Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Beginner linux security question

By tayknight in Technology
Tue Nov 21, 2000 at 12:37:52 PM EST
Tags: Help! (Ask Kuro5hin) (all tags)
Help! (Ask Kuro5hin)

Ok. I've submitted poorer versions of this question before. Here goes a more complete question that might be posted.

I'm finally getting broadband dsl at home. I live close to my local office, so things might be fast (fingers crossed). I've got a couple hundred bucks to burn, so I'm thinking about buying a cheap 486 and installing Linux. The questions follow.


First off, I know eveybody has different ideas about a topic like this, and I don't want to start a flame war. I also believe that everybody has something to contribute, and there are no stupid questions.

I'm getting aDSL from Southwestern Bell. Dynamic IP. I have no idea how often the DHCP lease will expire. I've used Linux a little. Years ago. I slightly remember UNIX from the one programming class I took in college, 5 years ago. But I am willing to learn. I do Lotus Notes/Domino design, HTML, CGI, ASP, Access, and am a database designer/administrator. All well and good, but none of my skills get much into lower-level computer knowledge, and as you can see, no Linux. I've decided that it will be easier to set things up now than try to fix anything that breaks, or gets broken, down the line. I use Win 2000 Pro at home. From what I've read, 2000 is better but now good enough.
Plus I just want to learn. Below is a list of sites that I've either read, or am reading to get familiar with how IP works and what I need to do to make things a little secure.

This list should keep me busy for a while :)

I'm probably going to buy a reasonable 486 with 32MB ram, 500 MB hd, CD-ROM drive and 2 NIC's. I've got redheat on CD, so I'll start with that. But I'm not adverse to the idea of getting a different distro (talk about a flammable question). I'll do a minimal install so that I keep unwanted/unneeded services to a minimum.

I really want to do this right. Is there anything else I need to consider, read, buy, etc? From what I've read so far, this isn't exactly easy, buy I should be able to do it with some digilence and patience. Advice and help is what I'm looking for. Thanks.

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o Linux Firewall-howto
o The The Linux Networking Overview HOWTO
o The Ethernet HOWTO
o IPchains Firewalling made Easy!
o Linux Network Address Translation
o The Net-3 HOWTO
o The NET-PPP HOWTO
o The Documentation for the TIS Firewall Toolkit
o Also by tayknight


Display: Sort:
Beginner linux security question | 61 comments (56 topical, 5 editorial, 0 hidden)
In answer to your question (3.84 / 13) (#1)
by Inoshiro on Tue Nov 21, 2000 at 01:58:56 AM EST

A good place for an overview of the security mindset, as well as examples of remote security, is right here. The security articles I authored cover the basics of the mindset, some theoretical attacks, encryption, and daemons to use/avoid. I also have a discussion of how we handled a break in on the old-old K5 server.

Enjoy.



--
[ イノシロ ]
another story (2.28 / 7) (#2)
by Justinfinity on Tue Nov 21, 2000 at 02:04:03 AM EST

i just submitted a similiar story© if you haven't seen it, go here :-¤

-justin
[ Parent ]
Practice makes perfect? (2.50 / 4) (#29)
by AndrewH on Tue Nov 21, 2000 at 12:25:57 PM EST

i just submitted a similiar story© if you haven't seen it, go <a href=" http://www©kuro5hin©org/?op=displaystory;sid=2000/11/18/22437/979"> here</a> :-¤

preview everything you post

Sure?


John Wilkes Booth, Lee Harvey Oswald, John Hinckley Jr — where are you now that we need you?
[ Parent ]
hmm, it looked ok for me (2.00 / 2) (#52)
by Justinfinity on Wed Nov 22, 2000 at 02:25:58 PM EST

some others told me that it looked funny, maybe something got fscked when IE did the final submission (never know with this MS stuff :-P )

-justin
[ Parent ]
I highly suggest additional security measures (3.00 / 6) (#3)
by pope nihil on Tue Nov 21, 2000 at 02:41:17 AM EST

I don't know if Inoshiro's articles cover this or not (because I honestly don't have time to read them), but I have been very impressed with program that detects portscans (and can tripwire ports) called "portsentry" from psionic.com.

I found it to be very simple to install and configure, and in a few days time it proved to be invaluable as far as showing me who was trying to poke around and what forbidden ports they tried to access first. Actually, I was kind of curious to see what all services they would try to access, but I'm not THAT curious, so I have it configured to drop all packets to any host that sets off the security alarm.


I voted.

Personal Opinion (3.66 / 6) (#4)
by spectatorion on Tue Nov 21, 2000 at 03:10:02 AM EST

My personal opinion is that FreeBSD or OpenBSD is better for firewalls which need to be bulletproof and secure (My personal pick: OpenBSD). If you're going to use Linux, I'd recommend Debian for stability and security, because, while RedHat reigns in ease of install and use, Debian kicks for security and stability. You said you want to do things right the first time and that you're willing to learn, so I would recommend OpenBSD (or Debian if you must do Linux--which may be true based solely on documentation available, although there is a wealth of information available on OpenBSD).
Plus, I would definitely not spend "a couple hundred bucks" on the system configuration you have described. 486 configed like that should cost you less that $100. You should even be able to get a similarly configured Pentium (or compatible...K6 is nice) for around that price, which will more than suffice as a firewall.
And hey, once you've got your firewall set up, you should play around with it and become comfortable in that environment so when the time comes, you can kick Bill Gates and his WIN2K or .NET or whatever craziness he's cooking up to the curb. :-)

PS if you're worried about price (since you have the RedHat CD already) you shouldn't. If you've got DSL, ftp install should be no sweat. If you must have a CD, FreeBSD and Debian publish ISO's, and you can make an OpenBSD CD by downloading a directory of from an OpenBSD ftp server if you have a burner (or buy a copy from Cheapbytes). Hope I was helpful in my suggestions :-)

DHCP in Debian (2.33 / 3) (#14)
by reshippie on Tue Nov 21, 2000 at 10:08:03 AM EST

This came up for me, and since you suggested Debian, it may come up for him. Whne I installed Debian I could not figure out how to tell my system that I was connecting through DHCP. It kept asking me for an IP address.

I got too frustrated with that, and some other things, but how does one fix this?

Those who don't know me, probably shouldn't trust me. Those who do DEFINITELY shouldn't trust me. :-)
[ Parent ]

Well, actually... (1.66 / 3) (#31)
by spectatorion on Tue Nov 21, 2000 at 01:55:00 PM EST

I must confess ignorance here. I have not used Debian in that type of environment. I've only seen a little Debian, but my experience has been that it is much more stable than RedHat and I take people's word for it that it is more secure as well. Sorry I couldn't help, but there should be lots of reference info about this online. Just hunt around a little.

[ Parent ]
DCHP in Debian - HOWTO (3.50 / 2) (#40)
by Keepiru on Tue Nov 21, 2000 at 08:41:41 PM EST

In the current version of Debian (potato), it will ask you during the install if you want to use DHCP. If you didn't do that, edit /etc/network/interfaces ; you will see the entry with your settings for eth0 (assuming you only have one ethernet card) that look something like this:

iface eth0 inet static
address 192.168.0.42
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1

Change it to:

iface eth0 inet dhcp

Similar setups with more than one net card are left as a trivial exercise to the reader.

Detailed information on this file is available through the man page for interfaces(5).

--Kai
--slashsuckATvegaDOTfurDOTcom


[ Parent ]
Did I miss something (2.00 / 12) (#5)
by FeersumAsura on Tue Nov 21, 2000 at 03:43:20 AM EST

Was I asleep when K5 became a tech support forum. We have newsgroups and IRC for this sort of post. K5 is there for spreading interesting news articles not Slashback style features. Gaaah where's the -5 button.
BTW I'd install Smoothwall from smoothwall.org.

I'm so pre-emptive I'd nuke America to save time.
bah... (3.75 / 4) (#6)
by djx on Tue Nov 21, 2000 at 04:00:17 AM EST

For starters, this should be an editorial.

Also, there's no law that says a few pieces such as this one will not both a) help out newbies to security / etc and b) allow us experienced users to share our knowledge in a semi-controlled forum.

I gave it +1 to section, because I feel that we, the experienced, should share our knowledge and experience so as to avoid newbies making the same mistakes we did.

Feel free to disagree with me here if you like, but it's my damn opinion and you can't have it.
-<end of transmission>-
NO CARRIER.
[ Parent ]
Because, you know... (3.40 / 5) (#9)
by Hillgiant on Tue Nov 21, 2000 at 08:14:01 AM EST

It's not "technology and culture, from the trenches" or anything.


-----
"It is impossible to say what I mean." -johnny
[ Parent ]

Then explain this... (3.20 / 5) (#23)
by fester on Tue Nov 21, 2000 at 11:04:06 AM EST

What the hell is the "Help!" topic for?

[ Parent ]
What help. (2.66 / 3) (#48)
by FeersumAsura on Wed Nov 22, 2000 at 11:08:58 AM EST

Where is this mysterious help topic?

I'm so pre-emptive I'd nuke America to save time.
[ Parent ]
This Help: (3.00 / 2) (#53)
by fester on Wed Nov 22, 2000 at 03:52:48 PM EST

Here is a listing of the recent Help topics posted. It's an valid topic that rusty and co. have given us...what's it for if you can't ask a question?

[ Parent ]
Firewalls on very simple hardware - e.g. no HDD (3.33 / 3) (#7)
by NKJensen on Tue Nov 21, 2000 at 04:01:48 AM EST

These 2 projects about firewalls on HDD-less PC's could be useful, I think.

http://www.zelow.no/floppyfw/

and

http://lrp.c0wz.com/
--
From Denmark. I like it, I live there. France is another great place.

Firewall on a floppy (3.00 / 3) (#8)
by BrynM on Tue Nov 21, 2000 at 04:47:49 AM EST

I'm using Coyote Linux (http://www.coyotelinux.com/). It's dirt simple to configure, so I recomend it for newbies. Save that RedHat install for a Workstation :)

[ Parent ]
FreeSCO - 1 disk firewall (3.00 / 1) (#60)
by dod1 on Sat Nov 25, 2000 at 12:45:44 PM EST

I've looked at a few single floppy firewalls for 486's, and found FreeSCO to be the most user friendly to setup for a novice. With a little knowledge of IP and some hardware settings you can configure this to routing between most comms devices.

http://www.freesco.org

It's free and simple - based around Linux not BSD. Even incudes a web interface to allow internal users to open and close ports as required. Only requires a 386 and 6Mb RAM - more RAM recommended though, I'm using a 486 with 12Mb RAM and it works fine doings DHCP, Firewalling and making my home LAN feel more secure...

[ Parent ]

Redhat for security?! (2.75 / 8) (#10)
by iCEBaLM on Tue Nov 21, 2000 at 08:45:02 AM EST

You're going to install Redhat on a firewall?

Redhat has more than HALF of Linux Aggregate security issues on Security Focus. I recommend Debian or Slackware.

-- iCEBaLM

OpenBSD, if you're feeling intrepid (3.75 / 4) (#12)
by Greyjack on Tue Nov 21, 2000 at 09:42:57 AM EST

If you don't mind getting down and close to the metal, try an OpenBSD ftp install--all you need is RAWRITE.EXE and floppy27.fs (soon to become floppy28.fs with the release of 2.8 in a couple weeks, I imagine) to make a bootdisk on your Microsoft box. The installer can pull down everything else via your DSL as it's required.

