Security-wise, is it okay to have a file server and router in the same box?

rayman2k2

Supreme [H]ardness
Joined
Aug 6, 2002
Messages
8,070
I wanted to put a box together for when we get FiOS in two weeks, to function both as a router and as a file server.

But security-wise, is that an issue? Obviously, I'd stick a firewall on there, but would I see any downsides to having both in the same box?
 
Joined
Oct 28, 2004
Messages
722
Bind it to the internal ethernet interface and only the internal interface. I'm trying to think of a way that an attacker could use some sort of loopback to connect from the outside to the internal interface. I remember reading about that somewhere, but I can't remember where or what is generally vulnerable... I'm pretty sure just keeping it bound to internal adapter would be fine.
 

XOR != OR

[H]F Junkie
Joined
Jun 17, 2003
Messages
11,549
It's not ideal, but if you are careful about how people can access the box from the outside world, it shouldn't be a problem.

SSH is ok, but I'd put up some filtering so an IP address only has x chances to log in over the course of a 15 minute window. That'll keep the brute force attacks from having any success, which brings me to my next point; For any user that has ssh log in rights, make strong passwords ( and no root ssh logins ).
 

Sharaz Jek

Gawd
Joined
Jul 19, 2000
Messages
647
personally, i woudlnt, but... im old school. a router is a router, and a file server is a file server.
 

Stang Man

2[H]4U
Joined
Jan 19, 2002
Messages
2,532
Shadey216 said:
Also, changing the default SSH port works like a charm.

lol, no it doesn't. I would try and separate the two as much as possible. Your router gets pwned, your files do too
 

Shadey216

Limp Gawd
Joined
Dec 4, 2003
Messages
173
Stang Man said:
lol, no it doesn't. I would try and separate the two as much as possible. Your router gets pwned, your files do too

I'm just saying, changing the default SSH port makes finding an entrance way into your box just 1 step harder. I've changed the SSH default port on my box and it hasn't been spotted for about a year.
 
Joined
Oct 28, 2004
Messages
722
Shadey216 said:
I'm just saying, changing the default SSH port makes finding an entrance way into your box just 1 step harder. I've changed the SSH default port on my box and it hasn't been spotted for about a year.

Alternatively, he could just not use ssh if he doesn't explicitly require it. Keep everything bound on to the internal network, and then there shouldn't be any problems because nothing is open to the outside. You could also disable your normal keyboard login and explicitly require keyed logins.
 

XOR != OR

[H]F Junkie
Joined
Jun 17, 2003
Messages
11,549
Stang Man said:
lol, no it doesn't. I would try and separate the two as much as possible. Your router gets pwned, your files do too
Actually, it helps quite a bit; If the only port open to incoming is ssh, and it's on a non-standard port, then the bots will never find it to launch dictionary attacks against.

That said; I've run both my file server and router on the same box for 5+ years, never had an issue. I'm also very careful about the security risks I take.
 

Stang Man

2[H]4U
Joined
Jan 19, 2002
Messages
2,532
XOR != OR said:
Actually, it helps quite a bit; If the only port open to incoming is ssh, and it's on a non-standard port, then the bots will never find it to launch dictionary attacks against.

alright, if you're defending against bots, then fine.. I'll give you that. Though, you can easily mitigate SSH bot attacks by PermitRootLogin = no, and iptables rule sets
 

MorfiusX

2[H]4U
Joined
Feb 13, 2004
Messages
3,007
Changing the SSH port is security through obscurity. It will thwart the script kiddies, but will not stop a real hacker.

I run most of my services for my home network from one box that is also a firewall. I have launched my own series of attacks against it with out fail. That being said, if you are careful, then it shouldn't be a problem. But, make sure you go over everything with a fine tooth comb. Bind all the services to the internal interface. If it is Windows, remove all protocols except TCP/IP from the public interface. Use gpedit.msc to strengthen the security. Only run what you need. Keep up to date. You know, the usual stuff...
 

Fark_Maniac

2[H]4U
Joined
Feb 21, 2002
Messages
2,438
why not virtualize the server...then you will be separating the services provided by the single box. If the router gets compromised, the server is still a separate machine.
 

Bean Dip

Limp Gawd
Joined
Feb 28, 2004
Messages
211
rayman2k2, perhaps it would be helpful if you told us what OS or image you plan to use.

How important are the files you are sharing? If you are not concerned about someone else seeing them then you can get away with putting both on the same box.

