I currently have a headless Gentoo file/print server running these services:
NFS
Samba
Cups
sshd
I would also like to use the server as a router, but I'm not sure if my server would still be secure having the router and server being the same box. Right now the only contact the server has to the outside world is from portage, I'm sharing portage over NFS for my desktop. I currently have a cheap Cisco router, but I would like to consolidate and have less things running up my electric bill. Plus I'm drawn by the "coolness" factor of building a linux router and from the control having one would give me. Building a separate box just for a router seems overkill though and defeats my desire to save electricity.
Security question concerning home server
Message
The security issue depends on whether you plan to offer service to the outside world. If you configure the router to drop all connection attempts and unsolicited UDP from the Internet, then no one can contact those services, so it is as secure as though they were not running. Test your configuration from outside after it is prepared.
I've been running a home router/server for ages. If you leave ports open you'll see all kind of attacks. For instance, I run a mail server for local mail, to collect all email alerts my boxes send to me. I had port 110 open to the world. One day I noticed my connection is kind of slow. Closer inspection revealed there were so many attacks on port 110 they actually slowed down my net connection. Of course, Linux/Unix boxes can face outside world without hiding behind hardware firewalls (unlike some tiny-softy stuff), you just have to administer them responsibly.
Re: Security question concerning home server
...
Last edited by faemin on Sun Dec 02, 2012 9:41 pm, edited 2 times in total.
I have made my gentoobox made a router and that computer is open to the world.
I have an iptables firewal. I followed the guide on http://www.gentoo.org/doc/en/home-router-howto.xml.
There are other guides like:
- http://www.gentoo-wiki.info/HOWTO_Iptab ... _firewalls
- http://www.gentoo.org/doc/en/articles/l ... design.xml
- http://wiki.gentoo.org/wiki/Iptables
- and google.com can be your friend.
I have an iptables firewal. I followed the guide on http://www.gentoo.org/doc/en/home-router-howto.xml.
There are other guides like:
- http://www.gentoo-wiki.info/HOWTO_Iptab ... _firewalls
- http://www.gentoo.org/doc/en/articles/l ... design.xml
- http://wiki.gentoo.org/wiki/Iptables
- and google.com can be your friend.
I was going to use the Gentoo home router guide to set up the router. I did some searching for an answer to my question, the Archwiki router guide specifically says not to run nfs or samba on the router. I thought it would be okay since I have them configured to only be accessible from IP's in my lan. I didn't know if whoever wrote their wiki was being overly paranoid or if I would be committing a "security faux pas" by combining the router and server, so I thought I would ask.
I used to run Gentoo as my router and home server some time ago without problems, I saw attacks and the like, but you'll always get those, nobody could make a successful one anyway. I had several services for the outside world, all HTTP(S), and of course SSH open. I got tired of seeing people trying to access by brute force on SSH so then I hid it behind 443 with a multiplexer (so, 443 would be HTTPS and SSH), no more attempts afterwards.
The only thing I'll say is that the iptables configuration got quite long. I know there are tools out there to manage it better but eventually I installed OpenBSD and kept Gentoo inside the LAN (you end up with two servers, but then again, I haven't got pets so I have to entertain myself with something
).
In summary, it's perfectly safe so long as you manage it responsibly and keep it up to date. Gentoo is very good security-wise. Of course, this doesn't apply to zero days, but those are hard to find anyway. As an anecdote, when the local permission escalation bug came along a few years go (the one that allowed a local user to become root because of some vsplice bug) I successfully tested it in RH Linuxes (32 and 64 bits), Debian (of course) but not Gentoo. So, there you go.
The only thing I'll say is that the iptables configuration got quite long. I know there are tools out there to manage it better but eventually I installed OpenBSD and kept Gentoo inside the LAN (you end up with two servers, but then again, I haven't got pets so I have to entertain myself with something
).In summary, it's perfectly safe so long as you manage it responsibly and keep it up to date. Gentoo is very good security-wise. Of course, this doesn't apply to zero days, but those are hard to find anyway. As an anecdote, when the local permission escalation bug came along a few years go (the one that allowed a local user to become root because of some vsplice bug) I successfully tested it in RH Linuxes (32 and 64 bits), Debian (of course) but not Gentoo. So, there you go.
- cach0rr0
- Bodhisattva
- Posts: 4123
- Joined: Thu Nov 13, 2008 11:14 pm
- Location: Houston, Republic of Texas
-there is no *functional* reason not to have these services running on this server/router. If the outside world cannot connect to them, where there are located is completely and totally 100% irrefutably irrelevant. If they cannot be connected to from the outside world, they are not an external attack vector - period. The only reasons not to run these services on an edge router are those of principle and dogma, not function. Can't connect? Can't exploit.
-there is absolutely zero you can do with a dedicated commercial firewall that you cannot do with netfilter, short of vendor-specific proprietary routing protocols. For a home environment, doing so is overkill. For most environments, doing so is overkill.
-there is absolutely zero you can do with a dedicated commercial firewall that you cannot do with netfilter, short of vendor-specific proprietary routing protocols. For a home environment, doing so is overkill. For most environments, doing so is overkill.