Personally, as a still somewhat neophyte *nix guy, I actually prefer OpenBSD to Linux, as it's spare, clean, well-documented, and damn near everything's turned off by default. I learn how to configure and use the services as I decide I need 'em and turn 'em on, which I personally find to be a much more effective learning process than the "everything's already turned on" approach in many Linux distros.

If you can get through the initial HD partitioning process and can live without X for a short time while you're learning the ropes, OpenBSD is actually pretty darned good for learning the ropes (if you've got the basic "this is how computers work" concepts down already, that is :)

(all that said, Mandrake ain't shabby if you want the full *nix/X/eye-candy/everything treatment, just make sure it's behind something more secure before you connect it to the 'net)

--
Here is my philosophy: Everything changes (the word "everything" has just changed as the word "change" has: it now means "no change") --Ron Padgett


Get a Lynksys Router (3.71 / 7) (#13)
by r0cket on Tue Nov 21, 2000 at 09:57:53 AM EST

Unless you want to become intimately familiar with IP and routing protocols, get one of those Lynksys broadband routers (about $179, if I remember right). It does its job well and uses a Linux kernel. It can deal with DHCP from your ISP and can dish out DHCP to your hosts. It also uses NAT, IP masking, etc., which will provide some security. If you just want to learn to use Linux to do some of your daily computing chores and not necessarily become a jr. network admin, I'd go with the Lynksys (or similar animal).

Agreed! (3.25 / 4) (#16)
by RocketJeff on Tue Nov 21, 2000 at 10:09:58 AM EST

I have a Linksys Cable/DSL router at home and it is great (at least it's great for the price). They actually have several different models depending on how many ports you need. Check it out at Linksys.

(There are several other similar products that probably work just as well, but I haven't tried them) When I'm at home I don't want to worry if I have everything configured properly - I just want security (and NAT, DHCP, etc). The Linksys box does this without me messing with it.

Some day I might replace it with a Linux (or BSD) box, but that will be when I have a lot more time to mess with things.

[ Parent ]

Nice little box (2.80 / 5) (#18)
by Mantrid on Tue Nov 21, 2000 at 10:33:17 AM EST

I've been using one for a few weeks now, works very well, except for bizzare corrupted downloads that went away with a firmware upgrade (which fortunately was not a corrupted download!) Browsing seems to be faster which I still haven't been able to figure out, don't know if it's caching stuff or what...ah well can't complain.

[ Parent ]
You rule.. (3.00 / 3) (#30)
by paxtech on Tue Nov 21, 2000 at 12:37:41 PM EST

I've been getting corrupted downloads periodically over the last few weeks.. Now I know why. Firmware update, here I come.

I do have to say, that even with my corrupted downloads, I still love my Linksys router..

But it certainly did suck to have to download CounterStrike 1.0 4 times before I got it uncorrupted.. at 80 megs per attempt.

--
PaxTech

I am smart..
much smarter than you..
Hibbert!

--
"Eggs or pot, either one." -- Ignignot
[ Parent ]
I'll second that (3.40 / 5) (#20)
by Fireblade on Tue Nov 21, 2000 at 10:36:07 AM EST

I have the Linksys with the integrated 4 port switch ($179) and it's been working great for about 4 months now. I set it up in under 5 minutes, threw it on the floor behind my tower and haven't had to touch it since. There is less flexibility in configuration as compared to an old 486 running Linux but it's smaller, quieter and uses less power than a PC. DLink, NetGear and UMAX also make similiar devices which may be worth looking into if you decide to go this route.

[ Parent ]
Good advice (2.33 / 3) (#35)
by kagaku_ninja on Tue Nov 21, 2000 at 02:54:19 PM EST

Much like the author of this article, I figured I would use my old PC as a LINUX firewall once I got my DSL. After a couple weeks of trying to get a network configured on both Windows and Linux boxes, I realized that there is a reason companies pay people to do this. Also, I didn't really want to leave my old machine turned on 24 hours a day (noisy, wastes energy), nor would I want to turn on two PCs just so I could get onto the net.

[ Parent ]
Rules of thumb for "normal" security (4.00 / 5) (#19)
by Luke Scharf on Tue Nov 21, 2000 at 10:34:04 AM EST

For real security, don't power on the machine.

For those of us who just want to get work done:

  • Choose good passwords
  • Don't run any unneeded services
  • Keep your packages up to date.
  • The first two item aren't that big of a deal - whenever you run passwd, stop to think for a second rather than typing something dumb. The second item talkes the most effort during the initial install. The last item takes due dilligance throughout the life of the machine.

    On a RedHat[0] box, keeping the packages up to date takes concious effort. Do it. I've seen unmaintained RedHat boxes turn into high profile security problems.

    I've been playing with Debian for a while and keeping things up to date seems to be a lot easier ("apt-get dist-upgrade"). I'd recommend it for anoyone who has a constant high-speed connection to the 'net. It relies pretty heavily on pulling packages over FTP and/or HTTP.

    Someone mentioned the Linksys firewall boxes. They seem to be secure and do a nice job with IP masqurading. My boss baught one and (at his request) I pounded on it for a while - it seems pretty tight. Of course, I only nmapped it and connected to ports and things like that. I'd highly recommend this box for anyone who just wants to connect a Windows box or two to DSL[1].

    If you need a flexible AND safe firewall, I've had good luck with OpenBSD. My co-sysadmin spent some time setting the thing up, but since then ipnat and ipf have been very easy to manage. We use it for port blocking and to arbitrarily map "outside" addresses to "inside" addresses. It can also do a very nice job with ip masqurading.

    [0] RedHat is great if you want to get a system up and running in a few minutes from a CD. I recommend it for home users with Windows experience who will only be connecting via modem. While a modem doesn't necessarily protect you, attacking a modem pool would be slow and the machines are hard to find again once they go away.

