258 lines
12 KiB
HTML
258 lines
12 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>Building a Secure Gatway System LG #54</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<CENTER>
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg"
|
|
WIDTH="600" HEIGHT="124" border="0"></H1></A>
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="sevenich.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue54/stoddard.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_backpage54.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
<P>
|
|
</CENTER>
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4 ALIGN="center">
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H1><font color="maroon">Building a Secure Gatway System</font></H1>
|
|
<H4>By <a href="mailto:cstod@vvm.com">Chris Stoddard</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
<H2>Introduction</H2>
|
|
<P> In issue 51 of the Linux Gazette, the article titled
|
|
<A HREF="../issue51/nielsen.html">"Private
|
|
Networks and RoadRunner using IP masquerading"</A>, explains how to
|
|
setup a Linux based gateway with good security in mind. The
|
|
authors suggest starting with a clean install of Linux, which
|
|
is an excellent idea, as security starts with a secure install,
|
|
and that is what this article is about. When finished this will
|
|
be a very lean install, weighing in at about 130 MB plus swap,
|
|
there will be no X Windows, though I like to install Midnight
|
|
Commander for file management.
|
|
|
|
<P> I'm going to make a couple of assumptions here, first, you
|
|
know how to install Linux and are familiar with its use. Second
|
|
I assume you are setting up a gateway computer permanently
|
|
attached to the internet be it by cable modem, DSL or whatever
|
|
and will not be used for anything else like a ftp, telnet or web
|
|
server.
|
|
|
|
<H2>What you will need</H2>
|
|
<P> My machine is an old Dell Optiplex 466/MXe, it is a 486 DX2 66,
|
|
with 16 MB of RAM, a 512 MB Hard Drive, a sound card and a
|
|
4X IDE CDROM. I acquired this one for $50 and upgraded it to a
|
|
486DX4 100, 40 MB of RAM, I removed the sound card and added 2
|
|
network cards, a SCSI card and installed a 320 MB SCSI hard
|
|
drive, all of which I had in spare parts. The minimum system
|
|
you will need, is a 486 (any flavor), 16 MB of RAM, 200 MB
|
|
hard drive, two network cards and either a CDROM or the ability
|
|
to do a network install. You will also need a copy of RedHat
|
|
Linux 6.x. Although any distribution will work just fine, I
|
|
will only cover RedHat. The system will only need a monitor
|
|
during the install, after that it can run headless and can
|
|
be administered remotely using Openssh.
|
|
|
|
<P> Before you begin, go to
|
|
<A HREF="ftp://ftp.redhat.com">ftp://ftp.redhat.com</A>, download and
|
|
copy to floppy disks, the following;
|
|
|
|
<UL>
|
|
<LI> e2fsprogs-1.17-1.i386.rpm
|
|
<LI> initscripts-4.63-1.i386.rpm
|
|
<LI> lynx-2.8.2-3.i386.rpm
|
|
<LI> pam-0.68-8.i386.rpm
|
|
</UL>
|
|
|
|
<P> If you are using RedHat 6.2, the previous files are unnecessary.
|
|
Go to
|
|
<A HREF="ftp://thermo.stat.ncsu.edu/pub/openssh-usa">ftp://thermo.stat.ncsu.edu/pub/openssh-usa</A>
|
|
and again, download and copy to disk;
|
|
|
|
<UL>
|
|
<LI> openssh-1.2.3-1us.i386.rpm
|
|
<LI> openssh-clients-1.2.3-1us.i386.rpm
|
|
<LI> openssh-server-1.2.3-1us.i386.rpm
|
|
<LI> openssl-0.9.5a-1us.i386.rpm
|
|
</UL>
|
|
|
|
<H2>Installing and configuring Linux</H2>
|
|
<P> I will only be covering the items which deviate from the
|
|
default settings.
|
|
|
|
<OL>
|
|
<LI> Choose a custom install. When Disk Druid comes up, make
|
|
the following partitions.
