Linux security

ycgtech
Hi -
I do not have much experience in web security; this is probably a fairly basic question.

Here is my setup:

CentOS 6 running on Hyper-V.  The CentOS is on the same local subnet as the rest of my network.  I am using the server only for SimpleHelp (a remote support server).  I configured iptables to accept 80 and 443.  I also forwarded those ports on my router.  Everything is working.

My question is what security precautions/steps should I take to ensure network integrity?  Do I need to be concerned about the rest of my internal network?

Thanks,
Commented:
You have a router that is exposed to the network and forwards port 80 and 443 to your internal server?  I presume the router is blocking all ports, except those above 1024 and the two forwarded ports.

How do your internal network machines access the network?  The biggest concern is what your other network machines bring onto the network, and the security of your http/s server on your CentOS box.

Things like trojans on your internal network need to be considered, as well as virus scanning.

Having your CentOS server on your internal subnet is not normally good practice.  Normally that would be sitting in a separate subnet designated as a DMZ zone with all traffic routed back through your router and with no traffic between the DMZ and your internal network being allowed.
Commented:
Hi,

I agree with sweetfa2, but regarding the question of whether you need to be concerned about the rest of your network I would say no. The main concern is the CentOS, which is answering on ports 80 and 443.
Best practice would of course be to place it in a DMZ. Otherwise you could always restrict which IPs you do remote access from, or install OpenVPN and access via a VPN session.

//zaZagor

Author

Commented:
@sweetfa2 and @zazagor
Thanks for the suggestions.  I have a dd-wrt router that is blocking all other traffic.  Using VPN, etc. would not work - SimpleHelp is designed to allow for desktop support (i.e. from anywhere).
I am open to putting the CentOS on a different subnet; can you please explain more how that would work?

Thanks,

Commented:

Hi,

There are a lot of ways to do it. One is a router with three interfaces, internal, external and DMZ.
Another way is maybe to add a network adapter to your Hyper-V and implement it as DMZ.
//zazagor

Commented:
What you need is a router with three network interfaces or something approximating that.  Most standard routers only cope with two network interfaces properly so you would normally use another internal router.  

A setup I have uses one router that faces the internet, and is connected to the DMZ subnet.  Also on the DMZ I have another router that controls access to my internal network.  Given that routers cost about $30-50 these days it is worth the investment to do it properly.
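
The three-interface DMZ layout described in the replies above, sketched as firewall rules. This is an added example, not part of any reply in the thread; the interface names, the server address and the `dmz_ruleset` function are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a router with three
# interfaces (WAN, LAN, DMZ). All names and addresses passed in are assumptions.
# Usage: dmz_ruleset WAN_IF LAN_IF DMZ_IF DMZ_HOST_IP
dmz_ruleset() {
    [ "$#" -eq 4 ] || { echo "usage: dmz_ruleset WAN LAN DMZ HOST_IP" >&2; return 1; }
    wan=$1; lan=$2; dmz=$3; host=$4
    cat <<EOF
*nat
# Forward only ports 80 and 443 from the internet to the DMZ server.
-A PREROUTING -i $wan -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $host
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
# Anything not matched below is dropped, including connections the
# DMZ server tries to open on its own.
:FORWARD DROP [0:0]
# No traffic between the DMZ and the internal network, in either direction.
# These come first so no later rule can let such packets through.
-A FORWARD -i $dmz -o $lan -j DROP
-A FORWARD -i $lan -o $dmz -j DROP
# Replies to connections that were allowed to start.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound connections: only web ports, only to the DMZ server.
-A FORWARD -i $wan -o $dmz -d $host -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Internal machines may reach the internet.
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Print the ruleset when run directly with four arguments, e.g.
#   sh dmz.sh eth0 eth1 eth2 192.168.50.10   (constructed sample values)
if [ "$#" -eq 4 ]; then dmz_ruleset "$@"; fi
```

Review the output before loading it: without `--noflush`, `iptables-restore` replaces the existing contents of the `nat` and `filter` tables, so the router's own INPUT rules must be merged in first.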
Michael Worsham, Cloud/Infrastructure Solutions Architect
Commented:
If this server is Internet facing, I would also recommend installing fail2ban (http://www.fail2ban.org/) as well. This would help reduce the number of script kiddie attempts at trying to log in repeatedly with dictionary and other brute force attacking scripts. If you are going to have Apache installed on the system, I also recommend setting up and configuring ModSecurity as well:

http://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/