LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-19-2014, 11:29 AM   #1
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Rep: Reputation: 1
Security considerations for possible server/firewall/router combination


With this new CentOS 7 box I have a lot of ideas popping into my head faster than I can research them. This is the most work I have put into a home server box and I am seeing very favorable results, which makes me want to try more. However, one of my goals this time around is security. Building an awesome server that runs everything won't do me much good if it is easily compromised.

I have had a lot of issues remotely connecting to my home network. I thought it was incorrect settings on my various machines and programs. However, after careful diagnostics of the router (e.g. removing it and plugging the PC directly into the modem) I discovered that my router would not follow the set port-forwarding rules without some major coaxing (it's 7 years old). It's obviously time for a new router. The one I want is pricey but still within budget; however, I look at my newly installed server rig and wonder.

I know you can set up a Linux box as both a firewall and a router for a small / medium network. But is it safe to also use the same box as a webserver and a local file server? What are some of the security implications?
 
Old 08-19-2014, 12:22 PM   #2
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Rep: Reputation: 127
It all depends on your needs and resources. You can always raise the security level, no matter what you have. (Read "Oxbow Incident"? Old, blind man to a gunman: "it doesn't matter how fast you are, there is always someone faster." )
Since this is for home network, I'll keep my suggestions according to that.

Normally I'd say don't use the firewall for any other services, although there are distros with a pretty good reputation doing exactly that. ClearOS is one; I have actually used it myself earlier in a special situation.
But if you can, keep them separate. And since you have a CentOS box already, all you need is a decent firewall. There are so many firewalls out there, lots of them free - you definitely don't need to buy a very expensive one!
My absolute favourite these days is pfSense.
This is just the software; you install it on any computer you might have. You could also buy an appliance - see the links to "Recommended Hardware Vendors" or "The pfSense Store". Personally, I bought an appliance complete with wifi which suits my small company perfectly.
For a client, a larger company with pretty high security needs, we use Dell servers and put pfSense on them.
pfSense is based on BSD, but don't worry about that! It has a very nice web-GUI, you very seldom (if at all) need to go to the cli - and if you do, you'll find it's very close to Linux.

So my suggestion is: get a firewall of your choice; it should not cost more than $500 in total. If you're on a lower budget, use an outdated PC you might have lying around in the closet and put firewall software like pfSense on it. It will work fine, and doesn't cost you anything.

Secondly, secure your server too.
You need to use it as web & file server, if I got you right.
Make sure no other unnecessary services are running; configure server and firewall so that these services can be reached only from necessary locations. For example, your file server should probably be reachable only by you & family; it's not a public service - am I right?
Then set up OpenVPN or similar on the firewall, and only allow access to the file server via VPN.
Do not allow root login to ssh on the server; best is actually to use PAM and allow ssh logon only to specified accounts.

There is of course a lot more to be said about security; these are just a few things to start the discussion.
 
Old 08-19-2014, 04:15 PM   #3
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Original Poster
Rep: Reputation: 1
And away we go


So if I am understanding you right, you do not recommend having the server/router/firewall software all on the same box even if it is for a home environment. That was what I was thinking but wanted to make sure I wasn't being over-paranoid. That, and I am trying to squeeze all the productivity I can out of that box.

I was looking over the pfSense link. It looks great. But if I bring just one more box into the house the GF is going to throw it to the curb and me to the couch. I am on PC acquisition probation until we move.

I noticed you mentioned firewall software but not router software. Can those two be on the same box, or are they one and the same?
 
Old 08-19-2014, 05:40 PM   #4
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
For a home network, the router can be a simple Linksys box; the 'firewall' can be a garage-sale special with an added NIC running a firewall distribution such as Smoothwall Express or IPCop. Then you would set up the system like this:

Code:
|modem|-|router|(switch)--[firewall]--workstation
                   |
                 server
Most home routers have a switch built into them.

Note: if you are going to use the server via the internet, then it is best to leave the server outside the firewall and let the router and iptables rules protect it; the 'firewall' then prevents any traffic from entering your private network any further. This is known as a 'DMZ' setup.

Otherwise, if the server is not to be exposed to the internet, then it can be inside the firewall as well.

And in answer to your query: it is best to have them as separate units, for several reasons. The main reason is that the various parts (router/server/firewall) take up resources, so it's best to have a machine dedicated to each so as not to overcrowd the resources of the machine.

Secondly, putting them all on one machine is putting all your eggs in one basket, leaving more of a surface area to attack.
 
Old 08-20-2014, 03:42 AM   #5
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Rep: Reputation: 127
Quote:
Originally Posted by thealmightyos View Post
But if I bring just one more box into the house the GF is going to throw it to the curb and me to the couch. I am on PC acquisition probation until we move.
Considering this, and the fact that it's for home use, I'm backing out. Those are good reasons to put everything in the same box. You can do that; just be very thorough when setting up the rules.
And maybe a specialized distribution would suit your needs, like the ClearOS I used before.

To continue the discussion about security:
frieza wrote about the main considerations of putting everything on one box; I'd just like to provide some more details.
The problems security-wise are:
1. If an attack against one service succeeds, the attacker might get control of everything on that server. So attacking the web server could give the attacker control of your firewall and access to every file on the file server.
2. Running only one main service per server makes it easier to really tighten the rules, thus locking down your network as much as possible. This is not very practical in your situation, but for a really secure network I'd use different servers for web, file sharing and database. The DB server should also be on a separate network not reachable from outside.
But for home needs I'd say normally the best is one firewall, one server. And it's OK to keep the GF happy and put everything on one box - just pay attention to access rules, and don't expose any service to the public internet if it's not absolutely necessary! Use VPN for your own connections.
Quote:
I noticed you mentioned firewall software but not router software. Can those two be on the same box, or are they one and the same?
Well, router and firewall are different things, but firewalls have router functions. For big networks you need dedicated, real routers for routing. For smaller networks you will never notice the difference between a firewall-router and a real router.

And as for frieza's suggested setup, for a home/SOHO net you can simplify it like this:
Code:
|modem|-[firewall]--workstation
             |
           server
But then, as I said, for you in your situation, use the server as server & firewall.
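As an added example (not code from the thread or from any poster), here is what "pay attention to access rules" from pingu's posts #2 and #5 looks like on the single-box server+firewall: an iptables-restore ruleset that exposes only the web server to the WAN, opens OpenVPN as the one other door, and lets ssh and the file server be reached only from the LAN or over the VPN. Interface names and subnets (eth0/eth1/tun0, 192.168.1.0/24, 10.8.0.0/24) are assumed; change them before applying.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: WAN on eth0, LAN on
# eth1 (192.168.1.0/24), OpenVPN clients on tun0 (10.8.0.0/24).
WAN=eth0; LAN=eth1; LAN_NET=192.168.1.0/24; VPN=tun0; VPN_NET=10.8.0.0/24

# Print the ruleset in iptables-restore format (what CentOS 7's
# iptables-services loads from /etc/sysconfig/iptables).
gen_rules() {
cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Router role: LAN clients reach the internet through this box
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Public service: only the web server is reachable from the internet
-A INPUT -i $WAN -p tcp -m multiport --dports 80,443 -j ACCEPT
# OpenVPN is the only other way in from outside
-A INPUT -i $WAN -p udp --dport 1194 -j ACCEPT
# ssh and the file server (Samba/NFS) only from the LAN or over the VPN
-A INPUT -i $LAN -s $LAN_NET -p tcp -m multiport --dports 22,139,445,2049 -j ACCEPT
-A INPUT -i $VPN -s $VPN_NET -p tcp -m multiport --dports 22,139,445,2049 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -i $LAN -p icmp -j ACCEPT
# Forwarding: LAN/VPN out to the internet and replies back; nothing else
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
-A FORWARD -i $VPN -s $VPN_NET -o $LAN -j ACCEPT
COMMIT
EOF
}

# Sanity check helper: number of -A rules the generator emits
rule_count() { gen_rules | grep -c '^-A'; }

# Apply only when explicitly asked (needs root and iptables-restore)
if [ "$1" = "--apply" ]; then
  gen_rules | iptables-restore && echo "ruleset applied"
fi
```

Run it without arguments to review the rules, and `./rules.sh --apply` to load them; `iptables -S` afterwards should show no INPUT rule on eth0 for ports 22, 139, 445 or 2049.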
 
Old 08-20-2014, 07:34 AM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,636
Blog Entries: 4

Rep: Reputation: 3933
Nevertheless, I wouldn't put everything into the same box.
 
Old 08-20-2014, 01:49 PM   #7
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Original Poster
Rep: Reputation: 1
Firstly, thank you all for your input. I am learning a lot about security from this.

What you guys are suggesting is actually close to what I wanted to do before my GF revoked my PC procurement permissions. (We only have 8 PCs in a 900 sq ft apartment. What is her problem?)

So reading your posts, it looks like the firewall is primarily there to protect the internal network. I understand the reasoning behind this. Also, putting everything on separate boxes so that if one is compromised the others are isolated. I understand that too.

This is my GF-COMPROMISE setup I am using currently:

Code:
[MODEM]--[dd-wrt ROUTER w/SW FW]--[SERVER + REST OF NETWORK]
I am very new to the whole securing-web-servers thing, but I know THAT is majorly insecure, which is why I was thinking of adding firewall duty to the server.

Currently this server is internal/external. There are some forward-facing sites/services, but they are for my benefit and that of my friends/family; not meant to be public. Then there are the internal services. I have scripts that make backups of specific folders on different PCs on the network, I have shared files and folders, and also a media server to feed the geebox.

Based on what you guys told me in this thread, my setup SHOULD look something like this?

Code:
[MODEM]--[ROUTER]--[FIREWALL]--[SERVER-DATA]--[OVERSIZED-HOME-NETWORK]
            |
       [SERVER-WEB]
In conclusion, I think I need to lose a GF and pull out some old hardware I saved from the trash heap (I think I have my old AMD Athlon CPU/mobo/RAM hidden in the closet) and build a firewall box. I wonder... if I don't actually put it in a case, would it count towards my GF's restrictions? lol

Seriously though, thanks a lot for taking the time to go through what must be security 101 with me.
 
Old 08-20-2014, 03:25 PM   #8
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Rep: Reputation: 127
No, that's not it.
Here's the real challenge: Keep your GF happy and design a good network for your needs.
This is the kind of challenge you face when working as a network technician or sysadmin. It's not easy, but it has to be done - and it can be done! It just takes a whole lot more thinking, arguing, redesigning and whatever.
For a starter, go through your closets and check what you already have. Old computers can be very useful put in the right place.
Then design your network from there, making it as good & secure as possible using only the equipment you already have, without upsetting the girlfriend.
There's a good challenge for you!
 
Old 08-20-2014, 03:57 PM   #9
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Original Poster
Rep: Reputation: 1
Friend, what you are describing is what me and my geeky counterparts call a Kobayashi Maru. I have been down this road many times with my GF. It always comes down to the same thing: SPACE. And I do understand her thinking. My little 1-bed/1-bath apartment isn't exactly spacious. Heck, both her gaming rig and mine are set up at the same desk to save space, as there would be no place to put a second desk!

I DO have two mobo/CPU/RAM combos and one box in the closet. I would need a PSU and HDD, but I could build a system right quick that I could use for a firewall. But I would have to put it somewhere. Unless I mount the board/PSU/HDD to the ceiling of the closet (yes, I was seriously thinking about this for a build at one point) I do not think I can avoid my GF noticing.

We will be moving at the end of the year. I just got a new job with a big bump in pay, so we are moving out of this crappy apartment once the lease is up. And I have been promised that after we move and I have my own office/mancave/room, the restrictions are off as long as I don't start putting PCs in random parts of the house. At that time I can build for my needs: firewalls, routers, UPSs, servers.... I got's lotsa ideas.
 
Old 08-20-2014, 04:09 PM   #10
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
Note that some of the machines (such as a file server) could be low-power, small-sized units such as a Raspberry Pi, which could be built into a box not much bigger than a portable hard drive.
 
Old 08-20-2014, 04:26 PM   #11
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Rep: Reputation: 127
Quote:
Originally Posted by thealmightyos View Post
Friend, what you are describing is what me and my geeky counterparts call a Kobayashi Maru.
Exactly, now you're getting me!
How about this for a solution:
Make your CentOS server a virtualization host; on it you install a software firewall and all the servers you want.
The servers you put in internal networks; the internet will go only to the firewall guest.
It's not quite as good as having separate hardware, but I believe it's good enough for you at the moment. (Although I must say, only 8 PCs in a 900 sq ft apartment - the real problem here is that there are too few of them! But then, women don't always understand that... )
 
Old 08-20-2014, 05:28 PM   #12
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by pingu View Post
(Although I must say, only 8 PCs in a 900 sq ft apartment - the real problem here is that there are too few of them! But then, women don't always understand that... )
I KNOW, right? Only 8 PCs (and one UPS) and she is acting like I brought home DELL's entire overstock!

I may virtualize like you said, but I JUST got this new job and with it a bigger paycheck to play with. I know that I have to get a new router no matter what, and the GF knows that too. This one is causing major issues for both of us. And when I do that I MIGHT be able to plead the case for a HW firewall as well... I do want one anyway, and they have such a small footprint, so....

I think this will all work out with time. Once I move I can start looking into rack-mounts!
 
Old 08-21-2014, 06:59 AM   #13
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 635
Blog Entries: 20

Rep: Reputation: 81
Make your own router/firewall and learn from doing it. If that's too vague, here's a starting point: http://docs.slackware.com/howtos:mis..._slackware_box
I've hacked into most of the low-end SOHO appliances I've had, and apart from some proprietary drivers for the hardware and a proprietary web management interface, the rest was all open source software ... nothing that you could not do on any ordinary Linux system.
 
Old 08-21-2014, 03:56 PM   #14
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Original Poster
Rep: Reputation: 1
That is definitely an idea that I have been thinking about: create a firewall/router box (again, another box, same problem), which is why I was investigating possible security issues of putting them all together with my server. It seems like the general consensus is that it would be a bad idea. And I am going to have to agree, especially since I can't even lock down my FTP server right now (another thread).

But yeah, I have lots of choices once I get the space: http://www.dslreports.com/shownews/E...Distros-118897

I look forward to that project.
 
Old 08-22-2014, 03:36 AM   #15
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 635
Blog Entries: 20

Rep: Reputation: 81
"Exploring DIY Linux Router Distros" ... but where's the do-it-yourself if you use a ready-made router-oriented distro?
If you like DIY you should be using the most neutral Linux distribution you can find ... or you will be learning just about that specific distribution ... well, that's how I feel about it anyway.
 