Gentoo Forums
Security question concerning home server

Spent
n00b
Joined: 30 May 2004
Posts: 55
Location: Bawlmer Hon!
PostPosted: Sat Dec 01, 2012 12:18 am    Post subject: Security question concerning home server

I currently have a headless Gentoo file/print server running these services:

NFS
Samba
Cups
sshd

I would also like to use the server as a router, but I'm not sure if my server would still be secure having the router and server being the same box. Right now the only contact the server has to the outside world is from portage, I'm sharing portage over NFS for my desktop. I currently have a cheap Cisco router, but I would like to consolidate and have less things running up my electric bill. Plus I'm drawn by the "coolness" factor of building a linux router and from the control having one would give me. Building a separate box just for a router seems overkill though and defeats my desire to save electricity.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 21518
PostPosted: Sat Dec 01, 2012 1:08 am

The security issue depends on whether you plan to offer service to the outside world. If you configure the router to drop all connection attempts and unsolicited UDP from the Internet, then no one can contact those services, so it is as secure as though they were not running. Test your configuration from outside after it is prepared.
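Hu's advice above (drop every connection attempt and all unsolicited UDP from the Internet, then test from outside), as an added example that is not part of the thread: a default-deny, stateful iptables ruleset for a box that is both the home router and the file/print server. The interface names eth0 (WAN) and eth1 (LAN) and the LAN prefix 192.168.1.0/24 are assumptions; adjust them through the WAN, LAN and LAN_NET environment variables.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny, stateful iptables ruleset
# for a Linux box that is both the home router and the file/print server.
# Assumed names: WAN interface eth0, LAN interface eth1, LAN prefix 192.168.1.0/24.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore format so it can be reviewed before loading.
generate_rules() {
    cat <<EOF
*filter
# Default policies: nothing comes in or through unless a rule below allows it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this box opened are always accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts (only LAN-prefix sources, and only on the LAN interface) may reach
# the local services: NFS, Samba, CUPS and sshd.
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
# Anything else arriving on the WAN, unsolicited UDP included, hits the DROP policy.
# Routing: the LAN may go out; only return traffic is forwarded back in.
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the WAN address.
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Load the ruleset only when asked explicitly and running as root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    generate_rules | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1
}

# Number of -A rules in the generated set (a quick sanity check before loading).
rule_count() {
    generate_rules | grep -c '^-A '
}

case "${1:-print}" in
    apply) apply_rules ;;
    *) generate_rules ;;
esac
```

Run it with no arguments to review the rules, and `apply` as root to load them. The step that verifies the result is the one Hu names: from a host outside the LAN (a phone on mobile data will do), a port scan of the WAN address should report every port as filtered, and the LAN services should still answer from inside.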

Jaglover
Watchman
Joined: 29 May 2005
Posts: 8291
Location: Saint Amant, Acadiana
PostPosted: Sat Dec 01, 2012 1:28 am

I've been running a home router/server for ages. If you leave ports open you'll see all kinds of attacks. For instance, I run a mail server for local mail, to collect all the email alerts my boxes send to me. I had port 110 open to the world. One day I noticed my connection was kind of slow. Closer inspection revealed there were so many attacks on port 110 that they actually slowed down my net connection. Of course, Linux/Unix boxes can face the outside world without hiding behind hardware firewalls (unlike some tiny-softy stuff); you just have to administer them responsibly.
_________________
My Gentoo installation notes.
Please learn how to denote units correctly!

faemin
n00b
Joined: 16 Oct 2012
Posts: 22
PostPosted: Sat Dec 01, 2012 6:51 am    Post subject: Re: Security question concerning home server

...

Last edited by faemin on Sun Dec 02, 2012 9:41 pm; edited 2 times in total

elmar283
Guru
Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands
PostPosted: Sat Dec 01, 2012 12:26 pm

I have made my Gentoo box a router and that computer is open to the world.
I have an iptables firewall. I followed the guide on http://www.gentoo.org/doc/en/home-router-howto.xml.

There are other guides like:
- http://www.gentoo-wiki.info/HOWTO_Iptables_and_stateful_firewalls
- http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
- http://wiki.gentoo.org/wiki/Iptables
- and google.com can be your friend.

Spent
n00b
Joined: 30 May 2004
Posts: 55
Location: Bawlmer Hon!
PostPosted: Sat Dec 01, 2012 1:27 pm

I was going to use the Gentoo home router guide to set up the router. I did some searching for an answer to my question; the ArchWiki router guide specifically says not to run NFS or Samba on the router. I thought it would be okay since I have them configured to only be accessible from IPs in my LAN. I didn't know if whoever wrote their wiki was being overly paranoid or if I would be committing a "security faux pas" by combining the router and server, so I thought I would ask.

elmar283
Guru
Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands
PostPosted: Sat Dec 01, 2012 1:34 pm

I agree with you. As long as you disable the WAN card for Samba and NFS it should be OK.
I did block them in my iptables rules and in the Samba config file. I do not use NFS.
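The LAN-only restriction that Spent and elmar283 describe for NFS and Samba, as an added example that is not part of the thread: a small audit that reads `ss -tuln` style output and lists every listening socket that would be reachable on the WAN side (bound to a wildcard address or to the WAN address itself), next to the Samba and NFS configuration fragments that keep those two services on the LAN. The socket listing is constructed, not captured from a real host; the WAN address 203.0.113.5, the LAN interface eth1 and the 192.168.1.0/24 prefix are assumptions. `interfaces`, `bind interfaces only` and `hosts allow` are real smb.conf parameters; the `/etc/exports` line uses standard exportfs syntax.

```shell
#!/bin/sh
# Added example (not from the thread): find listening sockets reachable from the
# WAN side, and the config fragments that keep Samba and NFS on the LAN only.
# Assumed addresses: WAN 203.0.113.5, LAN interface eth1 with 192.168.1.1/24.
WAN_IP="${WAN_IP:-203.0.113.5}"

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.1:2049   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    [::]:139           [::]:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*'

# Read ss -tuln output on stdin; print "proto address port" for every socket bound
# to a wildcard address or to the WAN address given as $1.  Sockets bound to
# loopback or to a LAN address cannot be reached from outside and are not reported.
exposed_listeners() {
    awk -v wan="$1" '
        NR == 1 { next }                      # skip the header line
        {
            n = split($5, parts, ":")
            port = parts[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::" || addr == wan)
                print $1, addr, port
        }'
}

# Run the audit over the constructed sample; returns the number of exposed sockets.
sample_exposed_count() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$WAN_IP" | grep -c .
}

# smb.conf [global] fragment that binds Samba to loopback and the LAN interface only.
samba_lan_only() {
    cat <<'EOF'
[global]
    interfaces = lo eth1
    bind interfaces only = yes
    hosts allow = 127. 192.168.1.
EOF
}

# /etc/exports line that limits the portage export to LAN clients.
exports_lan_only() {
    printf '%s\n' '/usr/portage 192.168.1.0/24(ro,no_subtree_check)'
}

# When run directly, print the audit of the sample listing.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$WAN_IP"
```

On a real host, pipe `ss -tuln` into `exposed_listeners` with the box's WAN address. Anything it prints is a service that relies on the firewall alone; the Samba and NFS fragments remove the wildcard bindings so that the services stay LAN-only even on a day the firewall script fails to load.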

Jaglover
Watchman
Joined: 29 May 2005
Posts: 8291
Location: Saint Amant, Acadiana
PostPosted: Sat Dec 01, 2012 1:35 pm

NFSv4 is secure and can be used over the internet. I've always had NFS on my router, to host portage for all boxes.

gabrielg
Tux's lil' helper
Joined: 16 Nov 2012
Posts: 134
PostPosted: Sat Dec 01, 2012 1:50 pm

I used to run Gentoo as my router and home server some time ago without problems. I saw attacks and the like, but you'll always get those; nobody could make a successful one anyway. I had several services for the outside world, all HTTP(S), and of course SSH open. I got tired of seeing people trying to get in by brute force on SSH, so I hid it behind 443 with a multiplexer (so 443 would be both HTTPS and SSH); no more attempts afterwards.

The only thing I'll say is that the iptables configuration got quite long. I know there are tools out there to manage it better but eventually I installed OpenBSD and kept Gentoo inside the LAN (you end up with two servers, but then again, I haven't got pets so I have to entertain myself with something :-) ).

In summary, it's perfectly safe so long as you manage it responsibly and keep it up to date. Gentoo is very good security-wise. Of course, this doesn't apply to zero days, but those are hard to find anyway. As an anecdote, when the local permission escalation bug came along a few years ago (the one that allowed a local user to become root because of some vsplice bug), I successfully tested it on RH Linuxes (32 and 64 bit) and Debian (of course), but not Gentoo. So, there you go.

Jaglover
Watchman
Joined: 29 May 2005
Posts: 8291
Location: Saint Amant, Acadiana
PostPosted: Sat Dec 01, 2012 1:58 pm

I didn't mention it, but my routers have always been running FreeBSD. Once I rebooted it and, because of some script error, the firewall didn't load. I didn't notice until someone started using my MPD ... it was without a firewall for six months, under attack, yet nobody managed to get in. Gotta love BSD.

faemin
n00b
Joined: 16 Oct 2012
Posts: 22
PostPosted: Sun Dec 02, 2012 5:00 am

...

Last edited by faemin on Sun Dec 02, 2012 9:48 pm; edited 1 time in total

cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
PostPosted: Sun Dec 02, 2012 10:44 am

-there is no *functional* reason not to have these services running on this server/router. If the outside world cannot connect to them, where they are located is completely and totally 100% irrefutably irrelevant. If they cannot be connected to from the outside world, they are not an external attack vector - period. The only reasons not to run these services on an edge router are those of principle and dogma, not function. Can't connect? Can't exploit.

-there is absolutely zero you can do with a dedicated commercial firewall that you cannot do with netfilter, short of vendor-specific proprietary routing protocols. For a home environment, doing so is overkill. For most environments, doing so is overkill.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash