Total Pageviews

Search: This Blog, Linked From Here, The Web, My fav sites, My Blogroll

Translate

19 March 2010

Ubuntu --- Network Configuration and Security

  • Real hackers are the electronic equivalent of the National Geographic Society or “Star Trek,” boldly going where no person has gone before.
  • People who break into systems to damage or exploit them are crackers (regard USA mostly in the southern parts of the United States) who give everyone else a bad name.
  • Ubiquitous networking begets the easy availability of tools that enable this sort of thing. The people that use them are often so-called “script kiddies” who use existing tools to demonstrate cleverness in the same way that giving a child an Uzi demonstrates marksmanship.


Almost from the very beginning of home computing in the 1970s, personal computers have reached out to touch other types of computer systems. Long before ISPs, and before the Internet even existed, home computer fans used modems to access bulletin board systems(BBSs), remote mainframe or minicomputers, and ancient content providers like Compuserve and AOL, using various terminal emulation programs to communicate with each other, transfer files, and so on. Early store-and-forward mechanisms such as the Unix-to-Unix Calling Program (UUCP) and fidonet provided great ways of disseminating files and other information across slow networks of computer systems that were networks only in the sense that they knew each other’s phone numbers.
    The conversion of the ARPANET to the Internet and its resultant commercialization gave birth to the notion of ISPs, commercial Internet Service Providers, who provided a mechanism for home computers to directly access the Internet, albeit through kludgey point-to-point solutions that still depended on a modem and thus provided Net surfing speeds that were only guaranteed (supposedly) to be greater than zero. Regardless, the advent of the ISP ended the concept of the PC as an asynchronous island, making it a real participant in the Internet, even if slowly.
    As ISPs surfaced and became a fundamental utility for many home computer users, networking and PC hardware costs continued to drop, approaching the commodity hardware pricing normally associated with toasters and refrigerators. The reality of more and more home computer users, even in the same homes, introduced the notion of home computer networks, often stand-alone or with modems still connecting specific systems to the Internet by functioning as a 9600 or 56KB gateway to the Internet via an ISP. We all owe much to those pioneering users of home computer who were willing to access the Net and download porn though such tragically slow connections.
    Broadband Ethernet, even cheaper wired network hardware, and the explosive growth of wireless networking has made networking a true reality for many home computer users. Home computer systems may now have real IP addresses and functional connection speeds to the Internet, and are also commonly members of home computer networks that share those connections to the net using mechanisms such as Native Address Translation (NAT).
    Better networking and network access comes at a price. Ubiquitous networking gives thousands of “randoms” access to your computer system through a real IP address or Web server and other network processes. Most of them could care less, some are simply curious, and others are downright malicious. The last set gives everyone else a bad name by actively trying to break into computer systems to exploit them in some fashion. I have no problem with hackers who are simply curious about what’s out there — exploration has always been a fundamental part of the human condition.
    Unfortunately, there are plenty of unscrupulous crackers who would love to break into your machine and damage it or turn it into some sort of zombie system, either to supposedly demonstrate their cleverness or to somehow make a buck. Sigh. Ubiquitous networking begets the easy availability of tools that enable this sort of thing.
    The bottom line of ubiquitous networking is that security becomes everyone’s job. If you live in a small town that considers taking two newspapers from the box on the corner a serious crime, locking your door at night may seem silly. Unfortunately, when you use a personal computer with network access, you are part of the big city known as the Internet. The administrators of enterprise and academic systems that require continuous access to the Internet have known this for a long time. Sadly enough, nowadays your grandmother, parents, and you have to worry about it too. Security is more of a concern today than it has ever been before, and tomorrow will just be worse.
This post provides a basic introduction to networking, explains the tools that Ubuntu Linux provides to graphically configure and test your network, and (most importantly) provides some general guidelines on how to secure your system to protect it as best as anyone can. There’s an old saying in the IT biz that the only truly secure system is one that isn’t connected to anything. Although this is true, it’s also impractical.
    There are easy rules to follow to minimize the chances that your system will be broken into. You’re already running Ubuntu Linux, which puts you miles ahead of the millions of vulnerable Windows 98, ME, and 2000 XP Vista users out there.


