* [gentoo-user] Hardening a laptop for travel
From: Grant @ 2007-12-08 13:35 UTC
To: Gentoo mailing list
I have shorewall set up on my router but I haven't set up anything
security-wise for my laptop which normally sits behind the router.
What should I be setting up on the laptop in preparation for traveling
and connecting via a foreign network or even directly to the Internet?
I don't run sshd on the laptop. I would think shorewall, but am I
forgetting anything?
# rc-update -s
alsasound | boot
bootmisc | boot
checkfs | boot
checkroot | boot
clock | boot
consolefont | boot
hald | default
hostname | boot
keymaps | boot
local | default nonetwork
localmount | boot
metalog | default
modules | boot
net.eth0 | default
net.lo | boot
netmount | default
ntp-client | default
ntpd | default
rmnologin | boot
urandom | boot
vixie-cron | default
xdm | default
xfs | default
- Grant
--
gentoo-user@gentoo.org mailing list
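The rc-update list above includes daemons that can hold network-facing ports (ntpd binds UDP 123; xfs and an X server started by xdm listen on TCP unless configured not to), and the first thing to know before hardening is which sockets are actually reachable from outside. The audit script below is an added example, not code from the thread: it parses `netstat -lntup` output and prints only the listeners that are not confined to loopback. The sample netstat output embedded in it is constructed for the demonstration and is not from the poster's machine.

```sh
#!/bin/sh
# Pre-travel listener audit. Added example, not code from the thread.
# Reads `netstat -lntup` output (or the constructed sample below) and reports
# every socket bound to something other than a loopback address: those are the
# ports a default-DROP firewall has to cover, and the services worth disabling.

# exposed_listeners: stdin = netstat -lntup output,
# stdout = "proto host port program" for each listener not confined to loopback
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            # split "addr:port" on the LAST colon, since IPv6 addresses contain colons
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[^:]*$/, "", host)
            if (host ~ /^127\./ || host == "::1" || host == "localhost") next
            prog = $NF
            # netstat prints "-" when it cannot map the socket to a process
            # (without root it only sees your own processes)
            if (index(prog, "/") == 0) prog = "?"
            print $1, host, port, prog
        }'
}

# Constructed sample (NOT from the poster's system); column layout follows
# netstat -lntup on a 2.6-era Linux box.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1201/master
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1400/X
tcp6       0      0 :::7100                 :::*                    LISTEN      1322/xfs
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1288/ntpd
udp        0      0 192.168.0.5:123         0.0.0.0:*                           1288/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1288/ntpd'

# exposed_count: number of network-reachable listeners in the sample
exposed_count() {
    printf '%s\n' "$SAMPLE" | exposed_listeners | wc -l | tr -d ' '
}

if [ "${1:-sample}" = "live" ]; then
    netstat -lntup 2>/dev/null | exposed_listeners
else
    printf '%s\n' "$SAMPLE" | exposed_listeners
fi
```

Run it as root with `live` on the laptop itself; without root, netstat cannot attribute other users' sockets to a program, so the program column shows `?`. On the constructed sample the audit reports four exposed listeners (X on 6000, xfs on 7100, ntpd on 123 twice) and silently drops the two loopback-only ones.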
* Re: [gentoo-user] Hardening a laptop for travel
From: Andrey Falko @ 2007-12-08 18:41 UTC
To: gentoo-user
On Dec 8, 2007 8:35 AM, Grant <emailgrant@gmail.com> wrote:
> I have shorewall set up on my router but I haven't set up anything
> security-wise for my laptop which normally sits behind the router.
> What should I be setting up on the laptop in preparation for traveling
> and connecting via a foreign network or even directly to the Internet?
> I don't run sshd on the laptop. I would think shorewall, but am I
> forgetting anything?
>
At the very least I'd do the following with iptables:
# default-deny inbound: anything not accepted below is dropped
iptables -P INPUT DROP
# loopback needs an explicit accept, or local clients of 127.0.0.1 hit the DROP policy
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# with the default OUTPUT policy of ACCEPT this rule changes nothing on its own
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
This will make sure that there are no incoming connections except those that
you initiated.
>
> # rc-update -s
> alsasound | boot
> bootmisc | boot
> checkfs | boot
> checkroot | boot
> clock | boot
> consolefont | boot
> hald | default
> hostname | boot
> keymaps | boot
> local | default nonetwork
> localmount | boot
> metalog | default
> modules | boot
> net.eth0 | default
> net.lo | boot
> netmount | default
> ntp-client | default
> ntpd | default
> rmnologin | boot
> urandom | boot
> vixie-cron | default
> xdm | default
> xfs | default
>
> - Grant
* Re: [gentoo-user] Hardening a laptop for travel
From: Mick @ 2007-12-10 12:56 UTC
To: gentoo-user
On Saturday 08 December 2007, Andrey Falko wrote:
> On Dec 8, 2007 8:35 AM, Grant <emailgrant@gmail.com> wrote:
> > I have shorewall set up on my router but I haven't set up anything
> > security-wise for my laptop which normally sits behind the router.
> > What should I be setting up on the laptop in preparation for traveling
> > and connecting via a foreign network or even directly to the Internet?
> > I don't run sshd on the laptop. I would think shorewall, but am I
> > forgetting anything?
>
> At the very least I'd do the following with iptables:
>
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
This line is only needed if you want to forward packets to another
iface/device (i.e. when your laptop is acting as a router and the input
interface is eth0).
--
Regards,
Mick
* Re: [gentoo-user] Hardening a laptop for travel
From: Grant @ 2007-12-10 16:50 UTC
To: gentoo-user
> > > I have shorewall set up on my router but I haven't set up anything
> > > security-wise for my laptop which normally sits behind the router.
> > > What should I be setting up on the laptop in preparation for traveling
> > > and connecting via a foreign network or even directly to the Internet?
> > > I don't run sshd on the laptop. I would think shorewall, but am I
> > > forgetting anything?
> >
> > At the very least I'd do the following with iptables:
> >
> > iptables -P INPUT DROP
> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> This line is only needed if you want to forward packets to another
> iface/device (i.e. when your laptop is acting as a router and the input
> interface is eth0).
Alright I guess I'll just set up shorewall on the laptop with a config
similar to the router's. Maybe I'll set up shorewall on the other
system in my local network while I'm at it.
- Grant
* [gentoo-user] Re: Hardening a laptop for travel
From: reader @ 2007-12-10 18:03 UTC
To: gentoo-user
Grant <emailgrant@gmail.com> writes:
>> > iptables -P INPUT DROP
>> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>> This line is only needed if you want to forward packets to another
>> iface/device (i.e. when your laptop is acting as a router and the input
>> interface is eth0).
>
> Alright I guess I'll just set up shorewall on the laptop with a config
> similar to the router's. Maybe I'll set up shorewall on the other
> system in my local network while I'm at it.
Wait... I'm pretty sure there are a few lines of IPTABLES code that
will do what you want.
I remember using something with IPTABLES that made any connections
from internet only happen in response to requests from your localhost.
I don't remember the lines now but someone might post it.
Wouldn't the above and not running any unnecessary services be pretty
good protection for what you're after?
I've hooked up to many networks while traveling without anything at
all (except not running any unnecessary services) with a Windows-based
laptop and never had a bit of trouble. So I'd expect a Linux-based
host to do even better.
* Re: [gentoo-user] Hardening a laptop for travel
From: William Kenworthy @ 2007-12-10 22:23 UTC
To: gentoo-user
On Mon, 2007-12-10 at 08:50 -0800, Grant wrote:
>
> Alright I guess I'll just set up shorewall on the laptop with a config
> similar to the router's. Maybe I'll set up shorewall on the other
> system in my local network while I'm at it.
>
> - Grant
shorewall is good - but overkill on a single machine. Have a look at
the net-misc/monmotha script. Comprehensive, easy to understand and
works well.
I am a believer in letting experts do the snarly stuff - and shorewall
and monmotha get a lot of feedback so they are well sorted. When you
look at the code and why they are doing particular rules, the simple
ones like people have suggested only offer basic protection, and
possibly poor functionality.
BillK
--
William Kenworthy <billk@iinet.net.au>
Home in Perth!
* Re: [gentoo-user] Hardening a laptop for travel
From: Grant @ 2007-12-10 23:58 UTC
To: gentoo-user
> > Alright I guess I'll just set up shorewall on the laptop with a config
> > similar to the router's. Maybe I'll set up shorewall on the other
> > system in my local network while I'm at it.
> >
> > - Grant
>
> shorewall is good - but overkill on a single machine. Have a look at
> the net-misc/monmotha script. Comprehensive, easy to understand and
> works well.
>
> I am a believer in letting experts do the snarly stuff - and shorewall
> and monmotha get a lot of feedback so they are well sorted. When you
> look at the code and why they are doing particular rules, the simple
> ones like people have suggested only offer basic protection, and
> possibly poor functionality.
>
> BillK
I don't know, now that I've set up shorewall on my router it seems
like a simple matter to set it up on another machine. I should only
need to edit a few config files with very light additions.
- Grant
* Re: [gentoo-user] Hardening a laptop for travel
From: William Kenworthy @ 2007-12-11 0:50 UTC
To: gentoo-user
>
> I don't know, now that I've set up shorewall on my router it seems
> like a simple matter to set it up on another machine. I should only
> need to edit a few config files with very light additions.
>
> - Grant
Understand - to be honest I have moved to shorewall on almost all my
machines for uniformity, even though its rather more complex than
needed.
BillK
* Re: [gentoo-user] Hardening a laptop for travel
From: Grant @ 2007-12-11 0:57 UTC
To: gentoo-user
> > I don't know, now that I've set up shorewall on my router it seems
> > like a simple matter to set it up on another machine. I should only
> > need to edit a few config files with very light additions.
> >
> > - Grant
>
> Understand - to be honest I have moved to shorewall on almost all my
> machines for uniformity, even though its rather more complex than
> needed.
>
>
> BillK
Yeah I'm into uniformity. I'm trying to get my media system, laptop,
router, and remote server on the same OS, kernel, profile, etc.
- Grant
* Re: [gentoo-user] Re: Hardening a laptop for travel
From: Mick @ 2007-12-11 8:22 UTC
To: gentoo-user
On Monday 10 December 2007, reader@newsguy.com wrote:
> Grant <emailgrant@gmail.com> writes:
> >> > iptables -P INPUT DROP
> >> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> > iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j
> >> > ACCEPT
> >>
> >> This line is only needed if you want to forward packets to another
> >> iface/device (i.e. when your laptop is acting as a router and the input
> >> interface is eth0).
> >
> > Alright I guess I'll just set up shorewall on the laptop with a config
> > similar to the router's. Maybe I'll set up shorewall on the other
> > system in my local network while I'm at it.
>
> Wait... I'm pretty sure there are a few lines of IPTABLES code that
> will do what you want.
>
> I remember using something with IPTABLES that made any connections
> from internet only happen in response to requests from your localhost.
> I don't remember the lines now but someone might post it.
The lines already posted will do just that. If you want to additionally stop
any intruder spoofing a localhost address on your NIC and getting in you
could add:
# accept whatever did NOT arrive on the external interface (loopback, but also
# any other iface such as wlan0); a packet carrying a 127.x source address that
# arrives on eth0 does not match and falls through to the INPUT DROP policy
# (older iptables spelled the negation "-i ! eth0")
iptables -A INPUT ! -i eth0 -j ACCEPT   # adjust eth0 for your iface
> Wouldn't the above and not running any unnecessary services be pretty
> good protection for what your after?
Given that systems like e.g. Ubuntu server do not even have a firewall running
would make you think so. The fact that while on the road you only stay
connected for short periods of time would improve your chances too. However,
every time you start an internet connection to a server you have open ports
at random which could be discovered and exploited. It only takes a few
seconds over broadband with a well crafted script.
> I've hooked up to many networks while traveling without anything at
> all (Except not running any unnecessary services) with windows based
> laptop and never had a bit of trouble. So I'd expect a linux based
> host to do even better.
MS Windows XP runs a firewall as a default. Many programs open holes through
it as soon as you install them, allowing incoming connections. Assuming you
are running as a plain user with a strong passwd, you have closed all holes
in the firewall and do not point & click at all sorts of malware links and
payloads, you should be good.
Similar principles apply to Linux desktop machines, except that once you set up
your firewall no installed program other than a trojan will readily go and
change it. Some distros which are trying to be 'user friendly' will however
modify the firewall to allow newly installed services to get through, although
they will ask you about it first (I am thinking of OpenSuSE here).
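The stateful rules Andrey posted earlier (default INPUT DROP plus a RELATED,ESTABLISHED accept) and Mick's point above about spoofed loopback sources combine into the rule set below. It is an added example, not code posted in the thread or shipped by Gentoo: it assumes a 2.6 kernel with the conntrack state match, IPv4 only, a laptop that exposes no services, and root to apply it (any user can print or self-check the set). Unlike the posted FORWARD rule it names no interface, so the same set covers eth0, wlan0 or a ppp link, and it adds a rate-limited log of what gets dropped so you can see what a foreign network throws at you.

```sh
#!/bin/sh
# Travel-laptop firewall, IPv4. Added example; not code from the thread.
# Assumptions: 2.6 kernel with the state match, no services to expose, root
# needed only for "apply". Rules are deliberately not tied to eth0 so the
# same set protects wlan0 or ppp0.

# gen_rules: print the iptables commands in load order. The spoof DROP sits
# before the state ACCEPT so a packet from the wire with a forged 127.x source
# can never ride a conntrack entry created by genuine loopback traffic.
gen_rules() {
    cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
EOF
}

# rule_count: number of iptables invocations gen_rules emits (self-check aid)
rule_count() {
    gen_rules | grep -c '^iptables '
}

# check_rules: static sanity checks on the generated set; prints "ok" or the
# first problem. Catches the two classic mistakes: forgetting loopback, and
# accepting ESTABLISHED traffic before dropping spoofed loopback sources.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' || { echo "missing loopback accept"; return 1; }
    spoof=$(echo "$rules" | grep -n -- '-s 127.0.0.0/8 -j DROP' | cut -d: -f1)
    state=$(echo "$rules" | grep -n -- '--state RELATED,ESTABLISHED -j ACCEPT' | cut -d: -f1)
    [ -n "$spoof" ] && [ "$spoof" -lt "$state" ] || { echo "spoof drop must precede state accept"; return 1; }
    echo ok
}

# apply_rules: load the set, then save it where Gentoo's iptables init script
# reads it back at boot (/var/lib/iptables/rules-save is that script's default).
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    command -v iptables >/dev/null || { echo "iptables not installed" >&2; return 1; }
    gen_rules | sh -e
    iptables-save > /var/lib/iptables/rules-save
}

case "${1:-print}" in
    apply) apply_rules ;;
    check) check_rules ;;
    *)     gen_rules ;;
esac
```

With no argument it prints the rules, `check` verifies the ordering, and `apply` (as root) loads them and saves them for `rc-update add iptables default`. Dropped packets show up in the kernel log with the `FW-DROP:` prefix. These rules govern IPv4 only; if the kernel has IPv6 enabled, ip6tables needs an equivalent set or the laptop is wide open on that stack.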
* [gentoo-user] Re: Hardening a laptop for travel
From: reader @ 2007-12-11 15:39 UTC
To: gentoo-user
Harry wrote:
>> Wait... I'm pretty sure there are a few lines of IPTABLES code that
>> will do what you want.
>>
>> I remember using something with IPTABLES that made any connections
>> from internet only happen in response to requests from your localhost.
>> I don't remember the lines now but someone might post it.
Mick replied:
> The lines already posted will do just that. If you want to additionally stop
> any intruder spoofing a localhost address on your NIC and getting in you
> could add:
>
> iptables -A INPUT -i !eth0* -j ACCEPT
Oops... I took your earlier comment (below) to be applied to what was posted
but I see now you were only referencing a single line:
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Andrey F. wrote:
>>> iptables -P INPUT DROP
>>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Mick replied:
>>> iptables -P INPUT DROP
>>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> This line is only needed if you want to forward packets to another
>> iface/device (i.e. when your laptop is acting as a router and the input
>> interface is eth0).
[...]
Thanks for the <snipped> other pointers
* Re: [gentoo-user] Hardening a laptop for travel
From: Grant @ 2007-12-13 14:25 UTC
To: gentoo-user
> > I don't know, now that I've set up shorewall on my router it seems
> > like a simple matter to set it up on another machine. I should only
> > need to edit a few config files with very light additions.
> >
> > - Grant
>
> Understand - to be honest I have moved to shorewall on almost all my
> machines for uniformity, even though its rather more complex than
> needed.
>
>
> BillK
How does this /etc/shorewall/rules look for my router?
#ACTION       SOURCE   DEST               PROTO   DEST PORT(S)
DNS/ACCEPT    $FW      net
Ping/REJECT   net      $FW
DNAT          net      loc:192.168.0.3    tcp     50000
DNAT          net      loc:192.168.0.3    udp     50000
ACCEPT        $FW      loc                icmp
ACCEPT        $FW      net                icmp
Does this reject ssh requests from the net zone or do I need to
specify that? It looks like maybe there is another set of basic
ACCEPT/REJECT configs that this is modifying. Does anyone know which
file that might reside in? If this looks good I'll set up something
similar on the laptop.
- Grant
* Re: [gentoo-user] Hardening a laptop for travel
From: Grant @ 2007-12-13 15:53 UTC
To: gentoo-user
> > > I don't know, now that I've set up shorewall on my router it seems
> > > like a simple matter to set it up on another machine. I should only
> > > need to edit a few config files with very light additions.
> > >
> > > - Grant
> >
> > Understand - to be honest I have moved to shorewall on almost all my
> > machines for uniformity, even though its rather more complex than
> > needed.
> >
> >
> > BillK
>
> How does this /etc/shorewall/rules look for my router?
>
> DNS/ACCEPT $FW net
> Ping/REJECT net $FW
> DNAT net loc:192.168.0.3 tcp 50000
> DNAT net loc:192.168.0.3 udp 50000
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
>
> Does this reject ssh requests from the net zone or do I need to
> specify that? It looks like maybe there is another set of basic
> ACCEPT/REJECT configs that this is modifying. Does anyone know which
> file that might reside in? If this looks good I'll set up something
> similar on the laptop.
>
> - Grant
I was looking for the /etc/shorewall/policy file. Something weird
though. I have this in my policy file:
#SOURCE   DEST   POLICY
net       $FW    DROP
net       loc    DROP
net       all    DROP
And yet I'm able to ssh from a machine on the local network to the
router via the external IP address. Does the router still know I'm
coming from the inside and thus allow it or is something wrong here?
- Grant
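Both questions in the two messages above (does the posted policy stop ssh from the net zone, and why can a LAN host still ssh to the router's external IP despite `net $FW DROP`) come down to how Shorewall assigns zones: by the interface a packet arrives on, not by the destination address it carries. The script below is an added example, not Shorewall code or the poster's configuration. It models Shorewall's first-match policy lookup over the three posted policy lines and assumes, because the message does not show them, that eth0 is the net interface, eth1 the loc interface, and that the policy file also has the usual `loc $FW ACCEPT` line and a final `all all REJECT`. Entries in /etc/shorewall/rules are consulted before policy and are not modelled.

```sh
#!/bin/sh
# Shorewall zone/policy walk-through. Added example; not Shorewall code and not
# the poster's configuration. Assumptions not in the poster's message: eth0 is
# the 'net' interface and eth1 the 'loc' interface (/etc/shorewall/interfaces),
# and the policy file also carries 'loc $FW ACCEPT' and 'all all REJECT'.

# zone_of IFACE: a zone is assigned by the interface a packet ARRIVES on,
# never by the destination address it is sent to.
zone_of() {
    case "$1" in
        eth0) echo net ;;      # assumption: uplink
        eth1) echo loc ;;      # assumption: LAN
        *)    echo unknown ;;
    esac
}

# Policy table: the three lines the poster showed, plus the two assumed ones.
# Shorewall takes the FIRST line whose SOURCE and DEST match; 'all' is a wildcard.
POLICY='net $FW DROP
net loc DROP
net all DROP
loc $FW ACCEPT
all all REJECT'

# policy_lookup SRCZONE DSTZONE: print the action of the first matching line
policy_lookup() {
    while read -r psrc pdst action; do
        [ -z "$psrc" ] && continue
        case "$psrc" in "$1"|all) ;; *) continue ;; esac
        case "$pdst" in "$2"|all) ;; *) continue ;; esac
        echo "$action"
        return 0
    done <<EOF
$POLICY
EOF
    echo "no policy"
    return 1
}

# verdict IFACE DSTZONE: fate of a NEW connection arriving on IFACE for a
# destination in DSTZONE. '$FW' means an address owned by the router itself,
# which is what its external IP is even when a LAN host connects to it.
verdict() {
    policy_lookup "$(zone_of "$1")" "$2"
}

echo "ssh to external IP from the LAN   (eth1 -> \$FW): $(verdict eth1 '$FW')"
echo "ssh to external IP from Internet  (eth0 -> \$FW): $(verdict eth0 '$FW')"
echo "unsolicited packet for a LAN host (eth0 -> loc): $(verdict eth0 loc)"
```

The first case is the poster's observation: the packet enters on the LAN interface, so its source zone is loc and the `net $FW DROP` line never applies; the second shows that ssh from the Internet is dropped by the posted policy without any extra rule, as long as nothing in /etc/shorewall/rules accepts it first.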
* Re: [gentoo-user] Re: Hardening a laptop for travel
From: Dan Farrell @ 2007-12-13 19:12 UTC
To: gentoo-user
On Tue, 11 Dec 2007 08:22:45 +0000
Mick <michaelkintzios@gmail.com> wrote:
> Given that systems like e.g. Ubuntu server do not even have a
> firewall running would make you think so. The fact that while on the
> road you only stay connected for short periods of time would improve
> your chances too. However, every time you start an internet
> connection to a server you have open ports at random which could be
> discovered and exploited. It only takes a few seconds over broadband
> with a well crafted script.
This is true; however, the actual "exploitability" of something like
this seems pretty low to me. The biggest problem that I see here is
MITM/Spoofing probably, and it's a problem that firewalls only help
treat, but certainly don't cure completely.
* Re: [gentoo-user] Hardening a laptop for travel
From: Dan Farrell @ 2007-12-13 19:17 UTC
To: gentoo-user
On Mon, 10 Dec 2007 15:58:02 -0800
Grant <emailgrant@gmail.com> wrote:
> I don't know, now that I've set up shorewall on my router it seems
> like a simple matter to set it up on another machine. I should only
> need to edit a few config files with very light additions.
>
> - Grant
Either way you go, I wouldn't think it would take very long for you to
get a firewall up and running. I personally use iptables manually
because I think it's easier than using shorewall to automatically
configure it. But more abstraction _should_ make it easier, although
things don't always work out like that.
* Re: [gentoo-user] Hardening a laptop for travel
From: William Kenworthy @ 2007-12-13 22:36 UTC
To: gentoo-user
On Thu, 2007-12-13 at 13:09 -0600, Dan Farrell wrote:
> On Sat, 8 Dec 2007 13:41:06 -0500
>
> I don't run iptables on my laptops. Instead, I choose to run only a
> few secure services and then proceed to not worry about it.
>
hmmm - another target.
Firewalls can be viewed as a waste of time on a perfect system - but
what system is ever perfect?
Can you guarantee that no services that are untrustworthy will EVER run
on the machine - think accidental installs? A couple of years back we
(local LUG) had an incident of a Windows virus listening on a network
port of a Linux machine - apparently something to do with running an
infected application under wine. It's what you don't know that will bite
you.
Can you guarantee that there is never a bug in your software that might
leave you exposed?
Can you guarantee that you have NEVER mis-configured a service or
application?
Thought not ...
Think layered defences.
BillK