RE: Linux Home Server HOWTO - Open For Review

Is this available as a download in PDF format?

Thanks

-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx
[mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Christopher K. Johnson
Sent: Saturday, January 08, 2005 10:48 AM
To: For users of Fedora Core releases
Subject: Re: Linux Home Server HOWTO - Open For Review


Miles Brennan wrote:

> I am still interested in feedback.
>
> Linux Home Server HOWTO: www.brennan.id.au

This is an excellent introductory document for beginners - balancing concepts with practical examples.
I do have some feedback.

In the SSH section - I highly recommend disabling protocol 1, making the sshd_config line:
Protocol 2
In my deployments I use the AllowGroups restriction you indicated, but also disable password authentication and deploy keys as the authentication method.  But that is probably overkill for beginning users.  I recommend you create a more advanced topics document when this one is completed, and insert links to it for the key based authentication topic.  Other ideas for the more advanced tutorial would be:
- Package Management - creating and using a local repository mirror - useful for larger scale Linux deployments, or when your home network does not have broadband Internet, but your Linux laptop occasionally does ;).
- Creating and using an nfs exported installation image for installs.
- Use of kickstart to automate installs.
- LDAP based authentication/authorization of users to httpd.
- Configuration of WebDAV folders in httpd (with SSL), as an alternative to FTP.
- Use of limit in iptables for some protection against attacks on permitted services, or against storms of denied packets rapidly generating log messages.

Back to the current document.
In the NFS section - an nfs3 configuration for which access can be restricted by firewall rules can be achieved easily.
Add /etc/sysconfig/nfs as follows
------------------ start of /etc/sysconfig/nfs --------------------------
# /etc/sysconfig/nfs
# Created 7-5-2004 by Christopher K. Johnson
# Based on earlier work by Chris Lowth,
# adjusted to use features supported by unmodified Fedora Core 2 init scripts.

# The following may be relevant in a virtual host environment
#STATD_HOSTNAME=

STATD_PORT=4000
STATD_OUTGOING_PORT=4004

LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001

MOUNTD_PORT=4002

#Also see /etc/services to set rpc.rquotad port to 4003
# rquotad        4003/tcp        # Fix a port for rpc.rquotad
# rquotad        4003/udp        # Fix a port for rpc.rquotad
------------------ end of /etc/sysconfig/nfs --------------------------

Then make the additions to /etc/services (not commented out) as suggested by comments in the nfs file.
When portmap and nfs services are restarted they will use ports 4000:4003 tcp/udp in addition to 111 and 2049, not random high ports.  So iptables rules can be designed accordingly.  The following works as an insert in the typical system-config-security provided iptables:
# Permit NFS access sample
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT

You will need to adjust those rules consistent with your scripted iptables implementation.

By the way I believe in a stateful firewall the inquiries initiated by ntpd do not need firewall rules to permit their response.  It is only when broadcasts are listened for that a firewall hole is needed to listen for them.  So when using specific ntp servers and you have a rule such as your:
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
...then ntpd should work fine.  It appears that the insertion of iptables rules in the ntpd start script is no longer done in FC3.  If memory serves - those specifically targeted the RH-Firewall-1-INPUT table anyhow, and you are not using that table.

Lastly I would include a small section below Packet Forwarding within Firewall Concepts to introduce the use of sysctl.conf control of ecn and tcp window scaling since these can cause problems with some routers, firewalls, etc.  So knowing how to turn them off is useful.  Here is the snippet I add to sysctl.conf:
# Start CKJ additions for robustness and security...
# Disable TCP ECN which some routers and servers cannot handle.
net.ipv4.tcp_ecn = 0

# Disable TCP window scaling which some routers and firewalls cannot handle.
net.ipv4.tcp_window_scaling = 0

# Disable response to broadcast icmp echo requests.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# ...End CKJ additions for robustness and security

Chris

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
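An added check, not part of the HOWTO or of Chris's post above: once the ports are pinned in /etc/sysconfig/nfs and portmap and nfs have been restarted, the thing worth confirming is that every RPC service an NFS client will contact is actually bound to a port the quoted iptables rules open (111, 2049, 4000:4003). If one daemon did not pick up its setting and still sits on a random high port, mounts hang at the firewall and the failure is hard to see. The script below reads `rpcinfo -p` style output and reports any binding outside that set. The two rpcinfo samples are constructed for offline use (one correct, one with mountd/udp left on a high port), and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Verify that the RPC services NFS depends on are bound to the fixed ports
# that /etc/sysconfig/nfs pins, so the firewall rules quoted in the post
# actually cover them. Example code, not from the HOWTO or the list post.

# CONSTRUCTED sample of `rpcinfo -p` output: every binding on a covered port.
GOOD_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd'

# CONSTRUCTED sample where mountd/udp ignored MOUNTD_PORT and took a
# random high port; the quoted iptables rules would silently block it.
BAD_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp  32769  mountd
    100005    1   tcp   4002  mountd'

# check_rpc_ports: read rpcinfo -p output on stdin and print one line per
# binding that is outside the permitted set (111, 2049, 4000-4003).
# Exit status 0 when every binding is covered by the firewall rules, 1 otherwise.
check_rpc_ports() {
    awk '
        NR == 1 { next }                       # skip the column header
        NF < 5  { next }                       # ignore anything malformed
        {
            port = $4 + 0
            ok = (port == 111 || port == 2049 || (port >= 4000 && port <= 4003))
            if (!ok) {
                printf "UNCOVERED %s/%s on port %d\n", $5, $3, port
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# count_uncovered: number of uncovered bindings in the text passed as $1.
count_uncovered() {
    printf '%s\n' "$1" | check_rpc_ports | wc -l | tr -d ' '
}

# On a real host:  rpcinfo -p | check_rpc_ports
# Offline demonstration with the constructed bad sample:
printf '%s\n' "$BAD_RPCINFO" | check_rpc_ports \
    || echo "some RPC bindings are not covered by the NFS firewall rules"
```

Run it after every restart of portmap and nfs rather than once; the pinned ports only hold as long as the init scripts keep honouring /etc/sysconfig/nfs, and a package update can change that.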