Networking 101

Most modern computer systems can communicate with other systems and devices over a type of network called Ethernet, using the Transmission Control Protocol/Internet Protocol (TCP/IP) and Universal Data Packet (UDP) protocols. Ethernet was invented by Xerox Corporation at Xerox PARC (Palo Alto Research
Center) in the early 1970s. Like most things they’ve invented — except for the photocopier — Xerox failed to make money from Ethernet, which was actually commercialized by many companies (like 3COM, which was founded by the inventor of Ethernet networking, Bob Metcalf, who knew a good thing when he invented it).
    Until a few decades ago, “the Internet” was a fairly techie term, used only by people whose employers or academic experience offered connectivity to the Internet or its predecessor, the ARPANET. The creation and popular explosion of the World Wide Web and the advent of e-mail as a replacement for phone calls changed all that — suddenly, there was a reason for people to want (or perhaps even need) access to the Internet.
    Early home Internet connectivity was primarily done through dial-up connections that emulated TCP/IP connections over dial-up lines using protocols such as Serial Line Internet Protocol (SLIP), Compressed SLIP (CSLIP), or Point-To-Point Protocol (PPP). Unless you were a serious computer geek, developer, or
 researcher, a home network was somewhat rare, but the advent of broadband access to the Internet through cable and telephone providers changed all that. As mentioned, home networks are becoming more common but most people have never needed to set one up before now. If you use a single PC, Mac, or workstation as your sole home machine, a straight connection to a cable or DSL  modem works just fine. However, the instant you want to enable multiple machines to communicate over a home network, you may encounter unfamiliar terms like hubs, switches, 10-BaseT, RJ45, crossover-cables, uplink ports, packets, gateways, routers, Cat5, and a variety of others that pass for popular nouns among nerdier users. Here i tell you how to set up a simple home network and makes you comfortable with the network-related terms that are in use. For more detailed information, consult any of the hundreds of texts available on home networking.
    The basic element of a modern network connection is a standard Ethernet cable, which is just a length of multistrand cable with connectors on either end that enable you to connect a network card in your personal computer (or whatever type) to another network device. The most common connectors used today are plastic connectors known as RJ-45 connectors, which is a transparent plastic jack that looks like a fatter version of a standard telephone cable connector. Ethernet cables that use these connectors are often known as 10-
 BaseT, 100-BaseT, or even 1000-BaseT, where the numeric portion of the name indicates the speed of your network — the cables are the same. 1000-BaseT is more commonly known as gigabit Ethernet, and is the  up-and-coming standard, because things tend to get faster. 10/100 Ethernet (10 megabit or 100 megabit) is
 the standard nowadays.
 You may also encounter the term 10-Base2 when researching network cards. This is an older type of 10-megabit Ethernet cabling that uses shielded Bayonet Neill-Concelman, or Baby N Connector (BNC) cables, and is not supported by most networking hardware today.
The best way to visualize the Internet or any Ethernet network is as an extremely long piece of cable to which several computers and network devices are attached. In the simplest case, you must use a device called a hub, switch, or router to attach multiple machines to an Ethernet.
  • A hub is a device with multiple incoming connectors for attaching the Ethernet cables from different machines, with a single output connector that attaches it to another Ethernet device such as a cable modem, another hub, or a switch, router, or gateway. Network communications on any incoming port of the hub are broadcast to all other devices on the hub and are also forwarded through the outgoing connection. 
  • Switches are much like hubs on steroids because they keep track of how network connections between different machines are made and reserve dedicated internal circuitry for established connections. Switches are therefore both typically faster and more expensive than hubs (that's not true nowadays) because they do more.
  • Gateways and routers are similar to hubs and switches, but are designed to provide connectivity between different networks. If a machine that you are trying to connect to isn’t immediately found on your local network, the request is forwarded through your gateway, which then sends it on.
Network communication is done using discrete units of information that are known as packets. Packets contain the Internet Protocol (IP) address of the host that they are trying to contact. IP addresses are in the form of NNN.NNN.NNN.NNN, and are the network equivalent of a post office box, uniquely identifying a specific machine. Packets for an unknown local host are sent through your gateway.
