• Home
  • Help
  • Search
  • Login
  • Register
Pages: [1]
« previous next »
Author Topic: Hardening the Plug  (Read 1071 times)
Headworx
Newbie
*

Karma: 0
Posts: 19


View Profile
« on: October 25, 2009, 03:05:26 AM »
Hi All,

I am a Linux beginner, on a steep learning curve. I wanted to ask the community here to help me secure and harden my Sheeva Plug. It is currently running the Ubuntu included in the SheevaPlugInstaller (4GB MMC-based setup). My goal is to have the Plug as a static web server server for periodically changing content like weather graphs and web cam snapshots. The Plug server will be connected to the DMZ port on my firewall.

I think basically it should provide three services:

    * FTP uploads from LAN hosts (like the MeteoHub graphing server and IP Web cameras) - one password protected FTP account should be sufficient
    * SSH service / maintenance access from LAN hosts
    * HTTP access from the Internet to the objects (png and jpg files) uploaded by the LAN hosts

It would also be nice if the Plug could automatically keep itself updated with the latest patches (especially security) and report periodically its state, including state of connectivity and running services). This may sound like a job for the MONIT framework?

The planned steps are listed below. This is just a general plan, please contribute with links and replies to each point or add additional points.

   1. Turning off / uninstalling unnecessary services - packages (like Samba)
   2. Configuring SSH access (key - based authentication for PUTTY clients)
   3. Disabling non-SSH Telnet access
   4. Configuring the VSFTPD service
   5. Configuring the HTTP/Apache2 service
   6. Configuring the monitoring framework
   7. Additional hardening steps

Your input is highly appreciated.

Cheers,
Headworx
Logged
--
Cheers,
Headworx
http://tech.slupik.com

Reedy
Newbie
*

Karma: 0
Posts: 40


View Profile
« Reply #1 on: October 25, 2009, 04:35:59 AM »
FTP is unsecure, dont even bother with it

SFTP is much better, and as long as your using the default ssh server on ubunutu, its all there
Logged

DamonHD
Full Member
***

Karma: 4
Posts: 169


View Profile WWW
« Reply #2 on: October 25, 2009, 06:25:55 AM »
The Ubuntu as supplied does have any insecure services exposed, which is good, but check with netstat -a of course.

I've added some iptables stuff for an extra layer.

I would *not* do an unsupervised 'auto update' applications for security reasons; just do an apt-get update from time to time.  And basically Apache2 is pretty robust and if you stick to core modules there's probably not much bad left to be found in there...

Rgds

Damon

PS. My notes are under 'Software' here: http://www.earth.org.uk/note-on-SheevaPlug-setup.html
Logged

Headworx
Newbie
*

Karma: 0
Posts: 19


View Profile
« Reply #3 on: October 25, 2009, 09:18:00 AM »
Thanks for the answers so far...

Reedy, re "FTP is unsecure, dont even bother with it" - the Plug's environment is controlled by external firewall, so FTP is only open to local (LAN) clients. External clients are allowed only on http protocol, terminated by the http service. So I think there is not much insecurity introduced by ftp itself...

DamonHD, I find your notes interesting.... Smiley

Cheers,
headworx
Logged
--
Cheers,
Headworx
http://tech.slupik.com

Pages: [1]
Print
« previous next »
Jump to: