Linux Home Server HOWTO - Open For Review

Christopher K. Johnson ckjohnson at gwi.net
Sat Jan 8 15:47:33 UTC 2005


Miles Brennan wrote:

> I am still interested in feedback.
>
> Linux Home Server HOWTO: www.brennan.id.au

This is an excellent introductory document for beginners - balancing 
concepts with practical example.
I do have some feedback.

In the SSH section - I highly recommend disabling protocol 1, making the 
sshd_config line:
Protocol 2
In my deployments I use the AllowGroups restriction you indicated, but 
also disable password authentication and deploy keys as the 
authentication method.  But that is probably overkill for beginning 
users.  I recommend you create a more advanced topics document when this 
one is completed, and insert links to it for the key based 
authentication topic.  Other ideas for the more advanced tutorial would be:
- Package Management - creating and using a local repository mirror - 
useful for larger scale Linux deployments, or when your home network 
does not have broadband Internet, but your Linux laptop occasionally does ;).
- Creating and using an nfs exported installation image for installs.
- Use of kickstart to automate installs.
- LDAP based authentication/authorization of users to httpd.
- Configuration of WebDAV folders in httpd (with SSL), as an alternative 
to FTP.
- Use of limit in iptables for some protection against attacks on 
permitted services, or against storms of denied packets rapidly 
generating log messages.

Back to the current document.
In the NFS section - an nfs3 configuration for which access can be 
restricted by firewall rules can be achieved easily.
Add /etc/sysconfig/nfs as follows
------------------ start of /etc/sysconfig/nfs --------------------------
# /etc/sysconfig/nfs
# Created 7-5-2004 by Christopher K. Johnson
# Based on earlier work by Chris Lowth,
# adjusted to use features supported by unmodified Fedora Core 2 init
# scripts.

# The following may be relevant in a virtual host environment
#STATD_HOSTNAME=

STATD_PORT=4000
STATD_OUTGOING_PORT=4004

LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001

MOUNTD_PORT=4002

#Also see /etc/services to set rpc.rquotad port to 4003
# rquotad        4003/tcp        # Fix a port for rpc.rquotad
# rquotad        4003/udp        # Fix a port for rpc.rquotad
------------------ end of /etc/sysconfig/nfs --------------------------

Then make the additions to /etc/services (not commented out) as 
suggested by comments in the nfs file.
When portmap and nfs services are restarted they will use ports 
4000:4003 tcp/udp in addition to 111 and 2049, not random high ports.  
So iptables rules can be designed accordingly.  The following works as 
an insert in the typical system-config-security provided iptables:
# Permit NFS access sample
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT

You will need to adjust those rules consistent with your scripted 
iptables implementation.

By the way I believe in a stateful firewall the inquiries initiated by 
ntpd do not need firewall rules to permit their response.  It is only 
when broadcasts are listened for that a firewall hole is needed to 
listen for them.  So when using specific ntp servers and you have a rule 
such as your:
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
...then ntpd should work fine.  It appears that the insertion of 
iptables rules in the ntpd start script is no longer done in FC3.  If 
memory serves - those specifically targeted the RH-Firewall-1-INPUT 
table anyhow, and you are not using that table.

Lastly I would include a small section below Packet Forwarding within 
Firewall Concepts to introduce the use of sysctl.conf control of ecn and 
tcp window scaling since these can cause problems with some routers, 
firewalls, etc.  So knowing how to turn them off is useful.  Here is the 
snippet I add to sysctl.conf:
# Start CKJ additions for robustness and security...
# Disable TCP ECN which some routers and servers cannot handle.
net.ipv4.tcp_ecn = 0

# Disable TCP window scaling which some routers and firewalls cannot handle.
net.ipv4.tcp_window_scaling = 0

# Disable response to broadcast icmp echo requests.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# ...End CKJ additions for robustness and security

Chris
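An added sanity check, not part of Chris's mail, for the fixed-port NFS setup above: it confirms that every RPC service registered with portmap actually sits on a port the iptables rules permit (111, 2049, 4000:4003), which catches a daemon such as rquotad that was not pinned in /etc/services and silently took a random high port. The sample `rpcinfo -p` output embedded below is constructed; on a live host feed it `rpcinfo -p` output instead.

```shell
#!/bin/sh
# Check that the RPC services registered with portmap are on the fixed
# ports the firewall rules above allow.  A daemon that fell back to a
# random high port is either unreachable through the firewall or, if the
# firewall is wider than intended, reachable on a port nobody planned for.

# Constructed sample of `rpcinfo -p` output on a host where rquotad was
# NOT pinned in /etc/services and therefore took a random port.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp  32769  rquotad
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# check_rpc_ports RPCINFO_TEXT
# Prints one line per registration outside the permitted port set and
# returns 1 if there were any; returns 0 and prints nothing otherwise.
check_rpc_ports() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        NR == 1 || NF < 5 { next }        # skip the header and blank lines
        { svc = $5; proto = $3; port = $4 + 0 }
        svc == "portmapper" && port == 111 { next }
        svc == "nfs" && port == 2049 { next }
        port >= 4000 && port <= 4003 { next }
        { printf "%s/%s on port %d is not covered by the firewall rules\n", svc, proto, port
          bad = 1 }
        END { exit bad }
    '
}

# Live usage would be: check_rpc_ports "$(rpcinfo -p)"
if check_rpc_ports "$SAMPLE_RPCINFO"; then
    echo "all RPC registrations are on permitted ports"
fi
```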