Routers are expensive, sophisticated pieces of hardware that direct network communication between multiple networks, translate packets between different network communication protocols, and limit network traffic to relevant networks so that your request to retrieve a file from a machine in your son’s bedroom isn’t broadcast to every machine on the Internet.
 The most common way to connect machines on a home network is to use a hub or a home gateway that is connected to your cable or DSL modem. The difference between these is that a hub simply forwards packets through its outgoing connector (known as an uplink port because it simply links the network connections on that device with those on another, forwarding network packets to the other device and is, therefore, wired differently). A home gateway may convert internal network addresses to addresses that are compatible with the outside world before sending the information on through its outgoing or uplink connector. If you’re using a hub to connect your home network to your cable or DSL modem, each machine on your home network would require an IP address that is unique on the Internet. This can be expensive, because most ISPs charge money for each unique host that can be connected to the Internet from your home at any given time. Home gateways provide a way around this because they enable your home network to use a special type of IP address, known as a nonroutable IP address, to assign unique internal network addresses.
    The gateway then internally translates these to appropriate external addresses if you’re trying to connect to a machine on the Internet. The most common nonroutable IP addresses are in the form of 192.168.X.Y,  where X and Y are specific to how you’ve set up your network.
If you’re really interested, you can get more information about non-routable IP addresses and address translation in the Internet RFCs (Request for Comment) that defined them, 1597 and  1918.
IP addresses are assigned to computer systems in two basic ways, either statically or dynamically.
  • Static addresses are unique to your home network that are always assigned to a particular machine. 
  • Dynamic addresses are addresses that are automatically assigned to a computer system or network device when you turn it on. 
Most ISPs use dynamic addresses because only a limited number of IP addresses are available on the Internet. Using dynamic IP addresses enables your ISP to recycle and reassign IP addresses as people turn their machines off and on. Most dynamic IP addresses nowadays are assigned using a protocol called  Dynamic Host Configuration Protocol (DHCP), which fills out the network information for your system when it activates its network interface, including things like
  • the IP address of a gateway system and 
  • the IP addresses of Distributed Name Service (DNS) servers that translate between hostnames and the IP addresses that they correspond to.
To use static addresses on your home network, you simply assign each machine a unique, non-routable IP address from a given family of nonroutable IP addresses. For example, most of my home machines have static addresses in the form of 192.168.6.Y. Because I use a home gateway, I’ve configured it to do address  translation (more specifically known as NAT, or Network Address Translation) to correctly translate between these addresses and the external IP address of my home gateway box.
    If you want to use Dynamic IP addresses on a home network, one of the machines on your home network must be running a DHCP server. Most home gateways nowadays have built-in  DHCP servers that you simply configure to hand out IP addresses from a specific range of addresses (192.168.6.240 through 192.168.6.250, in my case). Once you activate address translation on your home  gateway, your gateway will route packets appropriately.
Remember that your home gateway is probably getting its IP address by contacting your ISP’s DHCP server, whereas hosts on your internal network will get their IP addresses from your DHCP server. 
Don’t set up hosts on an internal network to contact your ISP’s DHCP server unless you:
  • have only a single machine on your home network or 
  • want every one of your machines to be visible on the Internet.
If you are using:
  • a home gateway that doesn’t provide a DHCP server or
  • want to have more control over what your DHCP server does, or
  • are using Ubuntu Linux in an enterprise or commercial setting
you may want to set up your own DHCP server on an Ubuntu system.
    A final aspect of networking is how your system identifies and locates specific computer systems on the Internet. This is typically done through the Domain Name Service (DNS).
    As you might expect, the Internet is knee-deep in Web sites that provide more general information about home networking. For truly detailed information about setting up and configuring a home network on a specific type of machine and operating system, see any of the hundreds of books on those topics at your local bookstore.