    [1] It's just as important to keep Windows patched - and it's easy to forget about an "I might need it later" service. The service packs are a good way to do this, but I wish they were more finely grained.



    Red Hat (2.25 / 4) (#32)
    by trhurler on Tue Nov 21, 2000 at 01:55:58 PM EST

    You think patching one hole some idiot found in this or that daemon and another over there is going to fix things? These guys have fixed over 3000 potential holes in a much smaller and cleaner codebase than Red Hat has, and they're still finding new ones every now and then. Linux is a good kernel; GNU is a horrible userland.

    How to secure Red Hat Linux: first, recompile your kernel, leaving out all networking options. Second. after verifying the new kernel, turn the machine off and put it in a closet somewhere. Hire a guard.

    --
    'God dammit, your posts make me hard.' --LilDebbie

    [ Parent ]
    The purpose is... (4.00 / 2) (#36)
    by Luke Scharf on Tue Nov 21, 2000 at 03:57:12 PM EST

    You think patching one hole some idiot found in this or that daemon and another over there is going to fix things?

    No, of course not.

    The aim of this kind of security is to keep the script kiddies and DOSers out. Doing this certainly won't stop a coordinated attack by real hackers.

    Of course, all a real hacker needs to do is call up my boss and say "I'm interested in what you all do - can you show me around?" If they're seriously interested, we'll gladly give him/her a copy of our latest work along with a lot of free help to get it up and running. I work in an academic research lab, BTW... :-)

    If someone is worried about a coordinated attack by real hackers, I would take an entirely different approach. The most of us just want to get work done. Someone reading our files might be embarrasing (badly written code and/or private e-mail to loved ones), but it wouldn't be like a breach of breach national security. Again, we just want to get our work done without some l33t d00d posting p0rn on our server.



    [ Parent ]
    Ahh... (3.33 / 3) (#37)
    by trhurler on Tue Nov 21, 2000 at 04:09:08 PM EST

    The aim of this kind of security is to keep the script kiddies and DOSers out. Doing this certainly won't stop a coordinated attack by real hackers.
    With the exception of the part about denial of service, I agree. The sad fact is, a DoS kiddie with half a brain and the ability to read can probably hit you no matter how well patched you are, because most of the interesting DoS attacks aren't really patchable.
    I work in an academic research lab, BTW... :-)
    Ah, that explains a lot. Get a DSL line or a cable modem and a static IP or two, and you'll see my point of view very quickly. If you plan on having a server publicly available that looks even remotely interesting(not necessarily contentwise, but in terms of bandwidth, likelihood of being caught messing with it, etc, and keep in mind we're talking appearance, not reality,) then you pretty much have to have some serious security unless you feel like being cracked regularly by hosers with too much free time and the latest and greatest in as-yet-unpatched-not-publicly-known exploit scripts. Contrary to popular belief, these things do not usually originate in the bugtraq crowd; the bad guys are inventing a lot more of them than anyone else, and they always have.

    --
    'God dammit, your posts make me hard.' --LilDebbie

    [ Parent ]
    Did I mention... (3.50 / 2) (#42)
    by Luke Scharf on Tue Nov 21, 2000 at 11:16:52 PM EST

    Get a DSL line or a cable modem and a static IP or two, and you'll see my point of view very quickly.

    I believe that my university has three T3's coming into it. I haven't checked (all I have to do is e-mail the guru), but I get about 80 kbytes/sec off average campus and about 300 kbytes/sec on campus. I'd think that this would look interesting even to a script kiddie.

    And yes, we've had our share of security problems - two on my server before we actually started paying attention. (Yes, it took two incidents to jolt me to the point where I am now) and several others that would have been outside my jurisdiction, except that I've got a reputation around here. All of the exploits used well-known holes that would have been patched if the responsible person would have just loaded the friggin' patches. No data was lost in any of the incidents, but they were all a pain in the @$$ to clean up after.

    Of course, to bring this discussion full-circle, we put up an OpenBSD firewall after we got serious about security. We wanted both the NAT capabilities and the port blocking. It's done the job very well, and I would recommend it to anyone with a system like we have here.

    P.S. At home, my roommate runs an IP Masq on a well-patched Linux box. The apartment complex provides Ethernet connectivity that's comparable to a 2-way cable modem. It works fine, and we haven't had any security incidents yet.



    [ Parent ]
    Well, I knew (2.00 / 2) (#51)
    by trhurler on Wed Nov 22, 2000 at 12:35:13 PM EST

    that you'd have good access at a university, but I'm a bit surprised you have had problems recently; most of the kiddies have given up on attacking anything that looks big and organized, because it usually IS, whereas the small home users often never even know someone was there, even if that someone was a blundering, incompetent moron with some tools he pulled off of l@mer.net or some stupid thing like that:)

    Then again, there are kiddies so stupid that these things don't occur to them, so I guess I'm not TOO surprised.

    --
    'God dammit, your posts make me hard.' --LilDebbie

    [ Parent ]
    Good call! (4.00 / 1) (#58)
    by Luke Scharf on Thu Nov 23, 2000 at 11:35:38 PM EST

    most of the kiddies have given up on attacking anything that looks big and organized, because it usually IS, whereas the small home users often never even know someone was there

    I hadn't thought of it that way! Still, Kaa's Law[0] applies to my university.

    There are about two other sysadmins in my department who I know to be excellent at their work. (Greetings to Bob and John!) I lean on them when I can use their expertise and they sometimes return the favor. Between the three of us, we are responsible for probably 200 machines. Since 200 is a small fraction of machines in our department, most of the machines either go unmaintained or are maintained by someone who may or may not be a good sysadmin.

    On the other hand, when Bad Things Happen, the big guns get come in. They are most the impressive hackers I've met, and can probably dispense with a script kiddie faster than I can type "telnet script.kiddie.net\n su \n rm -rf /".

