LinuxQuestions.org
Linux - Security forum
Old 04-09-2010, 04:21 AM   #1
Joe of Loath
Member
 
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152

Rep: Reputation: 28
Server exposed to internet - how safe?


Hi there

My router REALLY doesn't like port forwarding. Using a dynamic DNS service I can log into the router, but can't access an SSH server I left running attached. If I were to put the server in the DMZ, with no hardware firewall whatsoever, how long before I'm hacked?

The server (the 'music PC' in my sig) is running Fedora 12 LXDE spin, and running an SSH server and VNC server, as well as LDAP and NFS for local stuff (although it might be accessible over the internet).

Thanks
Joe
 
Old 04-09-2010, 05:45 AM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by Joe of Loath View Post
Using a dynamic DNS service I can log into the router...
You mean, you can log in from the outside world...

Quote:
If I was to put the server in the DMZ, with no hardware firewall whatsoever, how long before I'm hacked?
The normal convention is to hang the DMZ off the 'orange' interface of the firewall; is the point that you are trying to make that you have a software rather than a hardware firewall?

Quote:
...running Fedora 12 LXDE spin, and running an SSH server and VNC server, as well as LDAP and NFS for local stuff (although it might be accessible over the internet).
...well, SSH is a clear security risk...not because SSH has any particular flaws, but people will try brute force approaches, which will work eventually if you leave it for long enough, and long enough might not be very long if you have guessable passwords...but it then depends on which of the obvious security measures that you have taken for it...

for nfs, I'd want to be sure that it was firewalled off from the outside world, and there is probably something in the nfs config itself about acceptable IP ranges, too.
 
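The brute-force attempts salasi mentions are easy to see in sshd's own log once you look for them per source address. The script below is an added example, not code from this thread: it reads syslog-style sshd lines of the kind Fedora 12 wrote to /var/log/secure, keeps a sliding window of failed logins per source, alerts when a source crosses a threshold, and raises a second, higher-priority alert when a source that has been failing is then accepted, which is what a guessed password looks like. The log lines are constructed for the example, and the year (absent from syslog timestamps) is assumed to be 2010.

```python
"""Spot SSH brute-force attempts in sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2010  # syslog timestamps carry no year; assumption for the sample
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")


def _prune(window, now, window_s):
    """Drop timestamps older than the sliding window."""
    while window and (now - window[0]).total_seconds() > window_s:
        window.popleft()


def detect(lines, window_s=300, threshold=5, min_failures_before_success=3):
    """Return alerts as (kind, source_ip, detail) tuples, in log order."""
    failures = defaultdict(deque)   # ip -> timestamps of failed logins in window
    usernames = defaultdict(set)    # ip -> distinct usernames tried
    alerts = []
    for line in lines:
        now = parse_ts(line)
        m = FAILED_RE.search(line)
        if m:
            ip = m["ip"]
            window = failures[ip]
            window.append(now)
            _prune(window, now, window_s)
            usernames[ip].add(m["user"])
            # alert once, at the moment the threshold is crossed
            if len(window) == threshold:
                alerts.append(("brute_force", ip, len(usernames[ip])))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            ip = m["ip"]
            window = failures.get(ip)
            if window:
                _prune(window, now, window_s)
            if window and len(window) >= min_failures_before_success:
                # a success right after a run of failures from the same source:
                # treat it as a probable guessed password, not a routine login
                alerts.append(("success_after_failures", ip, f"{m['user']} via {m['method']}"))
    return alerts


# Constructed sample log (TEST-NET addresses), not real log data.
SAMPLE_LOG = """\
Apr  9 05:12:01 musicpc sshd[2314]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr  9 05:12:03 musicpc sshd[2316]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr  9 05:12:06 musicpc sshd[2318]: Failed password for invalid user oracle from 203.0.113.7 port 51251 ssh2
Apr  9 05:12:07 musicpc sshd[2320]: Accepted publickey for joe from 192.168.1.20 port 40122 ssh2
Apr  9 05:12:09 musicpc sshd[2322]: Failed password for invalid user test from 203.0.113.7 port 51262 ssh2
Apr  9 05:12:12 musicpc sshd[2324]: Failed password for joe from 203.0.113.7 port 51270 ssh2
Apr  9 05:12:15 musicpc sshd[2326]: Failed password for root from 203.0.113.7 port 51281 ssh2
Apr  9 05:13:40 musicpc sshd[2330]: Failed password for joe from 198.51.100.4 port 33010 ssh2
Apr  9 05:14:02 musicpc sshd[2333]: Accepted password for joe from 203.0.113.7 port 51402 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the threshold alert fires at the fifth failure from 203.0.113.7 (five different usernames by then), and the later "Accepted password" from the same source is flagged separately; the key login from the LAN address is left alone. The threshold and window are the parameters to tune against your own log, and the "success after failures" signal is the one worth paging on.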
Old 04-09-2010, 05:58 AM   #3
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
If it is a server exposing all services you'd normally want to use, NO, it is a bad idea.

That doesn't mean you can't attach the box directly to the Internet, in general Linux is hardened enough, but you should expose only those services that are intended for exposure, like SSH.

Having said that, if you have only one box, you can close all outside connections, except an OpenVPN server and SSH. Connect to this computer using OpenVPN and/or SSH, and access your services through these tunnels. It will require some tweaking of iptables but it can be done.

OpenVPN works with keys (difficult to hack), make sure you don't allow access to root on SSH, and use complicated passwords of sufficient length and using random characters.

My preference though is to have one separate firewall running iptables, running OpenVPN and SSH and some port forwarding to internal servers. My firewall has only a few user accounts for users who really need to be on that box, and passwords for myself and root which are different from the passwords on the NIS domain.

jlinkels
 
Old 04-09-2010, 06:03 AM   #4
bakdong
Member
 
Registered: Apr 2009
Posts: 214

Rep: Reputation: 44
You don't really want a machine on the internet unless it needs to be there. You need to be constantly aware of the security and it takes that much more effort to look after.

What router are you using? Some configurations can be a bit cryptic, but most can do port forwarding.
 
3 members found this post helpful.
Old 04-09-2010, 06:24 AM   #5
nonamenobody
Member
 
Registered: Oct 2002
Posts: 138

Rep: Reputation: 22
Quote:
Originally Posted by bakdong View Post
You don't really want a machine on the internet unless it needs to be there. You need to be constantly aware of the security and it takes that much more effort to look after.
I agree with that, it shouldn't be that tricky to set up port forwarding from your router - a lot less work than hardening your Linux box.

Don't forget to harden your ssh server e.g. using 'allow users' to limit who can log on, use keys rather than passwords (or if you must, use strong passwords), unSpawn has given quite a good link in the last post of this thread - another good one is Top 20 OpenSSH Server Best Security Practices. If you feel that some of them are beyond you, then implement what you can.
 
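The sshd hardening nonamenobody lists (AllowUsers, keys rather than passwords) plus jlinkels' "no root on SSH" can be checked mechanically. The script below is an added example, neither from this thread nor OpenSSH's own code: it reads the global section of an sshd_config the way sshd resolves it (the first occurrence of a keyword wins and later duplicates are ignored, a line starting with '#' is a comment so the compiled-in default applies, and anything after a Match line is conditional and skipped) and reports what contradicts that advice. The defaults assumed for absent keywords are those of the OpenSSH 5.x era Fedora 12 shipped, and the three config files are constructed for the example; on a real box compare against `sshd -T`.

```python
"""Audit an sshd_config against the hardening advice in this thread (added example)."""
import re

# Compiled-in defaults assumed for OpenSSH 5.x (assumption: newer releases
# default PermitRootLogin to prohibit-password and have removed Protocol 1).
ASSUMED_DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "protocol": "2,1",
}

KEYWORD_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")   # "Key value" or "Key=value"


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section of text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                             # everything after is conditional
        settings.setdefault(key, value)       # first occurrence wins, as in sshd
    return settings


def audit(text):
    """Return [(Keyword, problem)] findings; an empty list means no complaint."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, ASSUMED_DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") != "no":
        findings.append(("PermitRootLogin",
                         "root can log in directly; set 'no' and use an ordinary account plus su/sudo"))
    if get("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication",
                         "password logins are on, so guessing can succeed; use keys and set 'no'"))
    elif get("challengeresponseauthentication") != "no":
        # With PAM, keyboard-interactive still prompts for the Unix password
        # even when PasswordAuthentication is off; both must be disabled.
        findings.append(("ChallengeResponseAuthentication",
                         "still 'yes', so PAM keyboard-interactive password prompts remain"))
    if get("pubkeyauthentication") != "yes":
        findings.append(("PubkeyAuthentication", "must be 'yes' for key logins to work"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("AllowUsers",
                         "no AllowUsers/AllowGroups, so every local account is a login target"))
    if "1" in [p.strip() for p in get("protocol").split(",")]:
        findings.append(("Protocol", "SSH protocol 1 is enabled; set 'Protocol 2'"))
    return findings


# Constructed: stock-style file where most keywords are commented out, so the
# assumed defaults apply (root login and password logins both allowed).
STOCK_CONFIG = """\
#Protocol 2,1
#PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# Constructed: the same file after following the advice in this thread.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers joe
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# Constructed: a common half-measure; passwords "off" but PAM prompts left on,
# and a duplicate PermitRootLogin that sshd ignores because the first one wins.
HALF_HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers joe
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg in [("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("half-hardened", HALF_HARDENED_CONFIG)]:
        print(name, audit(cfg))
```

The half-hardened case is the one people get bitten by: with PAM in use, setting PasswordAuthentication no alone still leaves a password prompt reachable through keyboard-interactive, so ChallengeResponseAuthentication has to go too. Restart sshd only after `sshd -t` passes, and keep an existing session open while you test a new login.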
Old 04-09-2010, 07:55 AM   #6
Joe of Loath
Member
 
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152

Original Poster
Rep: Reputation: 28
Thanks for the suggestions.

To clarify, the router has a DMZ option that bypasses all communications to and from that box past the firewall. I left an Ubuntu box connected and in the DMZ all day once, and came back and the RSA fingerprint had changed. I wiped it.

The router is a Buffalo WBMR-G54. It's Linux based, quite fun to play with in telnet (you can make the LEDs flash). I opened a port for P2P, and that works, but when I use nmap on the DNS (or IP associated to the DNS) I only get ports 80 and 23 open. Maybe there's something I've missed...

If it helps I have an old celeron 433 box I could setup as a firewall for the server, but it's noisy, and I wanted to use just the dell box as a server because it's so quiet.
 
Old 04-09-2010, 10:28 PM   #7
bakdong
Member
 
Registered: Apr 2009
Posts: 214

Rep: Reputation: 44
So it's not as straightforward as this:

http://portforward.com/english/route...4/Echolink.htm

to forward a port to a machine on your internal network?
 
Old 04-10-2010, 12:13 AM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Even if it's still on the router's DMZ, it's still exposed, which means it should be hardened before being placed in the DMZ. Close all unneeded ports by turning off unneeded services. Run iptables to filter all inbound and outbound traffic. Note that most ISPs do their own filtering before inbound traffic reaches you, but they typically only filter the problematic ports (445 is usually one of those ports).

I wouldn't say that your machine would get owned if put on the DMZ without a firewall (I did this as an experiment a few years ago...I ran a colo machine without a FW for almost 3 years with no compromise of that host). I feel that if you do this, you should know the impact if that machine gets cracked. Not only are you affected, other people are also usually affected, as your machine will more than likely be used to participate in attacking other hosts.

I think your original post should've actually read like this:


Quote:
My router REALLY doesn't like port forwarding. Using a dynamic DNS service I can log into the router, but can't access an SSH server I left running attached. Can someone help me troubleshoot why there's a problem logging into my box via SSH?

The server (the 'music PC' in my sig) is running Fedora 12 LXDE spin, and running an SSH server and VNC server, as well as LDAP and NFS for local stuff (although it might be accessible over the internet). Can someone assist me in utilizing iptables so that the local services aren't actually accessible from the internet?
The root of your issue is that you can't access the SSH server from outside the network. Putting it into the DMZ is called a workaround (and a bad one at that). I'd focus on why you can't shell into your machine. After that, I'd try to understand how to port forward services so that they can be accessed from outside your LAN. Note that NFS across the internet is usually considered a bad thing to do.

Last edited by unixfool; 04-10-2010 at 12:14 AM.
 
1 members found this post helpful.
Old 04-11-2010, 09:16 AM   #9
Joe of Loath
Member
 
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152

Original Poster
Rep: Reputation: 28
Quote:
Originally Posted by bakdong View Post
So it's not as straightforward as this:

http://portforward.com/english/route...4/Echolink.htm

to forward a port to a machine on your internal network?
That's the method I've been using. It works for games and P2P, but I can't see the ports from the outside world, nor connect.

Quote:
Originally Posted by unixfool View Post
Even if it's still on the router's DMZ, it's still exposed, which means it should be hardened before being placed in the DMZ. Close all unneeded ports by turning off unneeded services. Run iptables to filter all inbound and outbound traffic. Note that most ISPs do their own filtering before inbound traffic reaches you, but they typically only filter the problematic ports (445 is usually one of those ports).

I wouldn't say that your machine would get owned if put on the DMZ without a firewall (I did this as an experiment a few years ago...I ran a colo machine without a FW for almost 3 years with no compromise of that host). I feel that if you do this, you should know the impact if that machine gets cracked. Not only are you affected, other people are also usually affected, as your machine will more than likely be used to participate in attacking other hosts.

I think your original post should've actually read like this:

The root of your issue is that you can't access the SSH server from outside the network. Putting it into the DMZ is called a workaround (and a bad one at that). I'd focus on why you can't shell into your machine. After that, I'd try to understand how to port forward services so that they can be accessed from outside your LAN. Note that NFS across the internet is usually considered a bad thing to do.
That makes sense, thanks. I'll mess around with the router some more, see if I'm missing something or there's a more advanced way to port forward.
 
Old 04-15-2010, 08:55 AM   #10
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
Why not configure iptables to block all of the ports besides SSH/whatever else you want open?

Code:
# Set the policy to ACCEPT before flushing, so an existing DROP policy
# cannot lock you out between the flush and the rules below
iptables -P INPUT ACCEPT
iptables -F INPUT

# Allow all loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow all established or related traffic through
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow things you want in (Copy this line as many times as you want for additional services, make sure you change tcp to udp if necessary)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Drop everything not specifically mentioned above
iptables -P INPUT DROP
Personally, to help stop brute force attacks I would add this for SSH
Code:
# Custom chain: record the source address, then drop the packet if that
# address has been seen 4 or more times in the last 40 seconds (--update
# also refreshes the timestamp, so an attacker who keeps trying stays blocked)
iptables -N SLOWSSH
iptables -A SLOWSSH -m recent --set --name SSH
iptables -A SLOWSSH -m recent --update --name SSH --seconds 40 --hitcount 4 -j DROP
iptables -A SLOWSSH -j ACCEPT
# --state needs the state match loaded with -m state; the jump option is -j
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SLOWSSH
The last line above should replace the line allowing port 22 in from the previous example.
That will jump the traffic into the custom SLOWSSH chain where it checks to see how recently the IP address last connected. If it has made more than 4 connections in the last 40 sec it will drop the packet. If they keep trying (which they do) it will continue to be dropped indefinitely.

Last edited by SuperJediWombat!; 04-15-2010 at 07:30 PM.
 
1 members found this post helpful.
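The "dropped indefinitely" behaviour of the SLOWSSH chain is worth seeing before relying on it, and it has a flip side: the recent match is a rate limit, not a ban, and lapses once the source stays quiet for the window. The script below is an added example, not code from this thread or from netfilter: it replays a stream of NEW SSH connections through a small Python model of the two `-m recent` rules above (the `--set` rule records the packet first, so the current attempt already counts when `--update --hitcount` is evaluated). Only the window, hit count and the 20-entry per-address timestamp ring (xt_recent's ip_pkt_list_tot default) come from the real module; everything else, including the three scenarios and their TEST-NET addresses, is constructed for the example.

```python
"""Model of the iptables 'recent' match behind the SLOWSSH chain (added example)."""
from collections import defaultdict, deque


class RecentMatch:
    """Per-source timestamp ring plus the --set / --update --hitcount check."""

    def __init__(self, seconds=40, hitcount=4, list_tot=20):
        self.seconds = seconds
        self.hitcount = hitcount
        # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def new_connection(self, src, now):
        """Return 'DROP' or 'ACCEPT' for one NEW packet from src at time now (seconds)."""
        ring = self.stamps[src]
        # --set runs first, so the current packet is already in the ring when
        # --update counts hits; the 4th attempt inside the window is the first dropped
        ring.append(now)
        hits = sum(1 for t in ring if now - t < self.seconds)
        return "DROP" if hits >= self.hitcount else "ACCEPT"


def simulate(attempts, seconds=40, hitcount=4):
    """attempts: iterable of (time_in_seconds, source_ip); returns one verdict per attempt."""
    match = RecentMatch(seconds, hitcount)
    return [match.new_connection(src, t) for t, src in attempts]


# Constructed scenarios (addresses from the TEST-NET documentation ranges).
BRUTE_FORCER = [(t, "203.0.113.7") for t in range(0, 130, 10)]       # one try every 10 s
LEGIT_USER = [(0, "192.0.2.10"), (5, "192.0.2.10"), (10, "192.0.2.10"), (60, "192.0.2.10")]
BACKOFF = [(0, "198.51.100.4"), (10, "198.51.100.4"), (20, "198.51.100.4"),
           (30, "198.51.100.4"), (75, "198.51.100.4")]               # waits out the window

if __name__ == "__main__":
    for name, scenario in [("brute forcer", BRUTE_FORCER), ("legit user", LEGIT_USER),
                           ("backoff", BACKOFF)]:
        print(name, simulate(scenario))
```

The persistent attacker gets three connections through and is then dropped on every later attempt, because each dropped packet still passes the `--set` rule and refreshes the ring. A tool that pauses longer than the window (the third scenario) is accepted again, so this rule slows password guessing down rather than stopping it; the real fix is keys instead of passwords, with the rate limit as a second layer.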
Old 04-15-2010, 07:23 PM   #11
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
You could also add a rule in that accepts all traffic from your local network.

Code:
iptables -A INPUT --source 10.1.1.0/24 -j ACCEPT
Add that in below the SSH rule.
 
Old 04-27-2010, 02:00 PM   #12
Joe of Loath
Member
 
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152

Original Poster
Rep: Reputation: 28
After investigating, my problem is with the router. It won't even let me set a static IP... Thanks for all the help, if the router still won't open ports I shall fiddle with iptables and put the box in the DMZ.
 
Old 04-28-2010, 05:31 AM   #13
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 48
It is possible that the problem is not with your router, but your ISP.
Also, you can't just set a static IP on your router, you have to have one allocated by your ISP, otherwise, you're stuck with DHCP.
 
Old 05-11-2010, 10:55 AM   #14
Joe of Loath
Member
 
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152

Original Poster
Rep: Reputation: 28
Quote:
Originally Posted by nowonmai View Post
It is possible that the problem is not with your router, but your ISP.
Also, you can't just set a static IP on your router, you have to have one allocated by your ISP, otherwise, you're stuck with DHCP.
That's possible, and very annoying. We're going to change ISP when our contract runs out though, so we'll have a look at the alternatives.

I meant a static IP on the LAN. It keeps forgetting that my box should always be at the same IP, and gives it a different one every time no matter what I try.
 
Old 05-11-2010, 11:19 AM   #15
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
I meant a static IP on the LAN. It keeps forgetting that my box should always be at the same IP, and gives it a different one every time no matter what I try.
How about setting the static IP at the server? Most routers use a fairly limited number of the available IP addresses for DHCP, so as long as you set the server to an IP outside of that range, it should be good.