Manually Configuring Your Network Hardware


Configuring the network hardware on your computer system is part of the Ubuntu installation process, which requires network access in order to download the bulk of a vanilla installation of Ubuntu Linux.
    However, things change. You may install new network hardware, change existing hardware from relying on DHCP to using static IP addresses on your network, prioritize one interface over another in multiport machines such as laptops, or simply want to have a better understanding of how networking works or is configured on your system(s).
    In the past Ubuntu releases provides a convenient tool for reconfiguring existing networking interfaces and configuring new ones called gnome-network-admin package (System ➪ Administration ➪ Networking menu item to start this tool). Nowadays (although gnome-network-admin is available to repos but no more supported by Canonical) instead Ubuntu come with NetworkManager Applet in the up panel. Right click on them ➪ click Edit
connections (you don't have to supplying your password), a dialog displays. The contents of this dialog depend on the number and type of possible Ethernet interfaces that are available on your system. By default, the networking application dialog always displays a Point-to-Point Protocol (PPP) item regardless of whether a modem is present in your system, because PPP Ethernet network connections are also possible over standard serial ports.
Systems on which multiple Ethernet connections are available are quite common today. If you are using multiple Ethernet connections simultaneously, it usually only makes sense to have them connected to different network, because network routing is somewhat confusing otherwise. Systems with multiple Ethernet connections where each of these connections are attached to different networks are known as multi-homed systems.
 For the rest of this &, I’ll use the sample system that provides both wired and wireless Ethernet inter faces because that is a common configuration that many laptop users will recognize. Desktop computer systems typically provide a single or double Ethernet interface — providing multiple wired  Ethernet interfaces is fairly uncommon, and is normally seen only in systems that route between multiple networks or need a separate network for applications or system development and testing.
    Regardless of what the initial Networking Connections dialog looks like on your system, you can select any of the network interfaces in their tabs(Wired, wireless etc) displayed in this and click Edit to examine or modify its current configuration. You’ll notice that this Ethernet interface is configured to use DHCP to dynamically obtain an Ethernet address, so many of the network configuration options are not active. To transform this same network configuration dialog for a wired Ethernet interface that uses a static IP address
  1.  Go to IPv4 Settings tab in Editing network interface name dialog
  2. change Method: automatic(DHCP) to Manual 
  3. click Add button and fill your LAN's  (non-routable) host IP (like 192.168.1.3) and netmask (mostly 255.255.255.0) address. 
  4. If you want you can fill the Ip's of DNS servers (primary,secondary) like that on OpenDNS. If  you are not using DHCP (i.e. in Automatic(DHCP) adresses only and manual), you must fill DNS's. This setting is common to all of the Ethernet interfaces on your system, so if you are configuring a second Ethernet interface, you may not need to provide this information.
  5. Optionally when present  in DHCP client IP goes mostly the home gateway  non-routable (local) IP address like 192.168.1.1 or any other DHCP server in LAN.
  6. Once you’ve defined the properties for the network interface that you want to configure, click OK to close the properties dialog
As mentioned in the “Networking 101” &  most systems today use Domain Name Service (DNS) servers to find out the IP addresses associated with different systems on a network. Though you and I simply want to go to  www.google.com, your computer needs to know the numeric network address of that system.
 Also, as mentioned previously, this is usually necessary only on systems that do not get their IP addresses via DHCP, because most DHCP servers also provide the IP addresses of DNS servers as part of the general network configuration information that they provide.
Because DNS servers are the usual source of information that map IP addresses to hostnames, you can enter only IP addresses in this dialog. If you somehow specified a hostname, your system would need to use a DNS server to figure out the IP address associated with that name, which would  cause a nasty chicken-and-egg loop.
On most systems, your Network settings dialog contains only a single network interface. At this point, you’ll probably want to test your new network configuration to ensure that everything is working correctly. Ubuntu  provides a nice graphical tool for testing your system’s networking capabilities. For information about using  that tool, see the & later in this section entitled “Network Testing with GNOME’s Network Tools.”
    If you are using a system with multiple network interfaces, see the next section for information about making the most of them by using different interfaces in different locations.


Manually Configuring Modem Connections

As mentioned in the previous &, all Ubuntu Linux installations include an option for establishing network connections via PPP , which is a modern way of creating a network interface that runs over a serial or modem connection.
    Though broadband Internet access is becoming more and more common, dial-up connections using protocols such as PPP are still the way in which some people connect to the Internet. I suspect that this will change, both because people will get tired of waiting for complex Web pages to load, and  because telephone and cable companies can make a lot more money from you once you get used to the wire Internet that broadband Internet access provides. Many people, including myself, have both — I use my dial-up account primarily as a fallback whenever the cable in my suburban neighborhood goes out, but it’s also generally useful for testing purposes. However, PPP accounts are also useful for portability. Until recently, many of my vacation planning sessions have included getting a free AOL CD and setting up an account so that I can read my mail and submit posts like this one with minimal toll charges from whatever retro paradise my wife and I have chosen to vacation in.
    At any rate, PPP connections to the Internet via a modem are still very useful in many cases. My first Linux systems required me to write a little script, connect to my ISP, sacrifice a chicken, and hope for the best. Both protocols and ISP support have improved since then. Ubuntu’s Network settings utility makes it just as  easy to configure a PPP connection as it is to set up a physical network interface.
    To configure a dial-up PPP connection to a network (premised that you have a hardware modem --instead of a winmodem that use the cpu. Winmodems not work in Linux unless it is supported by sl-modem-daemon-- they do not require particular drivers and Ubuntu should recognize any external hardware modem.) open a terminal window and type in  
  1. sudo pppconfig, which is a configuration program included in Ubuntu that sets up an internet connection, and followed the instructions from there. During the configuration process you get the option to give a name to your internet connection such as myISP. There are plenty good guides on the net and even the man page for pppd is very helpful in itself.
  2. Connecting to the internet is by typing sudo pon myISP in the terminal window, with a connection established, you can then download a GUI front-end for pon poff scripts such as gnome-ppp if you're using a Gnome desktop, or kppp if you're using KDE.
  3. Type poff to disconnect. 
Another one solution is to download the network-admin package and do it trough his gui (i don't describe it here because nowadays ADSL is predominant). Finally WvDial sacrifices some of the flexibility of programs like "chat" in order to make your dialup configuration easier.  When you install this package, your modem will be detected automatically and you need to specify just three parameters: the phone number, username, and password. WvDial knows enough to dial with most modems and log in to most servers without any other help.


Defining and Using Multiple Network Configurations

As mentioned earlier, if you’re lucky enough to be using a machine with multiple network interfaces, you really don’t want to have multiple Ethernet adaptors available on the same network at the same time. This can easily confuse your system when it tries to figure out which interface to use when sending information to that network (except if the interfaces  are configured to work on separate networks).
    However, having simultaneous access to multiple networks from a single computer system is fairly rare. More commonly, you will either want your system to be on different networks when it is in different locations (home and office, for example), or to use different network interfaces when you are using your system in different locations. Wired Ethernet interfaces are much faster than wireless Ethernet interfaces, so if you are using a laptop with both types of Ethernet interfaces, you’ll want to switch to your wired interface whenever possible.
As discussed in the last & a tool called the Network Manager that will do this for you is available from the Synaptic repositories. However, if you have limited success using this application. A similar tool, called whereami, can also be used to do this for you.
    Automatic network reconfiguration is convenient, but can be tricky to set up and, frankly, can be a pain unless you’re a networking guru and know every networking buzzword around. Ubuntu’s networking dialog makes it easy for you to do this for yourself by defining multiple networking configurations, known as locations, which you can easily switch whenever necessary. As described in this &, switching locations is a manual process, but it is also an empirical one that requires no configuration beyond setting up the networking interfaces correctly and creating locations that correctly enable the one that you want to use.
    Ubuntu’s Network settings tool simplifies defining combinations of network
configuration settings on your available network interfaces and then saving them with a unique name, known as a location.
    The first step in creating a location is to configure all of your available network interfaces as they would be when your system is in a specific physical location, being used in a certain way. Next, click the Location drop-down menu at the top of the Network settings dialog to display the menu shown in Figure. Select the Create location menu item a dialog displays, prompting you for a name for this specific combination of configured/unconfigured network interfaces.  Enter a Location name that reflects how and where you anticipate using this network configuration combination, and click OK to save this configuration combination.
    In the future, whenever you want to activate this particular combination of network configuration settings, all you have to do is to select the System ➪ Administration ➪ Networking menu item, enter your password, and then select this location from the Location drop-down menu.
Creating new locations doesn’t change your existing default networking configuration; it merely adds named combinations to the Locations menu. Once you select a new location, there is no easy way to return to your system’s default settings. Therefore, if you’re going to use multiple locations, it’s a good idea to define a location named Default, which is just a clone of your system’s default configuration. You can then return to your system’s default settings at any time by selecting that location.

Network Testing with GNOME’s Network Tools

To maintain its tradition of easy graphical network tools, Ubuntu Linux also provides a convenient graphical tool that simplifies examining the current configuration of any of your network interfaces. Ubuntu provides GNOME’s Network Tools application to give you a graphical display of network configuration information, as well as easy graphical access to a variety of network tools. Select the System ➪ Administration ➪ Network Tools menu item to start the Network Tools application.
    By default, the Network Tools application shows information about your system’s loopback interface. To see  information about a specific interface, click the Network device drop-down menu and select the Ethernet  interface that you’re interested in.
    The easiest and fastest way to identify the current configuration of one of your Ethernet interfaces will probably always be to run the ifconfig interface-name command in an xterm or GNOME Terminal window. As you can see, the text display of Ethernet interface information provided by the ifconfig command still requires a certain amount of interpretation when compared to the friendlier display of information shown in Network Tools.  In addition to a more readable display of basic network configuration information, the Network Tools application supports the graphical display of information produced by several standard network utilities, which traditionally operate only in text mode. The tabs provided in the Network Tools application, along with the purpose of each tab, are the following from left to right:
  • Devices: Displays configuration and traffic summary information for each available network interface on the system. This corresponds to the information provided by the traditional Linux/Unix command-line ifconfig application.
  • Ping: Displays connectivity and availability information by sending packets to a specified host or IP address, and displays elapsed time and success/failure information. This corresponds to the information provided by the traditional Linux/Unix command-line ping application.
  • Netstat: Displays status information about all active and available TCP and UDP network ports on the system. This corresponds to the information provided by the traditional Linux/Unix command-line netstat application.
  • Traceroute: Displays the systems through which communication to a specified host pass and the time required for each intersystem communication, known as a hop. This corresponds to the information provided by the traditional Linux/Unix command-line traceroute application.
  • Port Scan: Displays information about available ports and services on a specified remote machine. This roughly corresponds to the information provided by the traditional Linux/Unix command-line nmap application.
  • Lookup: Displays IP address information and available DNS aliases for a specified system. This roughly corresponds to the information provided by the traditional Linux/Unix command-line nslookup or host applications.
  • Finger: Displays any available personal information about a specific user or a specified host. This corresponds to the information provided by the traditional Linux/Unix command-line finger application. Few hosts provide this information any longer.
  • Whois: Displays information about the registrant and technical contact for a specified Internet domain. This corresponds to the information provided by the traditional Linux/Unix command-line whois or bwhois applications.


