Re: Requesting security tips on network setup

From: Mike Reilly (jeltz@vogon.org)
Date: 04/08/02



Ryan Gaudet wrote:

> Hi,
>
> I've just finished setting up my small business network and was hoping
> that someone could maybe suggest some tips to make my network as
> invisible to the outside world as I can. I'm not naive, I know that if
> someone really wants to get in that they will but I at least don't want
> to have my network sitting with a "Come and crack me" sign on its back....
> I'm going to work from the outside (Internet) in;
>
> I have a DSL connection going into a Netgear RP114 router. The router
> itself has three ports being forwarded; port 22 (ssh) is going to a
> gateway that I use to work on the Servers from home, port 21 which is
> being forwarded to my FTP server (Currently wu-ftpd 2.6.1 but I'm in the
> testing phase of pro-ftpd which I will be switching to very soon), and
> port 143 which is being forwarded to my gateway (it also acts as a
> non-critical IMAP mail server).
>
> I've done scans using nmap and have only had those three ports come up
> from the scan and I've tried some other third party scanning tools and
> nothing obvious comes up. I've also set my router up to block ICMP
> requests as well. Can anyone give me any extra suggestions or is that
> about all I can do? Is it worth installing portsentry on my boxes
> because I'm behind a router? I would hope that any port scans wouldn't
> get through to my Servers. Also, I am almost done reading the Maximum
> Linux Security book for other tips.
>
> Thanks In Advance
>
> Ryan

Imho, your #1 security problem is not necessarily the flaws in the ports you
have open; your biggest problem is that you are using FTP. You should most
certainly also follow the security alerts on any installed packages, especially
those involved with services on those open ports.

FTP has the horrendous security flaw of allowing clear text passwords to be
sent across the internet. Anyone with a sniffer designed to catch this kind of
broadcast can capture them and add them to their database of known passwords.
Especially if you log in with an account with shell access on that machine, it's
dangerous. This can be fixed in a couple of ways. First, you could implement
sftp (secure ftp), which you get with openssh. It may take a little bit of
research and fiddling to set up, but it's good - it adds encryption to your ftp
sessions. Also, there are GUI sftp clients available these days, such as gftp.
The other solution is to just use anonymous ftp. This works well for
downloads, but can be a disaster for uploads - anyone could start using you as
a drop-off for whatever files...

Other than that, the response from "those who know" covers it pretty well.
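Added example, not from the original thread: a small audit of an FTP control-channel transcript that flags the two risks the reply describes, a real account's password crossing the wire in the clear and an anonymous login storing files. The transcript format (`C:`/`S:` prefixes), the user name and file names are constructed for the example; in practice the lines would come from a capture of port 21 traffic or the FTP server's log.

```python
import re

# Constructed sample session: "C:" is client->server, "S:" is the server reply.
SAMPLE_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: USER rgaudet
S: 331 Password required for rgaudet
C: PASS hunter2
S: 230 User rgaudet logged in
C: STOR report.txt
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

# Logins that are anonymous by convention; no secret is exposed by their PASS.
ANON_USERS = {"anonymous", "ftp"}

def audit_ftp_session(transcript):
    """Return (kind, detail) findings for one FTP control session.

    cleartext_password: a non-anonymous account's password was sent in the
                        clear (the password itself is deliberately not recorded)
    anonymous_upload:   an anonymous login stored a file (the "drop-off" risk)
    """
    findings = []
    user = None
    for line in transcript.splitlines():
        m = re.match(r"C:\s*(\w+)(?:\s+(.*))?$", line)
        if not m:
            continue  # server replies and other noise are ignored
        cmd, arg = m.group(1).upper(), (m.group(2) or "").strip()
        if cmd == "USER":
            user = arg
        elif cmd == "PASS" and user and user.lower() not in ANON_USERS:
            findings.append(("cleartext_password", user))
        elif cmd in ("STOR", "STOU", "APPE") and user and user.lower() in ANON_USERS:
            findings.append(("anonymous_upload", arg))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_ftp_session(SAMPLE_SESSION):
        print(f"{kind}: {detail}")
```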


