Web Hosting through Linux & DSL
Source Address Verification

A common trick in the hacking community is to impersonate an IP address (IP spoofing) that a firewall or packet filter treats as friendly.  Consider our reference example, which includes many computers on a LAN using addresses in the 10.x.x.x range.  If we did not take steps against IP spoofing, an attacker could pretend to be a "friendly" computer simply by sending packets with one of my internal IP addresses as the source.

Source address verification (the kernel's rp_filter setting) eliminates this problem by ensuring that packets using those addresses arrive on the proper interface; a packet with an internal source address that shows up on the external interface is dropped.  This is quite easy to configure and is a must for your firewall box.

Add the following lines to your /etc/rc.d/init.d/network script after the ". /etc/sysconfig/network" line.  ($CONSOLE is assumed to be set by the surrounding init script environment.)

# spoof protection on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo -n "Setting up IP spoofing protection..."
    # "all" and "default" are included by the glob, so interfaces that
    # come up later inherit the setting as well
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
    echo "done."
else
    echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
    echo "CONTROL-D will exit from this shell and continue system startup."
    echo
    # Start a single user shell on the console
    /sbin/sulogin $CONSOLE
fi
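The init script above turns rp_filter on at boot, but it does not tell you whether it is still on later (for example on an interface brought up by hand after boot).  The following check is an added example, not part of the original page: it walks the rp_filter knobs under a configurable root and reports any interface that is not protected.  The PROC_ROOT variable, the rp_filter_check function name and the constructed demo tree are all assumptions made for this example.

```shell
# rp_filter_check [ROOT]: print "<iface> <value>" for every interface whose
# rp_filter is not 1. Exit status 0 only when every interface is protected,
# 1 when at least one is not, 2 when the tree is missing altogether.
# ROOT defaults to the real sysctl tree; a constructed tree can be passed
# so the check can be exercised offline.
PROC_ROOT=${PROC_ROOT:-/proc/sys/net/ipv4/conf}

rp_filter_check() {
  root=${1:-$PROC_ROOT}
  bad=0
  [ -d "$root" ] || { echo "no $root: kernel lacks rp_filter support?" >&2; return 2; }
  for f in "$root"/*/rp_filter; do
    [ -e "$f" ] || continue
    iface=$(basename "$(dirname "$f")")
    value=$(cat "$f")
    if [ "$value" != 1 ]; then
      echo "$iface $value"
      bad=1
    fi
  done
  return $bad
}

# Constructed tree mimicking /proc/sys/net/ipv4/conf on a box where eth1
# was brought up after the init script ran, so it still has rp_filter=0.
DEMO_ROOT=$(mktemp -d)
for i in all default lo eth0; do
  mkdir -p "$DEMO_ROOT/$i"
  echo 1 > "$DEMO_ROOT/$i/rp_filter"
done
mkdir -p "$DEMO_ROOT/eth1"
echo 0 > "$DEMO_ROOT/eth1/rp_filter"
trap 'rm -rf "$DEMO_ROOT"' EXIT

# Usage on a real box: rp_filter_check  (or rp_filter_check /proc/sys/net/ipv4/conf)
rp_filter_check "$DEMO_ROOT" || echo "unprotected interface(s) found"
```

Run it from cron or from the firewall script itself; a non-zero exit status is the signal to re-run the loop from the init script.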

TCP Wrappers

One of the great features of Linux is the ability to control access to any of the inetd-based services.  This feature, known as tcp_wrappers, lets you permit or deny specific services to specific hosts.  I use this feature for all services that I don't block altogether via my packet filter.  In my case that includes telnet and ftp.

Additionally, the wrappers feature lets you spawn a series of shell commands whenever access is denied.

TCP Wrappers are configured via the /etc/hosts.allow and /etc/hosts.deny files.  Consider the following examples:

/etc/hosts.deny

ALL: ALL: \
    spawn (/usr/sbin/safe_finger -l @%h | \
        /bin/mail -s 'tcpd\: %c( %d )' \
        miwo 5135551212@mobile.att.net ) & : \
    deny

/etc/hosts.allow

ALL:  .the-woods.org, LOCAL, .abc.com, .csc.com
in.fingerd: ALL

Make sure you allow the finger daemon, or the booby trap in the deny file will get into an infinite email loop: if the remote host runs the same trap, its denied finger probe fingers you back, your finger daemon denies that and probes it again, and so on.  I speak from experience!
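To see why the in.fingerd line in hosts.allow matters, it helps to trace the order in which tcpd consults the two files: hosts.allow is checked first and a match grants access, then hosts.deny is checked and a match refuses it, and anything matched by neither is allowed.  The script below is an added example, not part of the original page or of the tcp_wrappers package: it re-implements that evaluation order for the subset of patterns the page uses (ALL, LOCAL, ".domain" suffixes and exact names) against constructed copies of the two files.  The hosts.deny copy keeps only the daemon and client fields; the spawn option is left out because this evaluator only decides allow versus deny.  All function names here are assumptions made for the example.

```shell
# Constructed copies of the two files, written to a temp dir so the example
# runs offline; their contents mirror the page's examples (spawn omitted).
HA_DIR=$(mktemp -d)
trap 'rm -rf "$HA_DIR"' EXIT
cat > "$HA_DIR/hosts.allow" <<'EOF'
ALL:  .the-woods.org, LOCAL, .abc.com, .csc.com
in.fingerd: ALL
EOF
cat > "$HA_DIR/hosts.deny" <<'EOF'
ALL: ALL
EOF

# pattern_matches PATTERN NAME: the subset of hosts_access(5) matching used
# on this page. ALL matches anything, LOCAL matches names without a dot,
# a leading-dot pattern matches as a suffix, anything else must match exactly.
pattern_matches() {
  case "$1" in
    ALL)   return 0 ;;
    LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;
    .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;;
    *)     [ "$1" = "$2" ] ;;
  esac
}

# list_matches "a, b, c" NAME: true if any comma separated item matches.
list_matches() {
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    pattern_matches "$item" "$2" && return 0
  done
  return 1
}

# file_matches FILE DAEMON CLIENT: true if some line's daemon list and
# client list both match. Only the first two colon fields are consulted.
file_matches() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    daemons=${line%%:*}
    rest=${line#*:}
    clients=${rest%%:*}
    list_matches "$daemons" "$2" && list_matches "$clients" "$3" && return 0
  done < "$1"
  return 1
}

# hosts_access DAEMON CLIENT: prints allow or deny using tcpd's order:
# hosts.allow first, then hosts.deny, otherwise allow.
hosts_access() {
  if file_matches "$HA_DIR/hosts.allow" "$1" "$2"; then echo allow
  elif file_matches "$HA_DIR/hosts.deny" "$1" "$2"; then echo deny
  else echo allow
  fi
}

# Constructed sample decisions: a LAN box, an outside host hitting telnet,
# and the same outside host hitting finger (allowed, so no finger loop).
hosts_access in.telnetd localbox
hosts_access in.telnetd evil.example.net
hosts_access in.fingerd evil.example.net
```

On a real system the same question is answered by the tcpdmatch utility shipped with tcp_wrappers, which reads the live files; this script only shows the decision logic.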

Firewall Services

Linux provides kernel-level packet filtering.  Packet filtering is commonly referred to as firewalling; in Linux it is done with the ipchains command.  The best approach to constructing a secure network is to start by blocking all traffic on your external interface, then open each port and/or protocol you need for your day-to-day operation.

The following command blocks all incoming traffic on your external interface (eth0 here).  ipchains needs a chain name (input) and a target (DENY):

/sbin/ipchains -A input -i eth0 -j DENY

The next example demonstrates how you would open up or enable a specific service (e.g. www).  The port belongs to the destination (-d), not the source, and because ipchains stops at the first matching rule the ACCEPT has to sit ahead of the catch-all deny, so it is inserted with -I rather than appended with -A:

/sbin/ipchains -I input -i eth0 -p tcp -d 0.0.0.0/0 www -j ACCEPT

I am currently working on an rc.firewall script that I will include in the coming weeks.

Cisco 675 Settings

The only real change required here is to set your passwords for the basic and enable-level prompts.  Depending on your provider, the router/modem may or may not have things like FTP and Telnet configured, so you may need to enable these ports.  My Cincinnati Bell solution came with FTP enabled and Telnet disabled.

The Cincinnati Bell Zoomtown configuration blocks the telnet port so that people can't go around logging into everyone's router and wreaking havoc.  An easy way to get around this is to change the port number for telnet in your /etc/services file.  The better alternative is to use SSH for encrypted login and file-transfer sessions in place of telnet and FTP.

There are a few security related things you should do to your 675.  Specifically, if you use Samba file/print sharing on the Linux host or have the NetBIOS protocol running across your network (and potentially out via the 675), you should block those ports.  As you might guess from the following commands, you can filter any traffic you like using the set filter command on the 675; these three drop the NetBIOS name, datagram and session ports (137, 138 and 139) for all addresses in both directions.

set filter 0 on deny all 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 port 137
set filter 1 on deny all 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 port 138
set filter 2 on deny all 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 port 139


ipchains How To
Explains how to use Linux's built-in packet filter.

Linux Firewall Site
Utilities and information related to ipchains

Secure Shell SSH
Client/Server applications for encrypted telnet and ftp

Cisco 675 Documentation
How to use the filters on the 675

ADSL Contamination 
Various good topics on security related to DSL

Socks Firewall
Another firewall application using socks protocol