Topic: Designing a Linux home network for security? (long, boring)

zahc

Designing a Linux home network for security? (long, boring)
« on: September 26, 2012, 04:44:25 PM »
Identity theft seems to be all the rage nowadays.

I'm not smart with computers, but I need to learn. I would like to know the best practices for home network security. The problem is I just don’t know standard practice or what people usually do. I am concerned about the following:

--break-ins from the outside internet
--break-ins from someone logging onto my wifi
--a home invader stealing my data and identity
--government: there's a low chance I would ever be raided by the government, but I would like to have my bases covered and not leave things 'in plain sight' that I intended to be private.

Should I consider other attack vectors or weaknesses?

I have the following hardware:

ATT 2Wire gateway/router thing. It's in a closet, and physically secured.

2 netbooks (His-n-Hers, currently connect via wireless, WPA2). We take these on the road and leave them lying around the house.

A new server--this is in a closet, and physically secured. I haven't hooked this up yet. The purpose is to serve large media files, and also to be a central store of important office and financial information, instead of having that information scattered across the netbooks.

A new home theater computer--this sits out by the TV, and is on 24/7. It is not physically secure. I haven't networked it yet.

A wife of average computer literacy.

Assuming I'm setting all this up from scratch, what user accounts do I set up on the server? One for me and one for her? Should I use different usernames and passwords for the laptops and the home theater PC compared to the server? What should I encrypt?

My musings:
The laptops:
I have this idea that it would be cool to host my important ~/office directory on the server, and access those files through SSH (ok for basic stuff, not for wife) or SSHfs (making it more transparently usable). I can have some kind of 'click on the icon and enter password to mount' system, and then I have to be careful not to leave the netbooks lying around powered-up and logged in. But as long as I set the laptop user accounts up with reasonably strong passwords, and set them to lock the screen, even if they aren't physically secure, nobody will be able to access the server files unless they know the password to the _server_ user account that has the ~/office directory. Is this correct? I don't know of any way to auto-mount the ~/office directory that would be secure for a laptop which may be stolen.

Server: It's locked in a closet. It has no wifi chip. I do not have full-disk encryption, and I didn't opt to encrypt my home directory when I installed Ubuntu. I guess I can create some kind of TrueCrypt directory and put all my sensitive documents in that. The only point of encrypting, the way I understand, is in case someone breaks in and steals my hard drive, right? I don't feel the need to encrypt my media directory anyway. If I want both me and my wife to access the same office documents directory, do I create user accounts on the server for both of us? One root account and 2 less privileged user accounts? Only one account with sudo that we both use?

Home Theater computer:
I want this to auto-login and stay on 24/7. The thing that concerns me is how to prevent someone using the HTPC to break into the server. I can create a 'nobody' user on this system and have it auto-login as 'nobody'. I need to auto-mount the media directory on the server, so I would use NFS. If I set up ~/media in the server's /etc/exports file, mounted -ro for the HTPC's hostname, then this should be reasonably secure, and auto-mountable, right? If I want to log into the server from the HTPC to make changes, which I might want to do to reshuffle media or whatever, I can open a terminal from the 'nobody' account on the HTPC and login to the server _as a user on the server_, correct? I will still need to know the password for that user account on the server, so nobody else will be able to do this. Does this sound right?

Maybe a rare occurrence, but then you only have to get murdered once to ruin your whole day.
--Tallpine

mtnbkr

Re: Designing a Linux home network for security? (long, boring)
« Reply #1 on: September 26, 2012, 05:45:10 PM »
--break-ins from the outside internet:
Most decent FW/Routers will handle this for you.  Just be mindful of any holes you punch through your FW for inbound SSH and such.

--break-ins from someone logging onto my wifi
Use the max encryption/authentication your router supports.  Turn off SSID broadcast, use a strong password.  Maybe go as far as MAC filtering if you're really worried.  

--a home invader stealing my data and identity
Encrypt the important stuff (tax records, anything with a SS number, income figures, account numbers, etc.).  Have good passwords on your devices.  Don't worry about it too much.  I had a netbook stolen from my home in early 2010.  It was powered up at the time, but they didn't take the power cord.  Nearly two years later, I refinanced my house.  No strangeness on the credit report and my credit was higher than it was just prior to the theft.  Most thieves are too stupid to find and use your data.

--government: there's a low chance I would ever be raided by the government, but I would like to have my bases covered and not leave things 'in plain sight' that I intended to be private.
They probably already have the data you're likely to encrypt.  They have many more resources than you for breaking encryption and finding data.  Thieves are a more likely threat.  

If your wifi is reasonably secure and you haven't punched a bunch of holes in your FW, I wouldn't worry too much about LAN level security.  Just keep your AV and anti-malware up to date.  Any likely threat there is going to come from malware on the machines themselves that will just piggyback over permitted connections.  If you need a hole in your FW, make it specifically to a machine (maybe SSH to your server ONLY), even better if you put it on a nonstandard port (instead of tcp/22 for ssh, use tcp/23456) to throw off the port scanners.  I ran a web server on a nonstandard 4 digit port instead of port 80 (actually 80 on the server, but the FW port-forwarded from the non-standard port to 80).  My logs never showed anything suspicious after that.  

I used to run a Linux server at home hosting my family site and also running an SSH server.  I opened ports in my FW for SSH and http (latter running on nonstandard port).  I ran an iptables ruleset on the server to block known attacks and excessive connections (more than 2 SSH sessions per minute and more than 100 http sessions per minute) to the servers (to prevent brute force attacks).  The logs never showed anything hinky.

Chris
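The rate limits Chris describes (no more than 2 SSH and 100 HTTP connection attempts per minute) as an added example in shell; this is not his original ruleset. It uses the iptables "recent" match, assumes SSH on tcp/22 and HTTP on tcp/80 on the server, and only prints the rules unless APPLY=1 is set, so the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example: per-source connection-rate limits with iptables.
# Assumed ports: SSH on tcp/22, HTTP on tcp/80. Change the arguments to
# rate_limit_rules if SSH lives on a nonstandard port (e.g. 23456).

rate_limit_rules() {
    port=$1; name=$2; per_minute=$3
    # The "recent" match counts the current packet too, so "more than N per
    # minute" means dropping once the hit count reaches N+1 within 60 s.
    hits=$((per_minute + 1))
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $name --set
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $name --update --seconds 60 --hitcount $hits -j DROP
EOF
}

firewall_rules() {
    # Keep existing sessions and loopback working before anything else.
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
EOF
    rate_limit_rules 22 SSH 2      # at most 2 new SSH connections/minute
    rate_limit_rules 80 HTTP 100   # at most 100 new HTTP connections/minute
    # Whatever survives the rate limit is accepted; everything else is dropped.
    cat <<EOF
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    firewall_rules | sh -e     # apply for real (needs root)
else
    firewall_rules             # dry run: print the rules only
fi
```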

lee n. field

Re: Designing a Linux home network for security? (long, boring)
« Reply #2 on: September 26, 2012, 06:46:58 PM »
All that, and don't give wifey the root password.
In thy presence is fulness of joy.
At thy right hand pleasures for evermore.

Physics

Re: Designing a Linux home network for security? (long, boring)
« Reply #3 on: September 26, 2012, 09:10:25 PM »
I don't know the actual utility of penetration testing distributions of linux, like Backtrack, but I've seen a friend crack his neighbors' wireless networks pretty fast.  Add to that the fact that he is at script kiddy level of hacker, so they seem usable.  You could at least test your own security that way.  I'm sure others who actually know something on the topic would have more to say on the matter. 
In the world of science, there is physics.  Everything else is stamp collecting.  -Ernest Rutherford

mtnbkr

Re: Designing a Linux home network for security? (long, boring)
« Reply #4 on: September 26, 2012, 10:23:40 PM »
I'd like to know the neighbor's wifi config as the default on many routers is WEP with SSID broadcast and no MAC filtering.  That's practically unsecured IMO. 

Use the tools that exist on the router to their fullest and don't poke a bunch of interesting holes in your router on the public internet side and you'll be safe.  You'll always have Chinese hackers port scanning your router, trying every common logon known to man, but if you're secured, it won't matter.  Even with SSH (tcp/22) and HTTP(tcp/xxxx, not the default 80), I saw lots of random scan traffic.  The ones that noticed the open ports tried every known account, except the only one that had SSH access (no, really, I don't allow root/admin/administrator/apache/yomomma to login remotely). 

I don't know what your neighborhood looks like, but mine is a veritable jungle of Wifi access points.  From my house, I can see close to a dozen.  1-3 are open, the rest are locked down to various levels.  Mine is locked down and not broadcasting.  I would expect mine to be a low priority target because there's plenty of low hanging fruit around.

Personally, I would worry more about malware.  It doesn't matter how well encrypted your stuff is, or how secure your network is to external penetration, if you get the right malware (generally invited in by your own actions), it'll spew your data to a C&C system in Russia.  You need AV, HIPS, and common sense in order to stop them.

Chris

lee n. field

Re: Designing a Linux home network for security? (long, boring)
« Reply #5 on: September 26, 2012, 10:37:01 PM »
Bastille Linux is worth a look.  (It's been quite a while since I personally have used it, and I don't know how current it has been kept.)

Ditto tripwire.

cordex

Re: Designing a Linux home network for security? (long, boring)
« Reply #6 on: September 26, 2012, 10:41:08 PM »
Quote
Turn off SSID broadcast, use a strong password.
I've seen this advocated for years and used to do it myself, but I'm skeptical that it has any true value these days.

As you point out, the people running open networks are the real low hanging fruit.  The folks running WEP are the next targets, but if a hacker is cracking WEP keys they can just as easily sniff your SSID (or do both at the same time).  Worse, some operating systems configured to connect to a router with a hidden SSID will actually randomly broadcast connection attempts - including the SSID - wherever you are because they can't tell whether or not the WiFi network is nearby.  This can be disabled in some operating systems but it is still a potential concern.

lee n. field

Re: Designing a Linux home network for security? (long, boring)
« Reply #7 on: September 26, 2012, 10:44:39 PM »
Quote
Even with SSH (tcp/22) and HTTP(tcp/xxxx, not the default 80), I saw lots of random scan traffic.

Do any ISPs do anything funky with blocking SSH?

I ask because I have ssh set up on the web server at the school I support, so the webmistress can upload website updates using winscp.  It stopped working this summer.  When I got to looking at it, the symptoms were thus:  You could make a connection once with ssh, but after that you could make no connection from that same source -- no web, no https, no RDP, nothing.  After a while the block would time out.  

The immediate ISP (a local competitor of ours recently absorbed into a national ISP borg) in the chain denied doing anything.

What fixed it was putting ssh on a custom port.

mtnbkr

Re: Designing a Linux home network for security? (long, boring)
« Reply #8 on: September 26, 2012, 10:56:04 PM »
Quote
I've seen this advocated for years and used to do it myself, but I'm skeptical that it has any true value these days.

As you point out, the people running open networks are the real low hanging fruit.  The folks running WEP are the next targets, but if a hacker is cracking WEP keys they can just as easily sniff your SSID (or do both at the same time).  Worse, some operating systems configured to connect to a router with a hidden SSID will actually randomly broadcast connection attempts - including the SSID - wherever you are because they can't tell whether or not the WiFi network is nearby.  This can be disabled in some operating systems but it is still a potential concern.

I still use it because it's easy to configure (uncheck a box), doesn't create any overhead, and just adds another layer. 

Quote
Do any ISPs do anything funky with blocking SSH?

I ask because I have ssh set up on the web server at the school I support, so the webmistress can upload website updates using winscp.  It stopped working this summer.  When I got to looking at it, the symptoms were thus:  You could make a connection once with ssh, but after that you could make no connection from that same source -- no web, no https, no RDP, nothing.  After a while the block would time out. 

The immediate ISP (a local competitor of ours recently absorbed into a national ISP borg) in the chain denied doing anything.

What fixed it was putting ssh on a custom port.

SSH?  Dunno.  I've never had problems with it being blocked.

Verizon FIOS blocked 80, but not 22 (that's why I had to move my web server to a nonstandard port while running SSH normally).  Verizon DSL didn't block anything.

Chris

zahc

Re: Designing a Linux home network for security? (long, boring)
« Reply #9 on: September 27, 2012, 01:55:14 AM »
I have SSID broadcast disabled, but haven't set up MAC filtering yet. I used to, but got lazy.

Quote
FW, I wouldn't worry too much about LAN level security.  Just keep your AV and anti-malware up to date.  Any likely threat there is going to come from malware on the machines themselves that will just piggyback over permitted connections.

I'm as much interested in theoretical security as practical security. Even if I don't need to take certain steps, what would I do if I was being hired to set up a network? That kind of thing. It's totally pointless to set up a strong password on my server, encrypt the home directory, and then set up my HTPC to auto-login and auto-mount said directory.

Do I need to have AV and anti-malware for Linux? Note: I consider Windows malware; there is no Windows on my network.

Quote
Encrypt the important stuff (tax records, anything with a SS number, income figures, account numbers, etc.).
Any recommendations for encrypting certain containers/folders?


mtnbkr

Re: Designing a Linux home network for security? (long, boring)
« Reply #10 on: September 27, 2012, 07:40:01 AM »
Quote
I'm as much interested in theoretical security as practical security. Even if I don't need to take certain steps, what would I do if I was being hired to set up a network? That kind of thing. It's totally pointless to set up a strong password on my server, encrypt the home directory, and then set up my HTPC to auto-login and auto-mount said directory.

Why would your HTPC need to auto-anything?  I don't have an HTPC, so I'm not familiar with what it does and why.  It sounds like it isn't your primary server and has a single purpose.  Lock it down, only grant it access to what it has to have and nothing else.  Don't make changes from HTPC to your server.  Set hosts.deny in your server to disallow remote logins from the HTPC.  The HTPC should be a client machine that can only mount the media drive.  Turn off any non-HTPC-related service, set up iptables and configure hosts.deny (or hosts.allow depending on your strategy and needs) on both the HTPC and server to control what connections can be made. 

Most of the time, your security concerns are going to be related to your ingress/egress points (wifi and broadband connections for a home user).  Assuming you've punched no holes in your FW to allow remote access to your home network, your only concern is the wifi.  Lock it down as much as is practical and make sure your individual systems are set up well (no unnecessary services running, hosts.allow and iptables in use to control allowed traffic, crap filtering, and rate limiting, etc).  Use decently strong passwords. 


Quote
Do I need to have AV and anti-malware for linux? Note: I consider Windows malware; there is no Windows on my network.
Any recommendations for encrypting certain containers/folders?

I consider HIPS important for corporate networks, though not very practical for home use.  HIPS will protect attack vectors missed by network-level protections.  However, I don't think HIPS is available for home users (ie free or cheap, McAfee HIPS/EPO isn't exactly targeted to the home user market).  A quick search didn't turn up anything relevant for home use.  I'd focus on using the existing Linux toolsets.  Iptables is quite flexible and could control ingress and egress traffic from the systems effectively.  Set up a blacklist of known C&C sites and you could reduce possible data leakage (though that list would change often).

Truecrypt or GPG.  On Windows, I use Truecrypt or Winzip (can encrypt with 256-bit AES).

By the way, if you want to prepare for being hired to set up a network, you might want to drop the "windows is malware" bit.  Like it or not, Windows represents the standard desktop pretty much anywhere.  If you think Windows is bad, you'll be horrified at what most companies run (Win XP, IE 8, no we can't upgrade or switch to Linux).  I work with some very large companies, companies who make products you have in your house.  They work very hard to secure and monitor their networks, but have the most horrific desktops (ie8!!!).  They mitigate the desktop threat with AV, HIPS, and good network and server level protections (and monitoring).  You'll need to understand the Windows-specific issues in order to build in protections throughout the network. 

Chris

zahc

Re: Designing a Linux home network for security? (long, boring)
« Reply #11 on: September 27, 2012, 09:33:20 AM »
Oh, I know that Windows is a factor. I work at a Fortune 500 company which has a lot of Windows legacy. I'm still using XP on my work laptop. I'm supposed to use IE7, but I use Firefox even though IT go out of their way to insist that it's not supported. I also run Linux at work because I occasionally need to do real work. It's actually pretty surprising how well Windows and Unix play together nowadays, with Samba and CUPS and whatnot. IT only recently, kicking and screaming, were dragged into allowing (not supporting) Linux desktops because we have business units that need to develop kernel drivers and ARM/Android stuff, so it's getting a bit better.

Quote
Why would your HTPC need to auto-anything?  I don't have an HTPC, so I'm not familiar with what it does and why.
It's basically a media-playing appliance for playing music and movies. I would like to be able to have it log itself in and auto-mount my media directory when it's turned on. Otherwise, I have to drag out a keyboard all the time. I can give up on logging into the server from the HTPC, if that's a security liability.

mtnbkr

Re: Designing a Linux home network for security? (long, boring)
« Reply #12 on: September 27, 2012, 09:54:19 AM »
I'm not well versed on mounting remote drives from Linux (have worked a lot with Samba to create shares for Win boxes though).  I suspect you can set up the box to mount the remote drive and nothing else, then set up security on the server to allow the HTPC to only mount the drive, nothing else and have no access beyond that share (/shares/foo/ for example).

There appears to be some good info here on configuring NFS: http://nfs.sourceforge.net/nfs-howto/

It covers the basic config and security.

Chris
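An added example (not from the thread or the linked HOWTO) for the read-only media export zahc describes and the "only mount the drive, nothing else" setup Chris suggests: a POSIX sh/awk audit of an /etc/exports file that flags exports open to every host, writable (rw) exports, and exports that disable root_squash. The sample exports file is constructed inline; the hostname htpc and the /srv paths are assumptions.

```shell
#!/bin/sh
# Added example: audit /etc/exports for the mistakes a read-only HTPC
# export is meant to avoid. One WARN line is printed per finding.
audit_exports() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {   # split host(opt,opt) into parts
                opts   = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            # "host (rw)" with a space before the parens exports to everyone:
            # the option list becomes its own field with an empty hostname.
            if (client == "")
                printf "WARN %s: option list with no host exports to everyone\n", path
            else if (client ~ /^\*/)
                printf "WARN %s: exported to wildcard client %s\n", path, client
            if (opts ~ /(^|,)rw(,|$)/)
                printf "WARN %s: writable (rw) for %s\n", path, (client == "" ? "everyone" : client)
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "WARN %s: root_squash disabled for %s\n", path, client
        }
    }' "$1"
}

# Number of findings in a file (0 when the export list is clean).
audit_count() {
    audit_exports "$1" | grep -c '^WARN' || true
}

# Constructed sample: the first export is the read-only one for the HTPC;
# the other two are deliberately bad.
demo() {
    f=$(mktemp)
    printf '%s\n' \
        '# media for the HTPC, read only' \
        '/srv/media htpc(ro,sync)' \
        '/srv/office *(rw,no_root_squash)' \
        '/srv/backup 192.168.1.0/24 (rw)' > "$f"
    audit_exports "$f"
    rm -f "$f"
}

demo
```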