Re: Secured Linux box for Windows access
From: N407ER (n407er_at_myrealbox.com)
Date: Tue, 03 Feb 2004 01:59:12 -0500
To: firstname.lastname@example.org
Matthew White wrote:
> Hello all,
> Ideally, if I could have my Windows clients to be able to map a drive or
> use a UNC share to the Linux box that would be perfect - this way I'd
> not have to greatly retrain them.
I know virtually nothing about SMB file sharing. But I've used Samba
previously. This is what it is for. It works fine, with no need to
reconfigure the Windows clients. It's painful for me, being ignorant of
SMB. For you, it should be easy enough.
> The difficult parts are that I'll need the server to be accessible over the
> Internet, for it to be Open Source or low cost and to be able to
> administer the box remotely also.
Remote administration is usually best accomplished with just OpenSSH, in
my opinion. I rarely, if ever, use graphical configuration utilities.
This is personal preference, though, and there's no need to be
masochistic if you prefer more graphically oriented environments. Check
out X11-forwarding over SSH (you'll need a Windows X server like Cygwin
on the client) instead of VNC; it's a bit more secure (VNC doesn't
encrypt sessions, if I remember right; it just does challenge-response
authentication, but if you ``su'' once logged in, you're SOL). And you
mentioned WebMin, which is a nice utility.
> Here's what I've picked up so far:
> I need a form of encryption and preferably a form of authentication.
> * On the server I think I need: Linux, Samba, OpenVPN server (or similar
> VPN server), Webmin (and therefore Apache).
> * On the client I need OpenVPN client (or other VPN client).
> Authentication, however, I don't know what to choose.
Do you need to provide your Windows clients with VPN? Or are you just
doing this to protect the shares? If the Windows machines are all on one
LAN, you could do a VPN tunnel (using IPSEC or PPTP) network bridge
between the server and the router on the LAN, and it would be totally
transparent to the Windows clients. That would probably be easiest. Check
out FreeS/WAN for the Linux side, or the new 2.6 kernel built-in IPSEC.
Also, Webmin (at least used to) includes its own webserver. You don't
need Apache for it if you don't want to use Apache.
> Q. I'm using Mandrake and finding it easy to use. Generally though I'm
> the one telling people that Security is inversely proportional to
> Convenience so I wonder if the ease of use with Mandrake comes at the
> price of being less secure. If so is there a better flavour of Linux to
> use? (eg I've heard of Trustix but know almost nothing about it).
Linux is Linux is Linux. But what I'd think about for security are:
How fast do patches come out?
Is the software included bleeding-edge, stable/tried-and-true, or stale?
Is the default configuration secure (extraneous services turned off,
better password hashing (MD5 or blowfish), shadow passwords, etc)?
And so forth. If you choose something so hard to use that you can't make
it secure, what's the point? Most of all, I'd say, look for good package
management, which you'll appreciate later when trying to keep your
system up to date (Debian's apt, also available for RedHat and others,
is excellent; Gentoo's portage is also very nice, but as a whole Gentoo
may not quite be production-quality).
> Q. Would it be feasible / recommended to only store PGP/GPG files on
> this datastore location as it is just sitting out there on the net and
> not under daily scrutiny like my client machines, or is there some flaw
> in my strategy that makes this just misplaced paranoia?
If people can get unauthorized access to the shares, you're probably in
trouble either way. If you're worried about the integrity of the files
as they are transmitted between authenticated clients and the server,
try the aforementioned VPN solution. Then you don't need to mess with
manual, clumsy encryption interfaces per-file.
> Q. What sort of protective logging can I do for it? Is it wise to have
> it notify me of possible security abnormalities? If so what products
> would you suggest?
Look into things like Tripwire, AIDE, and Samhain. All three are good
Host-based IDS's. Snort is the leading NIDS, but I wouldn't use it on a
production server (better on a more disposable box that can only listen
to the network and do no harm; Snort itself can be a vulnerability).
Bastille-Linux is also a very easy-to-use set of scripts to harden your
current installation. I think you'll like it.
And of course there are also kernel-based patchsets and IDS's, such as
SELinux, GRSecurity, and LIDS. Check them out as well, if you like reading.
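
The default-configuration questions in the reply above (shadow passwords in use, MD5 or blowfish hashing rather than traditional DES crypt) can be checked directly on an installed box. The script below is an added example, not part of the original post; the function names, finding labels and sample account files are constructed for illustration, and on a real system the inputs would be /etc/passwd and /etc/shadow read as root.

```shell
#!/bin/sh
# Added example: report how each account's password is stored.
# Usage: audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one "user:finding" line per account that has a password set.
audit_accounts() {
    awk -F: '
        FILENAME == ARGV[1] {
            # passwd(5): field 2 is "x" when the hash lives in the shadow file
            if ($2 == "")
                print $1 ":empty-password-in-passwd"
            else if ($2 != "x" && $2 !~ /^[*!]/)
                print $1 ":hash-in-world-readable-passwd"
            next
        }
        {
            # shadow(5): field 2 is the hash; a leading ! or * means locked
            if ($2 == "")                  print $1 ":empty-password"
            else if ($2 ~ /^[!*]/)         next
            else if ($2 ~ /^\$1\$/)        print $1 ":md5"
            else if ($2 ~ /^\$2[abxy]?\$/) print $1 ":blowfish"
            else if ($2 ~ /^\$/)           print $1 ":other-modular-scheme"
            else                           print $1 ":des-crypt-weak"
        }
    ' "$1" "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample files; the hash strings are placeholders, not real hashes.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
legacy:ab0123456789A:501:501::/home/legacy:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$CONSTRCT$placeholderhashvalue00:12450:0:99999:7:::
alice:$2a$10$placeholdersaltandhashplaceholdersaltandhash00000000:12450:0:99999:7:::
bob:ab0123456789A:12450:0:99999:7:::
daemon:*:12450:0:99999:7:::
EOF
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
demo
```

Any "hash-in-world-readable-passwd" or "des-crypt-weak" finding means the distribution's defaults (or a migrated account) fall short of the checklist and the password should be reset after the hashing scheme is changed.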