But if you are concerned... well you know the answer.

Why not get a $50 router and then use the box for file sharing?
 

movax

2[H]4U
Joined
Aug 12, 2005
Messages
3,676
Stang Man said:
...PermitRootLogin = no, and iptables rule sets
Simple, quick, and fast. A very easy way to protect your *nix box in addition to the many other things you can do to secure SSH. (Change port, setup allowed IPs (if possible), etc).
 

Malk-a-mite

[H]ard|Gawd
Joined
Feb 16, 2002
Messages
2,023
movax said:
many other things you can do to secure SSH. (Change port, setup allowed IPs (if possible), etc).

As long as the topic has wandered this way:
http://denyhosts.sourceforge.net/

As to the file server/ router issue.

Just install Clarkconnect, it does both things, you can set up to SSH into the box, you have a web interface, you can install and much or as little as you want on the machine.
http://www.clarkconnect.com/
 

Sharaz Jek

Gawd
Joined
Jul 19, 2000
Messages
647
Fark_Maniac said:
why not virtualize the server...then you will be separating the services provided by the single box. If the router gets compromised, the server is still a separate machine.

still equally pointless. if the server is on the router, and the router should be compromised, then once they are in, what to stop them from:

killall YourFavoriteVirtualMachineDaemon

the denial of service attack would be just as simple if the file servers was virtualized on the router. or hell, deleted the virtual machine files themselves!
 
Joined
Oct 28, 2004
Messages
722
Sharaz Jek said:
still equally pointless. if the server is on the router, and the router should be compromised, then once they are in, what to stop them from:

killall YourFavoriteVirtualMachineDaemon

the denial of service attack would be just as simple if the file servers was virtualized on the router. or hell, deleted the virtual machine files themselves!

Theoretically I suppose if you ran something with really good separation you could "make" that work. But then again, you'd probably already be running a more secure/well configured system so what the heck is the point? If the person is so concerned about security, install something that has an excellent set of security features/track record such as OpenBSD or any Linux Distro with strict SELinux support, stack smashing, and possibly even pax/grsec. SELinux would be especially appropriate here for separation of tasks, though it can be a huge pain in the ass to setup and administrate.
 

Sharaz Jek

Gawd
Joined
Jul 19, 2000
Messages
647
i know, is that its a hell of a lot simpler to just pick up an old p3 500 box with 128 ram, and build a dedicated firewall.

the features you get with a dedicated firewall box, significantly outweigh the satisfaction of configuring, or risks of deploying them mixed on a file server.
 

scoob8000

2[H]4U
Joined
May 4, 2002
Messages
2,829
Sharaz Jek said:
personally, i woudlnt, but... im old school. a router is a router, and a file server is a file server.


+1

Many times I've been tempted to setup Samba on my Smoothwall but told myself no..

I have a file server running 24/7 but just want to cut down on electricity usage.. Often I've considered one of those "NAS" devices.. Basically an external drive enclosure with network support.
 

rayman2k2

Supreme [H]ardness
Joined
Aug 6, 2002
Messages
8,070
Sorry it took me a while to respond back



Anywho, I plan on using a linux distro of sorts, but not sure which one.


I don't need to access the files from the outside world, its mainly media that I need for my HTPC, etc.

Secondly, I currently have a Linksys router, but from what I understand, it can only handle 10mbps down? :confused: We are about to get FiOS, specifically the 15mbps down package, secondly, I've been tempted to make a dedicated firewall/router since I heard about them ;)
 

swatbat

[H]F Junkie
Joined
Apr 25, 2001
Messages
12,967
For the most part a second box would be better for the router but with you being a home user I don't see it as a big deal. Personaly I would still try to pickup a low end p4 or xp system to use as a router. I say p4 or xp system because if you play around with ip cop or one of the other linux distros you'll prob want to enable some of the cool stuff in it like the scanners and they take some cpu power(and ram).
 

rayman2k2

Supreme [H]ardness
Joined
Aug 6, 2002
Messages
8,070
swatbat said:
For the most part a second box would be better for the router but with you being a home user I don't see it as a big deal. Personaly I would still try to pickup a low end p4 or xp system to use as a router. I say p4 or xp system because if you play around with ip cop or one of the other linux distros you'll prob want to enable some of the cool stuff in it like the scanners and they take some cpu power(and ram).


