<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Building a Secure Gateway System LG #54</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg"
WIDTH="600" HEIGHT="124" border="0"></H1></A>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="sevenich.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue54/stoddard.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg" WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_backpage54.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">Building a Secure Gateway System</font></H1>
<H4>By <a href="mailto:cstod@vvm.com">Chris Stoddard</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<H2>Introduction</H2>
<P> In issue 51 of the Linux Gazette, the article titled
<A HREF="../issue51/nielsen.html">"Private
Networks and RoadRunner using IP masquerading"</A> explains how to
set up a Linux based gateway with good security in mind. The
authors suggest starting with a clean install of Linux, which
is an excellent idea: security starts with a secure install,
and that is what this article is about. When finished, this will
be a very lean install, weighing in at about 130 MB plus swap.
There will be no X Window System, though I like to install Midnight
Commander for file management.
<P> I'm going to make a couple of assumptions here. First, you
know how to install Linux and are familiar with its use. Second,
I assume you are setting up a gateway computer permanently
attached to the Internet, be it by cable modem, DSL or whatever,
and that it will not be used for anything else, like an FTP, telnet
or web server.
<H2>What you will need</H2>
<P> My machine is an old Dell Optiplex 466/MXe: a 486 DX2 66
with 16 MB of RAM, a 512 MB hard drive, a sound card and a
4X IDE CD-ROM. I acquired this one for $50 and upgraded it to a
486DX4 100 with 40 MB of RAM; I removed the sound card and added two
network cards and a SCSI card, and installed a 320 MB SCSI hard
drive, all of which I had in spare parts. The minimum system
you will need is a 486 (any flavor), 16 MB of RAM, a 200 MB
hard drive, two network cards and either a CD-ROM or the ability
to do a network install. You will also need a copy of RedHat
Linux 6.x. Although any distribution will work just fine, I
will only cover RedHat. The system will only need a monitor
during the install; after that it can run headless and can
be administered remotely using OpenSSH.
<P> Before you begin, go to
<A HREF="ftp://ftp.redhat.com">ftp://ftp.redhat.com</A>, download
the following updated packages and copy them to floppy disks:
<UL>
<LI> e2fsprogs-1.17-1.i386.rpm
<LI> initscripts-4.63-1.i386.rpm
<LI> lynx-2.8.2-3.i386.rpm
<LI> pam-0.68-8.i386.rpm
</UL>
<P> If you are using RedHat 6.2, the previous files are unnecessary.
Go to
<A HREF="ftp://thermo.stat.ncsu.edu/pub/openssh-usa">ftp://thermo.stat.ncsu.edu/pub/openssh-usa</A>
and again download and copy to disk:
<UL>
<LI> openssh-1.2.3-1us.i386.rpm
<LI> openssh-clients-1.2.3-1us.i386.rpm
<LI> openssh-server-1.2.3-1us.i386.rpm
<LI> openssl-0.9.5a-1us.i386.rpm
</UL>
<H2>Installing and configuring Linux</H2>
<P> I will only be covering the items which deviate from the
default settings.
<OL>
<LI> Choose a custom install. When Disk Druid comes up, make
the following partitions.
<PRE>
<STRONG>Partition   Minimum size   % of total   Mine</STRONG>
/           40 MB          10%          75 MB
/boot       5 MB           5 MB         5 MB
/home       100 MB         25%          200 MB
/tmp        40 MB          10%          75 MB
/usr        220 MB         45%          320 MB <SUP>1</SUP>
/var        40 MB          10%          75 MB
swap        64 MB          2X RAM       80 MB <SUP>2</SUP>
</PRE>
<P> <SUP>1</SUP> For simplicity I used the entire SCSI drive
<P> <SUP>2</SUP> In reality you could make the swap partition
equal to your RAM size or even smaller. I suggest larger in case you
want to set up a web or ftp site later.
<P> This chart shows roughly how to divide up your hard drive.
The minimums are just that; if your hard drive is larger than
512 MB, use the percentages after the swap and /boot sizes
have been taken out. If your drive is smaller than 512 MB,
just make a swap partition and a root partition. By splitting
the drive this way, if an intruder does get in, he will not be able
to fill up your hard drive by writing large files to either
/tmp or /home: each is its own filesystem, so filling one does
not exhaust / or /var, where the system state and the logs live.
It also lets you do some interesting things in /etc/fstab, like
setting nosuid and nodev on /tmp and /home, so that a set-uid
binary or a device node an intruder drops there is not honored.
Some people will ask why I dedicate such a large chunk of drive
space to the /home partition when, in theory, this system won't
have many, if any, real users. The answer is room for transferring
files to and from remote locations, like sharing MP3s or work files. <P>
<LI> When selecting the components to install, choose only
Networked Workstation, Network Management Workstation,
Utilities and Select Individual Packages. If you are using
RedHat 6.2 and did not download the updated RPMs, select
Lynx so it is installed.
<P> Deselect the following packages (git here is GNU Interactive
Tools, a file browser, not the version control system):
git, finger, ftp, fwhois, ncftp, rsh, rsync, talk, telnet,
ghostscript, ghostscript-fonts, mpage, rhs-printfilters,
arpwatch, bind-utils, knfsd-clients, procinfo, rdate, rdist,
screen, ucd-snmp-utils, chkfontpath, yp-tools, XFree86-xfs,
lpr, pidentd, portmap, routed, rusers, rwho, tftp, ucd-snmp,
ypbind, XFree86-libs, libpng, XFree86-75dpi-fonts, urw-fonts
<P>
<LI> After the system reboots, log in as root and run the
following command to clean out the packages the install
program doesn't let you deselect.
<PRE>
rpm -e --nodeps pump mt-st eject bc mailcap apmd
kernel-pcmcia-cs getty_ps setconsole setserial raidtools
rmt sendmail
</PRE>
<P> Note that pump is the DHCP client on RedHat 6.x, so leave it
out of that list if your provider assigns your external address
by DHCP. The --nodeps flag tells rpm to skip its dependency check,
so it removes exactly the packages you name and nothing else.
You may also want to consider removing Linuxconf, kudzu,
kbdconfig, authconfig, timeconfig, mouseconfig, ntsysv and
setuptool, depending on your skill level. All of the above
packages are either security risks, such as rsh, or not needed,
like the XFree86 fonts.<P>
<LI> Copy all the RPMs you downloaded from RedHat to a
couple of floppies, take them to the newly installed machine,
mount the floppy drive with mount -t msdos /dev/fd0 /mnt/floppy,
then install the files by typing rpm -Uvh /mnt/floppy/*.rpm <P>
<LI> Copy all the OpenSSH files to a floppy disk, again
take it to the newly installed system, mount the floppy
disk by typing mount -t msdos /dev/fd0 /mnt/floppy, and type
rpm -ivh /mnt/floppy/open* . Change into the /etc/ssh
directory, open sshd_config, look for "PermitRootLogin
yes" and change it to "PermitRootLogin no", then make sshd
re-read its configuration with kill -HUP `cat /var/run/sshd.pid`
so the change takes effect. This will cause sshd to deny
access to anyone trying to log onto the system as root from
a remote system. If you need to work as root remotely,
log on as a normal user, then use the su command to get
root access.
</OL>
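<P> The two edits the procedure above makes by hand, adding nosuid and
nodev to the /tmp and /home lines of /etc/fstab and turning
PermitRootLogin off in /etc/ssh/sshd_config, are easy to get subtly
wrong: an option appended twice, a directive left commented out, or a
second copy of the directive further down the file that wins. The
shell script below is an added example, not part of the original
article or of any RedHat tool. It assumes a POSIX sh, awk and GNU
mktemp, and it runs on constructed copies of the two files in a
scratch directory, so it touches nothing on your system until you
point it at the real files. It also adds noexec to /tmp, which the
article does not mention; on the kernels of this era noexec is only a
speed bump, because a binary on a noexec filesystem can still be run
by handing it to the dynamic loader (/lib/ld-linux.so.2) directly, so
treat it as defence in depth rather than a boundary.

```shell
#!/bin/sh
# Added example (not from the article): post-install hardening helpers
# for /etc/fstab mount options and sshd_config directives. Both rewrite
# a file in place; the demo at the bottom runs them on constructed
# copies in a temporary directory, never on the live files.

# add_mount_opts FILE MOUNTPOINT OPT...
# Append each OPT to the options field of MOUNTPOINT's entry in FILE
# unless it is already there. Comments and other entries are untouched.
add_mount_opts() {
    file=$1; mnt=$2; shift 2
    add=$(printf '%s,' "$@"); add=${add%,}
    tmp=$(mktemp) || return 1
    awk -v m="$mnt" -v add="$add" '
        /^[ \t]*#/ { print; next }
        $2 == m {
            n = split(add, want, ",")
            for (i = 1; i <= n; i++)
                if (("," $4 ",") !~ ("," want[i] ","))
                    $4 = $4 "," want[i]
        }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# mount_opts FILE MOUNTPOINT
# Print the options field of MOUNTPOINT's entry (for checking the result).
mount_opts() {
    awk -v m="$2" '!/^[ \t]*#/ && $2 == m { print $4 }' "$1"
}

# set_sshd_option FILE KEY VALUE
# Replace the first KEY line, commented out or not, with "KEY VALUE",
# drop any later duplicates, and append the line if KEY was absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        {
            line = $0; sub(/^[ \t#]+/, "", line)
            split(line, f, /[ \t]+/)
            if (f[1] == k) { if (!done) { print k " " v; done = 1 }; next }
            print
        }
        END { if (!done) print k " " v }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed samples standing in for /etc/fstab and /etc/ssh/sshd_config.
FSTAB_SAMPLE='/dev/hda1  /boot  ext2  defaults        1 2
/dev/hda5  /      ext2  defaults        1 1
/dev/hda6  /home  ext2  defaults,nodev  1 2
/dev/hda7  /tmp   ext2  defaults        1 2
/dev/sda1  /usr   ext2  defaults        1 2
/dev/hda8  /var   ext2  defaults        1 2
/dev/hda9  swap   swap  defaults        0 0'
SSHD_SAMPLE='# sshd configuration
Port 22
#PermitRootLogin yes
PasswordAuthentication yes'

# Write the samples into a scratch directory and print its name.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$FSTAB_SAMPLE" > "$d/fstab"
    printf '%s\n' "$SSHD_SAMPLE" > "$d/sshd_config"
    echo "$d"
}

demo() {
    d=$(make_samples) || return 1
    add_mount_opts "$d/fstab" /tmp  nosuid nodev noexec
    add_mount_opts "$d/fstab" /home nosuid nodev
    set_sshd_option "$d/sshd_config" PermitRootLogin no
    echo "/tmp:  $(mount_opts "$d/fstab" /tmp)"    # defaults,nosuid,nodev,noexec
    echo "/home: $(mount_opts "$d/fstab" /home)"   # defaults,nodev,nosuid
    grep '^PermitRootLogin' "$d/sshd_config"       # PermitRootLogin no
    rm -rf "$d"
}
demo
```

<P> On the real system, run add_mount_opts /etc/fstab /tmp nosuid nodev
noexec, then mount -o remount /tmp and confirm with mount that the
options took effect. After set_sshd_option /etc/ssh/sshd_config
PermitRootLogin no, have sshd re-read its configuration with
kill -HUP `cat /var/run/sshd.pid` and, before you close the session you
are working in, check from another machine that ssh root@gateway is
refused while an ordinary user still gets in.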
<H2>Final Notes</H2>
<P> I am not going to go into detail about setting up a good
firewall; "Private Networks and RoadRunner using IP Masquerading"
does an excellent job of that. However, I have a couple of suggestions.
<P> I believe that for security purposes DNS services should not be
placed on the firewall system; either each client should be set up
individually to use your Internet service provider for DNS, or a
different machine on the network should be configured to act as
a DNS server. Further, I feel no inetd services should be
run on the firewall machine either; the only port which should be
open is port 22, the ssh port. As a rule I delete the
inetd.conf file and replace it with an empty one, using
"touch /etc/inetd.conf".
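<P> The rule above, nothing listening except port 22 and nothing left
active in inetd.conf, is worth checking rather than assuming. The shell
script below is an added example, not part of the article, that scans
netstat -an output and an inetd.conf for anything that breaks the rule.
The netstat output and inetd.conf it runs on are constructed samples in
the net-tools and inetd formats of the period, so it runs offline; both
helpers take a file argument and work on the real output just as well.

```shell
#!/bin/sh
# Added example (not from the article): audit a finished gateway for
# listeners other than sshd and for services still enabled in inetd.conf.
# The inputs below are constructed samples, not output from a real host.

# unexpected_listeners FILE PORT...
# Print proto/port for every listening TCP socket and every bound UDP
# socket in the "netstat -an" output in FILE whose local port is not in
# the allowed PORT list. Established connections and UNIX-domain
# sockets are ignored.
unexpected_listeners() {
    file=$1; shift
    allow=$(printf ',%s' "$@"),
    awk -v allow="$allow" '
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            n = split($4, a, ":"); port = a[n]
            if (index(allow, "," port ",") == 0) print $1 "/" port
        }' "$file"
}

# active_inetd_services FILE
# Print the service name of every uncommented, non-blank inetd.conf line.
active_inetd_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.20:1034       ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  1      [ ACC ]     STREAM     LISTENING     281    /dev/log'

INETD_SAMPLE='# inetd.conf - leftover entries after the install
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# Write the samples into a scratch directory and print its name.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$NETSTAT_SAMPLE" > "$d/netstat"
    printf '%s\n' "$INETD_SAMPLE" > "$d/inetd.conf"
    echo "$d"
}

demo() {
    d=$(make_samples) || return 1
    echo "Listeners other than sshd:"
    unexpected_listeners "$d/netstat" 22        # tcp/23 and udp/111
    echo "Services still enabled in inetd.conf:"
    active_inetd_services "$d/inetd.conf"       # telnet
    rm -rf "$d"
}
demo
```

<P> On the gateway, run netstat -an > /tmp/ns as root and then
unexpected_listeners /tmp/ns 22; anything it prints is a daemon to
stop or a package you missed during the install. An empty inetd.conf
still leaves inetd itself running for no reason, so also stop it and
keep it from starting at boot (on RedHat 6.x the inetd init script is
/etc/rc.d/init.d/inet, so /etc/rc.d/init.d/inet stop followed by
chkconfig --del inet). Re-run the listener check after a reboot, since
a package you left installed may start its daemon from an init script
that was not running when you first looked.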
<P> If you have more than two or three users on the system, you may
want to consider using Squid, a web proxy/caching program.
It speeds things up by keeping copies of often-visited web sites
on the local machine. It can also be used to block web sites, which can
be useful if there are under-age users in the house. If you decide
to use Squid, I recommend at least a 1 GB hard drive, 32 MB of RAM and
a 486DX2/66 processor. Squid can be installed off the RedHat CD.
Alternatively, you can install Junkbuster, which is also a proxy
program; it does not cache web sites and therefore will not require a
larger hard drive, more RAM or a faster processor. What it does is
block ad banners, which, depending on the sites you visit, will speed
things up and keep these companies from gathering information about you.
Whichever proxy you run on the gateway, make sure it listens only on the
internal interface or restricts its clients to your private network;
otherwise you have just opened a second port to the Internet and turned
the gateway into an open proxy for anyone who finds it.
Junkbuster can be downloaded from
<A HREF="http://www.waldherr.org/junkbuster">http://www.waldherr.org/junkbuster</A>.
<P> For easy firewall construction, you should download either
<A HREF="http://seawall.sourceforge.net">Seawall</A> or
<A HREF="http://www.pointman.org">pmfirewall</A>.
These are ipchains based firewall scripts designed for simplicity; I have
tried both, and they work as promised and will save you the trouble of learning
ipchains. Seawall is harder to set up but has more configuration options;
pmfirewall is easier to set up but has fewer options.
<H2>Finished</H2>
<P> Now go back to "Private Networks and RoadRunner using IP Masquerading"
and finish configuring the gateway. Please remember this is not the
be-all and end-all of Linux security; it simply gives you a solid
starting point. For a master's tutorial on Linux security, see
<A HREF="http://pages.infinit.net/lotus1/opendocs/book.htm">
http://pages.infinit.net/lotus1/opendocs/book.htm</A>.
This document is massive at 475 pages, but the first two chapters alone
are worth the read.
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright &copy; 2000, Chris Stoddard<BR>
Published in Issue 54 of <i>Linux Gazette</i>, June 2000</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
</BODY></HTML>
<!--endcut ============================================================-->