#1 - Senior Slacker (Devshed Newbie, 0 - 499 posts; joined Jul 2003; Houston, TX; 30 posts; rep power 12)

    Opening up a linux box behind a router

    Hi there,

    I have a linux box behind a router at home and was thinking about opening up ports 80 (http) and 22 (SSH), so I could access it from work. Are there any security issues in regards to opening these ports? Obviously someone could get in if they knew the password via SSH, but if they don't know the password, is there anything else I need to worry about?

    Thanks for any advice.....
    Cya,

    Jim
#2 - Banned ;) (Devshed Supreme Being, 6500+ posts; joined Nov 2001; Woodland Hills, Los Angeles County, California, USA; 9,615 posts; rep power 4247)
    >> but if they don't know the password is their anything else I need to worry about?
    About the only other thing you need to worry about is ensuring that your apache installation has the latest security patches.
#3 - Contributing User (Devshed Newbie, 0 - 499 posts; joined Aug 2002; NC, USA; 364 posts; rep power 12)
    Just like scorpion said, be sure that any services that you open up have the latest security fixes and patches applied. Other than that, you should be alright. If all that machine is going to be doing is ssh and webhosting, then it's a pretty good idea to set up iptables/ipchains to accept only that certain type of traffic, just to be safe.
#4 - Just another guy (Devshed Frequenter, 2500 - 2999 posts; joined Jun 2003; Wisconsin; 2,953 posts; rep power 262)
    Just a quick addition to be sure the suggestions by damon and Scorpions are clear: you need the latest security patches when you open up your machine, and you need to be sure to keep the latest updates on that machine. Just setting it up and forgetting is not enough. Just my .02.
#5 - Senior Slacker (Devshed Newbie, 0 - 499 posts; joined Jul 2003; Houston, TX; 30 posts; rep power 12)

    Thanks all

    Thanks all,

    I have downloaded and installed the latest patches for everything, and I have set the port for secure shell to something other than 22 (a little security through obscurity). I appreciate your time. It is really nice to access my computer from work, as I have all my scripts and programs at home I can now use (no more re-inventing the wheel). I was happily surprised at the speed of the connection (I have a cable modem); it's like I'm sitting in front of the computer at home.

    Thanks Again!
    Cya,

    Jim
#6 - Full Access (Devshed Regular, 2000 - 2499 posts; joined Jun 2000; London, UK; 2,019 posts; rep power 17)
    >> I have a linux box behind a router at home and was thinking about opening up ports 80 (http) and 22 (SSH), so I could access it from work.
    You can also restrict access to those ports to the IP address/range of addresses your work uses. You can do this on the Linux box using iptables.
    Alex
    (http://www.alex-greg.com)
#7 - Senior Slacker (Devshed Newbie, 0 - 499 posts; joined Jul 2003; Houston, TX; 30 posts; rep power 12)

    Even Better
    That sounds like a great idea. Can you tell me how, or point me in the right direction (maybe a link to some howto)?

    Thanks......
    Cya,

    Jim
#8 - Full Access (Devshed Regular, 2000 - 2499 posts; joined Jun 2000; London, UK; 2,019 posts; rep power 17)
    This should do it for you:
    Code:
    # Allow SSH and HTTP from the home LAN (assumes the 10.* range, see below)
    iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/8 -j ACCEPT

    # Allow SSH and HTTP from work (replace 555.555.555.555, see below)
    iptables -A INPUT -p tcp --dport 22 -s 555.555.555.555 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -s 555.555.555.555 -j ACCEPT

    # Let replies to the box's own outbound connections (e.g. fetching patches) back in
    iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Reject all other incoming TCP
    iptables -A INPUT -p tcp -j REJECT
    Replace 555.555.555.555 with your work IP address or network (e.g. to allow 555.555.* in, use 555.555.0.0/16 for the -s argument).

    I'm also assuming that your network at home uses the 10.* addressing range - if not, you will need to adjust that accordingly.
    Alex
    (http://www.alex-greg.com)
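Building on Alex's rule set, here is an added example (not code from the thread or from Alex): a POSIX shell script that checks the source addresses are real IPv4 ranges before they reach iptables, then prints a complete allow-list including the loopback and established-connection rules his snippet leaves out. It assumes 203.0.113.0/24 as the work network, 10.0.0.0/8 as the home LAN and 2222 as the moved SSH port from post #5; all three are placeholders.

```shell
#!/bin/sh
# Added example, not Alex's code. Builds the allow-list firewall from the
# thread, plus the rules his snippet leaves out. Placeholders (assumed):
# 203.0.113.0/24 = work network, 10.0.0.0/8 = home LAN, 2222 = moved SSH port.

# is_valid_cidr ADDR[/PREFIX]: succeed only for a real dotted-quad IPv4
# address, so a leftover placeholder such as 555.555.555.555 is caught
# before it reaches iptables.
is_valid_cidr() {
    ip=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32      # no "/", treat as a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip                             # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rules WORK_CIDR HOME_CIDR SSH_PORT: print (not run) the iptables
# commands. Default-deny, loopback, replies to the box's own outbound
# connections, new SSH/HTTP only from the listed sources, then log and drop.
build_rules() {
    work=$1; home=$2; ssh=$3
    is_valid_cidr "$work" && is_valid_cidr "$home" || return 1
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$work" "$home"; do
        echo "iptables -A INPUT -p tcp --dport $ssh -s $src -m conntrack --ctstate NEW -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport 80 -s $src -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
    echo "iptables -A INPUT -j DROP"
}

# Review the printed rules, then apply with:  build_rules ... | sudo sh
build_rules 203.0.113.0/24 10.0.0.0/8 2222
```

The LOG rule before the final DROP is what lets you see, in the kernel log, who is knocking on the closed ports once the box is exposed.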
