Re: Secured Linux box for Windows access

From: N407ER (
Date: 02/03/04

  • Next message: "Related to: sqwebmail web login reported on BugTraq"
    Date: Tue, 03 Feb 2004 01:59:12 -0500

    Matthew White wrote:
    > Hello all,
    > [...]
    > Ideally, if I could have my Windows clients to be able to map a drive or
    > use a UNC share to the Linux box that would be perfect - this way I'd
    > not have to greatly retrain them.

    I know virtually nothing about SMB file sharing. But I've used Samba
    previously. This is what it is for. It works fine, with no need to
    reconfigure the Windows clients. It's painful for me, being ignorant of
    SMB. For you, it should be easy enough.

    > The difficult parts are that I'll need the server to accessible over the
    > Internet, for it to be Open Source or low cost and to be able to
    > administer the box remotely also.

    Remote administration is usually best accomplished with just OpenSSH, in
    my opinion. I rarely, if ever, use graphical configuration utilities.
    This is personal preference, though, and there's no need to be
    masochistic if you prefer more graphically oriented environments. Check
    out X11-forwarding over SSH (you'll need a Windows X server like Cygwin
    on the client) instead of VNC; it's a bit more secure (VNC doesn't
    encrypt sessions, if I remember right; it just does challenge-response
    authentication, but if you ``su'' once logged in, you're SOL). And you
    mentioned WebMin, which is a nice utility.

    > Here's what I've picked up so far:
    > I need a form of encryption and preferably a form of authentication.
    > * On the server I think I need: Linux, Samba, OpenVPN server (or similar
    > VPN server), Webmin (and therefore Apache).
    > * On the client I need OpenVPN client (or other VPN client).
    > Authentication, however, I don't know what to choose.

    Do you need to provide your Windows clients with VPN? Or are you just
    doing this to protect the shares? If the Windows machines are all on one
    LAN, you could do a VPN tunnel (using IPSEC or PPTP) network bridge
    between the server and the router on the LAN, and it would be totally
    ransparent to the Windows clients. That would probably be easiest. Check
    out FreeS/WAN for the Linux side, or the new 2.6 kernel built-in IPSEC.

    Also, Webmin (at least used to) includes its own webserver. You don't
    need Apache for it if you don't want to use Apache.

    > Q. I'm using Mandrake and finding it easy to use. Generally though I'm
    > the one telling people that Security is inversely proportional to
    > Convenience so I wonder if the ease of use with Mandrake comes at the
    > price of being less secure. If so is there a better flavour of Linux to
    > use? (eg I've heard of Trustix but know almost nothing about it).

    Linux is Linux is Linux. But what I'd think about for security are:

    How fast do patches come out?

    Is the software included bleeding-edge, stable/tried-and-true, or stale?

    Is the default configuration secure (extraneus services turned off,
    better password hashing (MD5 or blowfish), shadow passwords, etc)?

    And so forth. If you choose something so hard to use that you can't make
    it secure, what's the point? Most of all, I'd say, look for good package
    management, which you'll appreciate later when trying to keep your
    system up to date (Debian's apt, also available for RedHat and others,
    is excellent; Gentoo's portage is also very nice, but as a whole Gentoo
    may not quite be production-quality).

    > Q. Would it be feasible / recommended to only store PGP/GPG files on
    > this datastore location as it is just sitting out there on the net and
    > not under daily scrutiny like my client machines, or is there some flaw
    > in my strategy that makes this just misplaced paranoia?

    If people can get unauthorized access to the shares, you're probably in
    trouble either way. If you're worried about the integrity of the files
    as they are transmitted between authenticated clients and the server,
    try the aforementioned VPN solution. Then you don't need to mess with
    manual, clumsy encryption interfaces per-file.

    > Q. What sort of protective logging can I do for it? Is it wise to have
    > it notify me of possible security abnormalities? If so what products
    > would you suggest?

    Look into things like Tripwire, AIDE, and Samhain. All three are good
    Host-based IDS's. Snort is the leading NIDS, but I wouldn't use it on a
    production server (better on a more disposable box that can only listen
    to the network and do no harm; Snort itself can be a vulnerability).

    Bastille-Linux is also a very easy-to-use set of scripts to harden your
    current installation. I think you'll like it.

    And of course there are also kernel-based patchsets and IDS's, such as
    SELinux, GRSecurity, and LIDS. Check them out as well, if you like reading.


    Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
    course! All of our class sizes are guaranteed to be 10 students or less.
    We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
    and many other technical hands on courses.
    Visit us at to get $720 off
    any course!

  • Next message: "Related to: sqwebmail web login reported on BugTraq"