In issue 51 of the Linux Gazette, the article titled « Private Networks and RoadRunner using IP masquerading », explains how to setup a Linux based gateway with good security in mind. The authors suggest starting with a clean install of Linux, which is an excellent idea, as security starts with a secure install, and that is what this article is about. When finished this will be a very lean install, weighing in at about 130 MB plus swap, there will be no X Windows, though I like to install Midnight Commander for file management.
I’m going to make a couple of assumptions here, first, you know how to install Linux and are familiar with its use. Second I assume you are setting up a gateway computer permanently attached to the internet be it by cable modem, DSL or whatever and will not be used for anything else like a ftp, telnet or web server.
What you will need
My machine is an old Dell Optiplex 466/MXe, it is a 486 DX2 66, with 16 MB of RAM, a 512 MB Hard Drive, a sound card and a 4X IDE CDROM. I acquired this one for $50 and upgraded it to a 486DX4 100, 40 MB of RAM, I removed the sound card and added 2 network cards, a SCSI card and installed a 320 MB SCSI hard drive, all of which I had in spare parts. The minimum system you will need, is a 486 (any flavor), 16 MB of RAM, 200 MB hard drive, two network cards and either a CDROM or the ability to do a network install. You will also need a copy of RedHat Linux 6.x. Although any distribution will work just fine, I will only cover RedHat. The system will only need a monitor during the install, after that it can run headless and can be administered remotely using Openssh.
Before you begin, go to ftp://ftp.redhat.com, download and copy to floppy disks, the following;
If you are using RedHat 6.2, the previous files are unnecessary. Go to ftp://thermo.stat.ncsu.edu/pub/openssh-usa and again, download and copy to disk;
Installing and configuring Linux
I will only be covering the items which deviate from the default settings.
- Choose a custom install. When Disk Druid comes up, make the following partitions.
Partition Minimum size % of total Mine / 40 MB 10% 75 MB /boot 5 MB 5 MB 5 MB /home 100 MB 25% 200 MB /tmp 40 MB 10% 75 MB /usr 220 MB 45% 320 MB 1 /var 40 MB 10% 75 MB swap 64 MB 2X RAM 80 MB 2
1 For simplicity I used the entire SCSI drive
2 In reality you could make the swap partition size equal to your RAM size or even smaller. I suggest larger in case you want to setup a web or ftp site later.
This chart shows roughly how to divide up your Hard Drive, The minimums are just that, if your hard Drive is larger then 512 MB, then use the percentages after the swap and /boot sizes have been taken out. If your drive is smaller than 512 MB, then just make a swap partition and a root partition. By doing this, if an intruder does get in, he will not be able to fill up your hard drive by writing large files to either the /tmp or the /home directories. It also lets you do some Interesting things in /etc/fstab, like set nosuid and nodev on /tmp and /home. Some people will ask why I dedicate such a large chunk of drive space to the /home partition, when in theory, this system won’t have many, if any real users. The answer is, room for transferring files to and from remote locations, like sharing MP3’s or work files.
- When selecting the components to install, only choose Networked Workstation, Network Management Workstation, Utilities and Select Individual Packages. If you are using RedHat 6.2 and did not download the updated RPM’s, select Lynx, so it is installed.
Deselect the following packages: git, finger, ftp, fwhois, ncftp, rsh, rsync, talk, telnet ghostscript, ghostscript-fonts, mpage, rhs-printfilters arpwatch, bind-utils, knfsd-clients, procinfo, rdate, rdist, screen, ucd-snmp-utils, chkfontpath, yp-tools, XFree86-xfs, lpr, pidentd, portmap, routed, rusers, rwho, tftp, ucd-snmp, ypbind, XFree86-libs, libpng, XFree86-75dpi-fonts, urw-fonts
- After the system reboot, log in as root and type in the following command line, to clean out the packages the install program doesn’t let you deselect.
rpm -e --nodeps pump mt-st eject bc mailcap apmd kernel-pcmcia-cs getty_ps setconsole setserial raidtools rmt sendmail
You may also want to consider removing Linuxconf, kudzu, kbdconfig, authconfig, timeconfig, mouseconfig, ntsysv and setuptool, depending on your skill level. All of the above packages are either security risks, such as rsh or not needed like XFree86 fonts.
- Copy all the rpm’s you downloaded from RedHat to a couple of floppies, take it to the newly installed machine and mount the floppy drive with mount -t msdos /dev/fd0 /mnt/floppy then install the files by typing rpm -Uvh /mnt/floppy/*.rpm
- Copy all the Openssh files to a floppy disk and again take it to the newly installed system and mount the floppy disk by typing mount -t msdos /dev/fd0 /mnt/floppy and type rpm -ivh /mnt/floppy/open* . Change into the /etc/ssh directory and open sshd.config and look for »PermitRootLogin yes » and change it to no. This will cause the system to deny access to anyone trying to log onto the system as root from a remote system. If you need to logon as root remotely, logon as a normal user, then use the su command to get root access.
I am not going to go into detail about setting up a good firewall, « Private Networks and RoadRunner using IP Masquerading » does an excellent job of that, however I have a couple of suggestions.
I believe for security purposes DNS services should not be placed on the firewall system, either each client should be setup individually to use your internet service provider for DNS or a different machine on the network should be configured to act as a DNS server. Futher, I feel no inetd services from should be run on the firewall machine either, the only port which should be open is port 22, the ssh port. I as a rule will delete the inetd.conf file and replace it with an empty one, using « touch /etc/inetd.conf ».
If you have more than two or three users on the system, you may want to consider using Squid, which is a web proxy/caching program. This speeds things up by keeping copies of often visited web sites on the local machine. It can also be used to block web sites, which can be useful if there are under age users in the house. If you decide to use Squid, I recommend at least 1 GB hard drive, 32 MB of RAM and a 486DX2/66 processor. Squid can be installed off the RedHat CD. Alternately, you can install Junkbuster, which is also a proxy program, it does not cache web sites and therefore will not require a larger hard drive, more RAM or a faster processor, what it does is blocks ad banners, which depending on the sites you visit will speed things up and keep these companies from gathering information about you. Junkbuster can be downloaded from http://www.waldherr.org/junkbuster.
For easy firewall construction, you should download either Seawall or pmfirewall, these are ipchains based firewall programs designed for simplicity, I have tried both and they work as promised and will save you the trouble of learning ipchains. Seawall is harder to setup, but has more configuration options, pmfirewall is easier to setup, but has less options.
Now go back to « Private Networks and RoadRunner using IP Masquerading » and finish configuring the gateway. Please remember this is not the end all and be all of Linux security, this simply give you a solid starting point. For a masters tutorial on Linux security download, see http://pages.infinit.net/lotus1/opendocs/book.htm. This document is massive at 475 pages, but the first two chapters alone are worth the read.