    So, perhaps you're right about a large university - Kaa's Law applies, but there are some very excellent people who clean up after the idiots.

    You're defintly right about home users - the ones who run *nix boxes aren't looking for intrusions. And I wouldn't even know where to start looking for intrusions on a Win95/98/ME box, so I wouldn't expect my mother to be able to either...

    [0] Kaa's Law: In any sufficiently large group, most are idiots.



    [ Parent ]
    Interesting (3.00 / 2) (#56)
    by Jason H. Smith on Thu Nov 23, 2000 at 10:02:22 PM EST

    That brings up an interesing topic.

    Is it possible to compile all of a given BSD's userland for the Linux kernel? LinBSD?

    Or vice versa? GNU/OpenBSD?

    Anybody wanna try? I've got a spare partition.
    Ants. (two by two)
    [ Parent ]
    Details! (3.00 / 1) (#59)
    by Luke Scharf on Thu Nov 23, 2000 at 11:54:50 PM EST

    Is it possible to compile all of a given BSD's userland for the Linux kernel? LinBSD?

    What services do you have in mind? I'm pretty sure that things like the Gnu Tools come out of the same source tree for both. The GUI stuff that you might choose to install on OpenBSD (X11, xlib, gnome, kde) are definetly the same. On the other hand, I'm pretty sure that they use different versions of init and if*.

    The thing that makes OpenBSD harder for me to use is the stuff in userland. Of course, if I were to install OpenBSD on my desktop, I'd probably swear up and down that it's easier to use then the Linux that's there right now. :-)

    So, give me a list of programs you're interested in compiling and then we can try it. :-)



    [ Parent ]
    Linux Router ~ Maybe..... (3.50 / 6) (#22)
    by sitram on Tue Nov 21, 2000 at 10:44:36 AM EST

    When I ordered my DSL line, I started thinking a lot about security myself. That's when I stumbled upon the Linux Router Project. This is essentially a firewall that runs off a floppy disk. This makes things pretty tight since your filesystem will be stored in RAM and your important data will be write protected. It will do port forwarding, DHCP, etc... It's located here if you're interested. On the site, there are links to some pretty good documentation.

    Couple of suggestions (3.50 / 4) (#25)
    by Skippy on Tue Nov 21, 2000 at 11:56:16 AM EST

    First, I agree with the Linksys router group. I own one and it's wonderful. The newest firmware allows you to block certain ports incoming and outgoing and IIRC now supports syslog.

    Secondly, if you are serious about using a full distro, instead of a floppy solution, then I recommend you read the TrinityOS document at http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html. Its LONG and complicated but it is a GOOD resource on how to harden linux for security.

    # I am now finished talking out my ass about things that I am not qualified to discuss. #

    A couple more details, a couple of suggestions. (3.33 / 6) (#26)
    by theR on Tue Nov 21, 2000 at 12:00:17 PM EST

    Even though I know a lot of people will be against a story like this, as I saw one person compare it to Ask Slashdot, I am probably voting +1, mainly because it is a subject that a lot of K5 readers probably deal with, are interested in, and have suggestions for. It will also probably spark some interesting conversations.

    I am wondering, though, what exactly the goal is. Do just want a simple to configure, effective firewall? Or do you want to use this as a learning experience? How in depth do you want to get? How many boxes are you planning on connecting? I think answers to these questions would help come up with a solution, but without the answers you will get a wider range of responses, which is probably better from K5's point of view.

    For a simple solution, without having to switch your OS from W2K, there is ZoneAlarm. It's free, easy to use, and from my experience, effective. If you would rather have a dedicated box as a firewall or get away from Windows, there is the NetBSD Firewall Project, among others. There are also many dedicated firewall/router combinations that would work, like the Lynksys. The possibilities are virtually endless. It just depends how in depth you want to get and what you want to get out of it.



    Minimal Distros (3.00 / 6) (#27)
    by Zane_NBK on Tue Nov 21, 2000 at 12:14:20 PM EST

    If you're wanting to setup a minimal system for a firewall you should find a smaller distribution than Redhat. Redhat is so high level in it's package selection that you're invariable going to get a TON of stuff that you don't need. There are mini distributions and embedded distributions (very small distros with just the minimum required to run linux and firewalling).

    -Zane


    Security, a firewall & BSD (3.50 / 6) (#28)
    by kibomaster on Tue Nov 21, 2000 at 12:22:44 PM EST

    If you're looking for something to increse your security, linux isn't it. Don't get me wrong, Linux is a wonderful OS, but for hardened security it falls a bit short. I'm assuming you want some sort of firewall, I highly reccomend openBSD IMHO it's the most secure OS out there. However, in order to get it working correctly you really have to know what you're doing and if you've never used a BSD OS before, it can be quite complicated. You may want to start out with freeBSD or netBSD I know I've seen freeBSD cd's and manuals avaliable at stores. (I know for a fact Best Buy sells them) I'm running freeBSD on my firewall in my Dorm. When I get some free time, (read never) I plan to switch it to openBSD.

    As far as Linux distributions go: For more pure Linux without all the crap go with Debian or Slackware. If you think you'll be needing more support RedHat has some easy to understand documentation and 24/7 Tech support. I currently use SuSE It's 6 cd's of everything you'll ever need. SuSE is geared more toward office/desktop, but they've got a professional version as well.

    If you really want to get into Linux I'd start out with debian or slackware. Once you're comfortable with the OS, you can move over to *BSD.

    http://www.helixcomputers.com/

    Having installed all the BSDs and many linuxes... (3.25 / 4) (#33)
    by trhurler on Tue Nov 21, 2000 at 02:00:57 PM EST

    I will say that I think OpenBSD is easier to install than just about any of them. It may not be moronproof in the sense of being easier to LEARN to install, but then, if you want security, nothing is moronproof; the fact that you can make FreeBSD install even if you're a retard will not make your FreeBSD machine any more secure than a Linux install; for that, you need actual brain cells to rub together. OTOH, if you just install OpenBSD, get it running, and don't change anything you don't understand, you're in pretty good shape.

