Security is very important for a VPN. That's why you're building one in
the first place, isn't it? You need to keep a few things in mind while
setting up your server.

Since this server is going to be on both sides of your firewall, and set
up to forward traffic into your network, it's a good idea to secure the
box as well as you possibly can. You can read up more on Linux security
in the Linux Security HOWTO.

In this case I killed everything but sshd and a Roxen Web server. I use
the web server to download a couple of files (my scripts, etc.) for
setting up new machines to access the VPN. I don't use an FTP server,
since it's harder to configure one to be secure than it is to just make a
few files available with a web server. Plus, I only need to be able to
download files. If you really want to run other servers on your gateway,
you might want to think about restricting access to them to only those
machines on your private network.

Yes, telling you not to use passwords sounds kind of silly, but it got
your attention, didn't it? No, you don't use passwords: you disable them
completely. All authentication on this machine should be done via ssh's
public key authentication system. This way, only those with keys can get
in, and it's pretty much impossible to remember a binary key that's 530
characters long.

So how do you do that? It requires editing the /etc/passwd file. The
second field contains either the password hash, or alternatively 'x',
telling the authentication system to look in the /etc/shadow file. What
you do is change that field to read "*" instead. This tells the
authentication system that there is no password, and that none should be
accepted.
Here's how a typical /etc/passwd file looks:
...
nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:504:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
bill:*:504:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
frank:*:504:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
...
Note that I've done more than just editing the second field. I'll
explain the other fields later on.
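To check that the second field really is locked on every account that should not accept a password, here is an added audit script (my own example, not part of the HOWTO). It parses /etc/passwd lines in the format shown above, follows any 'x' entry into /etc/shadow, and lists the accounts that could still log in with a password. The sample passwd and shadow lines below are constructed from the excerpt above, and the hash values in them are placeholders.

```python
"""Audit passwd/shadow entries and report accounts that can still log in with a password."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of the HOWTO's /etc/passwd excerpt (not a real system file).
# The 'guest' line is added here to show what an empty password field looks like.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:504:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
bill:*:504:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
frank:*:504:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
guest::505:101:Guest,,,:/home/vpn-users:/usr/sbin/pppd
"""

# Constructed /etc/shadow sample for the accounts whose passwd field is 'x'.
# "$6$PLACEHOLDERHASH" stands in for a real hash; "*" and "!" are locked entries.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
mwilson:!:19000:0:99999:7:::
"""


@dataclass
class Account:
    name: str
    uid: int
    status: str   # "locked" | "hash" | "empty" | "no-shadow-entry"
    shell: str


def classify_field(field: str) -> str:
    """Classify the password field of a passwd or shadow line."""
    if field == "":
        return "empty"          # no password at all: login succeeds without one
    if field == "x":
        return "shadowed"       # real field lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"         # never matches any password (what the HOWTO recommends)
    return "hash"               # a real hash: password login is possible


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password field for each /etc/shadow line."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        fields[parts[0]] = parts[1] if len(parts) > 1 else ""
    return fields


def audit(passwd_text: str, shadow_text: str = "") -> List[Account]:
    """Resolve the effective password status of every passwd entry."""
    shadow = parse_shadow(shadow_text)
    accounts: List[Account] = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, _gid, _gecos, _home, shell = parts
        status = classify_field(pw)
        if status == "shadowed":
            # An 'x' with no shadow entry cannot be verified, so treat it as its own case.
            status = classify_field(shadow[name]) if name in shadow else "no-shadow-entry"
        # An empty shell field means the default /bin/sh, not "no shell".
        accounts.append(Account(name, int(uid), status, shell or "/bin/sh"))
    return accounts


def password_logins(accounts: List[Account]) -> List[str]:
    """Names of accounts that would still accept a password at login."""
    return [a.name for a in accounts if a.status in ("hash", "empty")]


if __name__ == "__main__":
    for acct in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{acct.name:10} uid={acct.uid:<6} {acct.status:16} shell={acct.shell}")
    print("password logins still possible:", password_logins(audit(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

On a real gateway, feed it the contents of /etc/passwd and /etc/shadow (reading shadow needs root). Any account it reports under "hash" or "empty" still has a working password, and the locked state in these files is independent of sshd's own configuration, so the sshd side (accepting only public keys) needs checking separately.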