Silicon Chip, August 2001
Using Linux To Share An Internet Connection; Pt.3
In Pt.2, we showed you how to configure your Linux box to function
as an Internet gateway with demand dialling and a firewall. This
month, we show you how to tweak the settings so that you can log
on as a user (rather than as root). We also describe logging and
show you how to make it really easy to drive.
By GREG SWAIN
So far, you’ve done all the work on your Linux box
while logged on as root. This is necessary in order to
access certain files and to perform other administrative
tasks.
However, even with a firewall, it’s a really bad idea to
be connected to the Internet while logged on as root. If
someone cracks your firewall, they can not only take over
your machine but can also read any sensitive files, such
as your pap-secrets file which contains your username
and password.
Similarly, logging on as root enables anyone who has
easy access to the machine to pry into sensitive information.
At the very least, you want your Internet password to be
kept secret, to prevent someone else from running up a
big bill at your expense.
In short, connecting to the Internet while logged in as
root is like playing “Russian Roulette”. Your machine
could end up being “owned” by someone else – perhaps
from another country.
Tip 1: Mounting Devices In Linux
Unlike Windows, Linux doesn't use drive letters. Instead,
external disk drives and other resources (such as network
shares) are “mounted” by attaching them to the file system.
If you don’t do this, the files won’t be visible.
The point at which the device is attached is referred to
as the “mount point”. For example, on most systems, floppy
disk drives and CD-ROM drives are attached to the /mnt
folder (automatically set up during installation), so that
they become /mnt/floppy and /mnt/cdrom.
To mount a CD-ROM or floppy disk in KDE or Gnome,
insert the disk, then right-click its icon on the desktop
and choose “mount” from the drop-down list. Alternatively,
left-clicking the icon mounts the device and opens the file
manager to display the files.
Similarly, a device should always be unmounted before
the disk is removed; ie, right-click the device icon on the
desktop and choose “unmount” from the menu.
You can also mount and unmount devices from the
terminal prompt. Type man mount for more details.
Running pppd as a user
The way around this is to log onto your Linux box as
a user (you did write down your user account name and
password when you installed Linux, didn’t you?). This
allows you to keep sensitive setup files hidden. It also
prevents you or anyone else from accidentally altering
or deleting critical system files, which could wreck your
Linux setup.
That’s one of the advantages of Linux. Because it’s designed
as a multi-user system, you can restrict the privileges that
any one user has while granting special privileges
to certain users or groups. By default, only root has access
to the entire system and we need to make a few changes
in order to run pppd as a user.
What we’re going to do now is change the permissions
of certain files to allow this and to increase security. We
do that using the chmod (change mode) and chown (change
ownership) commands. We won’t get sidetracked explaining
file permissions here; just remember that Linux can set
different permissions for the same file – one set for the
file’s owner, another set for members of a group and another
set for everyone else (others).
Because pppd requires root privileges to run, we are
now going to change its permissions so that it can be
executed by both “root” and members of the “pppusers”
group. This is done as follows (you will need to be logged
on as root):
chown root:pppusers /usr/sbin/pppd
chmod 4750 /usr/sbin/pppd
Note: Linuxconf users should do this from within Linuxconf, otherwise it will cancel these changes the next
time you run it. To do this, launch Linuxconf and go to
Control -> Control files and systems -> Configure file
permission and ownership.
The first line changes the ownership (chown) of pppd
so that it now belongs to the pppusers group. The second
line changes the permissions and gives pppd a set user
identification (SUID) number – it’s the “4” that sets the
SUID bit. The “7” makes pppd readable, writable and
executable by the file’s owner (in this case, root), while
the “5” makes pppd readable and executable by the
group.
The final digit (0) makes pppd inaccessible to everyone
else; ie, they can neither read, write nor execute the file.
You can check that the correct permissions have been
set by entering the command:
ls -l /usr/sbin/pppd
You should get this response:
-rwsr-x--- 1 root pppusers
This indicates that only “root” and members of the
“pppusers” group can execute pppd.
Having done this, you need to edit /etc/group and add
your user name to the “pppusers” group. So if your user
name (or login name) is “greg”, the line would read:
pppusers:x:44:greg
What this does is make greg a member of the pppusers
group, which means that greg can now log on and run
pppd. By the way, the user name here refers to the user
name chosen for logging onto your Linux box; not the
“username” used for logging onto the Internet. Don’t
confuse the two.
You now have to run the command:
newgrp pppusers
from your user account for the change to take effect. Of
course, you could also reboot but hang on ... this is Linux
– you really don’t have to do that.
Aaaaarggghh! It Doesn’t @#$%^&* Connect
The /var/log/messages file is your starting point if you
have problems getting your modem to connect. Here are
a few troubleshooting clues:
(1) Modem Drops Connection: if the modem dials in
but disconnects before the log-in procedure is complete,
try increasing the second timeout value in /etc/ppp/
chat-script. A value of 40 seconds should be sufficient
in most cases but you may have to increase this to 60
seconds or more.
If the modem drops the connection immediately,
check the telephone number. Also, check your scripts
for typing errors, particularly /etc/ppp/options and
/etc/ppp/chat-script. It only takes one error to crash
and burn.
(2) LCP Timeout Errors: if the modem fails to complete
the connection and you see “LCP: timeout sending Config
Requests” in the log, add the following line to /etc/ppp/
options:
lcp-max-configure 30
This increases the number of lcp requests from the
default value of 10 and may be necessary if the server
at the ISP’s end is a bit slow to respond. In fact, you
might like to add this line by default, to avoid any possible problems.
For a really slow server, you may have to use an even
higher value. Alternatively, try adding the line asyncmap
0xa0000 to the /etc/ppp/options file.
(3) IP-Compress Errors In Log: if you see ip-compress
errors in the log when a connection is made, add the
following lines to the bottom of /etc/modules.conf (this
mainly applies to Caldera users):
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
(4) Port Speed Is Too High: don’t set the port speed
too high in the /etc/ppp/options file. If you do, you
may find that your modem doesn’t connect reliably
or may drop the connection for no apparent reason.
Use 115200 for 56Kb modems and 38400 for 33.3Kb
modems.
(5) Modem Doesn’t Respond Correctly: if the modem
fails to respond, dials on every second attempt only or
often fails to hang up, you need to include some initialisation strings in the /etc/ppp/chat-script file. Take a look
at the revised chat-script file shown in the accompanying
panel – it will probably be all you need or you can include
your own initialisation string.
(6) Modem Doesn’t Respond: if there’s no activity from
the modem at all, check to ensure that you’ve specified the
correct serial port. You can do that using the “modemtool”
utility, as described last month in Pt.2.
Permissions cleanup
We now need to change the permissions of some files to
improve security. Basically, this involves restricting access
to them so that they cannot be altered, executed or even
read by unauthorised users.
First, let’s look at the /etc/ppp/chat-script file. By default,
this is readable by everyone and that’s not good if this file
includes your username and password details. To restrict
access, we need to change the ownership and permissions
for this file as follows:
chown root:pppusers /etc/ppp/chat-script
chmod 640 /etc/ppp/chat-script
This changes the ownership of this file so that it now
belongs to the pppusers group. As a result, only “root”
and members of the pppusers group have read access to
/etc/ppp/chat-script and only “root” can edit it.
The next three files – /etc/ppp/options, /etc/ppp/
pap-secrets and /etc/ppp/chap-secrets – can be locked down
as follows:
chmod 600 /etc/ppp/options
chmod 600 /etc/ppp/pap-secrets
chmod 600 /etc/ppp/chap-secrets
This makes them readable and writable by “root” but
denies access to everyone else. Note that we don’t have
to provide read access for any of these files to members
of the pppusers group. That’s because they are read when
we run /usr/sbin/pppd and this always runs with root
privileges.
Now, complete the permissions clean-up as follows:
chmod 700 /sbin/ipchains
chmod 700 /etc/rc.d/rc.local
chmod 644 /etc/resolv.conf
The first two lines make ipchains and rc.local readable,
writable and executable by root and deny any access to
all other users. The third line makes resolv.conf readable
and writable from “root” and readable by everyone else
(security is not really an issue with this file, so we can
relax the access rules).
It’s time to test this – reboot, log on as user, open a terminal window and type:
/usr/sbin/pppd
It should all work exactly as before, when you were
logged on as root. You can test this by triggering a dial out
from one of your Windows boxes.
The only thing that probably won’t work is issuing killall
pppd as a user (to manually disconnect from the ISP). This
doesn’t matter if you always plan to let the connection
time out when traffic ceases. However, if you do wish
to manually disconnect, you’ll need the “PPP Kill SUID
Wrapper” – see panel.
By the way, if there are multiple user accounts on
the machine, only those users who are members of
the pppusers group will be able to run pppd (ie, they
must have their names added to the pppusers group in
/etc/group). This means that a Linux box is great for restricting Internet access – you might want to stop your
children from accessing the Internet without your permission,
for example.
Just keep the appropriate user name and password details secret and you’ve got it all locked up.
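The numeric modes used in this section (4750 for pppd; 640, 600, 700 and 644 for the configuration files) and the -rwsr-x--- form that ls -l prints are two spellings of the same nine permission bits plus the SUID, SGID and sticky bits. The following Python script is an added example, not part of the original article, that converts between the two spellings and audits ls -l output against the ownership and modes set in the pppd SUID step and in the permissions clean-up above. The ls -l lines it checks are constructed sample output showing a box where two files were missed; run it over the real output of ls -l on the listed paths to check your own gateway.

```python
"""Decode Unix mode bits and audit the ownership and permissions this
article sets up.  Added example, not code from the Silicon Chip article.
It checks `ls -l`-style lines, so it runs without root and without the
real files; feed it `ls -l` output for the listed paths to audit a box."""
import re
from typing import Dict, List, Optional, Tuple

# Expected (owner, group, mode) per file, from the article's chown/chmod lines.
# None means the article sets no owner/group for that file, so it is not checked.
EXPECTED: Dict[str, Tuple[Optional[str], Optional[str], int]] = {
    "/usr/sbin/pppd":        ("root", "pppusers", 0o4750),
    "/etc/ppp/chat-script":  ("root", "pppusers", 0o640),
    "/etc/ppp/options":      (None, None, 0o600),
    "/etc/ppp/pap-secrets":  (None, None, 0o600),
    "/etc/ppp/chap-secrets": (None, None, 0o600),
    "/sbin/ipchains":        (None, None, 0o700),
    "/etc/rc.d/rc.local":    (None, None, 0o700),
    "/etc/resolv.conf":      (None, None, 0o644),
}

# Which `ls -l` column carries the setuid, setgid and sticky bits.
SPECIAL_BITS = {2: 0o4000, 5: 0o2000, 8: 0o1000}


def mode_to_symbolic(mode: int) -> str:
    """0o4750 -> '-rwsr-x---', the form `ls -l` prints (leading '-' = regular file)."""
    out = ["-"]
    for shift, special, letter in ((6, 0o4000, "s"), (3, 0o2000, "s"), (0, 0o1000, "t")):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:                      # special bit: lower case only if x is also set
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def symbolic_to_mode(symbolic: str) -> int:
    """'-rwsr-x---' (or 'rwsr-x---') -> 0o4750; the inverse of mode_to_symbolic."""
    perms = symbolic[-9:]
    if len(perms) != 9:
        raise ValueError(f"not a permission string: {symbolic!r}")
    mode = 0
    for i, ch in enumerate(perms):
        shift = 6 - 3 * (i // 3)                # owner, group, other
        plain = "rwx"[i % 3]
        if ch == plain or (i in SPECIAL_BITS and ch in "st"):
            mode |= (4, 2, 1)[i % 3] << shift
        if i in SPECIAL_BITS and ch in "sStT":
            mode |= SPECIAL_BITS[i]
        elif ch not in ("-", plain):
            raise ValueError(f"unexpected {ch!r} at position {i} in {symbolic!r}")
    return mode


# perms, link count, owner, group, size, three date fields, name.
LS_LINE = re.compile(
    r"^(?P<perms>[-dlcbps][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)$")


def parse_ls_line(line: str):
    """Return (path, owner, group, mode) from one `ls -l` line, or None."""
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    return m["path"], m["owner"], m["group"], symbolic_to_mode(m["perms"])


def audit(ls_lines: List[str]) -> List[str]:
    """Compare `ls -l` output against EXPECTED; return one finding per problem."""
    findings, seen = [], set()
    for line in ls_lines:
        parsed = parse_ls_line(line)
        if parsed is None or parsed[0] not in EXPECTED:
            continue
        path, owner, group, mode = parsed
        seen.add(path)
        want_owner, want_group, want_mode = EXPECTED[path]
        if want_owner and owner != want_owner:
            findings.append(f"{path}: owner is {owner}, expected {want_owner}")
        if want_group and group != want_group:
            findings.append(f"{path}: group is {group}, expected {want_group}")
        if mode != want_mode:
            findings.append(f"{path}: mode is {mode:04o} ({mode_to_symbolic(mode)}), "
                            f"expected {want_mode:04o} ({mode_to_symbolic(want_mode)})")
    for path in EXPECTED:
        if path not in seen:
            findings.append(f"{path}: not present in listing")
    return findings


# Constructed `ls -l` output: chat-script was never chown'd/chmod'd and
# pap-secrets is still world-readable.
SAMPLE_LS = """\
-rwsr-x---    1 root     pppusers    94932 Jul 12 10:00 /usr/sbin/pppd
-rw-r--r--    1 root     root          312 Jul 12 10:05 /etc/ppp/chat-script
-rw-------    1 root     root          410 Jul 12 10:05 /etc/ppp/options
-rw-r--r--    1 root     root           64 Jul 12 10:05 /etc/ppp/pap-secrets
-rw-------    1 root     root           64 Jul 12 10:05 /etc/ppp/chap-secrets
-rwx------    1 root     root        52316 Jul 12 10:05 /sbin/ipchains
-rwx------    1 root     root          980 Jul 12 10:05 /etc/rc.d/rc.local
-rw-r--r--    1 root     root           89 Jul 12 10:05 /etc/resolv.conf
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LS.splitlines()):
        print(finding)
```

On the constructed listing the script reports three findings: chat-script is still owned by group root and still mode 644, and pap-secrets is readable by everyone. An upper-case S in the group column (for example -rw-r-Sr--) means the SGID bit is set without an execute bit, which the converter round-trips correctly.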
Logging the connection
By default, pppd logs messages in /var/log/messages,
so check this file first if you strike problems.
Fig.19(a) shows the logs recorded when a successful dial-out connection is made. Note how the local and remote
IP addresses are changed. Fig.19(b) shows the log from an
unsuccessful connection attempt. This was made with
the phone line disconnected and results in the message:
“Failed (NO DIALTONE)”.
Look at the error logs carefully if you can’t make a
connection. They will often indicate exactly where the
problem lies.
As well as debugging, logging is also
useful for indicating any unauthorised
connection attempts to your Linux box
via the Internet. Port scans, Telnet requests
and other access requests are all logged,
so it’s easy to check that the firewall is
doing its job.
Each time something is filtered out,
/var/log/messages will show that an
incoming packet has been denied and
will list the IP address that it came from.
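To show what can be pulled out of those entries, here is an added Python example, not part of the original article, that parses the denied-packet lines together with pppd's local/remote address lines and chat's Failed (...) line, counts blocked packets per source address and flags any source that has been refused on several different ports. The sample log lines are constructed; their layout assumes the 2.2-kernel ipchains log format, and the two addresses are those shown in Fig.20.

```python
"""Extract the security-relevant events from /var/log/messages: ipchains
'Packet log' entries for denied packets, pppd's local/remote address lines
and chat's 'Failed (...)' lines.  Added example, not code from the Silicon
Chip article.  The sample lines are constructed; their layout follows the
2.2-kernel ipchains logging format (an assumption), and the two addresses
are the ones in the article's Fig.20."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of /var/log/messages: one successful dial-out, two
# refused Telnet attempts from one address, a four-port probe from another,
# and a later dial-out that failed for want of a dial tone.
SAMPLE_LOG = """\
Jul 12 10:14:29 penguin chat[530]: CONNECT
Jul 12 10:14:30 penguin pppd[512]: local  IP address 210.10.188.232
Jul 12 10:14:30 penguin pppd[512]: remote IP address 203.0.113.1
Jul 12 10:15:01 penguin kernel: Packet log: input DENY ppp0 PROTO=6 210.10.178.105:1033 210.10.188.232:23 L=60 S=0x00 I=40163 F=0x4000 T=51 SYN (#6)
Jul 12 10:15:02 penguin kernel: Packet log: input DENY ppp0 PROTO=6 210.10.178.105:1034 210.10.188.232:23 L=60 S=0x00 I=40164 F=0x4000 T=51 SYN (#6)
Jul 12 10:16:10 penguin kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:2222 210.10.188.232:21 L=60 S=0x00 I=8 F=0x4000 T=44 SYN (#6)
Jul 12 10:16:10 penguin kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:2223 210.10.188.232:23 L=60 S=0x00 I=9 F=0x4000 T=44 SYN (#6)
Jul 12 10:16:11 penguin kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:2224 210.10.188.232:80 L=60 S=0x00 I=10 F=0x4000 T=44 SYN (#6)
Jul 12 10:16:11 penguin kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:2225 210.10.188.232:110 L=60 S=0x00 I=11 F=0x4000 T=44 SYN (#6)
Jul 12 10:30:00 penguin chat[601]: Failed (NO DIALTONE)
"""

# ipchains: "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
PACKET_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
ADDR_RE = re.compile(r"pppd\[\d+\]: (?P<which>local|remote)\s+IP address (?P<ip>[\d.]+)")
FAIL_RE = re.compile(r"chat\[\d+\]: Failed \((?P<reason>[^)]*)\)")


def parse_line(line: str) -> Optional[Dict]:
    """Classify one syslog line; return None for lines this tool does not care about."""
    m = PACKET_RE.search(line)
    if m:
        event = m.groupdict()
        event["kind"] = "packet"
        event["dport"] = int(event["dport"])
        return event
    m = ADDR_RE.search(line)
    if m:
        return {"kind": "address", "which": m["which"], "ip": m["ip"]}
    m = FAIL_RE.search(line)
    if m:
        return {"kind": "dial_failed", "reason": m["reason"]}
    return None


def summarise(lines: List[str], scan_ports: int = 3) -> Dict:
    """Count blocked packets per source; flag sources refused on >= scan_ports distinct ports."""
    hits = defaultdict(lambda: {"count": 0, "ports": set()})
    report = {"local_ip": None, "remote_ip": None, "dial_failures": [],
              "blocked": {}, "port_scans": []}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if event["kind"] == "packet" and event["target"] in ("DENY", "REJECT"):
            hits[event["src"]]["count"] += 1
            hits[event["src"]]["ports"].add(event["dport"])
        elif event["kind"] == "address":
            report[event["which"] + "_ip"] = event["ip"]
        elif event["kind"] == "dial_failed":
            report["dial_failures"].append(event["reason"])
    for src in sorted(hits):
        ports = sorted(hits[src]["ports"])
        report["blocked"][src] = {"count": hits[src]["count"], "ports": ports}
        if len(ports) >= scan_ports:
            report["port_scans"].append(src)
    return report


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    print(f"link: local {summary['local_ip']}, remote {summary['remote_ip']}")
    for src, info in summary["blocked"].items():
        print(f"blocked {info['count']} packet(s) from {src} to ports {info['ports']}")
    print("possible port scans:", summary["port_scans"])
    print("failed dial-outs:", summary["dial_failures"])
```

Run against a real log the script needs nothing more than the file's lines; the per-source counts tell you whether the entries are a single stray connection attempt or a sweep across several services, which is the difference between noise and something worth a second look.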
This can also be useful for tracking down any problems
with your firewall – eg, if it’s blocking something that it
should let in.
Note that if you open /var/log/messages, you only see
the logs that were recorded up until the file was opened.
Want to see the logs go by in real time? Do this – open
a terminal window and type:
tail -f -v /var/log/messages
The messages will now scroll by in the terminal window
as they are continually updated – see Fig.19(a).
Fig.19a (left): you can watch the session logs go by in a terminal window. This screen grab shows the logs recorded for a
successful connection attempt using the revised /etc/ppp/chat-script file described in this article. Fig.19b (right) shows the
log for an unsuccessful connection attempt (the attempt was made with the phone line disconnected).
Fig.20: /var/log/messages logs any unsuccessful connection attempts. This shows an unsuccessful attempt by a user (us
actually) with an IP address of 210.10.178.105 to Telnet into a Linux box on 210.10.188.232.
Hanging Up – Fixing The Killall Problem
Hanging up while logged on as root involves issuing the
command killall pppd. This shuts pppd down and drops
the DTR line to the modem, forcing it to hang-up.
Unfortunately, this command may not work for you if you
are logged in as a user. One way around this is to log on
as root and then run the killall pppd command but that’s
a bit of a hassle.
An easier method is to use the “PPP Kill SUID Wrapper”
(fancy name, ain’t it?) written by W. G. Unruh from the
University of British Columbia, Vancouver, Canada. This
“wrapper” runs the killall pppd command but does so
without giving the user root privileges.
Basically, this file consists of about 20 lines written in
the C programming language. You’ll find it at:
http://axion.physics.ubc.ca/ppp-kill-wrapper.html
First, you have to save the code to a file called
pppoff.c, as instructed. You then have to compile the
code but don’t sweat this – Linux comes with a built-in
C compiler (gcc).
All you have to do is log on as root, open a terminal
window and change to the folder where you saved the file.
You then issue the following commands:
gcc -o pppoff pppoff.c
chmod a+x pppoff
chmod +s pppoff
This compiles a binary file called pppoff, makes it
executable and sets the SUID (set user ID) bit. Copy
pppoff into the /bin directory and you are in business.
All users can now kill pppd and force the modem to
hangup by issuing the command pppoff. You can also
create a linked icon to /bin/pppoff on the desktop – just
drag the file to the desktop, release the mouse button
and choose “Link” from the resulting menu. You can now
hangup with just a single mouse click.
A better scheme is to create a single executable script
file (called hangup) that includes both the pppoff and
startpppd commands, as described in the main text. This
will automatically restart pppd each time you force the
modem to disconnect.
Note that you don’t have to restart pppd if the modem
disconnects due to an idle timeout.
Making it easy to drive
Well, actually, it’s already easy to drive. Provided you’ve
followed all the instructions, your Linux gateway will be
ready for demand dialling as soon as it’s booted. What’s
more, it will work whether you’re logged in as a user or
as root (user is best for security).
Note that it isn’t necessary to start X Windows for the
gateway to function. In fact, you might want to leave the
box running in terminal mode if it’s used only as a gateway, since this minimises the load on system resources
– something that might be important if you’re running
an old 486.
Actually, you don’t even have to log in for the gateway
to function. The system is ready for use as soon as it boots
and will automatically dial on demand and disconnect 10
minutes after traffic ceases.
Inevitably, there will be occasions when you want to
manually disconnect from your ISP, rather than wait for
an idle disconnect. However, if you do that, you then have
to restart pppd to enable demand dialling again.
But who wants to type long command lines in a terminal window each time you wish to disconnect (hangup),
restart pppd or monitor the message logs? Not me, that’s
for sure, so let’s create some script files to make the job
easy.
We’ll begin by writing some script files so that we can
disconnect and automatically restart pppd – either by single-clicking an icon on the desktop or by typing “hangup”
at a terminal prompt.
First, create a new text file and put the following into
it (you should be logged on as root):
Script 6: /bin/startpppd
#!/bin/sh
# Start Demand Dialling (startpppd)
#
/usr/sbin/pppd
Save this file as /bin/startpppd and change its permissions as follows:
chown root:pppusers /bin/startpppd
chmod 750 /bin/startpppd
This makes the file readable, writable and executable
by root, and readable and executable by members of the
pppusers group.
Next, create a /bin/pppoff file (this hangs up the modem),
as instructed in the accompanying panel: “Hanging Up – Fixing The Killall Problem”.
Finally, create a new text file with the following:
Script 7: /bin/hangup
#!/bin/sh
# Hangup and restart pppd for demand dialling
/bin/pppoff
sleep 3
/bin/startpppd
Save this file as /bin/hangup and do the following:
chown root:pppusers /bin/hangup
chmod 750 /bin/hangup
That’s it – issuing the command “hangup” at a terminal
prompt will now force the modem to hangup (if it’s connected) and then automatically restart pppd. The system
is then ready for the next dial-out request. The “hangup”
command can also be used to restart demand dialling
if pppd has exited due to four successive unsuccessful
connection attempts.
Note the “sleep 3” line. This inserts a delay of three
seconds between hanging up the modem and restarting
pppd, to give the modem time to reset. You can see this if
you watch the terminal log.
What about that desktop icon? Easy – just open the file
manager, left-click the /bin/hangup file and drag it onto
the desktop. Release the mouse button, then click “Link”
from the drop-down menu that appears. This creates an
icon that’s linked to the original file (just like a Windows
shortcut).
Fig.21: creating shortcuts on the desktop makes it easy to manually hang up and view the messages log. You can
force the modem to hang up (and automatically restart pppd) by clicking once on the hangup icon, or by issuing
the hangup command at a terminal prompt.
Modem Initialisation And A Revised Chat Script
The basic chat-script file listed on page 64 of the
June 2001 issue should work with most modems.
However, some modems require an initialisation
string to work properly with Linux (under Windows,
the initialisation string is included in the driver).
Try using the basic chat-script first but if you strike
problems, modify the /etc/ppp/chat-script file as
follows:
TIMEOUT 5
ABORT "BUSY"
ABORT "NO CARRIER"
ABORT "NO DIALTONE"
ABORT "ERROR"
ABORT "NO ANSWER"
"" AT
OK-+++\c-OK ATH0
OK "AT&F&D2&C1&K3"
TIMEOUT 40
OK ATDT[dialup number]
CONNECT ""
Let’s take a look at what this does. Following the
abort error lines, the script sends the AT (attention)
command to the modem (the "" means expect nothing
from the modem). Provided the modem is in command
mode, it should respond with OK.
The next line tells the script to expect this OK. If
this isn’t received (OK-), the script then sends +++ (a
standard Hayes modem string) to force the modem
into command mode. The \c-OK says don’t send a
carriage return and to wait for OK again. When it
arrives, the script sends ATH0 which is the modem
hang-up string.
This is done so that the script can cope with the
modem being stuck on-line – something that should
happen only rarely (if at all). If this is a problem, you
can remove this line until you’ve determined the cause
(or get rid of the OK ATH0 from the end of the line to
give OK-+++\c-).
The next line says to expect OK (in response to
the ATH0 command) and send the initialisation string:
AT&F&D2&C1&K3. As usual, this command string
begins with AT to get the modem’s attention. The &F
sets the modem to the factory default; &D2 ensures
that the modem hangs up when DTR goes low (taking DTR low is the usual method of getting a modem
to hang up); &C1 ensures that carrier detect follows the
carrier signal; and &K3 instructs the modem to use
RTS/CTS hardware flow control.
After that, the timeout is reset to 40 seconds and
the modem instructed to dial the number. Note that
the dialling command line begins with OK, since this
is expected from the modem in response to the initialisation string.
Finally, chat-script is told to expect CONNECT (the
modem sends this when the remote modem answers)
and to send nothing in reply.
This chat-script file should work with the vast majority of modems. In fact, you might like to use it as
a matter of course, in place of the version described
last month. If you still have problems, use the initialisation string listed in your modem’s manual or at the
manufacturer’s website.
You can also extract the initialisation string from
the Windows 98/Me .inf driver file supplied with the
modem. Just open up the .inf driver file using Notepad
on a Windows box and search for “Init” (without the
quotes). You’ll see the initialisation string at the end
of one of the Init lines.
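To make the OK-+++\c-OK mechanism in the panel above concrete, here is an added Python example (not part of the original article and not pppd's chat program) that parses the revised chat-script and runs it against a simulated modem. One run uses a modem that is still on-line from an earlier session, so the first AT is swallowed and the +++ fallback is what rescues the script; another uses a modem with no dial tone, which ends in the NO DIALTONE abort. Only the subset of chat's syntax the script uses is supported, and the dial-up number is left as the article's placeholder (quoted so it reads as one word).

```python
r"""Run the revised /etc/ppp/chat-script against a simulated modem to show what
the OK-+++\c-OK line buys.  Added example: not code from the Silicon Chip
article or from pppd's chat(8).  Only the subset of chat syntax the script
uses is handled: expect/send pairs, ABORT, TIMEOUT, '-' separated
expect-send-expect alternates, and a trailing \c that suppresses the CR."""
import re
from typing import List, Optional, Tuple

# The article's revised script; the dial-up number is the article's own
# placeholder, quoted so the tokeniser treats it as one word.
CHAT_SCRIPT = r'''
TIMEOUT 5
ABORT "BUSY"
ABORT "NO CARRIER"
ABORT "NO DIALTONE"
ABORT "ERROR"
ABORT "NO ANSWER"
"" AT
OK-+++\c-OK ATH0
OK "AT&F&D2&C1&K3"
TIMEOUT 40
OK "ATDT[dialup number]"
CONNECT ""
'''
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')   # a quoted string (may be empty) or a bare word


def parse_chat(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (abort strings, steps); a step is (expect, send) or ('TIMEOUT', seconds)."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN_RE.finditer(text)]
    aborts, steps = [], []
    for i in range(0, len(tokens), 2):
        word, arg = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else ""
        if word == "ABORT":
            aborts.append(arg)
        else:
            steps.append((word, arg))
    return aborts, steps


class FakeModem:
    """Hayes-style modem with the two faults the article discusses: left on-line
    from an earlier session (AT commands vanish into the data stream) and no dial tone."""

    def __init__(self, stuck_online: bool = False, dialtone: bool = True):
        self.data_mode, self.dialtone = stuck_online, dialtone
        self.sent: List[str] = []              # everything the script wrote, for inspection

    def write(self, data: str) -> Optional[str]:
        """Take one transmission and return the modem's reply (None = silence)."""
        self.sent.append(data)
        if self.data_mode:
            if data == "+++":                  # escape sequence, sent without a CR
                self.data_mode = False
                return "OK"
            return None                        # swallowed: chat will hit its TIMEOUT
        cmd = data.rstrip("\r")
        if cmd.startswith("ATDT"):
            if not self.dialtone:
                return "NO DIALTONE"
            self.data_mode = True
            return "CONNECT"
        return "OK" if cmd.startswith("AT") else None   # AT, ATH0, AT&F... all answer OK


def transmit(modem: FakeModem, text: str, log: List[str]) -> Optional[str]:
    data = text[:-2] if text.endswith("\\c") else text + "\r"   # \c: no carriage return
    reply = modem.write(data)
    log.append(f"send {text!r} -> {reply!r}")
    return reply


def run_chat(script: str, modem: FakeModem) -> Tuple[bool, str, List[str]]:
    """Drive the script; return (connected, reason, transcript)."""
    aborts, steps = parse_chat(script)
    log: List[str] = []
    reply: Optional[str] = None                # last modem output not yet consumed
    for expect, send in steps:
        if expect == "TIMEOUT":
            log.append(f"timeout now {send}s")
            continue
        alternates = expect.split("-")         # expect[-send-expect]...
        k = 0
        while True:
            want = alternates[k]
            if reply is not None and reply in aborts:
                log.append(f"abort: modem said {reply!r}")
                return False, reply, log
            if want == "" or (reply is not None and want in reply):
                log.append(f"expect {want!r}: ok")
                break
            if k + 2 < len(alternates):        # timed out: send the fallback, expect again
                log.append(f"expect {want!r}: timeout, trying fallback")
                reply = transmit(modem, alternates[k + 1], log)
                k += 2
            else:
                return False, f"timeout waiting for {want!r}", log
        reply = transmit(modem, send, log)
    return True, "connected", log


if __name__ == "__main__":
    for label, modem in (("normal", FakeModem()), ("stuck on-line", FakeModem(stuck_online=True)),
                         ("no dial tone", FakeModem(dialtone=False))):
        ok, reason, log = run_chat(CHAT_SCRIPT, modem)
        print(f"{label}: {reason}\n  " + "\n  ".join(log))
```

The transcript for the stuck-on-line modem shows the first AT getting no reply, the +++ going out without a carriage return, and ATH0 only being sent once the modem has answered OK; with the modem already in command mode the fallback is never used. The simulated modem is deliberately simple (it ignores S-registers, result codes other than OK, CONNECT and NO DIALTONE, and timing) so that the expect/send logic stays readable.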
Single-clicking this icon is now all it takes to disconnect the link and automatically restart pppd for demand
dialling. What could be easier?
There’s another option here – if you want to separate the disconnect and restart pppd functions, just
create links to /bin/pppoff and /bin/startpppd by dragging them to the desktop in exactly the same manner.
You can also type pppoff and startpppd at a terminal
prompt to disconnect and to restart demand dialling,
respectively.
Be careful if you adopt the latter approach though –
it’s easy to forget that you have to restart pppd if you
disconnect by using pppoff. Using a single command
(hangup) is the easiest, since it automatically restarts
pppd for you.
Note that you will have to repeat the above procedure
for creating the desktop icon shortcuts when you subsequently log on as a user.
Now let’s make it easier to follow the logging. Create
a new file and place the following lines in it:
Script 8: /bin/logit
#!/bin/sh
# logit - for logging in real time
#
tail -f -v /var/log/messages
Save this as /bin/logit and set the permissions as
follows:
chown root:pppusers /bin/logit
chmod 750 /bin/logit
Now all you have to do is issue the command “logit” in
a terminal window and you can watch the logs go by in
real time. You can test that it’s working by disconnecting
the phone line from the modem and clicking the hangup
icon on the desktop a few times.
OK, I’ve probably now got a few Linux gurus frothing at
the mouth, since the /bin directory is normally reserved
for binary files only. However, one of the files (pppoff) is
a binary file and by placing them all in /bin, all the files
are kept in one place. More importantly, we don’t have
to type in the complete path to the file when we want to
execute a command.
That’s it – your Linux Internet gateway is complete. As
far as your Windows clients are concerned, it should look
as though it isn’t there. Next month, we’ll take a look at
the steps you can take to improve security.
Tidying Up The Previous Stuff
(1) Chat-script file
On page 64 of the June 2001 issue, it states that some
modems may require an initialisation string in the /etc/
ppp/chat-script file. If you do place the line
"" +++[initialisation string]
into this file, change the next line to read:
OK ATDT[dialup number]
Better still, if your modem does require an initialisation
string, we suggest that you modify the chat-script file as
shown in the accompanying panel: “Modem Initialisation
& A Revised Chat Script”.
(2) Modifying /etc/rc.d/rc.local
On page 68 of the June 2001 issue, the lines “logger
Firewall up” and “logger Demand dialling started” in the
/rc.d/rc.local file should read “echo Firewall up” and
“echo Demand dialling started” (without the quotes).
Alternatively, these two lines can be omitted.
(3) Cleaning up /etc/rc.d/rc.firewall
The full path was left out of the last two lines of the
firewall script. Change these lines as follows:
# Log everything else to syslog and drop the packet
/sbin/ipchains -A input -s $ANY -d $ANY -l -j DENY
/sbin/ipchains -A output -s $ANY -d $ANY -l -j DENY
Also, rule (6) under the section headed “# Set up rules
for Internet (ppp0) traffic” can be changed to read:
/sbin/ipchains -A input -p tcp -s $ANY -d $ANY auth -i ppp0 -l -j REJECT
This denies and logs any incoming authorisation
requests.
(4) Fixing /etc/ppp/pap-secrets & chap-secrets
Use tabs instead of spaces before and after the
asterisk (some systems won’t work with spaces); ie,
[username][tab]*[tab][password]
Tip 2: Improving Security
Here’s a quick way of denying access to any services
that have been left running on your Linux box to outsiders
on the Internet. First, open up the /etc/hosts.deny file
and add the following rule to the end of the commented
section:
# /etc/hosts.deny
ALL: ALL
This tells the “TCP wrappers” to deny connections to all
services from all hosts. It will also stop local machines on
your network from accessing any wanted services, so we
need to weaken the rules by adding some exceptions to
/etc/hosts.allow. Open this file and add these lines:
# /etc/hosts.allow
ALL: 127.0.0.1
ALL: 192.168.0.
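The order in which those two files are consulted is what makes the scheme work: tcpd checks hosts.allow first, then hosts.deny, and a connection matched by neither file is granted. The following Python example, added here and not part of the original article or of tcpd itself, evaluates the article's two files for a given service and client address, so you can confirm that an outside address is refused while machines on 192.168.0. and the loopback address get through. It handles only the part of the hosts_access language the two files use (daemon list, client list, the ALL wildcard, an exact address and a trailing-dot network prefix) plus the leading-dot domain-suffix form; the client addresses in the test calls are constructed.

```python
"""Evaluate the TCP wrappers rules the article puts in /etc/hosts.deny and
/etc/hosts.allow for a given service and client.  Added example, not code
from the Silicon Chip article or from tcpd itself.  It implements the part
of the hosts_access(5) language the article's files use (daemon_list :
client_list, the ALL wildcard, exact addresses and a trailing-dot network
prefix) plus the leading-dot domain suffix, and applies tcpd's lookup
order: a hosts.allow match grants, then a hosts.deny match refuses, and a
client matched by neither file is allowed."""
from typing import List, Tuple

# The article's two files, reproduced here as constructed input.
HOSTS_DENY = """\
# /etc/hosts.deny
ALL: ALL
"""
HOSTS_ALLOW = """\
# /etc/hosts.allow
ALL: 127.0.0.1
ALL: 192.168.0.
"""

Rule = Tuple[List[str], List[str]]


def parse_rules(text: str) -> List[Rule]:
    """Each non-comment line is 'daemon_list : client_list [: shell_command]';
    list items are separated by commas or blanks.  A third field is ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def matches(pattern: str, value: str) -> bool:
    """One hosts_access pattern against one daemon name or client address/name."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # '192.168.0.' matches every address in that network
        return value.startswith(pattern)
    if pattern.startswith("."):        # '.example.net' matches host names in that domain
        return value.endswith(pattern)
    return pattern == value


def rule_matches(rule: Rule, daemon: str, client: str) -> bool:
    daemons, clients = rule
    return any(matches(d, daemon) for d in daemons) and any(matches(c, client) for c in clients)


def access(daemon: str, client: str, allow_text: str = HOSTS_ALLOW,
           deny_text: str = HOSTS_DENY) -> str:
    """Return 'allow' or 'deny' the way tcpd would decide for this connection."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"                     # no rule in either file: access is granted


if __name__ == "__main__":
    for daemon, client in (("in.telnetd", "210.10.178.105"), ("in.telnetd", "192.168.0.5"),
                           ("in.ftpd", "127.0.0.1"), ("in.telnetd", "192.168.10.5")):
        print(f"{daemon:10} from {client:15} -> {access(daemon,  client)}")
```

The last case in the demonstration is the one worth noticing: 192.168.10.5 is refused, because the trailing-dot pattern is a plain prefix match on the dotted address, not a netmask. The default-allow rule is also why the ALL: ALL line in hosts.deny matters; with both files empty, access() returns "allow" for every client.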