Thread: Cracking an Average SoHo

#1 wiskic10_4 (Senior Member; joined Jan 2004; Corpus Christi, TX; 254 posts)

    Cracking an Average SoHo

    Hey AO - I'd like to know:

    What is the likelihood of compromising a SOHO with the following:

    Linksys WRT54GL wireless router - WPA2 Personal wireless security, forwarding ports 80 and 22 to the Slack server.

    Slackware 13.0 web/file server - Samba, SSH and Apache with PHP. iptables set up to allow no more than 3 failed SSH login attempts before blocking attempts for 10 min. No forms; file share available via .htaccess login and password (all strong passwords).

    Windows XP Home Ed desktop - fully patched, updated, no exploitable services running
    2 Windows XP Home Ed laptops - fully patched, updated, no exploitable services running
    Windows 7 64 Ultimate desktop - fully patched, updated, no exploitable services running

    Mind you, when I say "likelihood of compromising," I mean from the outside, assuming everything inside the network stays the same. And, I'm really much more concerned about a remote attack - not somebody sniffing the wireless...

    Any thoughts?
    My Corner of the Intarwebz: Jeremy Dean Online

#2 instronics (Antionline's Security Dude; joined Dec 2002; 901 posts)
    Good morning

    For the Slackware box, I would maybe recommend some additional security settings for the system.

    1 - A nice idea would be to limit the login names to names you specifically allow. Definitely disable direct root login via SSH. It's better to 'su' to root if needed.

    or

    2 - (and this is what I prefer) disable login with passwords in general, and use keys to log in. No passwords needed.

    Also:

    Change the default sshd PORT it listens on to some weird unused high port. Make sure you make the adjustments on the firewall/router/modem to forward to the new port if needed. Also (only possible if you work with static IPs) set which IPs are allowed to connect to the sshd.

    Then set only 1 user on your system to be able to 'su' to root, by adding this user to the wheel account and disable 'su'ing to root from non wheel accounts.

    You also mention that you have a login for the web server using .htaccess and you allow port 80. Where is port 443 for SSL? Make sure that when you enter your login info that you are on an encrypted connection. Enable mod_ssl for your apache. Maybe even setup a VPN if possible?

    Now about your win boxes. You mention that you are only scared from outside sourced attacks? Note that a much larger quantity of dangers come from the inside, not from the outside. Maybe with your firewall also setup some rules for outgoing ports/targets? Letting anything pass the firewall outgoing is not such a good idea.

    Then you say that you are not worried about wireless sniffing? You could play with some settings there too, though. NEVER presume you are safe. Stay alert. Lock the wifi to the MAC addresses of your boxes that need wifi behind the LAN. Disable the DHCP on the modem/router and set static IPs for all your boxes. Make sure your LAN addresses are not the default 192.168.0.1 but rather something like 192.168.23.53 - however many connections are needed. WPA2 HAS been cracked...... It's not easy yet, but it's not 100% either!!!

    Basically, in the end, I could go on and on and on, but the ideas mentioned above are a nice step to better security. Depending on how important/private/critical the data is that you want to protect on the fileserver, we could discuss deeper security, like some form of IDS, maybe also a rootkit detection application, maybe also a general DMZ solution etc etc etc....

    Cheers
    Last edited by instronics; November 23rd, 2010 at 08:20 AM.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"
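The sshd changes instronics lists (no direct root login, keys instead of passwords, an allow-list of login names, a non-default port) can be checked against a config file before the daemon is restarted. The script below is an added example, not code from the thread or from Slackware; the account name "alice", the address 192.0.2.10, the port 22022 and the two sample sshd_config files it writes are constructed placeholders. It reads only top-level directives, so anything inside a Match block is not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the hardening
# described in post #2. Usernames, port and sample configs are constructed.
# Caveat: settings inside Match blocks are not evaluated.

# Print the value of the first uncommented occurrence of a directive.
# OpenSSH applies the first value it sees for a keyword, so that is the
# effective one. Keywords are case-insensitive, arguments are not.
get_directive() {
  awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == d { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# One line per weak or missing directive; always exits 0 so callers can count.
audit_sshd_config() {
  cfg="$1"
  v=$(get_directive "$cfg" PermitRootLogin)
  case "$v" in
    no) ;;
    *) echo "PermitRootLogin: '${v:-unset}' (want 'no'; old releases default to yes)" ;;
  esac
  v=$(get_directive "$cfg" PasswordAuthentication)
  [ "$v" = no ] || echo "PasswordAuthentication: '${v:-unset}' (want 'no' once keys are in place)"
  v=$(get_directive "$cfg" PubkeyAuthentication)
  [ "${v:-yes}" = yes ] || echo "PubkeyAuthentication: '$v' (want 'yes')"
  # Turning off PasswordAuthentication is not enough on its own: with
  # keyboard-interactive enabled (default yes) a password prompt can still be
  # offered via PAM. Newer releases spell the keyword KbdInteractiveAuthentication.
  kbd=$(get_directive "$cfg" KbdInteractiveAuthentication)
  cr=$(get_directive "$cfg" ChallengeResponseAuthentication)
  [ "${kbd:-${cr:-yes}}" = no ] || echo "keyboard-interactive auth: still enabled (set ChallengeResponseAuthentication no)"
  v=$(get_directive "$cfg" AllowUsers)
  [ -n "$v" ] || echo "AllowUsers: unset (every account with a shell can be tried)"
  v=$(get_directive "$cfg" Port)
  [ "${v:-22}" != 22 ] || echo "Port: ${v:-22} (default; remember to re-point the router forward and the iptables rule if changed)"
  return 0
}

count_findings() {
  audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Two constructed configs: a stock-looking one (everything commented out, so
# sshd defaults apply) and one with the post's recommendations applied.
make_sample_configs() {
  dir="$1"
  cat > "$dir/sshd_config.weak" <<'EOF'
#Port 22
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
  cat > "$dir/sshd_config.hardened" <<'EOF'
Port 22022
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers alice alice@192.0.2.10
Subsystem sftp /usr/libexec/sftp-server
EOF
}

main() {
  dir=$(mktemp -d)
  make_sample_configs "$dir"
  for f in "$dir/sshd_config.weak" "$dir/sshd_config.hardened"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_sshd_config "$f"
  done
  rm -rf "$dir"
}

main "$@"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` (or pass the path into `count_findings`) after sourcing the script; the constructed weak config yields five findings and the hardened one none. Restart sshd only after confirming a key-based login works from a second session, since PasswordAuthentication no locks out anyone whose key is not yet in authorized_keys. Moving the port off 22 mostly cuts log noise from scanners; the 3-failures-in-10-minutes iptables rule from post #1 still does the real rate limiting, and its --dport has to follow the new port.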

#3 nihil (Senior Member; joined Jul 2003; Bridlington, United Kingdom; 17,188 posts)
    Against a serious attacker the only system that will survive is one that is switched off?

    Apart from instronics's suggestions, I would say that your system was pretty secure against casual attackers. They pretty soon get bored and go somewhere else.

    Your real weakness is likely to be the laptops if they are taken away from the workplace, and particularly if they are going to be used over public access points.

    Quoting instronics: "Now about your win boxes. You mention that you are only scared from outside sourced attacks? Note that a much larger quantity of dangers come from the inside, not from the outside."

    Exactly! ...........and a laptop is something that is compromised on the outside then brought inside.

    Make sure that the boot sequence is HDD, network, and put a strong admin password on all machines. Provided your kit is reasonably modern, that should secure it reasonably.

    I know that SOHO environments are difficult, but there is still no substitute for safe computing practices.

    For the laptops I would look at whole drive encryption and a HDD access password. That is in case they get stolen.

#4 wiskic10_4 (Senior Member; joined Jan 2004; Corpus Christi, TX; 254 posts)
    Thanks guys. Yeah, I thought it was pretty secure for just general outside attacking. No doubt, if someone wants to get in bad enough, they will get in somehow (even if they have to kick down the house door and just take the computers).

    There's nothing really sensitive on my network - they may be able to get some of my bank acct info, but meh - it's not like I have any money anyway.

    The reason I don't worry about the laptops is because they never leave the house, and seldom leave the carrying bag. But I'll keep it in mind if I ever have the urge to do some web surfing at Burger King...

    I was just curious about the security of the router - it seems like, since the model is so common, someone would have found a way to compromise them by now - but I guess it's a simple machine, and therefore, not much there to exploit - idk... just always seems like there's someone out there that knows something I don't.

    Anyway, I check my logs pretty regularly, and it looks like the only kind of breaching anyone has even attempted is brute-forcing the SSH - which kicks them out after 3 attempts (and probably wouldn't work anyway, because I doubt any of my usernames/passwords are in any dictionary file anywhere).

    The Spec said he'd (she'd? I always thought the Spec was a dude, but I clicked on a link the other day of The Specialist's "character" and it was a joker with t!ts and a gun, so idk what to think anymore?) just ask for the .htaccess and upload his (her?) own scripts - well, they have to request .htaccess through email to me, and then it only allows them to download, not upload... so idk how that would work. I keep htaccess accounts separate from ssh/sftp accounts... maybe The_Spec knows something I don't though - I asked him (her?) to pen test my server, but got no reply, so I guess I'm not good enough...

    Anyway, thanks for the replies guys. I'll check in later.
    My Corner of the Intarwebz: Jeremy Dean Online

#5 (Banned; joined Jan 2008; 605 posts)

    Quoting wiskic10_4: "and then it only allows them to download, not upload... so idk how that would work. I keep htaccess accounts separate from ssh/sftp accounts... maybe The_Spec knows something I don't though"
    Yeah, ok.

    I'd say the likelihood is pretty slim.