Tips for Securing Your System

System security is an open-ended topic because it has so many different aspects. These include:
  • physical security
  • login authentication
  • file and filesystem protections, and so on. 
Entire books have been written about security topics, and more are doubtless on the way. As mentioned,security in all forms will become an ever-increasing concern because of the increasing ubiquity of networking and the increasing availability of easy-to-use tools for probing, exploring, and breaking into remote machines.
    The following are some specific suggestions for increasing the security of your system on a network. As you’d expect, these include some aspects of other security topics but also have their own unique concerns:
  • If you are using an off-the-shelf home gateway, change gateway's  password and  name of the authenticated user if possible before you put it into service . If I had a nickel for how many systems have been broken into because people didn’t change default passwords, I wouldn’t even know how many nickels I had because most of these break-ins go unnoticed.
  • Disable any unnecessary services on your system. You can use the Network Tools Port Scan tab to identify ports on your system that are listening from requests for services. Disable any services that you are not using through a tool such as the System Boot Up Manager, which was discussed in the & entitled “Optimizing the Ubuntu Boot Process” here
  • Remove accounts for any users that are no longer using your system. This includes system accounts that were created for use by or with services that you are no longer running on your system.
  • Always keep your system up to date using the Ubuntu Update Manager. Patches to system and application software are released for a (good) reason.
  • Monitor important system log files regularly. The /var/log/messages and /var/log/syslog files can be an important source of information about who is trying to break into your system, and how.
  • Change your password regularly. Ubuntu’s dependence on the sudo command rather than the traditional root account for system administration tasks is a useful obfuscation, but your dedicated cracker in Beijing often doesn’t have anything better to do than try and try again.
As mentioned previously, security is your responsibility. Some interesting applications are available to test and probe your own system, which can be both educational and useful. My long-term favorites are:
  • chrootkit: Checks for “root kits,” which is the term for precompiled sets of hacked applications that are often installed on systems that have been broken into. These root kits both make it easier for a cracker to get into your system again and also collect additional login/password information from a cracked system. On that purpose install also rkhunter
  • nmap: Probes network connectivity on your machine and identifies potential problem points.
As you might expect, both of these applications are available in the Ubuntu repositories and can easily be installed on your system using apt-get, aptitude, or the Synaptic Package Manager.



Installing a Firewall

Firewall is the term used to describe a system that sits between one or more computer systems and monitors and manages network traffic. Just as with the firewall in your automobile, which prevents a fire in the engine compartment from proceeding into the passenger compartment and incinerating its occupants, a network firewall is intended to prevent malicious, spurious, or unnecessary network traffic from moving through it. Many firewalls serve multiple functions, also performing services such as Network Address Translation (NAT), but their primary purpose is to protect against network attacks and other unwelcome intrusions.
    On modern Linux systems, firewalling is typically done using kernel modules that support a packet filtering framework known as netfilter, and an associated interface and user-space command known as iptables.
    Packet filtering refers to the ability to analyze network packets and perform various actions based on their source, destination, type, or other information that they contain.
Because support for packet filtering is built into the Linux kernel, a Linux system that is directly connected to the Internet can serve as its own firewall, monitoring and managing network traffic before that traffic actually gets to any daemons or network-aware processes that it is running. 
Of course, a dedicated device or Linux system can also serve as a firewall, and many vendors sell prepackaged solutions that do just that. The fact that many of these off-the-shelf systems run Linux and use the netfilter/iptables mechanism to implement their firewalling solutions is just proof of the power of the Linux kernel’s built-in support for packet filtering.
    Whether or not an Ubuntu system actually requires a firewall is a hot debate topic among Ubuntu fans.
  1. Standard Ubuntu Desktop installations do not expose any open ports to an outside network, so there are no  network ports that need to be protected. 
  2. This is not true, of course, for Ubuntu server systems that expose ports for services such as DNS, e-mail, SSH, a Web server, and so on, so a firewall (more correctly a firewal's  interface) is always a good idea for  any server system.
If you are using your Ubuntu system in an environment that is already protected by a firewall, you probably do not need to set up a firewall on your system. You should, however, make sure that the firewall that your system is located behind is actually doing the right thing by checking with the  manufacturer, your IT group in a business or academic environment, or your Internet Service Provider. Just  because a box has “Firewall” printed on it doesn’t mean that it is actually doing anything.
    As far as Ubuntu desktop systems go, you will probably find yourself opening up some ports on a desktop installation as you use your Ubuntu system over time, and a netfilter/iptables firewall introduces  very little overhead on a desktop system, so I suggest that you always install at least a simple firewall. This  way, if you subsequently increase the exposure of your system by opening ports, the firewall will already be in place. You may want to revisit your initial firewall implementation in the future, but you will at least have some protection even if you neglect firewalling in your excitement to make some new service available from your Ubuntu system. Installing a simple firewall by default is also a good idea if you are setting up systems for friends, relatives, or small businesses where you may not always have complete control over what they add to or activate on their systems.


