Some security through obscurity
by upnort from LinuxQuestions.org on (#GS55)
I am tinkering with some security through obscurity.
I use static IP addresses for all of my computers. I have an HP LaserJet 4200 with a network card. All devices are assigned an IP address below 192.168.1.100. All computers run a Linux based OS and run iptables.
In my WRT54GL router running DD-WRT I created two wireless subnets, one using the same subnet 192.168.1.x as my wired network and the other subnet for guests on 192.168.3.x. The guest subnet is open to visitors while the other wireless subnet requires a pass phrase, which guests are never given. Wireless guests cannot see my normal network subnet. War driving is not a concern because I live on rural property and the road is about 500 feet from the house.
Although I use static IP addresses for wired connections, I configured the router DHCP server to assign addresses starting from 192.168.1.129 with a maximum of 50 users. I use this when I test distros.
I configured both samba and nfs to allow connections only from 192.168.1/25. That is, only from IP addresses 192.168.1.0 through 128. I configured /etc/hosts.allow similarly with ALL: 192.168.1.0/255.255.255.128. Computers receiving an IP address from my router DHCP server should not be able to connect to my samba or nfs shares.
I am not a Windows user, so I bought a refurb Windows 7 box for some interoperability testing. As far as I can tell using the Map Network Drive feature, the Windows 7 system can't see my samba or nfs network shares.
While running network tools such as nmap would expose the computers in my network, if guests try to connect to my wired network through the Map Network Drive feature, have I "hidden" my network from them?
From my Windows 7 box, adding a new printer reveals my network attached laser printer, so my obscurity is not complete by any means. Just stops the usual noobs and non technical users. I never looked into whether the printer can be configured similar to samba and nfs, but I don't mind if guests want to use the printer.
Thus far all of the folks who visit me use the guest wireless connection, but I thought this would be an interesting exercise in case any guest decided to become "curious." Not looking for spy movie security, but I appreciate comments or suggestions.
Thanks. :)
I use static IP addresses for all of my computers. I have an HP LaserJet 4200 with a network card. All devices are assigned an IP address below 192.168.1.100. All computers run a Linux based OS and run iptables.
In my WRT54GL router running DD-WRT I created two wireless subnets, one using the same subnet 192.168.1.x as my wired network and the other subnet for guests on 192.168.3.x. The guest subnet is open to visitors while the other wireless subnet requires a pass phrase, which guests are never given. Wireless guests cannot see my normal network subnet. War driving is not a concern because I live on rural property and the road is about 500 feet from the house.
Although I use static IP addresses for wired connections, I configured the router DHCP server to assign addresses starting from 192.168.1.129 with a maximum of 50 users. I use this when I test distros.
I configured both samba and nfs to allow connections only from 192.168.1/25. That is, only from IP addresses 192.168.1.0 through 128. I configured /etc/hosts.allow similarly with ALL: 192.168.1.0/255.255.255.128. Computers receiving an IP address from my router DHCP server should not be able to connect to my samba or nfs shares.
I am not a Windows user, so I bought a refurb Windows 7 box for some interoperability testing. As far as I can tell using the Map Network Drive feature, the Windows 7 system can't see my samba or nfs network shares.
While running network tools such as nmap would expose the computers in my network, if guests try to connect to my wired network through the Map Network Drive feature, have I "hidden" my network from them?
From my Windows 7 box, adding a new printer reveals my network attached laser printer, so my obscurity is not complete by any means. Just stops the usual noobs and non technical users. I never looked into whether the printer can be configured similar to samba and nfs, but I don't mind if guests want to use the printer.
Thus far all of the folks who visit me use the guest wireless connection, but I thought this would be an interesting exercise in case any guest decided to become "curious." Not looking for spy movie security, but I appreciate comments or suggestions.
Thanks. :)