Chris-P n00b
Joined: 30 Jan 2004 Posts: 62 Location: South West United Kingdom
Posted: Thu Apr 15, 2004 10:38 pm Post subject: Gentoo box in an open DMZ...
Hi folks,
I'm wondering about the potential security implications regarding the following hypothetical set-up:
Say I have a basic console-only Gentoo box, running a game server. The install has no fancy features installed, but would run the XINETD daemon to allow me to Telnet in from another box on my LAN. I'll set XINETD to allow only a single instance of a Telnet session, and only from my other box's LAN IP. I know SSH would perhaps be a better choice of remote login here. The remote login would be limited to one LAN-side IP address.
The game server runs in a screen session - and at the times I am not logged into the server box it is logged out and waiting for a user login. The box has two users, root and a standard user - both using strong non-trivial passwords. The game server's screen session would run under the standard user account - not root. The box would contain no sensitive information - just a basic Gentoo and the game. The game and its main files are set to read-only for the standard user - only its logfiles are writeable under this account.
Now, say I place this box in my router's DMZ - el-cheapo router, so basically all ports wide-open to this box's IP, no firewall but the router drops WAN-side pings - what is the potential for a hacker to actually login to this box? Or what are other potential implications?
For this example let's say this box will never run any additional software firewall.
Just curious as to how exposed this system would be to external abuse.
sak102010 Tux's lil' helper
Joined: 08 Jun 2003 Posts: 82
Posted: Thu Apr 15, 2004 10:58 pm Post subject:
I'd strongly suggest using SSH for your remote login. Telnet sends login and password information in plain text, which can be picked up via eavesdropping.
Since all the ports are going to be open on your el-cheapo router, why not just build Netfilter into your Gentoo game box and close off everything but SSH and whatever ports the game server needs?
In my view, it never hurts to do whatever you can to add a little security to an otherwise publicly accessible machine.
_________________
Thanks,
Sak
Chris W l33t
Joined: 25 Jun 2002 Posts: 972 Location: Brisbane, Australia
Posted: Thu Apr 15, 2004 11:14 pm Post subject:
If the only services running on the box are your game server and the xinetd then there's not too much to attack. However, the server is open to denial of service types of attack, so you should consider using Netfilter to implement rate limiting and logging. Another layer of defence is almost always better.
Using SSH with public keys will seriously reduce the risk of compromise because they'd have to spoof an address and guess a huge key that is never passed across the wire. If and when you su to root the password is protected, unlike the situation with telnet.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
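A Netfilter ruleset that does what both replies suggest for the DMZ box (default-drop, SSH only from the single admin LAN address, the game port open but rate-limited, everything else logged then dropped), added here as an example that is not code from the thread. The admin address 192.168.1.10, the game port UDP 27015 and the `FW-` log prefixes are constructed placeholders; sshd is assumed to have replaced the xinetd telnet service.

```shell
#!/bin/sh
# Added example: Netfilter policy for the open-DMZ game box in this thread.
# Constructed assumptions: admin workstation is 192.168.1.10, the game
# listens on UDP 27015, sshd (TCP 22) has replaced the xinetd telnet login.
ADMIN_IP="${ADMIN_IP:-192.168.1.10}"   # only LAN host allowed to reach sshd
GAME_PORT="${GAME_PORT:-27015}"         # placeholder game server port
GAME_PROTO="${GAME_PROTO:-udp}"

# Emit the ruleset in iptables-restore format. INPUT defaults to DROP, so
# every port the cheap router forwards stays closed unless a rule opens it.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# SSH: one admin address only, new sessions rate-limited, the rest logged.
-A INPUT -p tcp --dport 22 -s ${ADMIN_IP} -m state --state NEW -m limit --limit 3/min --limit-burst 5 -j ACCEPT
-A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "FW-SSH-DROP: " --log-level 4
-A INPUT -p tcp --dport 22 -j DROP
# Game port is public by design; drop any single source above 200 pkt/s.
-A INPUT -p ${GAME_PROTO} --dport ${GAME_PORT} -m hashlimit --hashlimit-name game --hashlimit-mode srcip --hashlimit-above 200/sec -j DROP
-A INPUT -p ${GAME_PROTO} --dport ${GAME_PORT} -j ACCEPT
# Anything else the router lets through: log (rate-limited), then drop.
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: " --log-level 4
COMMIT
EOF
}

# List the destination ports any ACCEPT rule opens; review before applying.
open_ports() {
    gen_rules | grep -- '-j ACCEPT' | sed -n 's/.*--dport \([0-9]*\).*/\1/p' | sort -un
}

case "${1:-show}" in
    apply) gen_rules | iptables-restore ;;   # as root; loads the table atomically
    show)  gen_rules ;;
esac
```

Run it without arguments to review the generated rules, and `open_ports` should list only 22 and the game port; `apply` as root loads them with iptables-restore so the box is never half-configured.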