# Security question concerning home server

## Spent

I currently have a headless Gentoo file/print server running these services:

- NFS
- Samba
- Cups
- sshd

I would also like to use the server as a router, but I'm not sure if my server would still be secure having the router and server being the same box.  Right now the only contact the server has to the outside world is from portage; I'm sharing portage over NFS for my desktop.  I currently have a cheap Cisco router, but I would like to consolidate and have fewer things running up my electric bill.  Plus I'm drawn by the "coolness" factor of building a Linux router and by the control having one would give me.  Building a separate box just for a router seems overkill though and defeats my desire to save electricity.

----------

## Hu

The security issue depends on whether you plan to offer service to the outside world.  If you configure the router to drop all connection attempts and unsolicited UDP from the Internet, then no one can contact those services, so it is as secure as though they were not running.  Test your configuration from outside after it is prepared.

----------

## Jaglover

I've been running a home router/server for ages. If you leave ports open you'll see all kinds of attacks. For instance, I run a mail server for local mail, to collect all email alerts my boxes send to me. I had port 110 open to the world. One day I noticed my connection was kind of slow. Closer inspection revealed there were so many attacks on port 110 they actually slowed down my net connection. Of course, Linux/Unix boxes can face the outside world without hiding behind hardware firewalls (unlike some tiny-softy stuff), you just have to administer them responsibly.

----------

## elmar283

I have made my gentoobox a router and that computer is open to the world.

I have an iptables firewall. I followed the guide on http://www.gentoo.org/doc/en/home-router-howto.xml.

There are other guides like:

- http://www.gentoo-wiki.info/HOWTO_Iptables_and_stateful_firewalls

- http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml

- http://wiki.gentoo.org/wiki/Iptables

- and google.com can be your friend.

----------

## Spent

I was going to use the Gentoo home router guide to set up the router.  I did some searching for an answer to my question; the Archwiki router guide specifically says not to run nfs or samba on the router.  I thought it would be okay since I have them configured to only be accessible from IPs in my LAN.  I didn't know if whoever wrote their wiki was being overly paranoid or if I would be committing a "security faux pas" by combining the router and server, so I thought I would ask.

----------

## elmar283

I agree with you. As long as you disable the WAN card for samba and nfs it should be ok.

I did block them in my iptables rules and in the samba config file. I do not use NFS.

----------
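Hu's advice above (drop every unsolicited connection attempt and UDP datagram arriving from the Internet) and elmar283's approach (keep Samba and NFS reachable only on the LAN side with iptables) as one netfilter ruleset. This is an added example, not code from any poster or from the Gentoo guides linked in the thread; the interface names eth0/eth1, the subnet 192.168.1.0/24 and the port list are assumptions to adjust for your box.

```shell
#!/bin/sh
# Added example, not code from any post in the thread: a minimal netfilter
# ruleset for the combined router/server. Interface names and the LAN subnet
# are assumptions; set them to match your box. Without APPLY=1 the script
# only prints the rules it would load, so they can be reviewed first.
WAN=${WAN:-eth0}                     # assumed interface toward the ISP
LAN=${LAN:-eth1}                     # assumed interface toward the home LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed home subnet

# ipt: print the rule, and execute it only when APPLY=1 (needs root)
ipt() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; fi
}

gen_rules() {
    ipt -F
    ipt -t nat -F
    # Default policies: unsolicited traffic to or through the box is dropped,
    # which is what makes the LAN-only services invisible from the Internet.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the box or the LAN opened (covers portage syncs).
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # NFS (111 portmapper, 2049; NFSv3 mountd may need more), Samba (139/445,
    # 137/138 udp), CUPS (631) and sshd (22), accepted from the LAN side only.
    for p in 111 2049 139 445 631 22; do
        ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    for p in 111 2049 137 138; do
        ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done
    # Route the LAN out through the WAN address; nothing is forwarded inbound.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    if [ "${APPLY:-0}" = 1 ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

# wan_rule_count: rules that accept new traffic arriving on the WAN interface;
# the whole point of the ruleset is that this stays at zero.
wan_rule_count() {
    gen_rules | grep -c -- "-i $WAN" || true
}

gen_rules
```

As Hu says, once the rules are loaded with APPLY=1, confirm from a host outside the LAN that the NFS, Samba and CUPS ports do not answer.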

## Jaglover

NFSv4 is secure, can be used over internet. I've always had NFS in my router, to host portage for all boxes.

----------

## gabrielg

I used to run Gentoo as my router and home server some time ago without problems, I saw attacks and the like, but you'll always get those, nobody could make a successful one anyway. I had several services for the outside world, all HTTP(S), and of course SSH open. I got tired of seeing people trying to access by brute force on SSH so then I hid it behind 443 with a multiplexer (so, 443 would be HTTPS and SSH), no more attempts afterwards.

The only thing I'll say is that the iptables configuration got quite long. I know there are tools out there to manage it better but eventually I installed OpenBSD and kept Gentoo inside the LAN (you end up with two servers, but then again, I haven't got pets so I have to entertain myself with something :) ).

In summary, it's perfectly safe so long as you manage it responsibly and keep it up to date. Gentoo is very good security-wise. Of course, this doesn't apply to zero days, but those are hard to find anyway. As an anecdote, when the local permission escalation bug came along a few years ago (the one that allowed a local user to become root because of some vsplice bug) I successfully tested it in RH Linuxes (32 and 64 bits), Debian (of course) but not Gentoo. So, there you go.

----------

## Jaglover

I didn't mention it, but my routers have always been running FreeBSD. Once I rebooted it and for some script error the firewall didn't load. I didn't notice it until someone started using my MPD ... it was without firewall for six months, under attacks, yet nobody managed to get in. Gotta love BSD.

----------

## cach0rr0

-there is no *functional* reason not to have these services running on this server/router. If the outside world cannot connect to them, where they are located is completely and totally 100% irrefutably irrelevant. If they cannot be connected to from the outside world, they are not an external attack vector - period. The only reasons not to run these services on an edge router are those of principle and dogma, not function. Can't connect? Can't exploit. 

-there is absolutely zero you can do with a dedicated commercial firewall that you cannot do with netfilter, short of vendor-specific proprietary routing protocols. For a home environment, doing so is overkill. For most environments, doing so is overkill.

----------