|
|
|
|
<PRE>
|
|
<STRONG>Partition Minimum size % of total Mine</STRONG>
|
|
/ 40 MB 10% 75 MB
|
|
/boot 5 MB 5 MB 5 MB
|
|
/home 100 MB 25% 200 MB
|
|
/tmp 40 MB 10% 75 MB
|
|
/usr 220 MB 45% 320 MB <SUP>1</SUP>
|
|
/var 40 MB 10% 75 MB
|
|
swap 64 MB 2X RAM 80 MB <SUP>2</SUP>
|
|
</PRE>
|
|
|
|
<P> <SUP>1</SUP> For simplicity I used the entire SCSI drive
|
|
|
|
<P> <SUP>2</SUP> In reality you could make the swap partition size
|
|
equal to your RAM size
|
|
or even smaller. I suggest larger in case you
|
|
want to setup a web or ftp site later.
|
|
|
|
<P> This chart shows roughly how to divide up your Hard Drive,
|
|
The minimums are just that, if your hard Drive is larger then
|
|
512 MB, then use the percentages after the swap and /boot sizes
|
|
have been taken out. If your drive is smaller than 512 MB,
|
|
then just make a swap partition and a root partition. By
|
|
doing this, if an intruder does get in, he will not be able
|
|
to fill up your hard drive by writing large files to either
|
|
the /tmp or the /home directories. It also lets you do some
|
|
Interesting things in /etc/fstab, like set nosuid and nodev
|
|
on /tmp and /home. Some people will ask why I dedicate such
|
|
a large chunk of drive space to the /home partition, when in
|
|
theory, this system won't have many, if any real users. The
|
|
answer is, room for transferring files to and from remote
|
|
locations, like sharing MP3's or work files. <P>
|
|
|
|
<LI> When selecting the components to install, only choose
|
|
Networked Workstation, Network Management Workstation,
|
|
Utilities and Select Individual Packages. If you are using
|
|
RedHat 6.2 and did not download the updated RPM's, select
|
|
Lynx, so it is installed.
|
|
|
|
<P> Deselect the following packages:
|
|
git, finger, ftp, fwhois, ncftp, rsh, rsync, talk, telnet
|
|
ghostscript, ghostscript-fonts, mpage, rhs-printfilters
|
|
arpwatch, bind-utils, knfsd-clients, procinfo, rdate, rdist,
|
|
screen, ucd-snmp-utils, chkfontpath, yp-tools, XFree86-xfs,
|
|
lpr, pidentd, portmap, routed, rusers, rwho, tftp, ucd-snmp,
|
|
ypbind, XFree86-libs, libpng, XFree86-75dpi-fonts, urw-fonts
|
|
<P>
|
|
|
|
<LI> After the system reboot, log in as root and type in the
|
|
following command line, to clean out the packages the install
|
|
program doesn't let you deselect.
|
|
|
|
<PRE>
|
|
rpm -e --nodeps pump mt-st eject bc mailcap apmd
|
|
kernel-pcmcia-cs getty_ps setconsole setserial raidtools
|
|
rmt sendmail
|
|
</PRE>
|
|
|
|
<P> You may also want to consider removing Linuxconf, kudzu,
|
|
kbdconfig, authconfig, timeconfig, mouseconfig, ntsysv and
|
|
setuptool, depending on your skill level. All of the above
|
|
packages are either security risks, such as rsh or not needed
|
|
like XFree86 fonts.<P>
|
|
|
|
<LI> Copy all the rpm's you downloaded from RedHat to a
|
|
couple of floppies, take it to the newly installed machine and
|
|
mount the floppy drive with mount -t msdos /dev/fd0 /mnt/floppy
|
|
then install the files by typing rpm -Uvh /mnt/floppy/*.rpm <P>
|
|
|
|
<LI> Copy all the Openssh files to a floppy disk and again
|
|
take it to the newly installed system and mount the floppy
|
|
disk by typing mount -t msdos /dev/fd0 /mnt/floppy and type
|
|
rpm -ivh /mnt/floppy/open* . Change into the /etc/ssh
|
|
directory and open sshd.config and look for"PermitRootLogin
|
|
yes" and change it to no. This will cause the system to deny
|
|
access to anyone trying to log onto the system as root from
|
|
a remote system. If you need to logon as root remotely,
|
|
logon as a normal user, then use the su command to get
|
|
root access.
