Koozali.org: home of the SME Server

SME Server 6.5 RC1 Security Question

wwwolf3004

SME Server 6.5 RC1 Security Question
« on: August 29, 2005, 04:18:06 PM »
I have successfully set up an http server with SME server 6.5 RC1. It works fine. The problem I am having is this. I have a D-Link router and I have it set up so the only thing that can be accessed on my server is port 80. The other computer I am running has a software firewall. Now with the SME Server I can't get it to work as a server and gateway but it works fine as just a server. And from what I understand there is no software firewall on the SME Server if I have it only as a server and not a server and gateway.

So will my D-Link router firewall be enough? I have all ports closed on my router except for port 80. If not, how do I go about setting up a software firewall with my SME Server?

Keep in mind that I am new to setting up servers. I have done some reading but I never got around to it until now.

The computer that I am using as a server is a Pionex PII (350MHz) 524 RAM. It only has one ethernet card installed now but I have a couple extra and can easily throw one on.


Thanks
Webwolf

wwwolf3004

SME Server 6.5 RC1 Security Question
« Reply #1 on: August 30, 2005, 12:08:57 AM »
Anyone? LOL

Webwolf

guest22

D-Link router security question
« Reply #2 on: August 30, 2005, 12:30:47 AM »
Correction: The title of this subject should be:

D-Link router security question!

Please think about the real 'issue' _before_ posting untrue subjects.

guest

wwwolf3004

SME Server 6.5 RC1 Security Question
« Reply #3 on: August 30, 2005, 03:46:15 AM »
No. Look closely and read again. I am using a D-Link router but my concern is setting up a server and gateway with SME Server or some other firewall. What I want to know is that I cannot get the server gateway working so I am using SME as a server only and there is NO firewall with it. I mentioned the D-Link router so people have an idea of what I DO have working with security. Maybe you should read slower rather than me changing the subject line, since the subject has to do with SME, firewalls and security. For the record I did mention I am using a Pionex, should I have also added that to the subject line??? Or maybe I was giving people an idea of additional hardware I am using.


Webwolf

wwwolf3004

SME Server 6.5 RC1 Security Question
« Reply #4 on: August 30, 2005, 03:48:48 AM »
You know what. Never mind. As far as linux communities go this one is on the low end. I will go back to Fedora or Mandrake and skip SME. People are more friendly there.


Webwolf

thecat

SME Server 6.5 RC1 Security Question
« Reply #5 on: August 30, 2005, 04:13:24 AM »
oh dear!

arne
SME Server 6.5 RC1 Security Question
« Reply #6 on: August 30, 2005, 07:20:44 PM »
Yes, your D-Link firewall/router will probably be good enough whether you use Mandrake, RedHat or SME server.

Actually some references for firewall/gateway design claim basic rules like "never run a web server", "never run an ftp server", etc. on a firewall gateway. The SME server breaks most of these "rules".

But, for a home server or small business use, the SME server or the D-Link might give probably enough security.

Personally I have used the sme server as server only behind a netopia router for approx 3 years now, without a problem.

If you set up a Fedora, a Mandrake or an SME server behind the D-Link firewall/router it might still be a good idea to apply a "local firewall" at the Linux server. Personally, I use that, but I have to admit that the reason for this might be more the fun of designing a firewall on the Linux box, rather than the real need for a "firewall behind the firewall". But, of course a "multilevel" security is a better choice than the "single security level", though possibly still overkill for a home server.

I think the greatest risk of getting hacked using an SME server or any other Linux distro is if you have net access for ssh logon and weak passwords. Misconfigured servers could be another actual problem area.

I guess that the SME server set up as "server only", with or without another "local firewall", in most cases will be more secure than a Mandrake or a Fedora. The reason for this is that the basic configuration of the SME is a lot better than what you, in most cases and in real life, will be able to obtain by doing a "manual configuration" of the Fedora or the Mandrake installation.

If I should recommend an installation with the best possible security I think an SME server behind the D-Link router/firewall and with an additional "local firewall" will be a good choice.

I have also tried to use Fedora for periods, but the Fedora installations have produced a number of errors, mostly due to "not good enough configuration", while the SME server installations have run without a problem.

At the moment I'm using an SME "server only" server behind a Netopia router and one other connected directly to the internet with an external IP. I'm using "local firewalls" on both of them. The first has run approx 3 years without a problem and the other ca 6 months, also without a problem. 3 months of Fedora gave quite a lot more problems than 3 years of operation of the SME server.
......

arne
SME Server 6.5 RC1 Security Question
« Reply #7 on: August 30, 2005, 07:25:32 PM »
And, the Mandrake .. I have tried that as well for a while ago, but from my experiences with Mandrake or Mandriva I think of it as a workstation installation only. (But this might not be right or true anymore as I have not tried the newest revisions.)
......

arne
SME Server 6.5 RC1 Security Question
« Reply #8 on: August 30, 2005, 07:38:21 PM »
I wrote that "misconfigured servers" might be a problem, but of course the PHP script configuration will be a major issue. For the Fedora there will be a number of "traps" during the "manual configuration". For the SME server you will get a not so bad mix of security and functionality for free.

Just as I remember things after some hours of experiments ..

Best reg Arne.
......

wwwolf3004

SME Server 6.5 RC1 Security Question
« Reply #9 on: August 30, 2005, 08:26:26 PM »
Thanks. As long as SME security is not that big of an issue while I use my router firewall, then that gives me time to look into things and get more familiar with running a server and using SME (including a working SME firewall).

Quote from arne:
"I think the greatest risk of getting hacked using an SME server or any other Linux distro is if you have net access for ssh logon and weak passwords. Misconfigured servers could be another actual problem area."

This I wondered about also. That is why I only access the server on a local network. For now the only thing that can be accessed from the internet is http port 80 on the server. Though I do want to look into and learn more about https.

I have tried some other servers and because I am new I had somewhat of a hard time setting them up. SME Server has made the installation easy so now I can focus on learning other parts of running a server.

After that I have an older HP Pavilion 6635 (533MHz, maxed out at 256 RAM) computer I want to use as well. I may install PC-BSD or Suse 9.3 Pro, but I am not sure yet, lol.

Thanks again.

webwolf

dmac (http://www.rylar.ca)
SME Server 6.5 RC1 Security Question
« Reply #10 on: August 30, 2005, 08:44:42 PM »
Quote from wwwolf3004:
"It only has one ethernet card installed now but I have a couple extra and can easily throw one on"


Server and Gateway mode is only usable with two NICs. If you want to experiment with Server-Gateway mode, add the second NIC, configure it to be the external connection and connect it to your D-Link router. Connect your internal NIC to a switch and configure your workstations to look to the SME as the gateway.

Alternately, you could put the SME on the incoming Internet connection instead of the D-Link. This is the configuration I use and have not had a problem with the SME server being compromised for over 2 years.
"In a world without Fences, why do we need Gates and Windows"

wwwolf3004

SME Server 6.5 RC1 Security Question
« Reply #11 on: August 30, 2005, 09:09:11 PM »
Thanks dmac. A little later tonight I am going to throw the other ethernet card on and try a couple of ideas you gave me.


Webwolf

arne
SME Server 6.5 RC1 Security Question
« Reply #12 on: August 30, 2005, 11:57:41 PM »
I have also tried the double NAT solution with first a firewall/router and then the SME server as a new gateway/firewall/router after that. It worked for me too, but to make things a little bit easier for the workstations, in the long run I preferred to let the workstations work through one gateway only.

Of course a double firewall router will give some extra security and double control of which services will be available from the internet. I also tried the double NAT solution with some other Linux distro (CentOS 4.0) using an IP telephone behind the second Linux router and even that worked fine.

If you don't want to write your own firewall script, but you want a "server only" still with a second firewall barrier, I think this solution can be possible:

1. Insert the second network adapter.
2. Install an SME gateway installation.
3. The card that is normally used as the internet connection is connected to the LAN segment behind the D-Link router.
4. The card that should normally be used for the LAN connection is used for a temporary connection and configuration purposes only.

In this way all internet clients will see a double firewall while accessing the server and all LAN traffic will have to pass through a firewall that is designed to be an internet firewall. This will leave "ordinary internet services" available from the LAN, like ftp and web server, while traditional LAN services will be locked out (like Samba file sharing).

This will give "the server double control and security" and the ease of letting the workstations access the internet via one gateway only.

I have not tried that last variant myself (using the two cards on a "semi server only") as I always design the Linux firewalls myself (because of the joy of it and not the security) but I would expect it to work. The firewalls I am using have only one network card, but I think or guess that the parallel and same functionality can be obtained by installing an SME configured as a gateway on the LAN. (So the card that normally should be connected to the internet is connected to the same network segment as the LAN workstations.)

Just some ideas ..

Best reg Arne.
......

arne
SME Server 6.5 RC1 Security Question
« Reply #13 on: August 31, 2005, 12:12:44 AM »
By the way, of course - the more server functions that are available and visible from the internet, the more chances there are to get hacked.

The other way - the more server functions that are hidden behind a first firewall barrier, the less are the chances to get hacked.

Each service or server function that is visible and accessible from the internet will be a risk in its own right.

If port 80 is the only port left open, then I believe that the last security risk with some significance is the PHP script execution.

On the other hand the configuration for the PHP script execution will be a lot safer on an SME server than it will "normally" be on some other Linux distro where you have done the configuration for the PHP script execution by yourself.

Unless they have removed it since the 6.0.1 distro, the SME server among other things has a PHP chroot environment as a security function that I think most Linux distros do not have. (And because of this some PHP applications with file uploads etc. could have some difficulties running on the SME server.)

Just some of my personal and private ideas and opinions ..

Best reg Arne.
......
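As an added example (not code from this thread, from arne, or from the SME Server project), here is what the "local firewall" arne recommends in reply #6 can look like for the "server only" case discussed in reply #13, where the router forwards nothing but TCP port 80. It is written as a plain iptables script, which the thread does not name; the interface name eth0 and the LAN range 192.168.0.0/24 are hypothetical and can be overridden through the WAN_IF and LAN_NET environment variables. The policy drops everything by default, opens port 80 to the world, restricts ssh (arne's "weak passwords" risk) to the LAN, and logs what it drops so a misconfiguration shows up in the system log.

```shell
#!/bin/sh
# Added example (not from the thread or the SME Server project): a small
# "local firewall" for a "server only" Linux box behind a router that forwards
# only TCP port 80 to it. Hypothetical assumptions: the single NIC is eth0 and
# the LAN is 192.168.0.0/24; override with WAN_IF and LAN_NET if yours differ.

WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Emit the policy as plain iptables commands instead of running them, so it
# can be reviewed (or checked by the functions below) before it is applied.
firewall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
iptables -A INPUT -j DROP
EOF
}

# TCP ports the policy opens to any source address. For a box that only
# serves a web site this should print exactly one line: 80.
world_open_ports() {
    firewall_rules | grep -- '--dport' | grep -v -- "-s $LAN_NET" \
        | sed 's/.*--dport \([0-9]*\).*/\1/'
}

# TCP ports that are open, but only to hosts on the LAN (ssh here).
lan_only_ports() {
    firewall_rules | grep -- '--dport' | grep -- "-s $LAN_NET" \
        | sed 's/.*--dport \([0-9]*\).*/\1/'
}

# Apply the rules when run as root; otherwise just print them. Run this from
# the console rather than over ssh: the DROP policy plus flush briefly cuts
# existing sessions until the ESTABLISHED rule is back in place.
apply_firewall() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing rules instead of applying them" >&2
        firewall_rules
        return 1
    fi
    firewall_rules | sh -e
}

# "sh firewall.sh" shows the policy; "sh firewall.sh apply" installs it.
case "${1:-show}" in
    apply) apply_firewall ;;
    *) firewall_rules ;;
esac
```

The two checking functions are the part worth keeping around: after any edit to the rule list, `world_open_ports` should still print only 80, which is the same property the D-Link's port forwarding is supposed to enforce one hop further out. If the box is later switched to server-and-gateway mode with a second NIC, the FORWARD chain needs its own rules; this script deliberately leaves it at DROP.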

wwwolf3004

SME Server 6.5 RC1 Security Question
« Reply #14 on: August 31, 2005, 01:16:44 AM »
This is cool. I have all these ideas and options. What to do, what to do  :-D  Thanks everyone for the info and suggestions. Please keep them coming, lol. I will post my website, which is on my server :-), when I get things just a bit better, though they appear to be safe now.


Webwolf