235 lines
4.4 KiB
HTML
235 lines
4.4 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Security - keeping people out</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
|
|
"><LINK
|
|
REL="HOME"
|
|
TITLE="VPN HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Server"
|
|
HREF="c224.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Server"
|
|
HREF="c224.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="User Access - letting people in"
|
|
HREF="x245.html"></HEAD
|
|
><BODY
|
|
CLASS="sect1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>VPN HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="c224.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 3. Server</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="x245.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="AEN227">3.1. Security - keeping people out</H1
|
|
><P
|
|
> Security is very important for a VPN. That's why you're building one in
|
|
the first place, isn't it? You need to keep a few things in mind while
|
|
setting up your server.
|
|
</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN230">3.1.1. Trim your daemons</H2
|
|
><P
|
|
> Since this server is going to be on both sides of your firewall, and set
|
|
up to forward traffic into your network, it's a good idea to secure the
|
|
box as well as you possibly can. You can read up more on Linux security
|
|
in the <A
|
|
HREF="/HOWTO/Security-HOWTO.html"
|
|
TARGET="_top"
|
|
>Linux Security HOWTO</A
|
|
>.
|
|
In this case I killed everything but sshd and a Roxen Web
|
|
server. I use the web server to download a couple of files (my scripts,
|
|
etc) for setting up new machines to access the VPN. I don't use an FTP
|
|
server since it's harder to configure one to be secure than it is to
|
|
just make a few files available with a web server. Plus, I only need to
|
|
be able to download files. If you really want to run different servers
|
|
on your gateway, you might want to think about restricting access to them
|
|
to only those machines on your private network.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN234">3.1.2. Don't allow passwords</H2
|
|
><P
|
|
> Yes, it sounds kind of silly, but it got your attention, didn't it? No,
|
|
you don't use passwords, you disable them completely. All
|
|
authentication on this machine should be done via ssh's public key
|
|
authentication system. This way, only those with keys can get in, and
|
|
it's pretty much impossible to remember a binary key that's 530
|
|
characters long.
|
|
</P
|
|
><P
|
|
> So how do you do that? It requires editing the <TT
|
|
CLASS="filename"
|
|
>/etc/passwd</TT
|
|
> file. The
|
|
second field contains either the password hash, or alternatively 'x'
|
|
telling the authentication system to look in the <TT
|
|
CLASS="filename"
|
|
>/etc/shadow</TT
|
|
> file. What
|
|
you do is change that field to read <SPAN
|
|
CLASS="QUOTE"
|
|
>"*"</SPAN
|
|
> instead. This tells the
|
|
authentication system that there is no password, and that none should be
|
|
allowed.
|
|
</P
|
|
><P
|
|
><A
|
|
NAME="passwd"
|
|
></A
|
|
>Here's how a typical /etc/passwd file looks:</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> ...
|
|
nobody:x:65534:100:nobody:/dev/null:
|
|
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
|
|
joe:*:504:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
|
|
bill:*:504:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
|
|
frank:*:504:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
|
|
...
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> Note that I've done more than just editing the second field. I'll
|
|
explain the other fields later on.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="c224.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="x245.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Server</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="c224.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>User Access - letting people in</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |