[wplug] Linux network security poll

Patrick Wagstrom patrick at wagstrom.net
Sat Feb 9 19:42:28 EST 2008


Zach wrote:
> I need to get serious about security since I will be soon connected to
> the net almost 24x7 (barring a power outage etc.) so I was wondering
> if list members could explain their security setup (network
> configuration, DMZ, firewalls, IDS, logging, etc.). Also what would
> you recommend for someone like me who is still on an entry level in
> terms of my understanding of Linux and network security and what would
> you recommend for later on down the road once I get more sophisticated? I
> run Debian lenny with a 2.6.18 kernel. I will be getting ADSL next
> week and plan on having a DSL modem/router doing NAT. I only have one
> machine now but plan on adding another one within the next 3 months or
> so.

This is sorta my standard answer:

Get a wireless access point/router.  These boxes do network address 
translation, which means you get a non-world-routable IP address for 
systems behind them, which means any open ports you have will not be 
accessible.  For the ports you need open, use the port-forwarding feature 
of your router to redirect those ports only.  For HTTP you'll want to pass 
through port 80 and port 443 (latter only if running a TLS-secured server). 
For SSH you'll want port 22.

However, I have to strongly caution against running SSH on port 22, as 
you'll get lots of random connections.  What I do on my system is run SSH 
on port 22, but on my router, I tell it to route port 5164 (random number) 
on the external interface to port 22 on my SSH machine.  That way when 
people use SSH bots, they don't find my system.  Especially nice since SSH 
has a nasty habit of advertising what version it is when you connect.

Really, security isn't that big of a deal.  Use the router, which will 
block all incoming connection attempts except to ports you open and make 
sure to update your software once in a while.  Pretty straightforward.

Once again, I recommend the Linksys WRT54GL (note the L at the end there) 
running DD-WRT firmware.  Great little boxes.  Anyone know of something 
similar that runs 802.11n (or 802.11n draft to be precise since 802.11n 
will never be standardized)?

--Patrick
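
The port forwards described in the message above, written out as the iptables rules an iptables-based router firmware such as DD-WRT would hold for them. This is an added example, not part of the original message. The interface name `wan0`, the LAN address `192.168.1.10` and the function names are assumptions, and the script only prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for TCP port forwards.
# Assumes the FORWARD chain defaults to DROP and already accepts
# ESTABLISHED,RELATED traffic, as a NAT router normally does.

WAN_IF="${WAN_IF:-wan0}"   # hypothetical WAN interface name

# Accept only decimal port numbers in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_rule EXT_PORT LAN_IP INT_PORT
forward_rule() {
    ext=$1 ip=$2 int=$3
    valid_port "$ext" && valid_port "$int" || {
        echo "bad port: $ext -> $int" >&2
        return 1
    }
    # Rewrite the destination of packets arriving on the WAN side.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $ext -j DNAT --to-destination $ip:$int"
    # FORWARD sees the packet after DNAT, so it matches the internal port.
    echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $ip --dport $int -m state --state NEW -j ACCEPT"
}

# Mappings from the message: web on 80/443, SSH on external port 5164.
port_forwards() {
    lan_host=${1:-192.168.1.10}   # constructed LAN address
    forward_rule 80   "$lan_host" 80  || return 1
    forward_rule 443  "$lan_host" 443 || return 1
    forward_rule 5164 "$lan_host" 22  || return 1
}

port_forwards
```

The SSH daemon itself still listens on port 22 on the LAN; only the externally visible port differs.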

