Linux Networking, Part 6: Securing Your Network
Preparing for the Worst

The only sure way to lock down a PC is to disconnect it from any network and never load a program or a document file that supports macros. That is rather impractical, especially when our goal is to connect the network to the Internet. There are a number of avenues and methods through which the security of a network can be breached. Attacks from the Internet through the firewall are the ones we look at here. Other threats include computer viruses and insider manipulation.

Attacks from the Internet can be divided into two types. The first are those that try to gain access to the router/firewall or the network itself. These are the ones we will concentrate on. The second type attempts to prevent the connection to the Internet from being used. These attacks are made from computers on the Internet and flood the firewall. There is not much typical users can do about this second type without the help of their Internet service providers and some rather technical assistance. Luckily, this type of attack will not result in the loss of information or compromise the security of the network.

Unfortunately, people trying to gain access to the network from the Internet are often determined and well equipped with attack software. It is therefore important to have multiple security measures in place. We will take a look at the security measures implemented on the Linux router/firewall discussed in the previous articles, but these measures should not be the only ones employed. Additional measures should be incorporated on network workstations as well, to limit problems should the router be compromised. In particular, user names and passwords should be used on workstations. Firewall configurations can also be employed on workstations. Linux workstations can use some of the techniques presented here, while Windows workstations can use third party products to provide similar firewall services. Finally, there are general preparations and vigilance.

Check access logs periodically to see if they indicate improper or unusual access. Keep multiple backups in case data is corrupted. Make sure the root password is long and complicated. It can be something simple to remember like I12like34a56secure78server90. Use different root passwords for different servers. It makes logon more difficult, but it means that compromising one server does not compromise the network. Also, do not create default or dummy users with minimal or blank passwords.
Firewalls and Services

There are three areas where Linux network security can be compromised. The first is the network interface where the firewall exists. We look at all three in detail, including the firewall, server-based services and remote access to the router or network via a PC connected to the Internet. This security discussion is very basic, so those with serious security concerns should take a look at any one of a number of books on Linux server and network security. The details outlined here should be sufficient for an on-demand modem connection, since the IP address of the router will change each time, providing an additional level of obscurity from an Internet point of view. Those with "always on" DSL or cable modem connections should pay close attention and probably pick up a book on security, as these types of connections are most prone to attack: the average user with this type of connection is typically unconcerned with security and is a prime target for hackers.

Firewall

The ipchains firewall configurations in the last two articles were presented in an open and a tight security version. The open version should be avoided, since it allows Internet systems to access the router and possibly the internal network. Security tends to be better if NAT masquerading is used, but the router is still prone to attack. The tight security version allowed local computers and the router to access the Internet through a single connection. The computers on the network have unlimited access to any IP port, but this can be tightened up by using ipchains to allow only selected ports to be used. This would be the case if access were restricted to POP3 email and web browsing. Port 80 is normally enabled for web browsing, and POP3 mail uses ports 25 (SMTP) and 110 (POP3).

The file

The ipchains program has built-in logging capabilities using the -l or --log options. This is handy when trying to debug a tighter router configuration.
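As an added example (not a script from the article), the following shell script tightens the forward chain of an ipchains router to the web and mail ports just mentioned and logs everything else with -l. The LAN address 192.168.1.0/24, the ppp0 interface and the IPCHAINS variable are assumptions; DNS is added because web browsing does not work without name resolution.

```shell
#!/bin/sh
# Tight outbound policy for an ipchains router: LAN hosts may reach only web
# (80), SMTP (25) and POP3 (110) servers on the Internet, plus DNS so names
# still resolve; anything else from the LAN is logged and denied.
# Assumed (not from the article): LAN 192.168.1.0/24, Internet link on ppp0,
# and ip_forward already enabled.  Set IPCHAINS="echo ipchains" to print the
# rules instead of loading them.
LAN_NET=${LAN_NET:-192.168.1.0/24}
EXT_IF=${EXT_IF:-ppp0}
IPCHAINS=${IPCHAINS:-ipchains}

# TCP ports the LAN may open toward the Internet
allowed_tcp_ports() { echo "80 25 110"; }

apply_forward_rules() {
    $IPCHAINS -F forward          # start from an empty forward chain
    $IPCHAINS -P forward DENY     # default: forward nothing
    for port in $(allowed_tcp_ports); do
        $IPCHAINS -A forward -p tcp -s "$LAN_NET" -d 0.0.0.0/0 "$port" \
            -i "$EXT_IF" -j MASQ
    done
    # name lookups (UDP 53) are needed before any of the above is useful
    $IPCHAINS -A forward -p udp -s "$LAN_NET" -d 0.0.0.0/0 53 -i "$EXT_IF" -j MASQ
    # -l writes the denied packet to the kernel log, which is what you read
    # when checking for unusual activity coming from the LAN
    $IPCHAINS -A forward -s "$LAN_NET" -j DENY -l
}

# load the rules only when invoked as: sh tight-forward.sh apply
if [ "${1:-}" = apply ]; then apply_forward_rules; fi
```

Running it with IPCHAINS="echo ipchains" first lets you review the generated rule set before loading it on the router.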
Check the ipchains online manual pages for more details.

Services

Linux can run a number of services or daemons on a router, such as a web server or FTP server. In general, these additional services should be avoided unless you have some security expertise with respect to the service. For example, the Apache web server can be secured in a number of ways, especially if it is only serving up static web pages. Add a few forms or something even more complex and all bets are off. Keeping up with the latest releases and security updates for the respective application is important for preventing a security breach through the service.

If two servers are available, then use one for the router/firewall and the other for the Internet services. Configure the firewall to pass packets for a specific port through the router to the second server with the services. It is even possible to configure a router with three adapters so the server with the services is placed on its own network. The router can then provide Internet access to the local network and to the network with the services server. This is a rather complex configuration and one more in line with a small to medium size business than a home network. A simpler approach is to allow a service such as a web server to support only the local network. This is normally done through the service configuration file. For the Apache web server, the file is

Turning off excess services is relatively easy. Most are started by the inetd service configured using the

; comment telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

Online documentation provides the details, but in general few services are necessary for running Linux as a router. Likewise, certain services should not be used on the router for security reasons, such as the telnet server listed above, because this can provide remote access to Linux. Just add a semicolon before the word telnet to disable this service when the system is restarted.
If you have a console on the Linux PC then you can disable just about everything. Do this incrementally if you do not know which service provides functionality that you may want to retain. If you need remote access then check out the next section about adding a secure remote access service before disabling remote access services such as telnet that you might already be using for configuration. The same is true if the Linux PC is being configured via a web browser interface. If services like the Apache Web server must be enabled then consider using the tcp_wrappers program, written by Wietse Venema, who also wrote the SATAN network diagnostic package. SATAN can be used to test the security of a firewall from another Linux PC on the Internet. The tcp_wrappers program is more efficient than inetd and allows services to be run using a specific user. This should be something other than root. The Linux file system security can then limit access to the service's resources even if the service is compromised. It is even possible to have multiple web services that are independent and assigned different user accounts.
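Added example, not from the article: a shell script that writes the tcp_wrappers hosts.allow and hosts.deny pair limiting wrapped daemons to the local network, plus a small checker that mirrors the order tcpd consults the two files, so the policy can be verified before a daemon is exposed. The LAN prefix 192.168.1., the WRAP_DIR variable and the daemon names are assumptions.

```shell
#!/bin/sh
# tcp_wrappers policy for a router that should serve only its own LAN.
# write_wrapper_files() creates hosts.allow/hosts.deny; wrapper_decision()
# mirrors the order tcpd consults them (hosts.allow, then hosts.deny, then
# allow by default) so the policy can be checked before a daemon is exposed.
# Assumed, not from the article: LAN prefix 192.168.1. and WRAP_DIR (/etc on
# the router, a temporary directory when testing).
WRAP_DIR=${WRAP_DIR:-/etc}
LAN_PREFIX=${LAN_PREFIX:-192.168.1.}

write_wrapper_files() {
    cat > "$WRAP_DIR/hosts.allow" <<EOF
# wrapped daemons reachable from the LAN only
sshd, in.telnetd: $LAN_PREFIX
EOF
    cat > "$WRAP_DIR/hosts.deny" <<EOF
# without this line tcpd admits anything not matched in hosts.allow
ALL: ALL
EOF
}

# does comma separated list $1 match $2: ALL, a prefix ending in '.', or exact
list_has() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            ALL) return 0 ;;
            *.) case $2 in "$item"*) return 0 ;; esac ;;
            "$2") return 0 ;;
        esac
    done
    return 1
}
# does file $1 hold a "daemons: clients" line matching service $2, client $3
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        case $line in \#*|'') continue ;; esac
        daemons=${line%%:*}; clients=${line#*:}
        list_has "$daemons" "$2" && list_has "$clients" "$3" && return 0
    done < "$1"
    return 1
}

wrapper_decision() {   # usage: wrapper_decision sshd 10.0.0.5 -> allow|deny
    if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow; fi   # tcpd's answer when neither file matches
}
```

The last branch is the point to notice: without an "ALL: ALL" line in hosts.deny, any daemon not listed in hosts.allow is reachable from anywhere.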
Remote Access

Access to a Linux PC is usually through the main console or through a remote access package such as telnet. Telnet is normally enabled for Linux installations and is useful in a secure network. It is a potential problem in an insecure environment like the Internet, because the user name/password signon and the following session communication are unencrypted. If remote access is necessary, then consider using a secure shell (SSH) service. This operates like the telnet service and remote telnet client, except that the signon along with the entire session are encrypted. SSH is a good way to access Linux remotely, but do not get rid of strong (long) passwords, as both are needed for good security. SSH can provide console access, and can also be used with other applications such as X Window. This allows remote graphical access over a secure, encrypted channel. We do not go into detail about SSH installation, but in general it is a relatively simple task, especially if you can obtain RPM files for the service and client. SSH supports a number of different encryption methods. Most implementations even support digital key authorization, which is even more difficult to crack than user name/password logins. SSH has not been bundled with most Linux distributions for licensing reasons, but it is readily available on the Internet from a number of different sources including OpenSSH. The www.freessh.org Web site is another source of SSH information, including resources and discussions about SSH alternatives.
Commercial versions of SSH are available from a number of companies such as SSH Communications Security. Commercial versions tend to have slightly better documentation and immediate support and there may be additional features that are lacking in noncommercial versions, such as encryption key management. Most home installations will be best served by the free versions of SSH.
SSH clients are available for non-Linux operating systems, such as Windows. This is handy if the remote PC is not running Linux as may be the case when using a company-provided laptop that runs Windows. Check out the Win32 Telnet/SSH client by Simon Tatham.
I highly recommend using SSH for remote management of a router and remote access of a local network.
The SATAN program is one way to check out your router configuration, but requires another Linux PC running SATAN.
A useful site for network tools, albeit Windows-based, is Gibson Research Corp. Check out the Shields Up! section. It provides a basic test of your Linux router including what services can be seen from the Internet.
Getting access to the Internet is only half the job. Keeping the firewall secure is the other half.