    --
    'God dammit, your posts make me hard.' --LilDebbie

    [ Parent ]
    Re: Having installed all the BSDs and many linuxes (4.00 / 2) (#46)
    by Kartoffel on Wed Nov 22, 2000 at 10:42:26 AM EST

    OpenBSD may not be moronproof in the sense of being easier to LEARN to install, but then, if you want security, nothing is moronproof

    Yes! OpenBSD certainly does not give you a dumbed-down GUI install. For example, disklabel required during a fresh install is about as friendly as ed, but at least they warn you to have the manpage ready ahead of time. Like the old saying goes, UNIX *is* user friendly, it's just picky about who its friends are.

    Making a product accessible to people who refuse to learn can be a liability. In most parts of the world, they don't let you drive until you pass a test and get a license.

    I dunno about products like Bastille Linux. If security is a big deal, why not make your own distro? Running a kiddie-friendly script to patch over what's probably the worst security offender of all (Red Hat) just doesn't make sense. Maybe the idea is to make it accessible to more people, since RH seems to be so popular. Last I checked, *BSD was freely downloadable. Cheapbytes has BSD CDs too. Hell, even CompUSA is selling FreeBSD these days.

    [ Parent ]

    Re: Security, a firewall & BSD (4.00 / 1) (#57)
    by Jason H. Smith on Thu Nov 23, 2000 at 10:39:58 PM EST

    Don't get me wrong, Linux is a wonderful OS, but for hardened security it falls a bit short

    Yes, it certainly does. But one thing to keep in mind is that hardened security is not always quite so necessary. Linux is more featureful, and in terms of DSL security, I feel that it is adequate. In computers, everything is a compromise. I feel that Linux is the most feature-rich free OS and its security is still far higher than the majority of cable or DSL users. As such, I would suggest Linux over Microsoft to somebody who asked me what to do with cable or DSL. (Yes, I would suggest OpenBSD over Linux if they posed such a question.)

    At home, I basically run everything + kitchen sink behind a 486 OBSD firewall, which logs script kiddie scans. The majority of them are looking for Windows shares, since the majority of cable users are running Windows. The others are typically rpc service scans. I have not tested this, but I believe that such scans would be unsuccessful to any decent distribution today. And DoS with respect to the Linux kernel is not much of an issue when you are an end user (what services do you have to deny?).

    I say that just because Linux is not as secure as the BSDs, that doesn't automatically discount its use for desktop/NAT with cable or DSL. In my opinion, if a user finds Linux more friendly than BSD (I find the contrary to be true, but I dream in man pages, so...), I say have at it.


    Ants. (two by two)
    [ Parent ]
    Bastille (3.33 / 6) (#34)
    by micco on Tue Nov 21, 2000 at 02:28:49 PM EST

    Bastille Linux is a set of scripts you can run on Redhat which guides you through making the system more secure. I haven't used it since I run Slackware, but I've heard good things.

    As suggested by others, TrinityOS offers a good checklist for securing a system, and Tripwire or some other intrusion detection will allow you to log exploits so you can learn from them.

    Portsentry (3.33 / 3) (#38)
    by strepsil on Tue Nov 21, 2000 at 07:16:43 PM EST

    Whatever you choose to run, I can't recommend Portsentry highly enough. It runs on any unused ports, and waits for a port scan, then can drop access from the scanning IP.

    It's not foolproof, by a long shot, but most script kiddies will port scan a machine before anything else. If you're using Portsentry, they just cut themselves off from your box.

    This, of course, goes hand in hand with NOT RUNNING SERVICES YOU'RE NOT USING! The more well known service ports that portsentry can attach to, the more effective it is.

    Not to sounds whatever, but... (3.50 / 4) (#39)
    by jcamp on Tue Nov 21, 2000 at 08:26:51 PM EST

    I bought myself one of those Linksys DSL routers. I think it was about 200 bucks. It was nice cause I wanted something to just drop in and work. It's a DHCP server, supports NAT, built in 4 port switch, will work with PPPoE, allows you to assign your own IP blocks (doesn't force you to use 192.168.1), let's you specify a DMZ host to do port forwarding, and best of all it was easy. 5 mins of config.

    I know it's always fun to do it yourself, but just a suggestion that worked well for me, and if a 486 will cost you that much (you should see if you can get one for free), then this is a cool way to go. Linksys as a company sucks, they don't put out updates fast enough for me, and apparantly host their FTP server off of a T1 which tends to be slooooow around update releases. This ist the only applicance I've dealt with like this, I know there are other brands, you might wanna check them out.

    Jason

    thoughts .. (4.00 / 5) (#41)
    by gbroiles on Tue Nov 21, 2000 at 09:11:40 PM EST

    If you just want a cheap firewall to protect other machines, go with the Linksys and don't look back.

    If you want a hardened server, you want OpenBSD.

    If you want a machine secure enough to be a server but still useful as a personal computer, you want FreeBSD.

    If you want something even friendlier but less secure than that, Linux is what you want - Debian seems to have fewer security issues than Red Hat does, and I think its "apt-get" system is much easier to use than the RPM, but YMMV. If you want Debian, I have been very impressed with the Stormix distribution.

    In any event, think about buying more RAM if you're planning to use the box for anything involving X and graphics - RAM is pretty cheap now, and the performance difference between 32 and 64 or 128 megs is dramatic.

    Why openBSD (3.00 / 2) (#43)
    by blackhole_1 on Wed Nov 22, 2000 at 04:45:02 AM EST

    Many posts here keep mentioning that OpenBSD is the way to go. What exact feature of openBSD makes it better than Linux? I thought that a bug in sendmail can be equally well exploited in openBSD as in Linux. Is that assumption wrong?

