Setting Up A Secure
Server/Firewall
Step By Step Installation Guide
How do we start?
First of all let's go through the mechanics of starting a Linux installation using our operating system, SuSE Linux V7.1. As we haven't got a mouse connected I have shown how to move about the option selection mechanism in SuSE Linux with keystrokes. Of course, if you have a mouse attached, it is much easier.
From a clean unformatted hard disk - boot from CD-ROM, disk 1.
Using tab key, select English GB language.
Select mouse type or none (use tab and cursor keys for selection).
Accept default of UK keyboard and Europe/united kingdom timezone by pressing Enter.
Accept default of new installation - Enter.
Choose hard disk by pressing ALT-1 (i.e. underscore 1 on screen) and Enter. If the disk has been used for another operating system, i.e. Windows, you will be given the choice of deleting or shrinking your Windows partition. Select delete with underscore-D and press Enter, then Enter again to confirm the deletion. If you don't want to keep your Windows partition select entire hard disk and press Enter.
Reading package database message comes up.
Press tab to software section and cursor keys to move. Space selects. Select 'minimal' installation.
Select 'detailed selection'.
Select single packages.
Tab to selection and highlight with cursor keys, Tab to 'apply' to select.
Section - Packages
Programs that don't need X - joe
Documentation - howtoenh, manpages
Network - bind8, bindutil (is selected automatically), dhcp, diald, inetd, nkitserv, samba, sendmail, squid23, wvdial, ppp (automatically installs various other packages when you select the AUTO option)
Security - SuSEfirewall, John, Scanlogd, Seccheck
Why don't I use a standard installation? Well, for your server to be secure it should only run the absolute minimum number of services and programs, and keep those up to date. If we install a whole plethora of programs it becomes very difficult and time consuming to keep them 'patched'. In my experience of real-world use of computers, things that are difficult just don't tend to happen. A wish list is not the same thing as a plan.
OK to confirm. Next to confirm again.
Custom Lilo installation. Select 'Write Lilo to master boot record' option and Next.
Enter on next option to confirm installation of Lilo.
Enter a user name and password. Make it secure - don't use 'hello' or 'password', use a mnemonic. Enter confirms.
Enter a root password - This one must be secure with a minimum of 8 characters mixing both upper and lower case letters (which are different under Unix/Linux) and numbers.
Enter to confirm setting. Tab to yes and Enter again.
Wait for installation.
Message telling you how to restore the old boot sector. Press Enter.
Booting system. Enter when finished.
Machine boots. Unfortunately, because we haven't selected the graphical user interface, Xwindows, machine doesn't appear to boot up correctly (at least it didn't on my test machine). No need to worry, just press ALT-F1 for non Xwindows screen. Press Enter or OK to continue. Put disk 2 in and press Enter.
Machine boots into multi-user mode. Log in as root with root password.
At the # prompt shut down and reboot the machine with 'shutdown -r now', or press Ctrl-Alt-Del after taking CD2 out.
After the machine reboots, log in as root with the password and start up the SuSE set-up program version 2. Actually, SuSE has 2 set-up programs, yast or 'Yet Another Set-up Tool' and yast2. Yast2 provides a front-end to various hardware sensing programs that we can use to establish the operating system's support for our available hardware, so type yast2 and press Enter.
Go to Network - network card configuration. Enter.
Tab to Launch and press Enter.
Program senses card (usually). Enter the IP address that we shall assign to the card, which will be 192.168.1.1.
Alt-F to finish. Save settings, etc.
Tab back to list.
Tab to quit.
At this stage we should have a working network interface. At the # prompt we should be able to test this with the ifconfig command. Type:
ifconfig
and press Enter. The program ifconfig will, without any parameters, display the current available interfaces. You should be able to see your network card shown as 'eth0' together with information relating to the address and other information. I can't really go through a complete description of getting a network card working here so I will assume it is. If you are having a problem have a look at www.suse.com particularly the hardware database button on the left. If everything is OK then continue.
Type yast.
System administration - Enter.
User administration - Enter.
Add users following the on-screen prompts - secure passwords.
F4 creates the user and their home directory.
When you've finished F10 leaves screen.
Back to menu and go to 'network configuration'.
Configure a PPP network - Enter.
Autodetect modem. If the output looks OK then configure the current profile.
Use the following settings in accordance with the requirement for our Internet service provider, Demon Internet.
Phone number - 2121666
Area code - 0845
Account name - smithco
Password - H3gLsD9n
Switch off - auto DNS with TAB, i.e. remove asterisk.
Expert menu - select with Enter.
Down to static IP address. Enter. Set to our ISP provided IP address, which we have agreed to show here as www.www.www.www but will actually be something like 207.46.197.100, i.e. in the same format.
Set idle timeout to 60 seconds so that the modem connection to our ISP will time out after 60 seconds of inactivity.
Tab to exit, Enter
Configure DNS with yast because no DNS
Set DNS server IP addresses to 127.0.0.1 158.152.1.43 158.152.1.58. Of course the last 2 you will probably recognise as Demon's name servers, i.e. the computers that Demon has set up to provide the URL to IP address translation lookup. The first is the IP address of the 'loopback' interface on the server.
Save and exit
Set the domain list to it.com smithco.demon.co.uk
Go to the second virtual screen by pressing ALT-F2. Login as root - password.
Type
nslookup www.bbc.co.uk
But don't press Enter yet. Instead go back to the first screen by pressing ALT-F1 and go down to run wvdial to test. Press Enter and wait until it says:-
connected OK Press CTRL-C to disconnect
Back to screen 2 with ALT-F2 and press Enter. It should say something like,
Can't find server name for 127.0.0.1. No response
Server: cache-2.ns.demon.net
Addresses: 158.152.1.43
Non-authoritative answer:
Name: www.bbc.co.uk
Address: 212.58.224.36
The reason the 127.0.0.1 name server isn't running is we haven't started it yet. It has to be started in the start up configuration file by setting the START_NAMED variable to 'yes'. We will do this in a minute.
Back to ALT-F1, do CTRL-C now to disconnect - we haven't got a firewall running yet so don't take too long about it. Exit saves configuration.
If we didn't set the IP address of the network card before, we can check it now.
Back to network configuration - network base configuration
Go to eth0 entry and, if the eth0 entry has 'Auto-IP' set for IP address un-select it.
F6. IP address - set to 192.168.1.1
Netmask leave as 255.255.255.0
Set the default gateway to www.www.www.www. This is how we set the default route for packets that aren't destined for our local area network. F10 saves.
Esc to main menu and quit
Type 'shutdown -r now' at the # prompt to shutdown and restart the server.
Login as root and run
ifconfig
You should now (hopefully) see 3 interfaces: loopback, shown as just 'lo', eth0 and ppp0, together with various parameters for each of them. Assuming you have got 3 interfaces listed you can continue. Otherwise review the steps up to this point. If you haven't got at least the eth0 and ppp0 interfaces listed there isn't any point in continuing any further, for the simple reason that all the services are based on these 2 interfaces.
If everything is OK run yast again and go back to System administration - Configure network services.
Change hostname to itserver
Change domain to it.com
Start inetd - yes
Start portmap - no
News from-address - smithco.demon.co.uk
Nameserver - already done but should say 127.0.0.1 158.152.1.43 158.152.1.58
Security settings - general information on security settings
Updatedb launched as nobody
File permissions - secure
Path of user root contains directory - no
Enable telnet for root - NO
Interpret ctrl-alt-del - ignore
Do checks for passwords - yes
Continue
Go to 'general configuration of login.defs'
You can leave everything except 'minimum days between 2 changes in password', which you may want to increase to 1-2 days, and 'seconds between incorrect login attempts', which you may want to increase to 10-15 seconds. Back to previous menu.
Timezone - set appropriately for your local area, I choose Europe/London - although I'm actually in Wales.
Then go down to 'Change configuration file'. This is a long list of start-up and other parameters which, initially, are in alphabetical order but, if you add and delete software, can become confused in that the new software's options are added on the end. No particular problem, but you need to bear it in mind when/if you add software: the configuration options may not be where you expect. Something else you may notice is that some of the options we have already set are repeated here as well.
Firewall set-up using yast
Before we start, let's review what we are trying to achieve here.
Obviously we want people on our local area network to be allowed to connect without hindrance to the services we wish to offer them but not, necessarily, to all services as this may allow them, (or someone who hacks into their machine), to mount an attack on the server itself. We don't want people outside to be able to connect at all or, at least, only in a very limited way. Fortunately there is only one reason anyone outside should be able to connect onto our server and that is to handle email and even that should be allowed only from our ISP's mail servers.
Computers offer their services using TCP/IP via ports, as stated. These ports are set up in several files but mainly /etc/services and /etc/inetd.conf. Let's take the outgoing mail server as an example. Look at the /etc/services file by pressing ALT-F2, login as root and type:-
joe /etc/services
You can see it has an entry:-
smtp 25/tcp mail # Simple Mail Transfer
The format is:-
Service name Port number/Protocol Alias # Comment
Clearly the service is called 'smtp', it can be connected to on port number 25 and uses the 'tcp' protocol. It can also be called mail, if we prefer. This file sets up the service names, port numbers and connection methods, (protocols). The other file mentioned, /etc/inetd.conf, establishes further details about the available services including, (and this is an important point), WHETHER THEY CAN BE CONNECTED TO. Inetd is a daemon program that runs continuously and, when it gets a connection, finds the program to service the request. Let's have a look at the entry for the smtp service. Type Ctrl-x to quit looking at the /etc/services file and type:-
joe /etc/inetd.conf
Have a look at the smtp entry. It is:-
#smtp stream tcp nowait root /usr/sbin/sendmail sendmail -bs
The format here is:-
Service name Socket type Protocol Wait/Nowait User.Group Server program Server arguments
The service name is smtp, so it connects to the port we set in the /etc/services file, port 25. The 'stream' entry just denotes the socket type and can be ignored for the moment. The protocol is the communication method and says, 'this service will expect a reliable connection at both ends'. The wait/nowait setting further defines the connection type - we can ignore it for these purposes. The user is the user who is running the service - this allows for services that don't need to run as the root user to perform their task. The smtp service (in this configuration anyway) runs as root to perform its work. The actual program that is run by this service is called sendmail and is located in the /usr/sbin directory. It takes the argument (setting) '-bs', which means that it runs as a stand-alone daemon in this configuration.
So, if we uncomment this entry by removing the # at the beginning of the line, if one exists, and restart the computer, then the server will continuously watch for TCP connections on port 25 and, if it gets one, will run the sendmail program for the user who is connecting so that he can send mail to someone, assuming, as mentioned, we have configured the sendmail program correctly.
NB. Actually we don't need to restart the computer - we just need to restart the inetd daemon program. This can be done by issuing the command /etc/init.d/inetd restart. Note we can start almost all of the available services this way.
Are all services offered in this way? Unfortunately not. Other services may be offered without going via the inetd daemon program. Such an example is Samba which is the TCP/IP networking program supported by Windows, Macs, and almost every computer currently available. It offers Netbios over the TCP/IP protocol.
So how do we implement our firewall as a 'choke-point' to stop or severely restrict connections through our server? Clearly one of the first things we should do is to go through our /etc/inetd.conf file and comment out any entries we have no intention of offering by putting a hash # in front of them. Well, I say go through; it is more accurate to say place a hash in front of ALL the entries, leaving just 2 uncommented, because there are only 2 services in it that we do want to offer. One is smtp for outgoing mail and the other is pop3 for incoming mail. All the other services are started explicitly when the operating system boots up.
Many of the other services, however, can be protected by the TCP Wrapper program created by Wietse Venema. Wrappers are a mechanism whereby an attempted connection to a Linux port, (or socket), is first of all handled by a small program that then forwards the request to the actual program required. In this way the program is said to 'wrap' the request in the wrapper. This allows for the addition of certain facilities such as logging connections and controlling who is allowed to access a service. Any of the entries that have the entry /usr/sbin/tcpd in are programs that use the TCP wrapper. For example, in /etc/inetd.conf there is an entry:-
# ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -a
This is the ftp server program which is wrapped, meaning, in the default configuration:-
1. All connections/disconnections will be logged to /var/log/messages.
2. Any computer listed in /etc/hosts.allow will be allowed access. If it can't be found there, then
3. Any computer listed in /etc/hosts.deny will be denied access; otherwise the connection is allowed.
So how do we use this mechanism to protect any services we wish to offer? It's simply a question of placing an entry in the /etc/hosts.allow file for those few selected services. For instance, to give anyone on your local area network access to your server with the telnet program, (a type of network logon), you could place an entry in your /etc/hosts.allow file like this:-
in.telnetd: 192.168.1.
The format is SERVICE: CONNECTION ALLOWED FROM (as an IP address)
Meaning any IP address beginning with 192.168.1. followed by any number up to 255 will be allowed to connect to our telnet daemon, (which is named in.telnetd). If you recall, our ISP will drop any IP packets that are destined for a number beginning 192.168., so this should mean that any incoming packets can only come from our own network.
Let me stress again - I suggest you don't offer any services other than those you absolutely need so this shouldn't be necessary. I have provided this information to give a pointer to those who wish to experiment further for their own edification. Of course, if you did allow this type of connection, you would have to allow the IP packets to be received at the server through our firewall - see below for details.
I also suggest you place an entry in the /etc/hosts.deny file:-
ALL: ALL
Meaning deny any incoming connection for any service protected by the TCP wrapper program, i.e. the ones with tcpd in the sixth field in /etc/inetd.conf.
To state the obvious, programs that don't have tcpd in the sixth field of /etc/inetd.conf will be unaffected by any changes to these two files.
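The lookup order just described (hosts.allow first, then hosts.deny, otherwise allow) as an added example, not part of the original guide or of tcpd itself; it models only the rule forms this guide uses (ALL, a trailing-dot address prefix, an exact address) and the file contents are the two entries suggested above.

```python
# Added example (not part of the original guide): a simplified model of how
# tcpd consults /etc/hosts.allow and /etc/hosts.deny, in the order the guide
# describes: a match in hosts.allow permits, otherwise a match in hosts.deny
# refuses, otherwise the connection is permitted. Only the rule forms used in
# this guide are modelled; real tcpd supports many more patterns and options.

# Constructed file contents, matching the entries suggested in the guide.
HOSTS_ALLOW = """\
in.telnetd: 192.168.1.
"""

HOSTS_DENY = """\
ALL: ALL
"""


def parse_access_file(text):
    """Return a list of (service_patterns, client_patterns) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and blanks
        if not line:
            continue
        services, _, clients = line.partition(":")
        rules.append((services.split(), clients.split()))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # prefix such as 192.168.1.
        return client_ip.startswith(pattern)
    return client_ip == pattern            # exact address


def rule_matches(rule, service, client_ip):
    """True when the rule names this service and matches this client."""
    service_pats, client_pats = rule
    return (any(p == "ALL" or p == service for p in service_pats)
            and any(client_matches(p, client_ip) for p in client_pats))


def access_decision(service, client_ip, allow_text=HOSTS_ALLOW,
                    deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' for a wrapped service and client address."""
    for rule in parse_access_file(allow_text):
        if rule_matches(rule, service, client_ip):
            return "allow"
    for rule in parse_access_file(deny_text):
        if rule_matches(rule, service, client_ip):
            return "deny"
    return "allow"            # nothing matched at all: tcpd lets it through


if __name__ == "__main__":
    for svc, ip in [("in.telnetd", "192.168.1.7"),
                    ("in.telnetd", "10.1.2.3"),
                    ("in.ftpd", "192.168.1.7")]:
        print(svc, ip, "->", access_decision(svc, ip))
```

Note that the trailing dot in 192.168.1. matters: without it the prefix would also match addresses such as 192.168.10.5.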
For the rest of you I will assume you have just left the following entries uncommented in the /etc/inetd.conf file:-
smtp stream tcp nowait root /usr/sbin/sendmail sendmail -bs
and
pop3 stream tcp nowait root internal
Don't forget the ctrl-x to save and exit when finished editing.
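Once the file has been edited it is worth checking what is actually left enabled. The following script is an added example, not part of the original guide or of SuSE's tooling: it reads an inetd.conf in the seven-field format described above, lists the uncommented services, notes which go through tcpd, and flags anything enabled beyond the intended smtp and pop3. The sample file contents are constructed for the example.

```python
# Added example (not part of the original guide): audit an /etc/inetd.conf in
# the seven-field format described in the guide and report what is enabled.
# The sample contents below are constructed to resemble the entries quoted in
# the guide; they are not a copy of a real SuSE 7.1 inetd.conf.

SAMPLE_INETD_CONF = """\
# See "man 8 inetd" for more information.
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd     wu.ftpd -a
#telnet stream  tcp  nowait  root   /usr/sbin/tcpd     in.telnetd
smtp    stream  tcp  nowait  root   /usr/sbin/sendmail sendmail -bs
pop3    stream  tcp  nowait  root   internal
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd     in.fingerd -w
"""

# The only services this guide intends the server to offer through inetd.
INTENDED = {"smtp", "pop3"}


def parse_inetd_conf(text):
    """Return a list of dicts, one per active (uncommented) service line.

    Field order: service, socket type, protocol, wait/nowait, user[.group],
    server program, server arguments (optional).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue              # blank or commented out: not offered
        fields = line.split()
        if len(fields) < 6:
            raise ValueError("line %d: expected at least 6 fields" % lineno)
        user_group = fields[4].split(".", 1)
        entries.append({
            "line": lineno,
            "service": fields[0],
            "socket": fields[1],
            "protocol": fields[2],
            "wait": fields[3],
            "user": user_group[0],
            "group": user_group[1] if len(user_group) > 1 else None,
            "server": fields[5],
            "args": fields[6:],
            # A service is TCP-wrapped when the sixth field is tcpd.
            "wrapped": fields[5] == "tcpd" or fields[5].endswith("/tcpd"),
        })
    return entries


def audit(text, intended=INTENDED):
    """Return (unexpected, unwrapped_root) for the given inetd.conf text.

    unexpected:     active services not in the intended set, i.e. entries
                    the guide says should have been commented out.
    unwrapped_root: active services that run as root and are neither
                    tcpd-wrapped nor inetd-internal, so hosts.allow and
                    hosts.deny cannot restrict who reaches them.
    """
    entries = parse_inetd_conf(text)
    unexpected = sorted(e["service"] for e in entries
                        if e["service"] not in intended)
    unwrapped_root = sorted(e["service"] for e in entries
                            if e["user"] == "root" and not e["wrapped"]
                            and e["server"] != "internal")
    return unexpected, unwrapped_root


if __name__ == "__main__":
    unexpected, unwrapped_root = audit(SAMPLE_INETD_CONF)
    print("active but not intended:", unexpected)
    print("running as root without tcpd:", unwrapped_root)
```

On a live system, read the text from /etc/inetd.conf instead of the constructed sample.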
OK. Let's go through the entries one at a time. If you haven't already got it running start up yast and go to 'System administration - Change configuration file'. Go down to the entries that start FW_
FW_dev_int = eth0
This sets up the device that connects to the local area network. These connections are, generally, going to be allowed but with restrictions.
FW_dev_world = ppp0
This is the device connected to the outside world. Of course, if we were using an ISDN connection, for example, it would be different - ippp0. Connections to this device will be severely restricted.
FW_forward_ip = no
Do we want packets sent from our local area network to be sent to the internet. Generally not - we want to control which packets are sent and by whom.
FW_trusted_nets = 194.247.212.0/24
Which computers, or very small selection of computers, do we wish to allow to connect to our server for limited purposes? The entry above is the small range of computers our ISP has set aside to send/receive email on. The address format is different from that already seen and basically says, 'anything beginning with 194.247.212 with dot anything at the end'. It is limited to 255 computers, which might seem a lot but is probably much smaller and, in any event, they are all controlled by our ISP who, hopefully, knows what he is doing with regard to security.
FW_services_trusted_tcp = smtp
Which services on our server do we want the small range of computers set above to be able to connect to? The Simple Mail Transfer Protocol (smtp) service is the one that allows for outgoing post. Well, it's outgoing post for our ISP but, obviously, it's incoming for us, so we have to allow our ISP's mail servers to connect to it.
FW_SERVICES_INTERNAL_TCP="smtp pop3 domain 67 68 137 138 139 3128"
FW_SERVICES_INTERNAL_UDP="53"
These settings establish which ports on the server the machines on the local area network will be allowed to connect to. Note we can use either the port number or name from /etc/services. The TCP connections are:-
smtp - Outgoing mail
pop3 - Incoming mail
domain - Name service
67 and 68 - DHCP services
137, 138 & 139 - Samba network services
3128 - Squid caching/proxy web browsing
The only UDP connections needed are for port 53 for DNS.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Highports are those port numbers above the well known services (WKS) ports, i.e. higher than 1024. You have to allow incoming highports for UDP to allow responses from your name servers, but you don't need incoming highport connections for TCP unless you want non-passive FTP, which isn't a good idea anyway.
FW_service_dhcpd = yes
This option, and the following two, need special handling by our firewall as otherwise they won't work. The SuSE firewalling script, SuSEfirewall, whose set-up file we are editing here, is intelligent enough to make sure these services are only offered on the internal interface, i.e. the one attached to our local area network. This option allows people connected to our internal interface to send queries and receive answers about the Dynamic Host Configuration Protocol, the set-up of which is covered later.
FW_service_dns = yes
Same as above but with name services.
FW_service_samba = yes
And again but with Samba windows file and printer sharing and local area browse list generation.
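To see what the FW_ settings above add up to, here is an added example (not part of the original guide and not SuSEfirewall's own rule generation, which handles far more cases): a simplified model of the policy as this section describes it, so that concrete packets can be checked against the interface, trusted-net, service and highport settings. The /etc/services lookup table is a constructed stand-in containing only the names used here.

```python
# Added example (not part of the original guide): a simplified model of the
# policy expressed by the FW_ settings in this section. It is the page's
# description turned into code, not SuSEfirewall's actual rule set.
import ipaddress

# The FW_ settings from this section, as Python values.
FW = {
    "dev_int": "eth0",
    "dev_world": "ppp0",
    "trusted_nets": ["194.247.212.0/24"],
    "services_trusted_tcp": ["smtp"],
    "services_internal_tcp": ["smtp", "pop3", "domain", "67", "68",
                              "137", "138", "139", "3128"],
    "services_internal_udp": ["53"],
    "allow_incoming_highports_tcp": False,
    "allow_incoming_highports_udp": True,
}

# Stand-in for the /etc/services lookup (constructed; only the names used here).
SERVICES = {"smtp": 25, "pop3": 110, "domain": 53}


def to_port(name_or_number):
    """Accept a numeric port or resolve a service name through SERVICES."""
    if name_or_number.isdigit():
        return int(name_or_number)
    return SERVICES[name_or_number]


def in_trusted_net(src_ip, nets):
    """True when src_ip falls inside any of the CIDR ranges in nets."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def decide(iface, proto, src_ip, dst_port, fw=FW):
    """Return 'accept' or 'drop' for a new packet arriving on iface.

    iface:    interface the packet arrived on ('eth0' or 'ppp0' here)
    proto:    'tcp' or 'udp'
    src_ip:   source address as a dotted quad
    dst_port: destination port on the server
    """
    proto = proto.lower()
    if iface == fw["dev_int"]:
        # Local network: only the listed internal services, per protocol.
        allowed = [to_port(s) for s in fw["services_internal_" + proto]]
        return "accept" if dst_port in allowed else "drop"
    if iface == fw["dev_world"]:
        # Replies to our own queries come back to high ports; the guide
        # permits these for UDP (name-server answers) but not for TCP.
        if dst_port > 1024 and fw["allow_incoming_highports_" + proto]:
            return "accept"
        # Otherwise only the trusted nets may reach the trusted services.
        if proto == "tcp" and in_trusted_net(src_ip, fw["trusted_nets"]):
            trusted = [to_port(s) for s in fw["services_trusted_tcp"]]
            return "accept" if dst_port in trusted else "drop"
        return "drop"
    return "drop"   # any other interface offers nothing


if __name__ == "__main__":
    for pkt in [("eth0", "tcp", "192.168.1.25", 3128),
                ("ppp0", "tcp", "194.247.212.10", 25),
                ("ppp0", "tcp", "203.0.113.5", 25),
                ("ppp0", "udp", "158.152.1.43", 1025)]:
        print(pkt, "->", decide(*pkt))
```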
That has set up the firewall section of our configuration but we haven't started the firewall up yet. That is done later. Next we will set up the email service parameters.
Go down to the entries starting 'SENDMAIL_' .
SENDMAIL_args = -bd -q30m -om
SENDMAIL_dialups = yes
SENDMAIL_expensive = yes
SENDMAIL_localhost = localhost smithco.demon.co.uk
SENDMAIL_nocanonify = yes
SENDMAIL_nodns = yes
SENDMAIL_smarthost = smtp:post.demon.co.uk
SENDMAIL_type = yes
We also need to set the option
smtp = yes
to start up the smtp daemon, the program on our server that runs and handles requests to send outgoing email.
ppd_dod_start = yes
To start the Dial-on-demand service. This is the program that will automatically dial up your ISP when the computer needs to connect to the Internet. Also set
start_named = yes
To start the name server daemon. Now the server can answer queries relating to URL/IP address translation. Note that this set-up of DNS operates as a caching/forwarding server - I will not be covering zone transfers and other DNS matters here. In any event this configuration works fine. It can also be started/stopped, etc, by entering as root /etc/init.d/named start or /etc/init.d/named stop.
start_fw = yes
Self explanatory. Starts the firewall when your computer starts up. It can also be started/stopped, etc. by entering as root SuSEfirewall start or SuSEfirewall stop.
start_dhcpd = We will set this to yes but first press ALT-F2 to go to your second screen. Login as root and, at the # prompt type the following:-
mv /etc/dhcpd.conf /etc/dhcpd.conf.old - Enter
This renames the dhcp configuration file dhcpd.conf in the /etc directory to a backup filename, dhcpd.conf.old.
Now type
joe /etc/dhcpd.conf - Enter
Press Ctrl-h to bring up help
Now type the following:-
option netbios-name-servers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option domain-name "it.com";
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.20 192.168.1.30;
}
This sets up 10 available addresses, (increase the range by entering a higher number as the second entry in range, i.e. 192.168.1.20 192.168.1.40 makes 20 addresses available), and tells clients that the netbios name server and router services are provided by the server.
Now press ctrl-x, which saves and exits the joe editor program.
Now press ALT-F1 to go back to screen 1
start_dhcp = yes
It can also be started/stopped by entering /etc/init.d/dhcp start or /etc/init.d/dhcp stop.
start_smb = will be yes but, again
ALT F2 to screen 2
There is really no need to rename the Samba configuration file; we can just edit the original, but you might want to copy it first for a backup version. If so just type
cp /etc/smb.conf /etc/smb.conf.old
Now enter
joe /etc/smb.conf
Ctrl-h to switch on the help system, if you want, and make the following modifications:-
workgroup = workgroup
OS level = 30
change the comment for the homes share to Homes instead of the German 'Heimatver...' text
uncomment encrypt passwords = yes, i.e. remove ;
uncomment interfaces = 192.168.1.1/255.255.255.0;
uncomment wins support = yes and comment out wins support = no
don't forget to remove the odd ' at the beginning and end of the text here
You can also add into the globals section at the top, (assuming there aren't entries already there), the following - make sure they're on a line by themselves, in the same way as the other entries are:-
local master = yes
domain master = yes
You can also add entries in this file for other network shares. They will appear as available network disks when the server is browsed in the 'Network Neighbourhood' browser in Windows. Note the directories to be shared must, of course, exist on the system before they can be shared, and those directories must have the appropriate permissions for the users who are going to access them. Create a share with command lines like:-
mkdir /usr/documents
chown dave.users /usr/documents
chmod 0770 /usr/documents
These commands will create a /usr/documents directory and then make it owned by the user dave, (who must already exist on the system), and accessible to be read and written to by people in the 'users' group, (the default user group name). The 0770 mode gives no access at all to anyone outside the owner and that group.
Have a look at the online documentation in your SuSE distribution and www.samba.org for details of this excellent package. There are several books about Samba. However, note that, in addition to having been added as system users by yast, users also have to be added as Samba users using smbpasswd when logged in as root. This is because the system users are stored in the /etc/passwd file whereas Samba users are stored in the /etc/smbpasswd file. Note, also, that a user could have one password for Samba access and another for system access, i.e. for email use.
ctrl-x saves and exits
ALT F1. Now set
start_smb = yes
start_squid = will be yes but, again
ALT F2
Again, we will back up the file first and then make entries.
cp /etc/squid.conf /etc/squid.conf.old
joe /etc/squid.conf
You will need to find the correct place in the squid configuration file, which is very large, about 76Kb. As usual the commented lines beginning # don't do anything. Go to the section which defines the access control lists. The line we want is about line 1180. You will see a list of entries beginning 'acl ...'. After the 'acl localhost' entry add another line by moving to the end of it and pressing Enter, and type in:-
acl users src 192.168.1.0/255.255.255.0
Then move down to immediately before the entry http_access deny all and enter the following before it, on a line by itself without a comment mark, #.
http_access allow users
ctrl-x to save and exit, as usual.
Back to screen 1 with ALT-F1 and set
Start_squid = yes
exit from system configuration with F10 to save and exit - Press continue
Then go to 'network configuration' - 'configure sendmail'
Select 'host with temporary network connection' and press Enter
Continue and quit to the # prompt.
NB. When I first installed SuSE 7.1 like this and re-started, my firewall set-up wasn't allowing responses from the name servers I had told it about, i.e. 158.152.1.43 and 158.152.1.58.
In other words it was asking for the information and refusing the response providing it. The name server software, BIND, was then asking for the information it needed direct from the root name servers which provide the DNS information for the whole internet. The information was still being provided but in a very inefficient way. The way round this is to edit the name server set-up file as below.
joe /etc/named.conf
Look for the bit detailing the list of forwarders to ask, i.e. the servers to ask first if we don't already know the answer. It says:-
#forwarders {
#    xxx.xxx.x.x;
#    xxx.xxx.x.x;
#};
and change the xxx.xxx.x.x entries to 158.152.1.43 and 158.152.1.58, each followed by the semi-colon as shown, and remove the # comment marks so that the entries take effect. It doesn't matter whether they're on the same line or on separate lines. CTRL-K x to quit and save as usual. The next time the server starts it should allow UDP replies from those name servers as well as the root ones.
© Copyright Andrew Bennett 2006