Miles Brennan wrote:
I am still interested in feedback.
Linux Home Server HOWTO: www.brennan.id.au
This is an excellent introductory document for beginners - balancing concepts with practical example.
I do have some feedback.
In the SSH section - I highly recommend disabling protocol 1, making the sshd_config line:
Protocol 2
In my deployments I use the AllowGroups restriction you indicated, but also disable password authentication and deploy keys as the authentication method. But that is probably overkill for beginning users. I recommend you create a more advanced topics document when this one is completed, and insert links to it for the key based authentication topic. Other ideas for the more advanced tutorial would be:
- Package Management - creating and using a local repository mirror - useful for larger scale Linux deployments, or when your home network does not have broadband Internet, but your Linux laptop occasionally does ;).
- Creating and using an nfs exported installation image for installs.
- Use of kickstart to automate installs.
- LDAP based authentication/authorization of users to httpd.
- Configuration of WebDAV folders in httpd (with SSL), as an alternative to FTP.
- Use of limit in iptables for some protection against attacks on permitted services, or against storms of denied packets rapidly generating log messages.
Back to the current document.
In the NFS section - an nfs3 configuration for which access can be restricted by firewall rules can be achieved easily.
Add /etc/sysconfig/nfs as follows
------------------ start of /etc/sysconfig/nfs --------------------------
# /etc/sysconfig/nfs
# Created 7-5-2004 by Christopher K. Johnson
# Based on earlier work by Chris Lowth,
# adjusted to use features supported by unmodified Fedora Core 2 init scripts.
# The following may be relevant in a virtual host environment
#STATD_HOSTNAME=
STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
# Also see /etc/services to set rpc.rquotad port to 4003
# rquotad 4003/tcp # Fix a port for rpc.rquotad
# rquotad 4003/udp # Fix a port for rpc.rquotad
------------------ end of /etc/sysconfig/nfs --------------------------
Then make the additions to /etc/services (not commented out) as suggested by the comments in the nfs file.
When portmap and nfs services are restarted they will use ports 4000:4003 tcp/udp in addition to 111 and 2049, not random high ports. So iptables rules can be designed accordingly. The following works as an insert in the typical system-config-security provided iptables:
# Permit NFS access sample
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT
You will need to adjust those rules consistent with your scripted iptables implementation.
By the way I believe in a stateful firewall the inquiries initiated by ntpd do not need firewall rules to permit their response. It is only when broadcasts are listened for that a firewall hole is needed to listen for them. So when using specific ntp servers and you have a rule such as your:
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
...then ntpd should work fine. It appears that the insertion of iptables rules in the ntpd start script is no longer done in FC3. If memory serves - those specifically targeted the RH-Firewall-1-INPUT table anyhow, and you are not using that table.
Lastly I would include a small section below Packet Forwarding within Firewall Concepts to introduce the use of sysctl.conf control of ecn and tcp window scaling since these can cause problems with some routers, firewalls, etc. So knowing how to turn them off is useful. Here is the snippet I add to sysctl.conf:
# Start CKJ additions for robustness and security...
# Disable TCP ECN which some routers and servers cannot handle.
net.ipv4.tcp_ecn = 0
# Disable TCP window scaling which some routers and firewalls cannot handle.
net.ipv4.tcp_window_scaling = 0
# Disable response to broadcast icmp echo requests.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ...End CKJ additions for robustness and security
Chris
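An added check to go with the NFS port-fixing advice above (example code, not part of Chris's post or of the HOWTO): once /etc/sysconfig/nfs is in place and portmap/nfs have been restarted, the thing to verify before relying on the 4000:4003 iptables rules is that statd, lockd, mountd and rquotad really did bind to those ports instead of random high ones. The script reads "rpcinfo -p" style output on stdin and flags any service outside the expected ports. The port range is taken from the post; the two rpcinfo listings embedded below are constructed samples, not output from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): after fixing the NFS helper
# ports in /etc/sysconfig/nfs and restarting portmap/nfs, confirm that the
# RPC services actually landed on those ports before trusting the iptables
# rules. Reads "rpcinfo -p" style output on stdin; the port range comes from
# the post, and the sample outputs below are constructed, not system output.

FIXED_LO=4000   # lowest port permitted by the 4000:4003 iptables rule
FIXED_HI=4003   # highest port permitted by that rule

# check_rpc_ports: exit 0 when portmapper is on 111, nfs is on 2049 and every
# other registered service (status, nlockmgr, mountd, rquotad) is inside
# FIXED_LO..FIXED_HI; otherwise print each offender and exit 1.
check_rpc_ports() {
    awk -v lo="$FIXED_LO" -v hi="$FIXED_HI" '
        $1 == "program"    { next }                # skip the header line
        NF < 5             { next }                # ignore blank/odd lines
        $5 == "portmapper" {
            if ($4 + 0 != 111) { bad++; print "portmapper on unexpected port " $4 }
            next
        }
        $5 == "nfs" {
            if ($4 + 0 != 2049) { bad++; print "nfs on unexpected port " $4 }
            next
        }
        {
            port = $4 + 0
            if (port < lo + 0 || port > hi + 0) {
                bad++
                print $5 " (" $3 ") on unexpected port " $4 ": not covered by the firewall rules"
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample: what rpcinfo -p looks like once the fixed ports are in
# effect (status=4000, nlockmgr=4001, mountd=4002, rquotad=4003).
GOOD_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    3   udp   4001  nlockmgr
    100021    4   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100021    3   tcp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100011    1   udp   4003  rquotad
    100011    2   udp   4003  rquotad
    100011    1   tcp   4003  rquotad
    100011    2   tcp   4003  rquotad'

# Constructed sample: the same host before /etc/sysconfig/nfs was added;
# status and mountd were handed random high ports, which the 4000:4003 rule
# would silently drop.
BAD_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100021    1   udp   4001  nlockmgr
    100005    1   udp  32770  mountd
    100005    1   tcp  32771  mountd
    100003    2   tcp   2049  nfs'

# Demonstration on the constructed samples; on a live host pipe in the real
# listing instead:  rpcinfo -p | check_rpc_ports
printf '%s\n' "$GOOD_RPCINFO" | check_rpc_ports && echo "good sample: every helper is on a fixed port"
printf '%s\n' "$BAD_RPCINFO"  | check_rpc_ports || echo "bad sample: the iptables rules would not cover NFS"
```

The check deliberately looks at listening ports only; STATD_OUTGOING_PORT=4004 governs the source port statd uses for its own outbound calls and is matched by the ESTABLISHED,RELATED rule rather than by the 4000:4003 INPUT rule, so it does not appear in rpcinfo and is not something this script can verify.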