    If you install an ultra-minimal version of any Unix you should be OK. By ultra-minimal, I mean *NO* publicly accessible server software.

    Some common things to help do that:

    o Use ipchains to block all incoming TCP connection requests.

    o Use tcpserver instead of inetd wherever possible (http://cr.yp.to) so that your servers listen only to the
    address bound to the home-LAN part of your network.

    If you do run some publicly visbile server software on the "firewall", it is no longer a firewall. You are deep in system admin territory.

    I strongly believe that lusers :-) should not be running servers from home machines. It is too much work for casual users to update packages.

    On the whole, I stronly subscribe to the view that firewall appliances are the way to go for almost all users.


    [ Parent ]
    OpenBSDs default install is secure (3.50 / 2) (#44)
    by ewan on Wed Nov 22, 2000 at 08:44:20 AM EST

    That's the mail difference. RedHat, SuSE, etc, are all insecure when first installed, you have to go round patching and disabling before you do anything else.

    OpenBSD on the other hand generally doesn't install the extra software like sendmail by default, so you don't have to worry about removing them.

    Ewan

    [ Parent ]

    Re: Why OpenBSD (3.50 / 2) (#45)
    by Kartoffel on Wed Nov 22, 2000 at 10:22:47 AM EST

    What exact feature of openBSD makes it better than Linux?

    Because *BSD is not Linux. In the BSD world,

    • There is a clear and definite boundary between the core operating system everything else-- additional ports, user features, and optional stuff.
    • There is no single leader of kernel development, as in Linux. The BSD core teams are appointed approximately annually. The kernel folks care about *BSD as a complete package, whereas Linus has openly admitted that all he cares about is the kernel and what everyone else does with the OS doesn't really concern him.
    • BSD is sane. Tools are well documented. Things work logically. BSD just gives me a warm fuzzy feeling, unlike the anarchy of Linux.
    • OpenBSD in particular is famous (notorious?) for painstaking code reviews and top notch security. OpenBSD has also helped further projects such as OpenSSL, OpenSSH, ipf, Photuris, and KAME IPv6.
    • All 3 free flavors of BSD come out of the box with a "turned off by default" philosophy. If you don't need a service, it's not turned on. They assume if you need a new service, you'll have enough clue to figure out how to turn it on. Look at how many home Linux systems (RH in particular) are running all sorts of unnecessary services where the users/admins aren't even aware of the problem!
    • /usr/ports ;-)

    Having said all that, if Linux is your bag, then by all means go ahead and use it. Linux can be a fine operating system if you care to deal with the mediocrity and disorganization.

    [ Parent ]

    DoS Vulnerabilities (3.00 / 3) (#47)
    by Chiron on Wed Nov 22, 2000 at 10:58:01 AM EST

    Linux still has some considerable ip-fragmentation vulnerabilities in the 2.2.x kernels, making it very easy to take them down with a few crafted packets. (Unsure whether the current 2.3.x development kernels still have these problems) IP-Chains won't help you with this one, either.

    I think people recommend OpenBSD over Linux or even FreeBSD for exposed hosts because OpenBSD's focus is security and stability over features and speed. Linux accretes features and new capabilities much faster than either FreeBSD or OpenBSD, due to the developers' goals, however, it does so at the cost of stability and security.

    It basically comes down to how exposed the server is, and what it is expected to do. The conventional wisdom in the open source world seems to be, FreeBSD for moderate progress on features and high stability, Linux for features, variety and bleeding edge hardware, OpenBSD for security and NetBSD for bizarre orphan hardware. Each kernel and distribution has its distinct advantages, and disadvantages.

    I agree that, money and space limitations being little to no object, a webserver should not be placed on an exposed host without an intervening firewall, a properly locked down and well monitored system which is kept up to date by a hobbyist's fanatical care, should be safe enough to keep the casual kiddies at bay.


    [ Parent ]
    Why OpenBSD? Security! (4.00 / 3) (#49)
    by gromm on Wed Nov 22, 2000 at 11:20:02 AM EST

    >Many posts here keep mentioning that OpenBSD is the way to go. What exact feature of
    >openBSD makes it better than Linux? I thought that a bug in sendmail can be equally well
    >exploited in openBSD as in Linux. Is that assumption wrong?

    Sure, but the default install of openbsd is secure. It doesn't run any servers you don't put on it on purpose.

    That, and IIRC, noone's broken into a default install of OpenBSD in the past two years. Which makes it good enough for a damn secure firewall, eh? :)

    One consideration though, is that if you're making a firewall-only box, the *best* way to go is to ditch the harddrive and run a stripped-down version of the OS off a floppy along with ipchains or ipfw. That way if anyone decides to lay waste to your firewall, you just pop the floppy back in and reboot... no worries about whether the filesystem is corrupt or not, since it was just a ramdisk and now it's gone. :)

    Some people have suggested the use of one of those consumer-grade Cable modem firewalls like what Linksys sells. In my personal and professional opinion, they suck. Sure, they'll keep script kiddies out of your windows smb shares, but not much beyond that. They're usually using old firewall technology and are limited in functionality. If you wanna be socially responsible or keep your Electric bill down, (or both) then a better alternative is to buy an old laptop instead of a desktop machine. With space for a couple PCMCIA network cards and features like a built-in keyboard, monitor and UPS, you'd also be using about the same amount of watts as a linksys firewall. Of course, it's about twice as expensive to buy a comparative laptop, and spare parts are often obnoxious to find. But you'd have a router in the same amount of space as a hardware router, so there's a coolness factor too. ;)

    Anyway, that's just my 2 bytes. :)
    Deus ex frigerifero
    [ Parent ]
    OpenBSD is cleaner (4.00 / 1) (#54)
    by Jason H. Smith on Thu Nov 23, 2000 at 09:47:27 PM EST

    What exact feature of openBSD makes it better than Linux? I thought that a bug in sendmail can be equally well exploited in openBSD as in Linux. Is that assumption wrong?

