Silicon Chip, February 2003
COMPUTERS: Linux firewall logs
Using Linux To Share An Optus Cable Modem Internet Connection
Pt.4: Firewall logs, operating without a keyboard or monitor & automatic shutdowns
In this final article, there’s a useful script file to enable easy viewing of the firewall log, plus further advice on Internet security. We also describe how you can operate your Linux box without a keyboard or monitor and shut the system down correctly just by pressing the power switch!
By JOHN BAGSTER
A useful script file I wrote called zplog is available for free download from the SILICON CHIP website. In case you’re wondering where the name came from, I have a convention of starting all my programs and scripts with “z” so I know that they are “home grown” (not many commercial programs start with “z”). The “plog” bit stands for “packet log”.
I will not attempt to explain how it works as it contains a lot of diabolical “awk” code. However, if you read the “man” pages on “awk”, you should be able to make some sense of it.
The script can be run with or without arguments. The optional arguments are:
zplog [-a] [-e string] [-f fn] [-i] [-m nm] [-n] [-p] [-s] [-v]
Basically, running the zplog command displays ipchains packet logs. The optional command line switches can be in any order, and using no arguments will display packet logs using defaults (where applicable). Here’s what it all means:
-a – show ACCEPTs and MASQs (these are excluded by default).
-e string – gives a string to search for (ie, only include lines containing it). If -e is used more than once, then the patterns from all of them are matched (ie, a line must contain all the patterns). Matches are done before the site names, services or ICMP type names from any of the -i, -n or -p arguments are included, so you cannot match any of these (you can match numeric IP addresses, services and ICMP types).
-f fn – is the messages file; eg, messages.fn (the default if -f is missing). This is useful if the (syslog) messages file has recently been cleared.
-i – show ICMP type names.
-m nm – sets the number of messages to display (default is 10 if -m is missing).
-n – show the site name by doing a host command on IP addresses. This slows up the log output. Ignored if followed by -p.
-p – do a ping on IP addresses to try to get the site name. This is slower than using -n but shows you if the site is still on-line when the log is output. Ignored if followed by -n.
-s – show the service (port) name for TCP and UDP if it is in /etc/services.
-v – match all but the -e strings (ignored if no -e’s).
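As an added illustration of what the script does to each ipchains “Packet log:” line (this is my own Python re-implementation of the idea, not the author’s awk script), the block below keeps the timestamp, chain, action, interface, protocol name, endpoints, TCP flags and rule number, drops the L=, S=, I=, F= and T= fields, rewrites the box’s own addresses as eth1 and eth0.x, looks up service names as -s does, skips ACCEPT/MASQ unless -a is given, removes duplicates and honours -m. The external address, LAN prefix, service table and sample log lines are constructed assumptions, and -e, -n, -p and -i are not implemented.

```python
import re
# Constructed sample in the ipchains "Packet log:" format: line 2 duplicates line 1, line 5 is an ACCEPT.
SAMPLE_LOG = """\
Aug 22 17:58:50 fire-wall kernel: Packet log: input DENY eth1 PROTO=6 217.225.157.216:2634 210.49.34.215:21 L=48 S=0x00 I=8952 F=0x4000 T=113 SYN (#18)
Aug 22 17:58:50 fire-wall kernel: Packet log: input DENY eth1 PROTO=6 217.225.157.216:2634 210.49.34.215:21 L=48 S=0x00 I=8952 F=0x4000 T=113 SYN (#18)
Aug 22 18:14:54 fire-wall kernel: Packet log: output REJECT eth1 PROTO=17 210.49.34.215:62017 68.17.240.77:1214 L=1341 S=0x00 I=29821 F=0x0000 T=127 (#15)
Aug 22 18:50:48 fire-wall kernel: Packet log: input DENY eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=128 (#18)
Aug 22 19:01:02 fire-wall kernel: Packet log: input ACCEPT eth0 PROTO=6 192.168.0.5:1033 210.49.34.215:22 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
"""
EXTERNAL_IP = "210.49.34.215"      # assumed: the cable modem's public address, on eth1
INTERNAL_PREFIX = "192.168.0."     # assumed: the LAN behind eth0
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {21: "ftp", 22: "ssh", 67: "bootps", 68: "bootpc"}  # stand-in for /etc/services

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+ ?(?P<flags>[A-Z ]*)\(#(?P<rule>\d+)\)$")

def endpoint(ip, port, services):
    """Render ip:port as zplog does: own addresses become eth1 / eth0.x, -s appends =service."""
    if ip == EXTERNAL_IP:
        ip = "eth1"
    elif ip.startswith(INTERNAL_PREFIX):
        ip = "eth0." + ip[len(INTERNAL_PREFIX):]
    name = SERVICES.get(port) if services else None
    return f"{ip}:{port}" + (f"={name}" if name else "")

def format_line(line, services=False):
    """One zplog-style line (L=, S=, I=, F=, T= dropped), or None if this is not a packet log."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = [m["ts"], m["chain"], m["action"], m["iface"], PROTO_NAMES.get(int(m["proto"]), m["proto"]),
             endpoint(m["src"], int(m["sport"]), services), endpoint(m["dst"], int(m["dport"]), services),
             m["flags"].strip(), f"(#{m['rule']})"]
    return " ".join(p for p in parts if p)

def zplog(text, show_accepts=False, services=False, limit=10):
    """Script defaults: skip ACCEPT/MASQ unless -a, drop exact duplicates, keep the last -m lines."""
    out = []
    for raw in text.splitlines():
        line = format_line(raw, services)
        if line is None or (not show_accepts and line.split()[4] in ("ACCEPT", "MASQ")):
            continue
        if line not in out:
            out.append(line)
    return out[-limit:]
```

Running zplog(SAMPLE_LOG, services=True) yields the same shape of output as the zplog -s listings shown under “Example logs”.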
Example logs
In the following examples, there are only five messages shown instead of the expected 10. That’s because five duplicates have been removed.
Note also that these logs were produced by a “stronger” firewall (cablefirewall.unfriendly) than the one presented in Pt.3 – one that rejects a lot of outgoing UDP to stop spyware sending things out (the simple firewall presented in Pt.3 doesn’t stop outgoing Internet traffic). Cablefirewall.unfriendly is too long to publish here but can be downloaded from the SILICON CHIP website. The script is fully commented and experienced Linux users should have little trouble adapting it to their needs. Please note, however, that neither SILICON CHIP nor the author are in a position to offer any further advice on this firewall.
Here are some typical tail /var/log/messages packet logs (grep -e "Packet log:" /var/log/messages | tail):
Aug 22 17:17:15 fire-wall kernel: Packet log: output REJECT eth1 PROTO=17 210.49.34.215:61499 67.233.33.88:1214 L=1341 S=0x00 I=54295 F=0x0000 T=127 (#15)
Aug 22 17:58:50 fire-wall kernel: Packet log: input DENY eth1 PROTO=6 217.225.157.216:2634 210.49.34.215:21 L=48 S=0x00 I=8952 F=0x4000 T=113 SYN (#18)
Aug 22 18:13:55 fire-wall kernel: Packet log: input DENY eth1 PROTO=6 210.244.158.43:22 210.49.34.215:22 L=40 S=0x00 I=31977 F=0x0000 T=122 SYN (#18)
Aug 22 18:14:54 fire-wall kernel: Packet log: output REJECT eth1 PROTO=17 210.49.34.215:62017 68.17.240.77:1214 L=1341 S=0x00 I=29821 F=0x0000 T=127 (#15)
Aug 22 18:50:48 fire-wall kernel: Packet log: input DENY eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=128 (#18)
Here are the same messages via zplog:
Aug 22 17:17:15 output REJECT eth1 udp eth1:61499 67.233.33.88:1214 (#15)
Aug 22 17:58:50 input DENY eth1 tcp 217.225.157.216:2634 eth1:21 SYN (#18)
Aug 22 18:13:55 input DENY eth1 tcp 210.244.158.43:22 eth1:22 SYN (#18)
Aug 22 18:14:54 output REJECT eth1 udp eth1:62017 68.17.240.77:1214 (#15)
Aug 22 18:50:48 input DENY eth0 udp 0.0.0.0:68 255.255.255.255:67 (#18)
And with zplog -n -i -s, we get:
Aug 22 17:17:15 output REJECT eth1 udp eth1:61499 67.233.33.88 (1Cust88.tnt1.valparaiso2.in.da.uu.net):1214 (#15)
Aug 22 17:58:50 input DENY eth1 tcp 217.225.157.216 (pD9E19DD8.dip.t-dialin.net):2634 eth1:21=ftp SYN (#18)
Aug 22 18:13:55 input DENY eth1 tcp 210.244.158.43 (c43.h210244158.is.net.tw):22=ssh eth1:22=ssh SYN (#18)
Aug 22 18:14:54 output REJECT eth1 udp eth1:62017 68.17.240.77 (adsl-17-240-77.jax.bellsouth.net):1214 (#15)
Aug 22 18:50:48 input DENY eth0 udp 0.0.0.0:68=bootpc 255.255.255.255:67=bootps (#18)
Apart from the fact that zplog only returns packet logs, the format it returns is a lot easier to interpret. It displays the internal network (192.168.0.x for example) as eth0.x and the external IP address as eth1 (these will be swapped around if you have eth0 and eth1 swapped) to make interpretation easier.
Beefing Up Security On Your Linux Box
Apart from having a good firewall, there are a few other things you can do to beef up security. First, edit the /etc/hosts.deny and /etc/hosts.allow files so that only PCs on your internal network can access the Linux gateway. That’s done by first opening /etc/hosts.deny and adding the following rule at the end of the commented section:
# /etc/hosts.deny
ALL: ALL
This tells the “TCP wrappers” to deny connections to all services from all hosts. So we need to weaken this rule by adding some exceptions to /etc/hosts.allow, as follows:
# /etc/hosts.allow
ALL: 127.0.0.1
ALL: 192.168.0.
This tells the “TCP wrappers” to allow connections to services from the local machine (127.0.0.1) and from the local network (192.168.0.). And yes, you must include the full stop at the end of the second line.
Another very effective way to improve security is to shut down any services that you don’t need and restrict access to any that you do need. Have a look at the articles published in the June 2001, August 2001 and September 2001 issues of SILICON CHIP if you require detailed information on how to do this.
You should also only set up users that you need. If you connect via SSH, you will need one user who can log in (other than root). If you require other users for email, etc, create them with a shell of /bin/false and a login directory of /dev/null so they cannot log in.
Do not remove the existing root access restrictions to allow root to log in via SSH (or similar). Instead, log in as a normal user and then use su to log in as root.
If you use Samba to transfer files back and forth, then don’t set up home shares. Restrict access to one share limited to one directory and have a password on it. Make sure you include an interfaces command in your smb.conf file to stop Samba using the cable modem interface, as Samba by default uses all interfaces.
If you are using a terminal utility to connect to your Linux box, use SSH instead of Telnet and disable the Telnet service. That’s because SSH encrypts all data, while Telnet sends plain text (including passwords). Having said that, I have been using Telnet on my internal network for months and have not had any security problems, because the firewall rules and hosts.allow and hosts.deny files stop any would-be crackers anyway.
Finally, having a good firewall doesn’t mean you can become complacent. Be sure to keep an eye on your log files and remember to install any security updates as they come along.
Just remember this: human beings are clever and resourceful little blighters and no protection system or firewall can be guaranteed to be foolproof.
No keyboard or monitor
If you have a method of communicating with the Linux PC other than via the keyboard and screen (eg, a terminal utility such as SSH), you can dispense with the keyboard and screen. The February 2002 issue of SILICON CHIP explained how to do this, by making up a dummy keyboard.
In my case, I had to make up a dummy keyboard in a small box but depending on your BIOS, you may be lucky and not have to do this. My Linux PC also made several annoying beeps when booting if it didn’t have a monitor – but it would boot. I found that the “three 75Ω resistors in the dummy SVGA plug” trick cured this (see SILICON CHIP, February 2002).
If you aren’t using a screen or keyboard, you won’t be using a graphical interface like Gnome or KDE, so you don’t need a mouse either! A word of warning though: if you do have a mouse plugged in and remove it, Linux will prompt you about its removal the next time the system restarts. So if you want to remove the mouse, unplug it and restart the system and follow the screen prompts before you remove the screen and keyboard.
Here’s a cunning idea: you can make a dummy keyboard by scrounging the circuit board inside a “real” keyboard that’s been discarded. The circuit board can then be housed inside a small plastic case, or even hidden inside the main system case (see SILICON CHIP, February 2002).
Switching off
It’s all very well to run your Linux box without a mouse, keyboard or monitor but how do you shut it down in an orderly fashion without these components? Well, if your Linux PC has an ATX power supply, you can download a utility called “Powerswitch” from http://deadlock.et.tudelft.nl/~joris/powerswitch/ and install it.
The instructions that come with it are easy to follow and once installed, the driver automatically shuts Linux down and powers off the machine whenever the power switch is pressed.
Since the standard Linux modules are in directories within /lib/modules, I created a directory called /lib/modules/3rdparty and put powerswitch.o in that, but you could put it anywhere. It needs to be loaded on system start-up and this can be done by including the appropriate entry (eg, /lib/modules/3rdparty/powerswitch) in the /etc/rc.d/rc.modules file (see Pt.2 of this series in last month’s issue).
This module works by trapping the suspend mode and executing shutdown -h now.
Apart from that, there are just a few BIOS settings to tweak. First, the BIOS must be configured so the power switch enables suspend mode when it is briefly pressed (ACPI support = yes in mine). Second, I found that I had to set the CPU and monitor entries to suspend for powerswitch to activate. And third, it is important to disable all suspend timers in the BIOS, otherwise the PC will shut down when one of these activates!
If you cannot get powerswitch to do a shutdown (or if the system shuts down incorrectly), play around with the power settings in the BIOS.
Provided everything is OK, pressing the power switch will now result in Linux shutting down correctly before the PC switches off.
The powerswitch module is very handy and does make one lazy! Why log in to shut down when you can simply turn the PC off? It is also a nice safety feature, as Linux doesn’t like being switched off without being shut down in the correct manner.
DISCLAIMER
Although the two firewalls mentioned in these articles
should make for a reasonably secure system (especially
if unwanted services are turned off), neither Silicon Chip
Publications nor the author can offer any guarantees.
If security is vital to your organisation, be sure to seek
expert professional advice when it comes to setting up
a firewall.