doni49
Posts: 94
Joined: Wed Jan 23, 2013 4:59 pm

unrequired apps & services?

Sat Jun 22, 2013 11:04 pm

Hi all!

I've got my RasPi configured for SAMBA, SSH & OpenVPN.

I'm looking to add some type of web server, DB (MySQL or maybe SQLite) & PHP.

I started out with 2012-12-16-wheezy-raspian.zip and updated the software:

Code:

sudo apt-get update && sudo apt-get upgrade

Now that I've got it mostly up and running, I'd like to remove those apps/services that aren't needed. But as a complete and utter noob, I have no idea what I can safely remove.

I'd appreciate your advice.

TIA!

sprinkmeier
Posts: 410
Joined: Mon Feb 04, 2013 10:48 am

Re: unrequired apps & services?

Sat Jun 22, 2013 11:10 pm

I recommend against un-installing stuff until you're past the Noob phase.
If something goes wrong and you ask for help the less standard your install is the more difficult it will be to remotely debug and help.

If you really want to remove something get rid of nano and install vim (just kidding!)

doni49
Posts: 94
Joined: Wed Jan 23, 2013 4:59 pm

Re: unrequired apps & services?

Sat Jun 22, 2013 11:15 pm

Thanks. That sounds like decent advice. The main reasons that I was looking to remove them:
  • I'm worried about how much room is being taken. Any idea how to find out how much room is left?
  • I've been concerned about services running and potentially opening up security holes.

sprinkmeier
Posts: 410
Joined: Mon Feb 04, 2013 10:48 am

Re: unrequired apps & services?

Sun Jun 23, 2013 12:17 am

df --hum / lets you see how much disk space is used.
If you prefer a GUI,

Code:

sudo apt-get install baobab
baobab

At around $1/G for a decent SD card it's probably not worth it trying to save a few MB here and there...

Don't make the Pi accessible from the internet and 90% of your security worries are solved.
If you do, then the pi/raspberry account is the single biggest security problem.

Create a new user with a decent password and keep your pi patched.

doni49
Posts: 94
Joined: Wed Jan 23, 2013 4:59 pm

Re: unrequired apps & services?

Sun Jun 23, 2013 1:51 am

Thanks for the info. The space used is 25% of that available so it's really not an issue.

As far as keeping it off the net, the whole purpose of this RasPi is to serve as a NAS server running Samba and OpenVPN server.

I've set up iptables to disable all ports except those specifically allowed. Hopefully it's all good.

doni49
Posts: 94
Joined: Wed Jan 23, 2013 4:59 pm

Re: unrequired apps & services?

Sun Jun 23, 2013 2:01 am

Also.....

Related question: I'm in the process of adding a web server but it's only for my use. How can I set up an iptables rule to allow port 80 but ONLY from within my internal network (10.2.1.0/24) or my VPN network (10.8.0.0/24)?

sprinkmeier
Posts: 410
Joined: Mon Feb 04, 2013 10:48 am

Re: unrequired apps & services?

Sun Jun 23, 2013 2:05 am

Is samba available directly or only through the VPN?
Keeping samba behind OpenVPN will decrease your attack surface considerably.

Look at the --in-interface and --source parameters for iptables on how to control access based on interface and source address.

doni49
Posts: 94
Joined: Wed Jan 23, 2013 4:59 pm

Re: unrequired apps & services?

Sun Jun 23, 2013 2:20 am

I've read about how to do that. But I've been unable to figure out how to determine if it originated in/outside the network.

But something just dawned on me. My RasPi is connected via ethernet to a DLink WRT54GS2 router. If the router is set to forward UDP port 1194 (used by OpenVPN) to the RasPi and nothing else, no traffic should be able to get to it other than from my internal network or VPN.

RIGHT? If that's the case then it's more of a moot point.

rpdom
Posts: 17174
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: unrequired apps & services?

Sun Jun 23, 2013 4:30 am

doni49 wrote: Also.....

Related question: I'm in the process of adding a web server but it's only for my use. How can I set up an iptables rule to allow port 80 but ONLY from within my internal network (10.2.1.0/24) or my VPN network (10.8.0.0/24)?

If you are using the Apache2 webserver, you can set allow/deny permissions for your web site in the config files.

I run Apache on an ancient laptop that is connected to the internet. It has several small websites on. One of them is visible to external users, the rest are for internal only.

I enforce the latter with a file called /etc/apache2/conf.d/local.conf which contains

Code:

# Default site permissions
<Files *>
	Order deny,allow
	Deny from all
	Allow from 192.168.42.0/24
</Files>

Then for the site that is visible to external users I have a file in /etc/apache2/sites-available/sitename which includes

Code:

<Files *>
	Order Allow,Deny
	Allow from all
</Files>

This file is linked into /etc/apache2/sites-enabled with the "a2ensite sitename" command. It has worked happily like this for years. The log files do show a few attempts a day to access the IP address with random URLs, but they all get rejected.

sprinkmeier
Posts: 410
Joined: Mon Feb 04, 2013 10:48 am

Re: unrequired apps & services?

Sun Jun 23, 2013 5:13 am

doni49 wrote: I've read about how to do that. But I've been unable to figure out how to determine if it originated in/outside the network.

Code:

# allow local net
iptables --append INPUT --source 10.2.1.0/24 --jump ACCEPT
# allow VPN
iptables --append INPUT --source 10.8.0.0/24 --jump ACCEPT
# allow OpenVPN
iptables --append INPUT --proto udp --destination-port 1194 --jump ACCEPT
# allow replies to outgoing traffic
iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# deny by default
iptables --policy INPUT DROP

Check out iptables-save and iptables-restore.

doni49 wrote: But something just dawned on me. My RasPi is connected via ethernet to a DLink WRT54GS2 router. If the router is set to forward UDP port 1194 (used by OpenVPN) to the RasPi and nothing else, no traffic should be able to get to it other than from my internal network or VPN.

RIGHT? If that's the case then it's more of a moot point.

In theory, yes.
In practice it's called "defence in depth":
https://en.wikipedia.org/wiki/Defense_i ... mputing%29
It's better when 2 things have to go wrong (mis-configured router and mis-configured firewall) before the bad guys can access your computer rather than one (relying only on router or firewall).
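A rule set that answers doni49's port-80 question (web server reachable only from 10.2.1.0/24 or 10.8.0.0/24) while keeping sprinkmeier's OpenVPN and default-DROP rules; this is an added example, not code posted in the thread. The interface names eth0 and tun0, the loopback rule and the SSH/Samba-over-VPN rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): builds the INPUT chain for the setup
# described above: port 80 only from the LAN 10.2.1.0/24 or the VPN
# 10.8.0.0/24, OpenVPN on UDP 1194 from anywhere, everything else dropped.
# Interface names and the SSH/Samba rule are assumptions.
LAN_NET="10.2.1.0/24"
VPN_NET="10.8.0.0/24"
LAN_IF="eth0"   # assumption: the cable to the router
VPN_IF="tun0"   # assumption: OpenVPN's tunnel interface

# Print the rules one per line, in the order they must be applied.
# iptables takes the first matching rule, so every ACCEPT precedes the DROP policy.
fw_rules() {
    # loopback first: with a DROP policy, local clients talking to
    # 127.0.0.1 (e.g. PHP to MySQL) would otherwise be blocked
    echo "--append INPUT --in-interface lo --jump ACCEPT"
    # replies to connections the Pi itself opened (apt-get, DNS, ...)
    echo "--append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT"
    # OpenVPN is the only service the router forwards from the internet
    echo "--append INPUT --protocol udp --destination-port 1194 --jump ACCEPT"
    # web server: tying each source network to the interface it really
    # arrives on means a spoofed 10.2.1.x packet coming down the tunnel is dropped
    echo "--append INPUT --in-interface $LAN_IF --source $LAN_NET --protocol tcp --destination-port 80 --jump ACCEPT"
    echo "--append INPUT --in-interface $VPN_IF --source $VPN_NET --protocol tcp --destination-port 80 --jump ACCEPT"
    # SSH and Samba reachable only through the VPN, as sprinkmeier suggests
    echo "--append INPUT --in-interface $VPN_IF --source $VPN_NET --protocol tcp --match multiport --destination-ports 22,139,445 --jump ACCEPT"
    # default: drop whatever did not match above
    echo "--policy INPUT DROP"
}

# Number of rules that open a given destination port (a quick sanity check).
rules_for_port() {
    fw_rules | grep -c -- "--destination-port $1 "
}

# Run every rule through iptables; set IPT=echo to dry-run and only print them.
apply_rules() {
    fw_rules | while read -r rule; do
        ${IPT:-iptables} $rule || exit 1   # exit ends the pipeline subshell
    done
}

# Preview:  IPT=echo ./fw.sh --apply      Apply (as root):  ./fw.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Save the result with iptables-save once it behaves as expected, since rules added this way are lost at reboot.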