall box by sharing some spare partitions using SAMBA. Before there is a big collective yell of 'that's your F*ng firewall', I made this choice based on the content stored there: mp3s (personal use only - no sharing or p2p clients involved), iso images and html/graphics that I was working on (content that would be public anyway). Convenience of access had a far, far higher value than the security of the information in this case. I added a second network card and gave it an ip in the same subnet as the existing clients. I configured shorewall to allow only lan machines to connect to SAMBA (HTTP(S), mail, ftp and ssh are open to the internet). This has worked exceptionally well and I'm delighted with the flexibility and ease of use this has given me.
Now I'm forced to replace the firewall box and the higher spec machine which will replace it has led me to think about expanding the range of services I offer .... to ... ummm .... myself :-). This is where I'm forced to stop and think about what I'm doing. This is why I would like advice. Here's what I would like to do:
- use the shared partitions as general backup i.e. content with potential security value becomes involved
- Play around with WebDAV in apache (open to the internet)
I'm sure some may suggest adding another machine on the lan to handle these tasks; space (my g/f thinks 3 PCs are way more than anyone needs), heat (it's already 30C where I live) and cost (electricity bills are high enough keeping me cool!). I've had difficulty applying security advisories to this sort of setup, what I've seen assumes more ideal setups than a [simple] home network. So I'd like to know what others think or maybe what sort of tools/software/configuration other people have.
I appreciate you taking the time to read all this.
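For readers following the setup described in the post (two NICs, SAMBA reachable only from the LAN, a few services open to the internet), here is how that policy looks in Shorewall's classic single-column config files. This is an added illustration, not the poster's actual configuration; the interface names (ppp0 for the ADSL link, eth1 for the LAN card), the zone names and the `fw` zone name from shorewall.conf are assumptions.

```text
# /etc/shorewall/zones
#ZONE   DISPLAY     COMMENTS
net     Net         Internet (ADSL)
loc     Local       Home LAN behind the second NIC

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -
loc     eth1        detect

# /etc/shorewall/policy  (default behaviour when no rule matches)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     fw      DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules   (explicit exceptions to the policies above)
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
# SAMBA only from the LAN zone: NetBIOS name/datagram/session plus CIFS
ACCEPT  loc     fw      udp     137:139
ACCEPT  loc     fw      tcp     139,445
# Services the post describes as open to the internet
ACCEPT  net     fw      tcp     22        # ssh
ACCEPT  net     fw      tcp     25        # mail
ACCEPT  net     fw      tcp     80,443    # HTTP(S)
ACCEPT  net     fw      tcp     21        # ftp (remove if not offered)
# LAN hosts may also use the services offered to the internet
ACCEPT  loc     fw      tcp     22,25,80,443
```

Because the `net -> all` policy is DROP with logging, anything not listed in the rules file (SAMBA from the internet included) is dropped and shows up in the log, which is the "check it from time to time" habit the replies recommend.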
I would suggest a second machine for "private" files, but I understand you....
In my opinion you should have different partitions for "private" and "public" files (of course, you may have more than 2 partitions for data). I suggest you look carefully at your firewall - it's a good idea to check it from time to time.
What else: chrooted ftp server, restricted ssh (are you sure you need ssh from outside?), maybe an IDS?
Thanks for the input, I'm now debating a second machine on the network to store the files and do some 'extras' - the more I try to see how everything on one machine could be done, the more a 2nd box seems to the best course of action.. Guess what I really need is a single machine allowing multiple domains :-)
I already keep a reasonably close eye on the firewall, but I do need to look at catering for intrusion detection. I don't allow ftp into the box at the moment. SSH from outside is necessary because I travel quite a bit and need to look in from time to time on how it's doing.
I guess it's time to research my options on low power consumption and low heat generation (this is actually the primary factor).
It might be a pain to set up, but here's an idea for low power/low heat... A laptop! Try to find one on e-bay that has a broken screen, they usually sell really cheap. You can use its VGA port for the display, connect a keyboard/mouse for the terminal, and use a PCMCIA network card, if it's not integrated. Low power/Low heat, and as a bonus, it's really small. ;^) What do you think?
If you're using it to share files, storage might be an issue, but this might be a very good platform for the firewall....
Thanks for the suggestion - I do actually have a Toshiba Satellite which is kind of idle at the moment. It's in perfect working order but my PowerBook is my day to day machine now :-) I had discounted this machine as it had a tendency to run hot, but your suggestion made me think about running it with the battery out just to see how much heat would be generated. So it's going to get an overnight idle test. The laptop would be good as I could then locate it somewhere more convenient and maybe distribute some of the heat!
Just a quick update on this:
I decided to go with the suggestion from Aes of using a laptop and have just completed a custom install of RH9, running Shorewall and the Alcatel Speedtouch USB modem drivers on my Toshiba Satellite 1640. All seems well - I can surf! Am going to start my next project soon.