NAT is not a Security Feature
Posted Aug 22, 2005 14:47 UTC (Mon) by AnswerGuy (subscriber, #1256)
In reply to: I avoided the worm too by etymxris
Parent article: The worm that didn't turn up (Guardian)
Many worms work just fine through a NAT or proxy (as some of them can exploit bugs in the clients behind the firewall).
A Linux box is not inherently any more secure behind a NAT (network address translation) router than it was on a publicly routable address if you simply limit the open (listening) ports and the range of source addresses which are allowed to access specific services.
Yes, there are many people who have had their Linux box "rooted." Often they haven't detected the compromise for a long time. However, I can say from long experience that Linux has made significant improvements over the last few years. After the days of Ramen, Adore and Lion we've found that Linux worms and remotely exploitable arbitrary code and root vulnerabilities are getting to be far less common and somewhat more difficult to exploit.
As the mainstream distributions integrate more kernel hardening features (like SELinux, much as I detest its complexity; and systrace, the grsecurity patches, etc) then things should continue to improve.
Convincing the major distributors to further encourage better security with better defaults, guided installation and configuration dialogs, and some additional packages should also help.
All major distributions should ship with chkrootkit and/or rkhunter and bastille. They should default to installing and configuring them (or at least recommending them and requiring a user/admin to specifically reject them).
ssh continues to be one of the scariest vectors for possible vulnerabilities. It's ubiquitous and privileged. It would be vastly better for ssh to be more locked down by distributors in their default configurations. I routinely configure sshd to limit the allowed source addresses (both using its own TCP wrappers entries in /etc/hosts.allow and using appropriate iptables rules). I also require that all connections have pre-shared host keys and that all users have keys (no passwords allowed). I sometimes set up specific gateway systems where I loosen these restrictions a bit; but the tighter configuration is the default.
Recently I've been seriously considering using a port-knocking configuration on systems that need to have a more open ssh daemon. This would allow any authorized user, from anywhere, just using a password --- but only after they sent the right combination of blind connection requests.
The idea of all these measures is to limit the visibility to port scanning and brute force while still permitting remote administration.
JimD
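The comment above argues for tighter sshd defaults: keys only, no passwords, and source addresses limited both in TCP wrappers and in iptables. The following is an added example (not code from LWN or from the comment's author) that audits the global section of an sshd_config against those points and emits the matching hosts.allow/hosts.deny entries and iptables rules for an allow-list of networks. The sample config is constructed; the fallback defaults for absent directives are an assumption taken from the sshd_config(5) man page, with PermitRootLogin treated as the older permissive "yes" because its default has changed across releases.

```python
"""Audit an sshd_config for the hardening described in the comment.

Added example, not the comment author's code. Assumes the defaults in
DEFAULTS apply when a directive is absent (from sshd_config(5); treat an
absent PermitRootLogin as the older permissive "yes").
"""
import ipaddress
import re

# Constructed sample: a permissive, distribution-style default config.
SAMPLE_CONFIG = """\
# sample sshd_config (constructed for this example)
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
"""

# Effective value when the directive is missing (assumed defaults).
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "PermitRootLogin": "yes",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
}

# What a locked-down default should look like: keys only, no passwords.
HARDENED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
}


def parse_global_section(text):
    """Return {lowercased keyword: value} for the global section only.

    sshd uses the first occurrence of a keyword, so later duplicates are
    ignored, and everything after the first Match block is conditional
    and therefore not part of the global policy.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def audit(text):
    """Return [(keyword, effective_value, hardened_value)] for weak settings.

    A commented-out or missing directive is judged by its default, which is
    exactly how a permissive stock config ends up accepting passwords.
    """
    settings = parse_global_section(text)
    findings = []
    for key, wanted in HARDENED.items():
        effective = settings.get(key.lower(), DEFAULTS[key])
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


def source_restrictions(allowed_nets, port=22):
    """Build the two layers the comment uses: TCP wrappers and iptables.

    Returns (hosts_allow_line, hosts_deny_line, iptables_rules). Only IPv4
    networks are accepted; tcp_wrappers' portable syntax is net/netmask.
    """
    nets = [ipaddress.IPv4Network(n) for n in allowed_nets]  # ValueError on bad input
    hosts_allow = "sshd: " + " ".join(
        f"{n.network_address}/{n.netmask}" for n in nets)
    hosts_deny = "sshd: ALL"
    rules = [f"-A INPUT -p tcp --dport {port} -s {n} -j ACCEPT" for n in nets]
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return hosts_allow, hosts_deny, rules


if __name__ == "__main__":
    for key, got, want in audit(SAMPLE_CONFIG):
        print(f"WEAK: {key} is {got} (want {want})")
    allow, deny, rules = source_restrictions(["192.168.1.0/24", "10.0.0.0/8"])
    print("/etc/hosts.allow:", allow)
    print("/etc/hosts.deny: ", deny)
    print("\n".join(rules))
```

Run it against a real sshd_config by replacing SAMPLE_CONFIG with the file's contents; note that directives inside Match blocks are deliberately skipped, so a config that is strict globally but loosens rules under Match (the "gateway system" case in the comment) needs those blocks reviewed by hand.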