Overview of Linux Firewalling and Packet Filtering

The packet filtering mechanism used by the current Linux kernel (2.6.xx) is a combination of :
  1. a loadable kernel module framework and API called netfilter, and 
  2. an interface and associated and user-space administrative command called iptables. The iptables interface is one of several kernel modules based on the netfilter framework; others include a module that handles Network Address Translation (which enables multiple machines to share one public IP address), and the module that implements and supports connection tracking.
Throughout the rest of this post, I will collectively refer to this as iptables, because that is the interface that is most commonly associated with modern Linux firewalls and  packet filtering.
    The iptables interface and the netfilter framework are actually the fourth generation of Linux packet filtering solutions. The original Linux packet filtering implementation, ipfw, was liberated from BSD-based systems and was introduced in Linux by Alan Cox in the Linux 1.1 kernel, and was designed to support the  creation of simple IP firewalls and routers through packet inspection and filtering. The iwfwadmin tool and associated ipfw changes, which simplified creating ipfw-based firewalls, was added to the Linux 2.0 kernel and makes up the second generation. The third generation of Linux packet filtering, consisting of a major rewrite of the entire Linux networking layer and introducing the user-space ipchains tool, was introduced in the 2.1 kernel series. The current netfilter framework and iptables interface were  introduced in the 2.4 kernel, and have been the standard mechanism for packet filtering, network address  and port translation, and general packet manipulation (often referred to as packet mangling) in the 2.6  series of Linux kernels.
    Linux packet filtering works by inspecting incoming and outgoing packets and acting upon them based on filtering rules that have been loaded into the netfilter framework’s filter table by the iptables command.
    By default, the iptables command supports three default sets of rules, known as chains, for filtering network packets using the information stored in the iptables filter table. These default chains are the chains:
  • INPUT
  • OUTPUT, and 
  • FORWARD
  1. The rules in the INPUT chain are used to examine and process incoming packets intended for ports on the local machine
  2. The rules in the OUTPUT chain are for examining and processing outgoing packets that are being sent from the local machine
  3. The rules in the FORWARD chain are used to examine and process packets that are being routed through the local machine.
Each of the default filtering rule chains can have its own set of filtering rules. You can also define other sets of rules and use them for your own purposes. Many modern Linux and other Unix-like systems come with predefined INPUT, OUTPUT, and FORWARD rule chains and automatically load them at boot time. As discussed later in this post, a variety of graphical and command-line software is available for all Linux distributions to make it easy to define your own packet filtering rules.
    Other netfilter-based modules use packet-matching tables other than the filter table. The NAT module uses the NAT table, which contains three built-in rule chains:
  • OUTPUT
  • POSTROUTING, and 
  • PREROUTING
Specialized packet manipulation operations use the mangle table, which contains pre-built chains:
  • FORWARD
  • INPUT
  • OUTPUT
  • PREROUTING, and 
  • POSTROUTING 
The connection tracking module uses the raw table, which contains preconfigured chains:
  • OUTPUT and 
  • PREROUTING
You must have superuser privileges to examine, create, or modify any netfilter-based rule chains. You can do this by putting iptables commands in a script that is executed as part of the system’s boot process or by using a command such as sudo as a normal user to run the iptables commands with root privileges.


Installing and Configuring a Firewall Using Lokkit

As mentioned in the previous &, many different software packages are available to help you configure and activate a firewall on your Ubuntu system. These packages include Lokkit (the package described in this section), Firestarter, Fwbuilder, Guarddog, and many more. I think that Lokkit does a great job of setting up a basic firewall, asks the right questions, and is very easy to use, so that’s the package I’ve chosen to discuss in this section.