I should also add I'm somewhat short on space...but i'll see what I can do...

however, general consensus says its okay?
 

XOR != OR

[H]F Junkie
Joined
Jun 17, 2003
Messages
11,549
rayman2k2 said:
I should also add I'm somewhat short on space...but i'll see what I can do...

however, general consensus says its okay?
Ok with some reservations; Don't let root login, change the ssh port and only let a few tries per half an hour from a single IP ( my favorite ).

You should be set.
 

mps

Limp Gawd
Joined
Apr 3, 2004
Messages
167
Sharaz Jek said:
personally, i woudlnt, but... im old school. a router is a router, and a file server is a file server.

Agreed. If someone gets into your router, they would immediately have access to your data. Having a separate box as a server gives you another layer of security. Also, putting file/print/routing functions on one system creates a single point of failure. That one box goes down and you lose access to everything -- files, Internet access, etc.

BAD IDEA!!
 

mps

Limp Gawd
Joined
Apr 3, 2004
Messages
167
swatbat said:
Personaly I would still try to pickup a low end p4 or xp system to use as a router. I say p4 or xp system because if you play around with ip cop or one of the other linux distros you'll prob want to enable some of the cool stuff in it like the scanners and they take some cpu power(and ram).

An entry-level P4 or AMD XP system for a Linux router (even with enabled functions like captive portal, transparent proxy, and reporting) is like killing a fly with a sledgehammer. A midrange P3 with 256mb RAM will be more than enough power.

Granted, if you can get a system like that inexpensively, it will be fine, but if you know where to look, you can get a midrange P3 system for next to nothing these days.
 

swatbat

[H]F Junkie
Joined
Apr 25, 2001
Messages
12,967
mps said:
An entry-level P4 or AMD XP system for a Linux router (even with enabled functions like captive portal, transparent proxy, and reporting) is like killing a fly with a sledgehammer. A midrange P3 with 256mb RAM will be more than enough power.

Granted, if you can get a system like that inexpensively, it will be fine, but if you know where to look, you can get a midrange P3 system for next to nothing these days.

Once you get into some of the advance shit with the proxy setup with a lot of options and have stuff like spam and virus scanning running you need more. I was killing one running 256 ram. Had to bump it to 512. Also a highend p3 could handle it prob with the ram but I would rather recomend a little overkill. Once you start playing with the extra features you will want the extra power.
 

tgrimley

Limp Gawd
Joined
May 1, 2006
Messages
311
mps said:
Granted, if you can get a system like that inexpensively, it will be fine, but if you know where to look, you can get a midrange P3 system for next to nothing these days.

Where should I look?
 

mps

Limp Gawd
Joined
Apr 3, 2004
Messages
167
It is difficult to answer that question as I do not know where you are located. I'm sure your options will be different than mine. In my neck of the woods along the PA/NJ border, there are at least 3 different companies I have encountered that dispose of off-lease computer equipment. I have done business with two of them before. Most recently, I picked up a SFF Compaq P3 1GHz computer for under $50.

There is an organization called Marketpro that holds weekend-long computer sales about once every 6-8 weeks in different places around Philadelphia. Most of what is available at these sales is new systems and parts, but there are always a few vendors offering discount used systems. These are generally late-generation P3 to mid-generation P4 computers in the $25-$100 price range depending on the features and condition of the equipment.

Other places: Companies (typically) dispose of old PC equipment in two ways -- either by donating to charity for a tax write-off, or by having equipment sales to employees. Check with friends and relatives to see if their employers ever offer old PC's for sale. Up until a few months ago, the computer my wife used at home was a retired computer from a former employer. It was an HP early generation P4 that she bought for $75.

Government entities typically will have equipment auctions several times a year. Police organizations will auction off seized equipment too. Check the classified ads in your newspaper for used PC equipment. Check thrift stores or places like the Salvation Army stores.

Finally, if you work in the computer/networking business (as I do) you will probably run into quite a lot of used equipment. Clients occasionally ask me to dispose of old equipment. My employer has a relationship with a recycling firm, and they help us dispose of broken PC/network equipment so it does not end up in a landfill. If I have an older PC that is being retired, and it is not broken & still has life in it, I will find a home for it somewhere.
 

Farva

Extremely [H]
Joined
Feb 3, 2004
Messages
36,880
For a more secure network you need a firewall/external router, dmz (where you store your server), internet router, and then rest of the network.
 
Top