> OK, so far, we're running exclusively as root user.
>
> Usually, we consider that the larger the number of users, the less secure
> a given system becomes.
>
Dedicated users created in order to follow a "least privilege" policy
are usually more secure than running everything as the superuser (as
Windows 98 does). But for the number of shell accounts this holds
true.
> Using ssh to remotely access the firewall and without telnet and ftp
> allowed, the firewall appears to be moderately secure.
>
> However, it bothers us that we can use Putty to connect from any machine
> anywhere, as long as we know the root password! Somehow, we thought
> that ssh would be more difficult ;<
>
You can restrict the address range using the ListenAddress directive in
your /etc/ssh/sshd_config (to, for example, a single IP). Also, you can
disable password authentication and switch to RSA keys as the only
method allowed. (You have to copy your public key to the authorized_keys
file inside /root/.ssh/ - see the howtos for details.)
If you are paranoid (and you probably want to be if you ask the question
in the first place), you generate a huge key, choose a long passphrase
and store it on a Linux/OpenBSD PC to which you have exclusive access
(you can't trust Windows not to "cache" your passphrase and send it to
Bill Gates together with your private key >;-).
In general this should make your firewall as secure as the private key
is (assuming that RSA is secure with sufficient key size, but if RSA is
broken, your firewall will be a minor problem, I guess).
> Now that we have ``su'' working, it occurs to us that it might be
> prudent -- and, considerably more secure? -- to disallow ssh root login
> and create a couple of mortal users, only a couple of whom know the root
> password.
It might be an option to add a mortal user and allow ssh access
exclusively to this person via RSA authentication, who then additionally
needs to know the root password for su.
However, adding several mortal users doesn't seem to do any good, since
this just makes it easier to get hold of one private RSA key/one
password, which will be sufficient to gain unauthorized access (leaving
only the root password ahead of complete control).
> How secure is our firewall?
I would estimate that using a physically write-protected boot floppy and
no software that you don't need (there's no place for it anyhow) is a
good strategy for minimizing any risks.
Additionally, keeping up to date with all security-related updates to
the software actually installed is probably part of the homework that
nobody can afford to go without, if concerned about security at all.
Of course it would be nice to have regular code audits happen on all the
software involved, but this would mean that developers would have to
spend lots of time dedicated to this task (it might be feasible to do,
however, since there is not so much software to worry about - compared
to a full-blown hard-disk-based desktop system, that is). I am relatively
new to LRP and all its spin-offs, so I don't know if this has been
happening.
What actually worries me most is that somebody might break in at night,
take out the floppy, modify it as he pleases and reboot the router.
Turning around the floppy drive helps, but most people know how to use a
screwdriver. But as soon as someone is able to get physical access to
your computers, you're in a lot of mess anyhow.
Has somebody thought about something like creating checksums of your
floppy and checking it regularly? Of course an attacker might modify the
floppy and make it still send the old checksum, or even better:
duplicate the floppy, modify the copy, reboot from it and replace it
with the original. Who knows how long it would take anyone to notice the
difference?
Just some thoughts.
Fabian
--
Fabian Linzberger - [EMAIL PROTECTED] - (0699/1)9568768
Fighting for Socialism: www.worldsocialist-cwi.org - www.slp.at
Do yourself a favor - use and support Debian/GNU Linux
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
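The floppy checksum idea raised in the mail above, as an added example that is not part of the original message or of the LRP/LEAF project: a POSIX shell script that records a SHA-256 baseline of every file on the boot floppy and later re-checks it, reporting modified, added or removed files. It assumes the floppy (or an image extracted from it) is mounted on a trusted machine; the paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original mail). Record a SHA-256 baseline of a
# mounted LEAF/LRP boot floppy and verify it later. As the mail notes, a
# checksum reported by the router itself can be faked, so keep the baseline
# on the trusted PC that holds your ssh key and run verify() there against a
# mount or extracted image of the floppy. Paths such as /mnt/floppy are
# assumptions.
set -u

# Use sha256sum (GNU coreutils) or fall back to shasum (BSD/macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi
}

# baseline DIR OUTFILE: write "hash  ./relative/path" for every regular
# file under DIR, in a fixed order so two runs are byte-comparable.
baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      hash_file "$f"
    done ) > "$2"
}

# verify DIR BASELINE: recompute the listing and compare it with the saved
# baseline. Returns 0 when the floppy matches; otherwise prints the changed,
# added or removed entries on stderr and returns 1 (an edited binary, an
# extra file, or a deleted file all show up as a diff line).
verify() {
  current=$(mktemp)
  baseline "$1" "$current"
  if cmp -s "$2" "$current"; then
    rm -f "$current"
    return 0
  fi
  echo "ALERT: $1 differs from baseline $2:" >&2
  diff "$2" "$current" >&2 || true
  rm -f "$current"
  return 1
}

# Typical use on the trusted PC (paths are placeholders):
#   baseline /mnt/floppy "$HOME/router-floppy.sha256"   # once, after build
#   verify   /mnt/floppy "$HOME/router-floppy.sha256"   # from cron, later
```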