Server exposed to internet - how safe?
Hi there
My router REALLY doesn't like port forwarding. Using a dynamic DNS service I can log into the router, but can't access an SSH server I left running attached to it. If I was to put the server in the DMZ, with no hardware firewall whatsoever, how long before I'm hacked? :) The server (the 'music PC' in my sig) is running Fedora 12 LXDE spin, and running an SSH server and VNC server, as well as LDAP and NFS for local stuff (although they might be accessible over the internet). Thanks Joe |
For NFS, I'd want to be sure that it was firewalled off from the outside world, and there is probably something in the NFS config itself about acceptable IP ranges, too. |
If it is a server exposing all services you'd normally want to use, NO, it is a bad idea.
That doesn't mean you can't attach the box directly to the Internet; in general Linux is hardened enough, but you should expose only those services that are intended for exposure, like SSH. Having said that, if you have only one box, you can close all outside connections except an OpenVPN server and SSH. Connect to this computer using OpenVPN and/or SSH, and access your services through these tunnels. It will require some tweaking of iptables, but it can be done. OpenVPN works with keys (difficult to hack); make sure you don't allow access to root on SSH, and use complicated passwords of sufficient length using random characters. My preference, though, is to have one separate firewall running iptables, running OpenVPN and SSH and some port forwarding to internal servers. My firewall has only a few user accounts for users who really need to be on that box, and passwords for myself and root which are different from the passwords on the NIS domain. jlinkels |
You don't really want a machine on the internet unless it needs to be there. You need to be constantly aware of the security and it takes that much more effort to look after.
What router are you using? Some configurations can be a bit cryptic, but most can do port forwarding. |
Don't forget to harden your SSH server, e.g. using 'AllowUsers' to limit who can log on, and use keys rather than passwords (or if you must, use strong passwords). unSpawn has given quite a good link in the last post of this thread; another good one is Top 20 OpenSSH Server Best Security Practices. If you feel that some of them are beyond you, then implement what you can. |
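A quick way to check whether the sshd_config hardening mentioned above actually took effect. This is an added example, not code from the thread or from any of the posters. It matters because sshd takes the first occurrence of a keyword, ignores case, and treats everything after the first Match block as conditional, so a bare grep for "PermitRootLogin no" can be fooled by an earlier "PermitRootLogin yes". The two sample configs are constructed for the demonstration, and the "Keyword=value" spelling is deliberately not handled (an assumed simplification).

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# hardening points discussed (no root login, keys instead of passwords,
# AllowUsers). sshd uses the FIRST occurrence of a keyword, ignores case,
# and settings after the first "Match" block only apply inside that block.
# Assumed simplification: the "Keyword=value" spelling is not handled.

# sshd_effective FILE KEYWORD: print the effective global value, or nothing
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                 # global section is over
        tolower($1) == key {                            # first hit wins
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print; exit
        }
    ' "$1"
}

# want FILE KEYWORD VALUE: one WARN line if the effective value differs.
# Unset counts as a finding: the built-in defaults for these two keywords
# (root login and password login allowed) are the permissive ones.
want() {
    got="$(sshd_effective "$1" "$2" | tr 'A-Z' 'a-z')"
    [ "$got" = "$3" ] || echo "WARN $2 is '${got:-unset}', want '$3'"
}

audit_sshd() {
    want "$1" PermitRootLogin no
    want "$1" PasswordAuthentication no
    [ -n "$(sshd_effective "$1" AllowUsers)" ] ||
        echo "WARN AllowUsers unset: every local account is a valid SSH target"
}

# count_findings FILE: number of WARN lines (0 means all three checks pass)
count_findings() {
    audit_sshd "$1" | grep -c '^WARN' || true
}

# Constructed sample configs for the demonstration run (made up, not real hosts)
TMP="$(mktemp -d)"; trap 'rm -rf "$TMP"' EXIT
WEAK="$TMP/weak_sshd_config"; GOOD="$TMP/good_sshd_config"
cat > "$WEAK" <<'EOF'
# looks hardened near the bottom, but the first PermitRootLogin wins
PermitRootLogin yes
Port 22
PasswordAuthentication yes
PermitRootLogin no
Match User joe
    PasswordAuthentication no
EOF
cat > "$GOOD" <<'EOF'
Protocol 2
permitrootlogin no
PasswordAuthentication no
AllowUsers joe
EOF

echo "== weak =="; audit_sshd "$WEAK"
echo "== good =="; audit_sshd "$GOOD"; echo "findings: $(count_findings "$GOOD")"
```

Point it at the real file with `audit_sshd /etc/ssh/sshd_config`; the weak sample reports three findings even though its last global line says "PermitRootLogin no", which is exactly the case a naive grep would pass.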
Thanks for the suggestions.
To clarify, the router has a DMZ option that bypasses the firewall for all communications to and from that box. I left an Ubuntu box connected and in the DMZ all day once, and came back and the RSA fingerprint had changed. I wiped it. The router is a Buffalo WBMR-G54. It's Linux based, quite fun to play with in telnet (you can make the LEDs flash). I opened a port for P2P, and that works, but when I use nmap on the DNS name (or the IP associated with it) I only get ports 80 and 23 open. Maybe there's something I've missed... If it helps I have an old Celeron 433 box I could set up as a firewall for the server, but it's noisy, and I wanted to use just the Dell box as a server because it's so quiet. |
So it's not as straightforward as this:
http://portforward.com/english/route...4/Echolink.htm to forward a port to a machine on your internal network? |
Even if it's still on the router's DMZ, it's still exposed, which means it should be hardened before being placed in the DMZ. Close all unneeded ports by turning off unneeded services. Run iptables to filter all inbound and outbound traffic. Note that most ISPs do their own filtering before inbound traffic reaches you, but they typically only filter the problematic ports (445 is usually one of those ports).
I wouldn't say that your machine would get owned if put on the DMZ without a firewall (I did this as an experiment a few years ago... I ran a colo machine without a FW for almost 3 years with no compromise of that host). I feel that if you do this, you should know the impact if that machine gets cracked. Not only are you affected, other people are also usually affected, as your machine will more than likely be used to participate in attacking other hosts. I think your original post should've actually read like this:
|
Why not configure iptables to block all of the ports besides SSH/whatever else you want open?
Code:
# Set policy to accept, then flush all rules
Code:
iptables -N SLOWSSH
That will jump the traffic into the custom SLOWSSH chain, where it checks to see how recently the IP address last connected. If it has made more than 4 connections in the last 40 sec it will drop the packet. If they keep trying (which they do) it will continue to be dropped indefinitely. |
You could also add a rule that accepts all traffic from your local network.
Code:
iptables -A INPUT --source 10.1.1.0/24 -j ACCEPT
|
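The SLOWSSH idea and the LAN accept rule from the two posts above, written out as one complete script for a box that has to sit in the router's DMZ. This is an added example, not the posters' own code (the code boxes in the SLOWSSH post lost most of their lines in this copy of the thread); it adds the pieces those posts only describe in prose: a default DROP, which is what keeps NFS, LDAP and VNC off the Internet, and the `-m recent` rules behind the "more than 4 connections in 40 seconds" rule. The LAN range (10.1.1.0/24, as in the thread), the SSH port and the 5-in-40-seconds threshold are assumptions to adapt; `preview` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the posters' script: a full INPUT ruleset for a DMZ host,
# built around the SLOWSSH chain described in the thread.
# Assumptions (adapt them): the LAN is 10.1.1.0/24 as in the thread, sshd
# listens on 22, and 5 new connections from one source within 40 s is too many.
LAN="${LAN:-10.1.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# preview: stand-in for iptables that just prints the rule it was given
preview() { printf 'iptables %s\n' "$*"; }

# emit_rules CMD: feed every rule to CMD, which is "iptables" to apply the
# ruleset or "preview" to read it first.
emit_rules() {
    ipt="$1"

    # Policy ACCEPT first, then flush: a script that dies halfway cannot
    # lock us out of the SSH session we are running it from.
    "$ipt" -P INPUT ACCEPT
    "$ipt" -F INPUT
    "$ipt" -F SLOWSSH 2>/dev/null || true   # tolerate a missing chain on first run
    "$ipt" -X SLOWSSH 2>/dev/null || true
    "$ipt" -N SLOWSSH

    # Loopback, replies to connections we started, and the whole LAN
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -s "$LAN" -j ACCEPT

    # Only NEW connections to sshd leave INPUT for the rate limiter
    "$ipt" -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j SLOWSSH

    # SLOWSSH: --set records the source; --update checks the hit count AND
    # refreshes the timestamp, so a client that keeps retrying stays blocked
    # for as long as it keeps trying; one that goes quiet for 40 s gets back in.
    "$ipt" -A SLOWSSH -m recent --name SSH --set
    "$ipt" -A SLOWSSH -m recent --name SSH --update --seconds 40 --hitcount 5 -j DROP
    "$ipt" -A SLOWSSH -j ACCEPT

    # Everything else from the Internet (NFS, LDAP, VNC...) is dropped
    "$ipt" -P INPUT DROP
}

# rule_count: number of rules the script would issue
rule_count() { emit_rules preview | grep -c . || true; }

# count_rules PATTERN: how many of those rules mention PATTERN
count_rules() { emit_rules preview | grep -c -e "$1" || true; }

case "${1:-preview}" in
    apply) emit_rules iptables ;;   # must be root
    *)     emit_rules preview ;;
esac
```

Run it without arguments to read the rules, then `sh dmz-fw.sh apply` as root. The ordering matters: the LAN accept sits before the SSH jump so local logins never count against the limit, and the jump matches only `--state NEW`, so an established session is not dropped when its own source address trips the counter.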
After investigating, my problem is with the router. It won't even let me set a static IP... Thanks for all the help; if the router still won't open ports I shall fiddle with iptables and put the box in the DMZ.
|
It is possible that the problem is not with your router, but your ISP.
Also, you can't just set a static IP on your router, you have to have one allocated by your ISP, otherwise, you're stuck with DHCP. |
I meant a static IP on the LAN. It keeps forgetting that my box should always be at the same IP, and gives it a different one every time no matter what I try. |