#1 2010-09-29 11:52:59

ftornell
Member
Registered: 2008-08-18
Posts: 277
Website

Arch secure "out-of-the-box"?

Hi!

I'm going to install a new "Family" server at home where my wife can access her documents and pictures placed on the server. At the same time I would like to access the server from my work using ssh.

I'm running Archlinux on my laptop and on my desktop; my wife uses Ubuntu on her laptop.

Some friends told me that Debian is one of the most stable Linux servers out there. But in the end I guess it's how things are configured and what type of services you have running.

I can install / configure the basic things needed for Arch to run on my laptop, done it a thousand times, but when it comes to security I have no idea how to protect the server.
If I place family photos and documents on the server I do want them to stay there! :)

So, the question is if I should go for my beloved Archlinux or are there any cons that should make me go for Debian or anything else?
If I need to do tons of things in Arch to make it secure if I go for a basic "SMB/CIFS" share feature and SSH server I might miss a few steps that make it insecure!

Thank you!


[ logicspot.NET | mempad.org ]
Archlinux x64

Offline

#2 2010-09-29 12:43:45

demian
Member
From: Frankfurt, Germany
Registered: 2009-05-06
Posts: 709

Re: Arch secure "out-of-the-box"?

Hi,

I think the "stable" primarily refers to the stability of Debian's packages - not its security. As far as security goes, it comes down to what software you use, if you keep it up to date and how you configure it. There's really not much difference between Linux distributions except that with Archlinux you have easy access to the current versions of software.

IMHO, most people make too much fuss about home security - all you need are good passwords.
Especially with SSH you have many options to make your server as secure as possible. Assuming you have a router, just make sure port forwarding is only done for the SSH service. Keep everything else (e.g. the samba server) within your LAN. Use a key and password for SSH and sshfs for remote file access.
Don't make user accounts without passwords and whenever you use passwords, make 'em strong ones. It also can't hurt to use a non-standard port for SSH.
Keep logs and look through them from time to time.

IF you're gonna be target of an "attack" it's most likely just a port-scan, looking for open ports like ftp/ssh and common username/password combinations. There's really not much potential harm there.

If you use WLAN or directly connect to the Internet it'll be more difficult to secure your PCs. Do you?

Last edited by demian (2010-09-29 12:58:37)


no place like /home
github

Offline

#3 2010-09-29 12:48:12

timm
Member
From: Wisconsin
Registered: 2004-02-25
Posts: 417

Re: Arch secure "out-of-the-box"?

And, IMHO, you should disable root logins in SSH.  Check out this thread as well: https://bbs.archlinux.org/viewtopic.php?id=105620

Offline

#4 2010-09-29 13:18:54

ftornell
Member
Registered: 2008-08-18
Posts: 277
Website

Re: Arch secure "out-of-the-box"?

Hi guys, thx for the input.
So if I use complex passwords and disable root login from SSH I would be pretty safe.

Every PC and Server are connected using WLAN or Cable (NAT) behind a D-Link Router.

What logs would a portscan or login attempts appear in?


[ logicspot.NET | mempad.org ]
Archlinux x64

Offline

#5 2010-09-29 14:15:05

demian
Member
From: Frankfurt, Germany
Registered: 2009-05-06
Posts: 709

Re: Arch secure "out-of-the-box"?

To detect and log a port scan you'd need a software firewall like iptables (included in the kernel). Your router keeps logs too, though, and you can probably have it send them to you via e-mail. I don't think this is necessary at all though, especially since you have only one port for SSH open. It's sufficient to look for authentication attempts in /var/log/auth.log.

You should prolly read up on how to secure your WLAN though.

Last edited by demian (2010-09-29 14:21:51)


no place like /home
github

Offline

#6 2010-09-29 14:18:03

Ashren
Member
From: Denmark
Registered: 2007-06-13
Posts: 1,229
Website

Re: Arch secure "out-of-the-box"?

Security steps to take concerning ssh

First of all use a high numbered port which you define in /etc/ssh/sshd_config.

You should enter only the IP range from which you wish to connect in /etc/hosts.allow, i.e.:

#
# /etc/hosts.allow
#
sshd: 192.168.0.
sshd: 136.56.67.
# End of file

Edit your /etc/security/access.conf to only allow root access from a local network:

+ : root : 192.168.0.0/24
- : ALL EXCEPT bob: ALL

Where bob is your user.

The following is only for the adventurous:
To test you can try adding "sshd: ALL: ALL" in hosts.allow, use port 22 and then see how many break-in attempts there are within 30 minutes. Use a proper password of course.

Then enable the above settings and observe how quiet your /var/log/messages becomes.

Offline

#7 2010-09-29 14:28:48

ftornell
Member
Registered: 2008-08-18
Posts: 277
Website

Re: Arch secure "out-of-the-box"?

Sweet, I'll give it a try!


[ logicspot.NET | mempad.org ]
Archlinux x64

Offline

#8 2010-09-29 20:58:28

aksdb
Member
Registered: 2007-10-07
Posts: 38

Re: Arch secure "out-of-the-box"?

Regarding WLAN security: I would advise installing a RADIUS server somewhere inside your LAN (or maybe directly on your WLAN router) and setting up WPA-EAP. That allows even username/password authentication for the WLAN access and is as secure as it can get (public key encryption, switching keys every few minutes, etc.).

Offline

#9 2010-09-30 06:33:27

ftornell
Member
Registered: 2008-08-18
Posts: 277
Website

Re: Arch secure "out-of-the-box"?

Had about 300 login attempts during the night... if they break in it will show in auth.log, right? If they haven't removed it! :)


[ logicspot.NET | mempad.org ]
Archlinux x64

Offline
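
Added example, not part of the original thread: one way to answer the question above from /var/log/auth.log, by counting failed sshd authentications per source address and listing any successful login from an address that failed earlier. The log lines are a constructed sample in OpenSSH's usual syslog format; the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample in OpenSSH's syslog line format (documentation IP ranges).
sample_log() {
cat <<'EOF'
Sep 30 02:11:04 server sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Sep 30 02:11:09 server sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Sep 30 02:11:15 server sshd[2105]: Invalid user test from 198.51.100.23
Sep 30 02:11:17 server sshd[2105]: Failed password for invalid user test from 198.51.100.23 port 40022 ssh2
Sep 30 07:58:40 server sshd[2290]: Accepted password for bob from 192.168.0.12 port 50514 ssh2
Sep 30 08:02:13 server sshd[2301]: Accepted password for bob from 203.0.113.7 port 51190 ssh2
EOF
}

# Print "count ip" per source of failed authentication attempts, busiest first.
# The address is taken after the LAST "from": the user name is chosen by the
# remote side and may itself be "from".
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed [^ ]+ for / {
         for (i = NF - 1; i >= 1; i--)
           if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print "user ip" for each successful login from an address that had failed
# attempts earlier in the log: review these first.
accepted_after_failures() {
  awk '/sshd\[[0-9]+\]: (Failed|Accepted) [^ ]+ for / {
         ip = ""
         for (i = NF - 1; i >= 1; i--)
           if ($i == "from") { ip = $(i + 1); break }
         if (ip == "") next
         if ($6 == "Failed") failed[ip]++
         else if (failed[ip] > 0) print $9, ip
       }'
}

# Read the log named on the command line, or the sample when none is given.
read_log() { if [ -n "${1:-}" ]; then cat "$1"; else sample_log; fi; }

echo "Failed attempts per address:"; read_log "${1:-}" | failed_by_ip
echo "Logins after earlier failures:"; read_log "${1:-}" | accepted_after_failures
```

Run it with the path to the log as the only argument; a login it lists may still be the legitimate user mistyping a password, so compare the address and time with what you expect.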

#10 2010-10-03 08:34:00

fijam
Member
Registered: 2009-02-03
Posts: 244
Website

Re: Arch secure "out-of-the-box"?

As ssh brute-force attacks are commonplace these days, it's a good idea to rely on key authentication only with some sort of filtering script (BlockHosts, Fail2Ban, Denyhosts, I personally prefer Sshguard + IPtables).

Basically, what you want to change in sshd_config is:

Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes

And don't forget to move your pubkey to authorized keys on the server first, or you can lock yourself out. And always keep your keys password-protected.

Last edited by fijam (2010-10-03 08:34:45)

Offline
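
Added example, not part of the original thread: a small audit of an sshd_config against the authentication settings listed in the post above. sshd uses the first value it reads for each keyword and keywords are case-insensitive, so the script reports that first value from the global section; `Protocol` and `RSAAuthentication` are left out because they only matter on OpenSSH versions that still support SSH protocol 1. The sample config and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample: the first PasswordAuthentication line wins, the
# ChallengeResponseAuthentication line is commented out, and the Match block
# must not be mistaken for a global setting.
sample_config() {
cat <<'EOF'
Port 22
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
#ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User bob
    PasswordAuthentication yes
EOF
}

# Print "STATUS keyword value" for each audited keyword, using its first
# occurrence before any Match line. UNSET means the sshd default applies.
audit_sshd_config() {
  awk '
    BEGIN {
      want["permitrootlogin"] = "no"; want["passwordauthentication"] = "no"
      want["permitemptypasswords"] = "no"
      want["challengeresponseauthentication"] = "no"
      want["pubkeyauthentication"] = "yes"
    }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    { sub(/[ \t]*=[ \t]*/, " ")                  # tolerate the Keyword=value form
      key = tolower($1); val = tolower($2) }
    key == "match" { exit }                      # global section ends here
    (key in want) && !(key in seen) { seen[key] = val }
    END {
      for (k in want) {
        if (!(k in seen)) print "UNSET", k, "(sshd default applies)"
        else if (seen[k] == want[k]) print "OK", k, seen[k]
        else print "WEAK", k, seen[k]
      }
    }' | sort -k2,2
}

# Audit the file named on the command line, or the sample when none is given.
if [ -n "${1:-}" ]; then audit_sshd_config < "$1"; else sample_config | audit_sshd_config; fi
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative check; the script is for reviewing a file before it is put in place.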

#11 2010-10-03 08:48:44

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: Arch secure "out-of-the-box"?

Key authentication is definitely the safer option, albeit less portable.

ftornell wrote:

Hi guys, thx for the input.
So if I use complex passwords and disable root login from SSH I would be pretty safe.

Every PC and Server are connected using WLAN or Cable (NAT) behind a D-Link Router.

What logs would a portscan or login attempts appear in?

/var/log/auth.log

shows you the login attempts - but you already seem to know. As far as security goes, I would make the iptables rules on the server pretty liberal; just make sure your router is well configured and isn't too lenient.

A simple fix to get rid of all the bots out there is to run ssh on a non-standard port. That weeds out 99,9% of those scans.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy

Offline

#12 2010-10-03 09:10:27

fijam
Member
Registered: 2009-02-03
Posts: 244
Website

Re: Arch secure "out-of-the-box"?

.:B:. wrote:

Fijam: I think you mean it's not that safe to rely on password authentication, key authentication being the safer option ;).

Although English is my second language I have no idea how my post implied otherwise. To clarify, encrypted keys > password authentication :)

Offline

#13 2010-10-03 09:34:54

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: Arch secure "out-of-the-box"?

All on my side, I totally misread your statement. My apologies :).


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy

Offline