Installing Lokkit
Because whether or not you need a firewall is a hot topic among Ubuntu users, a firewall isn’t installed as part of any default Ubuntu installation. However, as with all software packages on Ubuntu, both the command-line software maintenance tools such as apt-get and aptitude and the Synaptic Package Manager make it easy to install a firewall creation and configuration tool. The one that I suggest installing is Lokkit, which is found in the lokkit package. I also suggest that you install the gnome-lokkit package, which provides an easy-to-use graphical interface that simplifies configuring and customizing a firewall. To install this package using apt-get or aptitude (without the graphical configuration tool), use the commands
sudo apt-get install lokkit or sudo aptitude –r install lokkit
There’s no point in installing the gnome-lokkit package if you don’t have a graphical user interface on your Ubuntu system(i.e in Ubuntu Server edition). To install these packages graphically,
  1. start the Synaptic Package Manager from the System ➪ Administration menu and supply your password to start Synaptic. Once the Synaptic application starts, 
  2. click Search to display the search dialog. Make sure that “Description and Name” are the selected items to search through, enter Lokkit as the string to search for, and click Search
  3. After the search completes, scroll down in the search results until you see the lokkit package, right-click its name, and select Mark for Installation to select that package for installation from the pop-up menu.
  4. After you have selected the lokkit package, you should also select the gnome-lokkit package, which is a graphical GNOME utility for configuring and customizing your firewall. Right-click its name, and select Mark for Installation to select that package for installation from the pop-up menu. 
  5. Selecting this package will display a dialog that suggests other packages for installation that are required for this package. Click Mark to also accept these packages for installation. 
  6. After selecting these packages for installation, click Apply in the Synaptic toolbar to install lokkit and its graphical configuration utility. 
  7. When the installation completes, you can exit from Synaptic.

Using Lokkit to Set Up a Basic Firewall
Installing lokkit and the gnome-lokkit graphical configuration utility doesn’t add a menu item for these commands, because you generally run them only once to set up a basic firewall.
  • To start the graphical gnome-lokkit tool, execute the command:
gksudo gnome-lokkit 
  • from any Ubuntu command line and supply your password in the dialog that displays. An initial gnome-lokkit dialog displays that provides some basic information about Lokkit. Click Next to proceed.
  •  In the dialog shown in most cases, the Low Security firewall is your best choice. As discussed earlier, a default Ubuntu Desktop
    installation doesn’t expose any ports to the outside world, so a firewall is simply extra protection in case you subsequently open system ports to the outside world (or install services that do). If you are configuring a firewall on an Ubuntu Server system, you may want to select the High Security option, but you should be prepared to modify the rules created by Lokkit (or specially configure the services that you have installed) to ensure that the services that you want your server to provide are not being blocked by the firewall. Click Next to proceed. 
  • The dialog shown asks if you want to trust hosts on your internal network, i.e., hosts with the same address settings for the first three quads of your system’s IP address. For example, if your system’s IP address is 192.168.6.6.121, selecting Yes here would enable any hosts with IP addresses of the form 192.168.6.XXX to connect to any services that your system provides. You should select Yes if you have more than one host on your internal network and the system that you are configuring is not directly connected to the Internet. Click Next to proceed. 
  • The dialog shown asks if you want to enable the DHCP port. You should select Yes if you are running (or plan to run) a DHCP server on this system, or if this system gets its IP address from another system using DHCP. Click Next to proceed. 
  • The dialog shown in enables you to select services that you are running on your system, and to which you want other systems to be able to connect. If you are not currently running (and do not plan to run) services such as a DNS, FTP, mail, or Web server, select No. If you are running these services or plan to, select Yes. Click Next to proceed. 
  • If you selected Yes, subsequent dialogs display that ask, respectively, if
    you want to enable incoming Web, mail, secure shell, and Telnet services. I suggest that you answer Yes to all of these except for Telnet, which is an older, insecure mechanism for connecting to systems over the network that has largely been replaced by SSH
  • After answering these dialogs, or if you selected No to the dialog before the Activate your Firewall dialog displays. Click Finish to activate your firewall and exit the gnome-lokkit configuration utility. If you’ve changed your mind, click Cancel — you can always rerun this utility later if you decide that you want to install a firewall. If you select Yes, lokkit will perform some basic tests of your firewall, and will then activate the firewall and add starting the firewall to the series of startup scripts that your system runs when you boot your system, by adding the /etc/init.d/lokkit startup script to the startup sequence for all system run levels.


Resources

  • Ubuntu Linux Bible by William von Hagen ISBN-13: 978-0-470-03899-4

    No comments:

    Post a Comment