|
|
</OL>
|
|
|
|
<H2>Final Notes</H2>
|
|
<P> I am not going to go into detail about setting up a good
|
|
firewall, "Private Networks and RoadRunner using IP Masquerading"
|
|
does an excellent job of that, however I have a couple of suggestions.
|
|
|
|
<P> I believe for security purposes DNS services should not be
|
|
placed on the firewall system, either each client should be setup
|
|
individually to use your internet service provider for DNS or a
|
|
different machine on the network should be configured to act as
|
|
a DNS server. Futher, I feel no inetd services from should be
|
|
run on the firewall machine either, the only port which should be
|
|
open is port 22, the ssh port. I as a rule will delete the
|
|
inetd.conf file and replace it with an empty one, using
|
|
"touch /etc/inetd.conf".
|
|
|
|
<P> If you have more than two or three users on the system, you may
|
|
want to consider using Squid, which is a web proxy/caching program.
|
|
This speeds things up by keeping copies of often visited web sites
|
|
on the local machine. It can also be used to block web sites, which can
|
|
be useful if there are under age users in the house. If you decide
|
|
to use Squid, I recommend at least 1 GB hard drive, 32 MB of RAM and
|
|
a 486DX2/66 processor. Squid can be installed off the RedHat CD.
|
|
Alternately, you can install Junkbuster, which is also a proxy
|
|
program, it does not cache web sites and therefore will not require a
|
|
larger hard drive, more RAM or a faster processor, what it does is
|
|
blocks ad banners, which depending on the sites you visit will speed
|
|
things up and keep these companies from gathering information about you.
|
|
Junkbuster can be downloaded from
|
|
<A HREF="http://www.waldherr.org/junkbuster">http://www.waldherr.org/junkbuster</A>.
|
|
|
|
<P> For easy firewall construction, you should download either
|
|
<A HREF="http://seawall.sourceforge.net">Seawall</A> or
|
|
<A HREF="http://www.pointman.org">pmfirewall</A>,
|
|
these are ipchains based firewall programs designed for simplicity, I have
|
|
tried both and they work as promised and will save you the trouble of learning
|
|
ipchains. Seawall is harder to setup, but has more configuration options,
|
|
pmfirewall is easier to setup, but has less options.
|
|
|
|
|
|
<H2>Finished</H2>
|
|
<P> Now go back to "Private Networks and RoadRunner using IP Masquerading"
|
|
and finish configuring the gateway. Please remember this is not the
|
|
end all and be all of Linux security, this simply give you a solid
|
|
starting point. For a masters tutorial on Linux security download, see
|
|
<A HREF="http://pages.infinit.net/lotus1/opendocs/book.htm">
|
|
http://pages.infinit.net/lotus1/opendocs/book.htm</A>.
|
|
|
|
This document is massive at 475 pages, but the first two chapters alone
|
|
are worth the read.
|
|
|
|
|
|
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<P> <hr> <!-- P -->
|
|
<H5 ALIGN=center>
|
|
|
|
Copyright © 2000, Chris Stoddard<BR>
|
|
Published in Issue 54 of <i>Linux Gazette</i>, June 2000</H5>
|
|
<!-- *** END copyright *** -->
|
|
|
|
<!--startcut ==========================================================-->
|
|
<HR><P>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="sevenich.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue54/stoddard.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_backpage54.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|