
Securing a linux box

  • 30-03-2012 11:43am
    #1
    Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭


    Hi all,
    I've a media / HTPC server that I want to be able to access from the 'net, primarily for scheduling and because it sounds interesting!

    It's running mythbuntu 11.10 and an apache server is already setup along with some other services like calibre-server and openssh. I'll be able to set up the port forwarding and dyndns!

    I'm just a bit wary of the risk of hacking because this box also has my backups on it. So do you have any tips for properly securing it? Not looking for step by step, rather a list of things I should be doing.

    Any tips appreciated.


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    About the only service I trust to sit on the internet is SSH with keys and a passphrase.

    Should be all you need.


  • Registered Users, Registered Users 2 Posts: 1,215 ✭✭✭harney


    You'll find industry standard hardening guides in here for most operating systems

    http://benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.os.linux

    You will have to tweak the guide to re-enable what ever particular services you require for your system.


  • Registered Users, Registered Users 2 Posts: 1,477 ✭✭✭azzeretti


    syklops wrote: »
    About the only service I trust to sit on the internet is SSH with keys and a passphrase.

    Should be all you need.

    syklops++

    I have many Linux boxes facing the internet all with SSH key authentication and passphrases. For added security I use Fail2Ban to DROP all packets from the messers!


  • Registered Users, Registered Users 2 Posts: 7,518 ✭✭✭matrim


    If I have to do something like that I only forward to SSH so that is the only public service. I then access the web server over SSH.

    Alternatively if where you want to access it from has a static IP you could only allow access if you are coming from that IP address.

    And the last option which is probably overkill is set up an openvpn server and VPN into your home network to access it.


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    matrim wrote: »
    If I have to do something like that I only forward to SSH so that is the only public service. I then access the web server over SSH.

    Alternatively if where you want to access it from has a static IP you could only allow access if you are coming from that IP address.

    And the last option which is probably overkill is set up an openvpn server and VPN into your home network to access it.
    Hmm, bit more reading to do. I'll be mainly accessing it from an Android phone / work PC and I only know how to SSH from a terminal on the phone. I've NX NoMachine installed which connects through SSH so that might be the easiest way from the work PC.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Being able to ssh into your home network from your phone. The future is here. About bleedin time!


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Don't forget to install DenyHosts if you're leaving the ssh port open
    http://denyhosts.sourceforge.net/
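    Both Fail2Ban (azzeretti's post above) and DenyHosts work from the same raw signal: repeated authentication failures from one source address in the sshd log. The script below is an added example, not something from this thread or from either tool, that pulls that signal out of an auth.log with awk so you can see what the blockers react to before installing one. The log lines are constructed samples; the host name "htpc", the PIDs, the user names and the 203.0.113.x / 198.51.100.x addresses are documentation values, not real hosts.

```shell
#!/bin/sh
# Added example, not from the thread: count repeated SSH password failures per
# source address in an auth.log, which is the signal Fail2Ban and DenyHosts act
# on before blocking. The log lines are constructed samples; "htpc", the PIDs
# and the 203.0.113.x / 198.51.100.x addresses are documentation values.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar 30 11:40:01 htpc sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 30 11:40:03 htpc sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 30 11:40:05 htpc sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 30 11:40:06 htpc sshd[2105]: Invalid user oracle from 203.0.113.5
Mar 30 11:40:07 htpc sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51242 ssh2
Mar 30 11:41:10 htpc sshd[2110]: Failed password for media from 192.168.10.14 port 40210 ssh2
Mar 30 11:41:15 htpc sshd[2110]: Accepted publickey for media from 192.168.10.14 port 40210 ssh2
Mar 30 11:42:00 htpc sshd[2120]: Failed password for invalid user test from 198.51.100.9 port 60001 ssh2
Mar 30 11:42:01 htpc sshd[2120]: Failed password for invalid user test from 198.51.100.9 port 60002 ssh2
EOF

# brute_force_sources LOGFILE THRESHOLD
# Prints "count ip", highest first, for each source with at least THRESHOLD
# "Failed password" events. Only sshd lines are considered, and the address is
# taken from the token after "from" rather than by position, because the
# "invalid user" variant shifts the fields.
brute_force_sources() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr) printf "%d %s\n", fails[ip], ip
        }
    ' "$1" | sort -rn
}

# offender_count LOGFILE THRESHOLD
# Number of sources over the threshold; a cron job can alert when it is not 0.
offender_count() {
    brute_force_sources "$1" "$2" | wc -l | tr -d ' '
}

# One legitimate typo from the LAN (192.168.10.14) stays under the threshold;
# the internet source with four failures stands out even in this tiny sample.
brute_force_sources "$SAMPLE_LOG" 3
```

    Once password authentication is switched off, as several posts recommend, the noise changes shape: attackers no longer produce "Failed password" lines but "Invalid user" and pre-auth disconnect lines instead, so a filter built on this one pattern would go quiet while the attempts continue. Fail2Ban's stock sshd filter matches those variants too; whatever you deploy, check it against your own log after changing sshd_config.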


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    Thanks to all the replies,
    I've finally got it set up - for those following in my footsteps here's a short recap of what I did:
    • set up openssh (already done)
    • configure sshd to only allow key authentication, only allow connections from users in an sshusers group, change the listening port to a non-standard one
    • at the end of sshd_config I used a Match Address 192.168.10.0/24 to allow password auth from LAN machines so I don't need to set up keys on all the PCs in the house.
    • using a key with a passphrase in case my USB key goes walkabouts (converted one with PuTTYgen) and added the public file to authorized_keys in .ssh/
    • set up an account with no-ip.org
    • apt-get install noip2 on the host machine to keep no-ip up to date with my dynamic IP address
    • create a custom NAT service on the Netopia box to forward connections to my non-standard ssh port
    • set the firewall on Eircom's Netopia router to low (medium blocks NAT, though nothing tells you that; that frustrated me for ages)
    • using PortablePutty to connect to blah.no-ip.org:1234, setting up a tunnel to forward localhost (client) port 8081 to localhost:80 (the server; as far as ssh is concerned, localhost is the server)
    • use browser to view http://localhost:8081/myth and I can see schedules, etc

    now to try nxclient, just for kicks.
    Again, thanks for pointing me in the right direction :)
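    The sshd side of the recap above (key-only auth, an sshusers group, a non-standard port, password auth allowed only from the LAN via a Match Address block) is easy to get subtly wrong, because anything placed after the first Match line no longer applies globally. The script below is an added example, not the poster's own config or any project's tool: it writes two constructed sshd_config samples and audits them for exactly those items. Port 1234, the sshusers group and 192.168.10.0/24 are taken from the post; the other directives and the "backup" user in the weak sample are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own files: audit an sshd_config against the
# items in the recap above (key-only auth, an sshusers group, a non-standard
# port, password auth permitted only inside a Match Address block for the LAN).
# Both configs are constructed samples; port 1234, the sshusers group and
# 192.168.10.0/24 follow the post, the other directives are assumed.

HARDENED=$(mktemp); WEAK=$(mktemp)
trap 'rm -f "$HARDENED" "$WEAK"' EXIT

cat >"$HARDENED" <<'EOF'
Port 1234
PubkeyAuthentication yes
PasswordAuthentication no
# with PAM in use, keyboard-interactive can still prompt for a password
# unless this is off as well
ChallengeResponseAuthentication no
AllowGroups sshusers
# LAN machines may still use passwords; everything above applies to the internet side
Match Address 192.168.10.0/24
    PasswordAuthentication yes
EOF

cat >"$WEAK" <<'EOF'
Port 22
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

# audit_sshd_config FILE LAN_CIDR
# Prints one finding per line and returns 1 if there are any, 0 when clean.
# sshd reads the global section up to the first Match and then applies each
# Match block conditionally, so the parser remembers which block a keyword
# belongs to; "PasswordAuthentication yes" is only acceptable in the block
# matching exactly "Address LAN_CIDR".
audit_sshd_config() {
    _findings=$(awk -v lan="$2" '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        tolower($1) == "match" {                     # start of a Match block
            block = $2
            for (i = 3; i <= NF; i++) block = block " " $i
            next
        }
        block == "" {                                # global section
            key = tolower($1); val = tolower($2)
            if (key == "port" && val == "22")
                print "global: Port is 22; the recap moves sshd to a non-standard port"
            if (key == "passwordauthentication") {
                pw_seen = 1
                if (val != "no") print "global: PasswordAuthentication must be no"
            }
            if (key == "pubkeyauthentication" && val != "yes")
                print "global: PubkeyAuthentication is disabled"
            if (key == "allowgroups") {
                groups_seen = 1
                for (i = 2; i <= NF; i++) if ($i == "sshusers") grp_ok = 1
            }
            next
        }
        tolower($1) == "passwordauthentication" && tolower($2) == "yes" {
            if (tolower(block) != tolower("Address " lan))
                print "Match " block ": password auth enabled outside the LAN block"
        }
        END {
            if (!pw_seen) print "global: PasswordAuthentication not set (sshd default is yes)"
            if (!groups_seen) print "global: no AllowGroups line"
            else if (!grp_ok) print "global: AllowGroups does not include sshusers"
        }
    ' "$1")
    [ -z "$_findings" ] && return 0
    printf '%s\n' "$_findings"
    return 1
}

echo "hardened:"; audit_sshd_config "$HARDENED" 192.168.10.0/24 && echo "  no findings"
echo "weak:";     audit_sshd_config "$WEAK" 192.168.10.0/24 || echo "  exit status $? (findings above)"
```

    Run it against /etc/ssh/sshd_config with your own LAN range as the second argument; a clean run prints nothing and exits 0. It is a plausibility check, not a replacement for `sshd -t`, which is what actually validates the syntax before you restart the daemon and lock yourself out.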


  • Registered Users, Registered Users 2 Posts: 200 ✭✭druidhill


    KAGY wrote: »
    Thanks to all the replies,

    I've finally got it set up - for those following in my footsteps here's a short recap of what I did:
    • ...
    • ...
    Again, thanks for pointing me in the right direction:)


    Thanks for taking the time to reply, most OPs do not do this and it's a shame.


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    druidhill wrote: »
    Thanks for taking the time to reply, most OPs do not do this and it's a shame.

    No problem, I hate it too when a thread is left dangling (though I'm guilty of that too often).
    If anyone needs me to expand on any point, just ask.

    To follow up even more, I've managed to get the port forwarding working on Android with ConnectBot, using the same key. It was even simpler than I thought it might be; I was able to add more than one forward to the connection so I can connect to my ebook server running on a different port.


    Now, off to try and fix NX. Apparently it uses its own keys in some other location before it even authenticates a user, and some of my security settings are obviously blocking it.


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    KAGY wrote: »
    Now, off to try and fix NX. Apparently it uses its own keys in some other location before it even authenticates a user, and some of my security settings are obviously blocking it.

    Problem was twofold: NX uses the old authorized_keys2 file and I've disabled password login. Fixed using http://www.benmccann.com/dev-blog/security-lockdown-for-linux/

    and
    ~/.ssh$ cat authorized_keys2 >> authorized_keys


  • Registered Users, Registered Users 2 Posts: 966 ✭✭✭equivariant


    matrim wrote: »
    If I have to do something like that I only forward to SSH so that is the only public service. I then access the web server over SSH.

    Alternatively if where you want to access it from has a static IP you could only allow access if you are coming from that IP address.

    And the last option which is probably overkill is set up an openvpn server and VPN into your home network to access it.

    Interesting thread. I'm also a bit of a Linux noob and I am curious about this. I have my Linux (Ubuntu 11.10) box set up at home with sshd listening on port 22 (passwords disabled). At the moment I have port 80 open as well but I have set Apache so that it requires a password from anyone coming from outside.

    How can I "access the web server over ssh"? Does this mean that I can close port 80 and still access the web server (presumably through port 22)?


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Interesting thread. I'm also a bit of a Linux noob and I am curious about this. I have my Linux (Ubuntu 11.10) box set up at home with sshd listening on port 22 (passwords disabled). At the moment I have port 80 open as well but I have set Apache so that it requires a password from anyone coming from outside.

    How can I "access the web server over ssh"? Does this mean that I can close port 80 and still access the web server (presumably through port 22)?

    Yes, you'll need to forward port 22 on your router to the IP of your server.


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    Interesting thread. I'm also a bit of a Linux noob and I am curious about this. I have my Linux (Ubuntu 11.10) box set up at home with sshd listening on port 22 (passwords disabled). At the moment I have port 80 open as well but I have set Apache so that it requires a password from anyone coming from outside.

    How can I "access the web server over ssh"? Does this mean that I can close port 80 and still access the web server (presumably through port 22)?

    You'd need an SSH client on the local machine (the one you're at away from home); PuTTY is what I use on Windows, ConnectBot on Android.
    In a nutshell, you connect to your server through SSH on port 22 as normal but with extra options to forward the local port, say 8080, to the server port 80 (you wouldn't forward local port 80 or all local web traffic would be directed to your server). Can't recall the exact CLI option but it's like -L 8080:localhost:80 (where localhost in this case is the localhost according to the server, i.e. the server itself).
    To access your server web, go to http://localhost:8080/home.html or whatever.

    The port 8080 is the SSH connection which connects through port 22 on the firewall / server where it is then passed to the server's port 80 - simples :-)

    Actually, reading back, you could forward port 80 if you had no web apps on the away-from-home machine.
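    The -L option described above takes the form `[bind_address:]port:host:hostport`, and the "host" part is resolved by the server, which is why `localhost` there means the server itself. The script below is an added example, not from this thread or from OpenSSH, that assembles the tunnel command with checked forward specs and the options that make a long-lived tunnel behave: it binds the local side to 127.0.0.1 so nothing else on the client's network can ride the tunnel, and it makes ssh exit if a forward cannot be set up instead of quietly running without it. blah.no-ip.org, port 1234 and the 8081 to 80 forward come from KAGY's recap; the "media" user and the second forward (8082 to 8080, for an ebook server) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the ssh command for the tunnel
# described above with explicit, checked forward specs. blah.no-ip.org, port
# 1234 and the 8081 -> 80 forward come from KAGY's recap; the "media" user and
# the 8082 -> 8080 forward for the ebook server are assumptions.

# forward_spec LOCAL_PORT REMOTE_PORT [REMOTE_HOST]
# Prints a -L argument, or prints an error and returns 1 if a port is invalid.
# The local side is bound to 127.0.0.1 explicitly so the tunnel is reachable
# only from the machine running ssh, not from others on the same network.
# REMOTE_HOST defaults to localhost, which the server resolves to itself.
forward_spec() {
    for p in "$1" "$2"; do
        case "$p" in
            ''|*[!0-9]*) echo "forward_spec: port '$p' is not a number" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "forward_spec: port '$p' out of range" >&2; return 1
        fi
    done
    printf '%s 127.0.0.1:%s:%s:%s\n' -L "$1" "${3:-localhost}" "$2"
}

# tunnel_command USER HOST SSH_PORT SPEC...
# -N opens no shell, just the forwards; ExitOnForwardFailure makes ssh exit
# instead of silently running without the tunnel when a local port is taken;
# ServerAliveInterval keeps the session alive through NAT on the router.
tunnel_command() {
    _user=$1; _host=$2; _port=$3; shift 3
    _cmd="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -p $_port"
    for spec in "$@"; do _cmd="$_cmd $spec"; done
    printf '%s\n' "$_cmd $_user@$_host"
}

# Assemble the command without running it, then show it.
tunnel_command media blah.no-ip.org 1234 \
    "$(forward_spec 8081 80)" \
    "$(forward_spec 8082 8080)"
```

    With the printed command running, the browser goes to http://localhost:8081/myth exactly as in the recap, and each -L corresponds to one port forward entry in a ConnectBot or PuTTY profile. Leaving `GatewayPorts` at its default of no on the client is what the explicit 127.0.0.1 bind reinforces; if you ever need the tunnel reachable from another machine, that is a deliberate choice to make, not a default to inherit.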


  • Posts: 0 [Deleted User]


    You can pick this book up cheaply on Amazon.

    It's a great read on the subject.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    There is also the free hardening guide written by the NSA