    Yes. You have a point. If I had a nickel for every time I heard, "No remote exploits in the default install in three years . . . ." Yes. OpenBSD's default install leaves many services to be desired. (IMHO, the rationale behind this is solid; you can now install only what you want. And installing what you want is typically a breeze. See below.) But yes. I do see your point. If you install sendmail and sendmail has a bug your system has a hole. Still, what system wouldn't?

    However, people are, IMO, very correct about it's coherent design. I remember very clearly the feeling I had when I first started getting used to *BSD. It felt exactly like the feeling that I had when I started to grok Linux. Clean design. Stuff just works. For instance, installing enlightenment in OpenBSD works something like this:

    $ su
    # cd /usr/ports/x11/enlightenment
    # make install
    
    Hell that at least puts it on par with RPM or apt-get.

    Things are easy to do, and I always find myself saying, "Oh, neat! That totally makes sense." Also, I was suprised by the similarities between Linux and the BSDs. Both have bash, both have tcsh, both run XFree86, both have GTK+, both have KDE, both have color ls (my fave), etc. ad nauseum. On my machine at home, I multi-boot NetBSD, OpenBSD, and Linux, and they all share the same /home partition.

    Where I think the crucial difference lies is the quality of the code. This sets OpenBSD apart from the pack. People sit down and read every line of code trying to eliminate bugs. Not security holes, but bugs. A system with fewer bugs probably has fewer holes in the first place. But also, and more importantly for you, it has less bugs! Just today I saw a problem with rcp posted to Bugtraq that I could reproduce on Linux, NetBSD, and Solaris, but not on OpenBSD. I checked the code and somebody had gone through and taken care of it already. That is what impresses me with OpenBSD. The big-picture design really shows.

    To be fair, OpenBSD in particular does not have the latest features. Especially with eye-candy and other niceties. As I wrote this, I realized that, for some reason, GNOME is not in the ports tree, for instance. This says nothing about the latest features with networking and security, however. OpenBSD can do swap space encryption and has support for hardware encryption, IPSEC, etc. The OpenSSH implementation done by the OpenBSD group is used on Debian and RedHat. Still, some of the flexibility is most certainly not there. I would not suggest OpenBSD as a desktop system for no reason (besides the obvious: to learn). Linux works just fine and is more featureful with the stuff that counts for a desktop system. However, if you are going to use your computer to do anything but "desktopping," I say BSD all the way.


    Ants. (two by two)
    [ Parent ]
    re: cleaner (3.00 / 1) (#55)
    by Jason H. Smith on Thu Nov 23, 2000 at 09:49:30 PM EST

    OpenBSD has a more colorful founder, besides! :)
    Ants. (two by two)
    [ Parent ]
    BSD's firewall code much better than IPChains (4.00 / 1) (#61)
    by Malor on Mon Dec 04, 2000 at 04:21:48 PM EST

    I assume this is true of the other BSD's as well, but my experience is with OpenBSD.

    If you want to set up a firewall, DON'T use Linux. It's just not that good. It doesn't do stateful inspection. You can set up a tolerable firewall but it's a major pain in the ass -- your rules list can be 90+ lines for even a vanilla config. There are www-based wizards online that will ask you questions and write you an IPchains rules set. They're nice tools, but it doesn't hide the fact that you NEED these insanely complex rules sets to do most normal things.

    OpenBSD does stateful inspection -- that is, it UNDERSTANDS the net traffic passing through it. You can make a much stronger firewall with far fewer lines. As a matter of fact, you can set up a very basic firewall in about three lines, which allows outgoing connections, *allows replies to those connections*, and blocks all unsolicited inbound traffic. Allowing replies is basically impossible with Linux. You can sort of simulate this effect with the complex rules sets, but the final effect ends up being a firewall that allows traffic through that it shouldn't.

    Simplicity in firewalls is critical. It is very easy to make a mistake when you get more than about ten rules. OpenBSD, due to its simplicity and robustness, makes an excellent firewall, NAT, and DHCP device.

    But note that it will still take 8 to 10 hours for a solid setup in OpenBSD -- 'easier' doesn't directly translate to 'easy'. You can set up a Linksys router/switch in about 30 minutes by comparison, and it's a lot cheaper to boot. You get a really amazing degree of control with the BSD solution, but for most people I'd suggest doing Linksys.

    In any case, Linux makes a superb router, but it's a rotten firewall. Don't use it for that. I'm really surprised more people don't talk about this!

    [ Parent ]
    486 ! Why bother (1.16 / 6) (#50)
    by Sherman Peabody on Wed Nov 22, 2000 at 12:04:20 PM EST

    Sorry, but don't be a cheap jerk. Spend some money and get a decent machine. An adult with a job has no business running a 486 for anything. People are throwing away pentium 75's, get one!

    It doesn't cost a fortune. Any OS you buy will look like crap on that 486. You will be frustrated and not learn anything except that you don't have enough RAM.

    If all you want is a firewall, go with the Linksys and be done with it. If you want to learn a classic Un*x, get Slackware or *BSD. If you want all the fun stuff without having to worry about compatibility, go with Red Hat.

    Do not go with a 486.



    Beginner linux security question | 61 comments (56 topical, 5 editorial, 0 hidden)
    Display: Sort:

    kuro5hin.org

    [XML]
    All trademarks and copyrights on this page are owned by their respective companies. The Rest © 2000 - Present Kuro5hin.org Inc.
    See our legalese page for copyright policies. Please also read our Privacy Policy.
    Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
    Need some help? Email help@kuro5hin.org.
    My heart's the long stairs.

    Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!