Linux Networking, Part 6: Securing Your Network - page 2
Preparing for the Worst
There are three areas where Linux network security can be compromised: the network interface where the firewall sits, the server-based services running on the router, and remote access to the router or network from a PC connected to the Internet. We look at all three in detail.
This security discussion is very basic, so those with serious security concerns should take a look at one of the many books on Linux server and network security. The details outlined here should be sufficient for an on-demand modem connection, since the IP address of the router changes each time it connects, which provides a little extra obscurity from the Internet's point of view. Those with "always on" DSL or cable modem connections should pay close attention and probably pick up a book on security: these connections are the most prone to attack, since the average user with such a connection is typically unconcerned with security and is a prime target for hackers.
The ipchains firewall configurations in the last two articles were presented in open and tight security versions. The open version should be avoided, since it allows Internet systems to access the router and possibly the internal network. Security tends to be better if NAT masquerading is used, but the router is still prone to attack.
The tight security version allowed local computers and the router to access the Internet through a single connection. The computers on the network have unlimited access to any IP port, but this can be tightened up by using ipchains to allow only selected ports. This would be the case if access were restricted to POP3 email and web browsing: port 80 is normally used for web browsing, and email uses ports 25 (SMTP) and 110 (POP3). The file /etc/services lists the port numbers typically used by Linux applications.
The ipchains program has built-in logging using the -l (or --log) option. This is handy when trying to debug a tighter router configuration. Check the ipchains online manual pages for more details.
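The following script is an added example, not code from the original article: it generates the ipchains forwarding rules for the tightened configuration described above, allowing only named services out of the local network and logging (with -l) everything else that is denied. The port numbers are looked up from a constructed extract of /etc/services embedded in the script; the local network 192.168.1.0/24 is an assumption. The script prints the commands rather than running them, so it can be reviewed before being piped into a shell on the router.

```shell
#!/bin/sh
# Added example: build a tight ipchains forwarding policy for the LAN.
# Only the named services are allowed out; the final rule denies and logs.

LAN_NET="192.168.1.0/24"   # assumed local network (placeholder)

# Constructed extract of /etc/services (name port/proto aliases), not the real file.
SERVICES='# Constructed extract of /etc/services
smtp    25/tcp    mail
http    80/tcp    www www-http
pop3    110/tcp   pop-3
telnet  23/tcp
ftp     21/tcp
'

# port_of NAME -> prints the TCP port number for NAME; exit status 1 if unknown.
port_of() {
    printf '%s\n' "$SERVICES" | awk -v name="$1" \
        '$1 == name && $2 ~ /\/tcp$/ { split($2, a, "/"); print a[1]; found = 1; exit }
         END { exit !found }'
}

# tight_rules SERVICE... -> prints the ipchains commands that let the LAN reach
# only those services (masqueraded), then deny and log everything else.
tight_rules() {
    echo "ipchains -F forward"
    echo "ipchains -P forward DENY"
    for svc in "$@"; do
        port=$(port_of "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        # ipchains syntax: destination port follows the -d address
        echo "ipchains -A forward -p tcp -s $LAN_NET -d 0.0.0.0/0 $port -j MASQ"
    done
    # Catch-all: deny and log (-l) so a too-tight rule set can be debugged from syslog.
    echo "ipchains -A forward -s $LAN_NET -j DENY -l"
}

# Print the rule set for web browsing plus email; on the router: tight_rules ... | sh
tight_rules smtp http pop3
```

Because the last rule logs rejected packets, the syslog entries show which LAN host and destination port was refused, which is the quickest way to discover a service that still needs a rule.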
Linux can run a number of services or daemons on a router, such as a web server or FTP server. In general, these additional services should be avoided unless you have some security expertise with respect to the service. For example, the Apache web server can be secured in a number of ways, especially if it is only serving up static web pages. Add a few forms or something even more complex and all bets are off. Keeping up with the latest releases and security updates for the respective application is important for preventing a security breach through the service.
If two servers are available, then use one for the router/firewall and the other for the Internet services. Configure the firewall to pass packets for a specific port through the router to the second server with the services. It is even possible to configure a router with three adapters so the server with the services is placed on its own network. The router can then provide Internet access to the local network and the network with the services server. This is a rather complex configuration and one more in line with a small to medium size business than a home network.
A simpler approach is to allow a service such as a web server to support only the local network. This is normally done through the service configuration file. For the Apache web server, the file is httpd.conf. The service can be set up to listen only on the IP address of the network adapter for the local network. This approach is service specific.
Turning off excess services is relatively easy. Most are started by the inetd service, configured using the /etc/inetd.conf file. Each line in the file is either a comment (beginning with #) or a service specification such as:

    # comment
    telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

Online documentation provides the details, but in general few services are necessary for running Linux as a router. Likewise, certain services should not be used on the router for security reasons, such as the telnet server listed above, because it provides remote access to Linux. Just add a # at the start of the telnet line to disable this service when the system is restarted.
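As an added example (not from the original article), the script below audits which services an inetd.conf-style file still enables and comments out the ones you name, working on a constructed copy in a temporary file rather than the real /etc/inetd.conf. The service lines in the embedded file are constructed for the example; the field layout is the standard inetd.conf one.

```shell
#!/bin/sh
# Added example: list enabled inetd services and disable chosen ones.

# Constructed /etc/inetd.conf content (not the real file) in a temp copy.
INETD_CONF=$(mktemp)
cat > "$INETD_CONF" <<'EOF'
# Constructed inetd.conf for the example
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF

# enabled_services FILE -> prints the service name of every uncommented entry
enabled_services() {
    # skip blank lines and lines whose first non-blank character is '#'
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# count_enabled FILE -> number of enabled services
count_enabled() {
    enabled_services "$1" | wc -l | tr -d ' '
}

# disable_service FILE NAME -> comment out NAME's entry; already-disabled
# entries are left alone, so running it twice does not double the '#'.
disable_service() {
    file=$1; name=$2
    tmp=$(mktemp)
    awk -v name="$name" \
        '!/^[[:space:]]*#/ && $1 == name { print "#" $0; next } { print }' \
        "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rm -f "$tmp"
}

echo "Enabled before:"; enabled_services "$INETD_CONF"
disable_service "$INETD_CONF" telnet
disable_service "$INETD_CONF" finger
echo "Enabled after:";  enabled_services "$INETD_CONF"
# On a real router, inetd rereads its file on SIGHUP (or at the next reboot).
```

Run the audit before and after each change so you can see exactly which entries are still live; a service you do not recognise is a reason to look it up, not to leave it running.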
If you have a console on the Linux PC then you can disable just about everything. Do this incrementally if you do not know which service provides functionality that you may want to retain. If you need remote access then check out the next section about adding a secure remote access service before disabling remote access services such as telnet that you might already be using for configuration. The same is true if the Linux PC is being configured via a web browser interface.
If services like the Apache Web server must be enabled then consider using the tcp_wrappers program, written by Wietse Venema, who also wrote the SATAN network diagnostic package. SATAN can be used to test the security of a firewall from another Linux PC on the Internet.
The tcp_wrappers program is more efficient than inetd and allows services to be run using a specific user. This should be something other than root. The Linux file system security can then limit access to the service's resources even if the service is compromised. It is even possible to have multiple web services that are independent and assigned different user accounts.
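To show how tcp_wrappers limits a wrapped service to the local network, here is an added example (not code from the article or from the tcp_wrappers package) that models the access decision tcpd makes from hosts.allow and hosts.deny: hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed. Only daemon names, the ALL wildcard and trailing-dot network prefixes such as 192.168.1. are modelled; the real hosts_access(5) syntax supports much more. The two control files are constructed in temporary files, and the daemon names and addresses are assumptions.

```shell
#!/bin/sh
# Added example: simplified model of the tcpd hosts.allow / hosts.deny decision.

HOSTS_ALLOW=$(mktemp); HOSTS_DENY=$(mktemp)
cat > "$HOSTS_ALLOW" <<'EOF'
# Constructed hosts.allow: only the LAN may reach the web and telnet daemons
httpd, in.telnetd : 192.168.1.
in.ftpd : 192.168.1.10
EOF
cat > "$HOSTS_DENY" <<'EOF'
# Constructed hosts.deny: everything else is refused
ALL : ALL
EOF

# match_item PATTERN VALUE -> 0 if PATTERN covers VALUE
#   ALL matches anything; a pattern ending in '.' is a prefix; otherwise exact.
match_item() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac; return 1 ;;
        *)   [ "$pat" = "$val" ] ;;
    esac
}

# list_matches LIST VALUE -> 0 if any comma/space separated item matches VALUE
list_matches() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        match_item "$item" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if any "daemons : clients" line matches both
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac      # skip blanks and comments
        daemons=${line%%:*}
        clients=${line#*:}
        list_matches "$daemons" "$2" && list_matches "$clients" "$3" && return 0
    done < "$1"
    return 1
}

# access_decision DAEMON CLIENT -> prints ALLOW or DENY in tcpd's evaluation order
access_decision() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo ALLOW
    elif file_matches "$HOSTS_DENY" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

for client in 192.168.1.25 10.0.0.5; do
    echo "in.telnetd from $client: $(access_decision in.telnetd "$client")"
done
```

The important design point is the closing ALL : ALL in hosts.deny: without it, any daemon or client not named in hosts.allow falls through to the default of allowing access, and the wrapper has restricted nothing.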