July 12th, 2003, 01:58 PM
Opening up a linux box behind a router
I have a linux box behind a router at home and was thinking about opening up ports 80 (http) and 22 (SSH), so I could acces it from work. Are there any security issues in regaurds to opening these ports? Obviously someone could get in if they knew the password via SSH but if they don't know the password is their anything else I need to worry about?
Thanks for any advice.....
July 12th, 2003, 02:31 PM
>> but if they don't know the password is their anything else I need to worry about?
About the only other thing you need to worry about is ensuring that your apache installation has the latest security patches.
July 12th, 2003, 04:53 PM
Just like scorpion said, be sure that any services that you open up have the lastest security fixes and patches applied. Other than that, you should be alright. If all that machine is going to be doing is ssh and webhosting then it's a pretty good idea to setup iptables/ipchains to accept only that certain type of traffic just to be safe.
July 14th, 2003, 09:57 AM
Just a quick addition to be sure the suggestions by damon and Scorpions are clear: you need the latest security patches when you open up your machine, and you need to be sure to keep the latest updates on that machine. Just setting it up and forgetting is not enough. Just my .02.
July 14th, 2003, 10:23 AM
I have downloaded and installed the latest patches for everything and I have set the port for secure shell to something other than 22 (a little security through obscurity). I appreciate your time. It is really nice to access my computer from work as I have all my scripts and programs at home I can now use (no more re-inventing the wheel). I was happily suprised at the speed of the connection (I have a cable modem), it's like I'm sitting in front of the computer at home.
July 15th, 2003, 08:21 AM
You can also restrict access to those ports to the IP address/range of addresses your work uses. You can do this on the Linux box using iptables.
July 15th, 2003, 08:39 AM
That sounds like a great idea. Can you tell me how or point me in the right direction (Maybe a link to some howto)
July 15th, 2003, 08:58 AM
This should do it for you:
Replace 555.555.555.555 with your work IP address or network (e.g. to allow 555.555.* in, use: 555.555.0.0/16 for the -s argument.
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 555.555.555.555 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 555.555.555.555 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT
I'm also assuming that your network at home uses the 10.* addressing range - if not, you will need to adjust that accordingly.