bfelger n00b
Joined: 19 Feb 2003 Posts: 47 Location: Augusta, GA
Posted: Wed Jun 16, 2004 2:19 pm    Post subject: Trying to lock down my box
I've only lately become aware of the need for tighter security on my gentoo box after both my roommates' XP boxes on our VPN got hacked.
The first thing I did was close off all external ports on the router except 22, which gets routed to my box (I need external SSH access). I set up sshd to require both pubkey and password authentication, and made it so ping requests get tossed.
So, it looks like my box is airtight for attackers coming in from outside. However, I do not trust the security of the other boxes on the VPN, nor do I trust the router itself (I hear Linksys is easy to hack). If they gain access to any of these, they'll see that I have open ports for X11, samba, cups, and possibly CVS.
How can I close off all external ports on the gentoo box itself except port 22? How do I allow access to an open Samba port, but only for specific IPs on the VPN? Is there something else I'm missing?
rmalolepszy Apprentice
Joined: 01 Jan 2004 Posts: 167
Posted: Wed Jun 16, 2004 3:01 pm
You can create samba access lists within samba.
You can also use IPTables, or another form of firewall, to restrict access to/from ports and to/from hosts.

Cheers,
Ryan
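Added example (not posted by anyone in this thread): the iptables approach Ryan mentions, worked through for bfelger's setup. It builds a ruleset in iptables-restore format that drops everything reaching the box itself except SSH, admits Samba only from named VPN hosts, and leaves X11, CUPS and CVS unreachable from the network. The two peer addresses (192.168.1.10 and 192.168.1.11) are constructed sample values standing in for the roommates' XP boxes; the subnet and port numbers are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables ruleset (iptables-restore
# format) that closes every port on the box itself except SSH and lets only named
# VPN hosts reach Samba. Apply with:  gen_rules | iptables-restore
# The two peer addresses are constructed sample values for the roommates' XP boxes.

SSH_PORT=22
SAMBA_PEERS="192.168.1.10 192.168.1.11"

gen_rules() {
    printf '%s\n' '*filter'
    # Default-deny inbound and forwarded traffic; outbound stays open.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback must stay open: X11, CUPS on 127.0.0.1:631 and SSH port forwards use it.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, plus related ICMP errors (so PMTU
    # discovery keeps working even though echo-request is dropped below).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # SSH from anywhere: the router forwards 22 to this box.
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    # Samba only from the trusted peers: NetBIOS name/datagram (137,138/udp),
    # NetBIOS session (139/tcp) and direct-hosted SMB (445/tcp).
    for peer in $SAMBA_PEERS; do
        printf '%s\n' "-A INPUT -s $peer -p udp -m multiport --dports 137,138 -j ACCEPT"
        printf '%s\n' "-A INPUT -s $peer -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT"
    done
    # No rule for X11 (6000/tcp), CUPS (631), CVS pserver (2401) or echo-request:
    # they fall through to the INPUT DROP policy, so the other VPN hosts and the
    # router never see them.
    printf '%s\n' 'COMMIT'
}

# Number of Samba ACCEPT rules in the generated set: two per trusted peer.
count_samba_rules() {
    gen_rules | grep -c -- '--dports 13[79],'
}

# Is a given TCP port admitted from an arbitrary source? Exit 0 = yes.
# Crude check: only rules without a -s restriction count as "from anywhere".
port_open_to_world() {
    gen_rules | grep -v -- ' -s ' | grep -q -- "--dport $1 "
}
```

Run `gen_rules` first and read the output before piping it into `iptables-restore`; with the INPUT policy at DROP, a typo in the SSH rule locks you out of a remote box, so keep a console or a cron job that flushes the rules until you have confirmed SSH still answers.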
grimm26 Guru
Joined: 23 May 2004 Posts: 313 Location: Chicagoland, IL
Posted: Wed Jun 16, 2004 3:01 pm
tcp_wrappers is your friend. man hosts_access and hosts_options to learn how to set up your /etc/hosts.allow and /etc/hosts.deny. That will at least help with locking down sshd better.
For samba, you would NEVER want anything beyond your own LAN to access that IMHO. Make sure in your /etc/smb.conf you have something like:
Code:
    # localhost and the LAN may connect; every other address is refused
    hosts allow = 127.0.0.1 192.168.1.0/24
    hosts deny = 0.0.0.0/0
I'm not sure how to protect X very well other than making sure you use magic cookies, but that only helps for securing a session, not for securing the daemon itself.
For cups, the cupsd.conf reads a lot like an apache httpd.conf. The default looks like this:
Code:
    <Location />
    # deny everyone first, then re-allow only the local host
    Order Deny,Allow
    Deny From All
    Allow From 127.0.0.1
    </Location>
That only allows access from localhost, so you should be safe.
Unless you are running the CVS service on your box, you don't need to worry. Just having the client binaries installed is not a risk for remote attack.

"Blessed is he who finds happiness in his own foolishness, for he will always be happy".
bfelger n00b
Joined: 19 Feb 2003 Posts: 47 Location: Augusta, GA
Posted: Wed Jun 16, 2004 3:41 pm
You're right, I have no intention of sharing outside the LAN. I only want my roommates to access certain folders on my box from Windows XP.
Incidentally, I do, in fact, want to run a CVS server with external access. What I want though, is for it to be tunneled through SSH, so only people with my SSH key have access to it. I was thinking the same thing for X11.
Thanks for the tips.