Re: Requesting security tips on network setup

From: Mike Reilly (jeltz@vogon.org)
Date: 04/08/02


From: Mike Reilly <jeltz@vogon.org>
Date: Sun, 07 Apr 2002 23:00:21 GMT

Ryan Gaudet wrote:

> Hi,
>
> I've just finished setting up my small business network and was hoping
> that someone could maybe suggest some tips to make my network as
> invisible to the outside world as I can. I'm not naive, I know that if
> someone really wants to get in that they will but I at least don't want
> to have my network sitting with a "Come and crack me" sign on its back....
> I'm going to work from the outside (Internet) in;
>
> I have a DSL connection going into a Netgear RP114 router. The router
> itself has three ports being forwarded; port 22 (ssh) is going to a
> gateway that I use to work on the Servers from home, port 21 which is
> being forwarded to my FTP server (Currently wu-ftpd 2.6.1 but I'm in the
> testing phase of pro-ftpd which I will be switching to very soon), and
> port 143 which is being forwarded to my gateway (it also acts as a
> non-critical IMAP mail server).
>
> I've done scans using nmap and have only had those three ports come up
> from the scan and I've tried some other third party scanning tools and
> nothing obvious comes up. I've also set my router up to block ICMP
> requests as well. Can anyone give me any extra suggestions or is that
> about all I can do? Is it worth installing portsentry on my boxes
> because I'm behind a router? I would hope that any port scans wouldn't
> get through to my Servers. Also, I am almost done reading the Maximum
> Linux Security book for other tips.
>
> Thanks In Advance
>
>
>
> Ryan

IMHO, your #1 security problem is not necessarily the flaws in the ports you
have open; your biggest problem is that you are using FTP. You should most
certainly also follow the security alerts on any installed packages, especially
those involved with services on those open ports.

FTP has the horrendous security flaw of allowing clear text passwords to be
sent across the internet. Anyone with a sniffer designed to catch this kind of
broadcast can capture them and add them to their database of known passwords.
Especially if you log in with an account with shell access on that machine, it's
dangerous. This can be fixed in a couple of ways. First, you could implement
sftp (secure ftp), which you get with openssh. It may take a little bit of
research and fiddling to set up, but it's good - it adds encryption to your ftp
sessions. Also, there are GUI sftp clients available recently such as gftp.
The other solution is to just use anonymous ftp. This works well for
downloads, but can be a disaster for uploads - anyone could start using you for
a drop off for whatever files...

Other than that, the response from "those who know" covers it pretty well.
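
An sshd_config fragment for the sftp option suggested in the reply above, added here as an illustration and not part of the original thread. It restricts file-transfer accounts to SFTP with no shell. The group name `sftponly` and the path `/srv/sftp` are assumptions, and it assumes an OpenSSH release that supports `internal-sftp` and `Match` blocks.

```conf
# /etc/ssh/sshd_config (fragment; group name and paths are assumed examples)

# Serve SFTP from inside sshd itself, so no external sftp-server binary
# or shell has to exist inside the chroot.
Subsystem sftp internal-sftp

# Accounts that only move files go in the (assumed) group "sftponly".
Match Group sftponly
    # Confine the session to a per-user directory. The chroot directory
    # and every parent must be owned by root and not writable by group
    # or others, otherwise sshd refuses the login.
    ChrootDirectory /srv/sftp/%u

    # Ignore whatever command or shell the client asks for and always
    # run the SFTP server: the account can transfer files but never
    # gets an interactive shell on the machine.
    ForceCommand internal-sftp

    # Stop the account from being used as a tunnel into the internal
    # network behind the router.
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
```

Run `sshd -t` to check the file for errors before restarting the daemon. Once transfers work over port 22, the port 21 forward on the router can be removed.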