Spent (n00b)
Joined: 30 May 2004, Posts: 55, Location: Bawlmer Hon!
Posted: Sat Dec 01, 2012 12:18 am, Post subject: Security question concerning home server

I currently have a headless Gentoo file/print server running these services:
NFS
Samba
Cups
sshd
I would also like to use the server as a router, but I'm not sure if my server would still be secure with the router and server being the same box. Right now the only contact the server has with the outside world is from portage; I'm sharing portage over NFS for my desktop. I currently have a cheap Cisco router, but I would like to consolidate and have fewer things running up my electric bill. Plus I'm drawn by the "coolness" factor of building a Linux router and by the control having one would give me. Building a separate box just for a router seems overkill though and defeats my desire to save electricity.
Hu (Moderator)
Joined: 06 Mar 2007, Posts: 21670
Posted: Sat Dec 01, 2012 1:08 am

The security issue depends on whether you plan to offer service to the outside world. If you configure the router to drop all connection attempts and unsolicited UDP from the Internet, then no one can contact those services, so it is as secure as though they were not running. Test your configuration from outside after it is prepared.
Jaglover (Watchman)
Joined: 29 May 2005, Posts: 8291, Location: Saint Amant, Acadiana
Posted: Sat Dec 01, 2012 1:28 am

I've been running a home router/server for ages. If you leave ports open you'll see all kinds of attacks. For instance, I run a mail server for local mail, to collect all the email alerts my boxes send to me. I had port 110 open to the world. One day I noticed my connection was kind of slow. Closer inspection revealed there were so many attacks on port 110 that they actually slowed down my net connection. Of course, Linux/Unix boxes can face the outside world without hiding behind hardware firewalls (unlike some tiny-softy stuff); you just have to administer them responsibly.
faemin (n00b)
Joined: 16 Oct 2012, Posts: 22
Posted: Sat Dec 01, 2012 6:51 am, Post subject: Re: Security question concerning home server

...
Last edited by faemin on Sun Dec 02, 2012 9:41 pm; edited 2 times in total

Spent (n00b)
Joined: 30 May 2004, Posts: 55, Location: Bawlmer Hon!
Posted: Sat Dec 01, 2012 1:27 pm

I was going to use the Gentoo home router guide to set up the router. I did some searching for an answer to my question; the Arch wiki router guide specifically says not to run NFS or Samba on the router. I thought it would be okay since I have them configured to only be accessible from IPs in my LAN. I didn't know if whoever wrote their wiki was being overly paranoid or if I would be committing a "security faux pas" by combining the router and server, so I thought I would ask.
elmar283 (Guru)
Joined: 06 Dec 2004, Posts: 316, Location: Haarlem, Netherlands
Posted: Sat Dec 01, 2012 1:34 pm

I agree with you. As long as you disable the WAN card for Samba and NFS it should be OK.
I did block them in my iptables rules and in the Samba config file. I do not use NFS.
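Hu's rule (drop every unsolicited connection and UDP packet arriving from the Internet) and elmar283's LAN-only exposure of Samba and NFS, written out as an added example in iptables-restore form; this is not code from any poster or from the Gentoo router guide. The interface names eth0 (WAN) and eth1 (LAN) and the 192.168.1.0/24 subnet are assumed placeholders.

```shell
#!/bin/sh
# Added example: home router/server firewall in iptables-restore format.
# Assumed (placeholder) names: eth0 faces the Internet, eth1 faces the LAN,
# and the LAN uses 192.168.1.0/24. Edit these before applying.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
# Print the ruleset; "./fw.sh apply" loads it atomically (root required).
build_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# LAN hosts reach the Internet through the router's WAN address
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the router itself started are allowed back in
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets on the WAN side claiming a LAN source address are spoofed
-A INPUT -i $WAN -s $LAN_NET -j DROP
# LAN-only services: sshd 22, rpcbind 111 (NFSv3), Samba 137-139/445, CUPS 631,
# NFS 2049. Nothing arriving on the WAN is accepted, so unsolicited TCP and UDP
# from the Internet fall through to the INPUT DROP policy.
-A INPUT -i $LAN -s $LAN_NET -p tcp -m multiport --dports 22,111,139,445,631,2049 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p udp -m multiport --dports 111,137,138,2049 -j ACCEPT
# Forward LAN -> Internet and only the replies back
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
COMMIT
EOF
}
# Self-check: number of rules accepting traffic that arrives on the WAN (want 0)
wan_accept_count() {
    build_rules | grep -- "-i $WAN" | grep -c -- "-j ACCEPT" || true
}
# Self-check: TCP ports opened on the LAN side
lan_tcp_ports() {
    build_rules | grep -- "-i $LAN" | grep -- "-p tcp" \
        | sed 's/.*--dports \([0-9,]*\).*/\1/'
}
if [ "${1:-}" = "apply" ]; then
    build_rules | iptables-restore   # also needs net.ipv4.ip_forward=1
else
    build_rules
fi
```

Samba can additionally be told to listen only on the LAN side with `interfaces = lo eth1` and `bind interfaces only = yes` in smb.conf, which is the config-file blocking elmar283 mentions. As Hu says, verify from an outside host that nothing answers on the WAN address once the rules are loaded.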
gabrielg (Tux's lil' helper)
Joined: 16 Nov 2012, Posts: 134
Posted: Sat Dec 01, 2012 1:50 pm

I used to run Gentoo as my router and home server some time ago without problems. I saw attacks and the like, but you'll always get those; nobody could make a successful one anyway. I had several services for the outside world, all HTTP(S), and of course SSH open. I got tired of seeing people trying to access by brute force on SSH, so then I hid it behind 443 with a multiplexer (so 443 would be HTTPS and SSH); no more attempts afterwards.
The only thing I'll say is that the iptables configuration got quite long. I know there are tools out there to manage it better, but eventually I installed OpenBSD and kept Gentoo inside the LAN (you end up with two servers, but then again, I haven't got pets so I have to entertain myself with something).
In summary, it's perfectly safe so long as you manage it responsibly and keep it up to date. Gentoo is very good security-wise. Of course, this doesn't apply to zero days, but those are hard to find anyway. As an anecdote, when the local permission escalation bug came along a few years ago (the one that allowed a local user to become root because of some vsplice bug) I successfully tested it on RH Linuxes (32 and 64 bits) and Debian (of course), but not Gentoo. So, there you go.
Jaglover (Watchman)
Joined: 29 May 2005, Posts: 8291, Location: Saint Amant, Acadiana
Posted: Sat Dec 01, 2012 1:58 pm

I didn't mention it, but my routers have always been running FreeBSD. Once I rebooted it and because of some script error the firewall didn't load. I didn't notice it until someone started using my MPD ... it was without a firewall for six months, under attacks, yet nobody managed to get in. Gotta love BSD.
faemin (n00b)
Joined: 16 Oct 2012, Posts: 22
Posted: Sun Dec 02, 2012 5:00 am

...
Last edited by faemin on Sun Dec 02, 2012 9:48 pm; edited 1 time in total

cach0rr0 (Bodhisattva)
Joined: 13 Nov 2008, Posts: 4123, Location: Houston, Republic of Texas
Posted: Sun Dec 02, 2012 10:44 am

- There is no *functional* reason not to have these services running on this server/router. If the outside world cannot connect to them, where they are located is completely and totally 100% irrefutably irrelevant. If they cannot be connected to from the outside world, they are not an external attack vector - period. The only reasons not to run these services on an edge router are those of principle and dogma, not function. Can't connect? Can't exploit.
- There is absolutely zero you can do with a dedicated commercial firewall that you cannot do with netfilter, short of vendor-specific proprietary routing protocols. For a home environment, doing so is overkill. For most environments, doing so is overkill.