Hardening a laptop for travel (gentoo-user mailing list, archived at http://www.linux-archive.org/gentoo-user/15190-hardening-laptop-travel.html)

Grant 12-08-2007 12:35 PM

Hardening a laptop for travel
 
I have shorewall set up on my router but I haven't set up anything
security-wise for my laptop which normally sits behind the router.
What should I be setting up on the laptop in preparation for traveling
and connecting via a foreign network or even directly to the Internet?
I don't run sshd on the laptop. I would think shorewall, but am I
forgetting anything?

# rc-update -s
alsasound | boot
bootmisc | boot
checkfs | boot
checkroot | boot
clock | boot
consolefont | boot
hald | default
hostname | boot
keymaps | boot
local | default nonetwork
localmount | boot
metalog | default
modules | boot
net.eth0 | default
net.lo | boot
netmount | default
ntp-client | default
ntpd | default
rmnologin | boot
urandom | boot
vixie-cron | default
xdm | default
xfs | default

- Grant
--
gentoo-user@gentoo.org mailing list

"Andrey Falko" 12-08-2007 05:41 PM

Hardening a laptop for travel
 
On Dec 8, 2007 8:35 AM, Grant <emailgrant@gmail.com> wrote:

> I have shorewall set up on my router but I haven't set up anything
> security-wise for my laptop which normally sits behind the router.
> What should I be setting up on the laptop in preparation for traveling
> and connecting via a foreign network or even directly to the Internet?
> I don't run sshd on the laptop. I would think shorewall, but am I
> forgetting anything?

At the very least I'd do the following with iptables:

iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

This will make sure that there are no incoming connects except those that you
initiated.
--
gentoo-user@gentoo.org mailing list

Mick 12-10-2007 11:56 AM

Hardening a laptop for travel
 
On Saturday 08 December 2007, Andrey Falko wrote:
> On Dec 8, 2007 8:35 AM, Grant <emailgrant@gmail.com> wrote:
> > I have shorewall set up on my router but I haven't set up anything
> > security-wise for my laptop which normally sits behind the router.
> > What should I be setting up on the laptop in preparation for traveling
> > and connecting via a foreign network or even directly to the Internet?
> > I don't run sshd on the laptop. I would think shorewall, but am I
> > forgetting anything?
>
> At the very least I'd do the following with iptables:
>
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

This line is only needed if you want to forward packets to another
iface/device (i.e. when your laptop is acting as a router and the input
interface is eth0).
--
Regards,
Mick

Grant 12-10-2007 03:50 PM

Hardening a laptop for travel
 
> > > I have shorewall set up on my router but I haven't set up anything
> > > security-wise for my laptop which normally sits behind the router.
> > > What should I be setting up on the laptop in preparation for traveling
> > > and connecting via a foreign network or even directly to the Internet?
> > > I don't run sshd on the laptop. I would think shorewall, but am I
> > > forgetting anything?
> >
> > At the very least I'd do the following with iptables:
> >
> > iptables -P INPUT DROP
> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> This line is only needed if you want to forward packets to another
> iface/device (i.e. when your laptop is acting as a router and the input
> interface is eth0).

Alright I guess I'll just set up shorewall on the laptop with a config
similar to the router's. Maybe I'll set up shorewall on the other
system in my local network while I'm at it.

- Grant
--
gentoo-user@gentoo.org mailing list

reader@newsguy.com 12-10-2007 05:03 PM

Hardening a laptop for travel
 
Grant <emailgrant@gmail.com> writes:

>> > iptables -P INPUT DROP
>> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>> This line is only needed if you want to forward packets to another
>> iface/device (i.e. when your laptop is acting as a router and the input
>> interface is eth0).
>
> Alright I guess I'll just set up shorewall on the laptop with a config
> similar to the router's. Maybe I'll set up shorewall on the other
> system in my local network while I'm at it.

Wait... I'm pretty sure there are a few lines of IPTABLES code that
will do what you want.

I remember using something with IPTABLES that made any connections
from internet only happen in response to requests from your localhost.
I don't remember the lines now but someone might post it.

Wouldn't the above and not running any unnecessary services be pretty
good protection for what you're after?

I've hooked up to many networks while traveling without anything at
all (Except not running any unnecessary services) with windows based
laptop and never had a bit of trouble. So I'd expect a linux based
host to do even better.

--
gentoo-user@gentoo.org mailing list
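"Not running any unnecessary services" is only checkable if you know what is actually listening on the wire, and the rc-update listing earlier in the thread does not tell you that. The following is an added example, not code posted by anyone in the thread: it decodes /proc/net/tcp directly (so it works on a minimal Gentoo install without netstat or ss) and reports every TCP socket in LISTEN state, then narrows that to sockets bound to something other than loopback, which is the set a foreign network can reach. The /proc/net/tcp content below is constructed for the demonstration, the service names in its comments are assumptions, and only IPv4 (/proc/net/tcp, not /proc/net/tcp6) is handled.

```shell
#!/bin/sh
# Added example, not from the thread: list TCP listeners by decoding
# /proc/net/tcp.  Each line there carries local_address as "AABBCCDD:PPPP",
# with the IPv4 bytes in host order (so on x86 they read back to front) and
# the port in hex; column 4 is the socket state, 0A meaning LISTEN.

# $1: a /proc/net/tcp-format file (default: the live one).
# Prints "ip:port" for every socket in LISTEN state.
tcp_listeners() {
  awk '
    # hex string -> integer; POSIX awk has no strtonum()
    function hex(s,  i, v) {
      v = 0
      for (i = 1; i <= length(s); i++)
        v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
      return v
    }
    NR > 1 && $4 == "0A" {
      split($2, a, ":")
      h = a[1]
      # bytes are stored little-endian on x86: "0100007F" is 127.0.0.1
      printf "%d.%d.%d.%d:%d\n", hex(substr(h, 7, 2)), hex(substr(h, 5, 2)),
                                 hex(substr(h, 3, 2)), hex(substr(h, 1, 2)),
                                 hex(a[2])
    }' "${1:-/proc/net/tcp}"
}

# Same list minus loopback binds: those cannot be reached from the foreign
# network as long as the firewall drops forged 127/8 sources on the NIC.
exposed_listeners() {
  tcp_listeners "$1" | grep -v '^127\.'
}

# Constructed sample (not captured from a real host).  The assumed services:
#   127.0.0.1:631  a print daemon bound to loopback only
#   0.0.0.0:22     an sshd listening on every address
#   127.0.0.1:6000 a localhost-only daemon
# plus one ESTABLISHED (state 01) outbound connection from 192.168.1.2:50089
# to 203.0.113.5:443, which is not a listener and must not be reported.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0201A8C0:C3A9 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 100 0 0 10 0
EOF

# Demo against the sample; on a live box run:  exposed_listeners /proc/net/tcp
exposed_listeners "$SAMPLE"
```

Run it with no arguments to see the constructed sample reduced to `0.0.0.0:22`; point `exposed_listeners` at the real `/proc/net/tcp` and anything it prints is a service worth removing from the runlevel (or binding to 127.0.0.1) before travelling, firewall or not. The established outbound connection in the sample shows up in the file but not in the listener list, which is the distinction between a port you connect out from and a port that accepts connections.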

William Kenworthy 12-10-2007 09:23 PM

Hardening a laptop for travel
 
On Mon, 2007-12-10 at 08:50 -0800, Grant wrote:

>
> Alright I guess I'll just set up shorewall on the laptop with a config
> similar to the router's. Maybe I'll set up shorewall on the other
> system in my local network while I'm at it.
>
> - Grant

shorewall is good - but overkill on a single machine. Have a look at
the net-misc/monmotha script. Comprehensive, easy to understand and
works well.

I am a believer in letting experts do the snarly stuff - and shorewall
and monmotha get a lot of feedback so they are well sorted. When you
look at the code and why they are doing particular rules, the simple
ones like people have suggested only offer basic protection, and
possibly poor functionality.

BillK



--
William Kenworthy <billk@iinet.net.au>
Home in Perth!
--
gentoo-user@gentoo.org mailing list

Grant 12-10-2007 10:58 PM

Hardening a laptop for travel
 
> > Alright I guess I'll just set up shorewall on the laptop with a config
> > similar to the router's. Maybe I'll set up shorewall on the other
> > system in my local network while I'm at it.
> >
> > - Grant
>
> shorewall is good - but overkill on a single machine. Have a look at
> the net-misc/monmotha script. Comprehensive, easy to understand and
> works well.
>
> I am a believer in letting experts do the snarly stuff - and shorewall
> and monmotha get a lot of feedback so they are well sorted. When you
> look at the code and why they are doing particular rules, the simple
> ones like people have suggested only offer basic protection, and
> possibly poor functionality.
>
> BillK

I don't know, now that I've set up shorewall on my router it seems
like a simple matter to set it up on another machine. I should only
need to edit a few config files with very light additions.

- Grant
--
gentoo-user@gentoo.org mailing list

William Kenworthy 12-10-2007 11:50 PM

Hardening a laptop for travel
 
>
> I don't know, now that I've set up shorewall on my router it seems
> like a simple matter to set it up on another machine. I should only
> need to edit a few config files with very light additions.
>
> - Grant

Understand - to be honest I have moved to shorewall on almost all my
machines for uniformity, even though it's rather more complex than
needed.

BillK

--
William Kenworthy <billk@iinet.net.au>
Home in Perth!
--
gentoo-user@gentoo.org mailing list

Grant 12-10-2007 11:57 PM

Hardening a laptop for travel
 
> > I don't know, now that I've set up shorewall on my router it seems
> > like a simple matter to set it up on another machine. I should only
> > need to edit a few config files with very light additions.
> >
> > - Grant
>
> Understand - to be honest I have moved to shorewall on almost all my
> machines for uniformity, even though it's rather more complex than
> needed.
>
>
> BillK

Yeah I'm into uniformity. I'm trying to get my media system, laptop,
router, and remote server on the same OS, kernel, profile, etc.

- Grant
--
gentoo-user@gentoo.org mailing list

Mick 12-11-2007 07:22 AM

Hardening a laptop for travel
 
On Monday 10 December 2007, reader@newsguy.com wrote:
> Grant <emailgrant@gmail.com> writes:
> >> > iptables -P INPUT DROP
> >> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> > iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j
> >> > ACCEPT
> >>
> >> This line is only needed if you want to forward packets to another
> >> iface/device (i.e. when your laptop is acting as a router and the input
> >> interface is eth0).
> >
> > Alright I guess I'll just set up shorewall on the laptop with a config
> > similar to the router's. Maybe I'll set up shorewall on the other
> > system in my local network while I'm at it.
>
> Wait... I'm pretty sure there are a few lines of IPTABLES code that
> will do what you want.
>
> I remember using something with IPTABLES that made any connections
> from internet only happen in response to requests from your localhost.
> I don't remember the lines now but someone might post it.

The lines already posted will do just that. If you want to additionally stop
any intruder spoofing a localhost address on your NIC and getting in you
could add:

iptables -A INPUT ! -i eth0 -j ACCEPT

(adjust eth0 for your iface)

> Wouldn't the above and not running any unnecessary services be pretty
> good protection for what your after?

That systems like e.g. Ubuntu server do not even have a firewall running
would make you think so. The fact that while on the road you only stay
connected for short periods of time would improve your chances too. However,
every time you start an internet connection to a server you have open ports
at random which could be discovered and exploited. It only takes a few
seconds over broadband with a well crafted script.

> I've hooked up to many networks while traveling without anything at
> all (Except not running any unnecessary services) with windows based
> laptop and never had a bit of trouble. So I'd expect a linux based
> host to do even better.

MS Windows XP runs a firewall as a default. Many programs open holes through
it as soon as you install them allowing incoming connections. Assuming you
are running as a plain user with a strong passwd, you have closed all holes
in the firewall and do not point & click at all sorts of malware links and
payloads you should be good.

Similar principles apply to Linux desktop machines except that once you set up
your firewall no installed program other than a trojan will readily go and
change it. Some distros which are trying to be 'user friendly' will however
modify the firewall to allow newly installed services to get through, albeit
will ask you about it first (I am thinking of OpenSuSE here).
--
Regards,
Mick
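Pulling the two firewall pieces of the thread together (Andrey's stateful default-deny rules, and Mick's point that traffic on the loopback side needs its own handling), the following is an added example, not a ruleset anyone posted. It writes the rules in iptables-restore(8) format so the whole table is loaded in one atomic step rather than one iptables call at a time (no window where INPUT is DROP but the ESTABLISHED rule is not yet in place), adds the explicit loopback accept that the per-rule version lacks, drops forged 127/8 sources arriving on the NIC, and leaves FORWARD at DROP since the laptop is not a router. eth0 as the untrusted interface, no listening services, and a kernel with connection tracking are assumptions; `apply_rules` needs root, everything else runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful default-deny ruleset for a
# single travelling laptop, emitted in iptables-restore(8) format.
# Assumed: eth0 is the untrusted NIC, nothing is meant to listen, and the
# kernel has ip_conntrack/nf_conntrack so "-m state" works.

# Print the ruleset for the untrusted interface in $1 (default eth0).
laptop_rules() {
  iface=${1:-eth0}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback must be allowed by name: with INPUT DROP and nothing else, X,
# cups and every other localhost-only daemon stop working.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# A 127/8 source seen on the real NIC can only be forged.
-A INPUT -i $iface -s 127.0.0.0/8 -j DROP
# Packets belonging to no tracked flow (stray ACKs, scan probes) never
# reach the ESTABLISHED match below.
-A INPUT -m state --state INVALID -j DROP
# Replies to connections this laptop opened, plus RELATED traffic such as
# ICMP errors (path-MTU discovery) and FTP data channels.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Nothing else gets in.  FORWARD stays DROP: a laptop is not a router.
# Outbound: only traffic that starts or continues a tracked connection.
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically (root only).  On Gentoo, follow with
# /etc/init.d/iptables save so it survives a reboot.
apply_rules() {
  laptop_rules "$1" | iptables-restore
}

# Unprivileged self-check: default policies are DROP, the anti-spoof rule
# names the right interface, and exactly two things are ever accepted
# inbound (loopback and replies), i.e. no port has crept in.
rules_ok() {
  iface=${1:-eth0}
  r=$(laptop_rules "$iface")
  printf '%s\n' "$r" | grep -q '^:INPUT DROP'   &&
  printf '%s\n' "$r" | grep -q '^:FORWARD DROP' &&
  printf '%s\n' "$r" | grep -q -- "^-A INPUT -i $iface -s 127\.0\.0\.0/8 -j DROP" &&
  [ "$(printf '%s\n' "$r" | grep -c '^-A INPUT .* -j ACCEPT')" -eq 2 ]
}

# Usage:  sh laptop-fw.sh            (print the rules for eth0)
#         sh laptop-fw.sh apply wlan0 (load them, as root, for wlan0)
if [ "${1:-}" = apply ]; then
  apply_rules "${2:-eth0}"
else
  laptop_rules "${2:-eth0}"
fi
```

Accepting on `lo` by name rather than on "everything that is not eth0" matters on a laptop that also has a wireless interface: the negated form would leave wlan0 wide open while eth0 is locked down, whereas this ruleset treats any interface other than lo as untrusted. Inbound echo requests are dropped as a side effect of the policy (the laptop will not answer pings), while the ICMP errors needed for path-MTU discovery still arrive as RELATED.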

