Posted on Aug 11th, 2009 At 3:16 am by baldo
Prerequisites
Road-Warrior (Host to Net) configuration with OpenVPN
IP forwarding
With IP forwarding enabled, your Linux box can act as a router. To enable IP forwarding, issue the following command as root:
# echo "1" > /proc/sys/net/ipv4/ip_forward
Note: To enable it by default when your system boots, edit /etc/sysctl.conf (on a Debian system) and uncomment the net.ipv4.ip_forward line:
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
Masquerading or packet mangling
Since Internet routers cannot forward traffic from private IP addresses, you need to use IP masquerading. Masquerading means that your Linux system rewrites the IP headers of outgoing packets so that they appear to originate from its non-private (public) IP address.
Iptables rules
This is the set of iptables rules that I use for IP forwarding and packet mangling.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
...
*nat
:PREROUTING ACCEPT [244:17449]
:POSTROUTING ACCEPT [2:486]
:OUTPUT ACCEPT [2:486]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
...
Finally, add the following line to your server configuration file and restart OpenVPN:
push "redirect-gateway def1"
Basically, all traffic coming from the internal network (tun0) is forwarded to the Internet through the eth0 interface. Now all the Internet sites I visit record the IP of the OpenVPN server, not the IP given by my ISP. One useful application of this configuration is that you can sidestep the lack of security on wireless networks, because all of your traffic reaches the Internet through the VPN.
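As an added example (not code from the original post), this script parses an iptables-save style dump like the one above and checks the rules a VPN gateway needs; the sample dump, the COMMIT lines and the eth0/10.8.0.0/24 values are taken from the post's ruleset, and the FORWARD-policy check flags the one thing the post's rules leave permissive.

```python
# Constructed sample dump modelled on the post's ruleset, COMMIT lines added.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [244:17449]
:POSTROUTING ACCEPT [2:486]
:OUTPUT ACCEPT [2:486]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

def parse_dump(text):
    # Returns {table: {"policy": {chain: policy}, "rules": [[tokens], ...]}}
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                         # table header, e.g. *nat
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                       # chain policy, e.g. :FORWARD ACCEPT [0:0]
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line.startswith("-A"):                      # -A CHAIN opt value opt value ...
            tables[current]["rules"].append(line.split())
    return tables

def has_rule(table, chain, wanted):
    # True if a rule in `chain` carries every option/value pair in `wanted`
    for toks in table["rules"]:
        opts = dict(zip(toks[2::2], toks[3::2]))         # {"-s": "10.8.0.0/24", "-o": "eth0", ...}
        if toks[1] == chain and all(opts.get(k) == v for k, v in wanted.items()):
            return True
    return False

def audit_vpn_gateway(text, vpn_net="10.8.0.0/24", wan_if="eth0"):
    """Findings for a VPN gateway ruleset; an empty list means nothing to report."""
    t, findings = parse_dump(text), []
    if not has_rule(t["nat"], "POSTROUTING", {"-s": vpn_net, "-o": wan_if, "-j": "MASQUERADE"}):
        findings.append("no MASQUERADE rule for %s leaving via %s" % (vpn_net, wan_if))
    if not has_rule(t["filter"], "FORWARD", {"-i": "tun+", "-j": "ACCEPT"}):
        findings.append("FORWARD does not accept traffic arriving on tun+")
    if t["filter"]["policy"].get("FORWARD") == "ACCEPT":
        findings.append("FORWARD policy is ACCEPT: the box forwards between all interfaces, not only tun+")
    return findings
```

With ip_forward set to 1 and a FORWARD policy of ACCEPT, the host routes between every interface it has, so a default of DROP plus the explicit tun+ rules is the exclusive variant of the same setup.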
Posted on April 30th, 2009 At 10:59 pm by baldo
Recently a friend found a script to mitigate DDoS attacks and asked me to set it up on our server. Basically this script identifies IPs with a large number of connections and blocks them for a certain period of time.
Installation is quite easy, just type:
$ wget http://www.inetbase.com/scripts/ddos/install.sh
# chmod 0700 install.sh
# ./install.sh
It creates a subdirectory called ddos under /usr/local, downloads the source files and creates a cron task that runs every minute.
If you want to customize its configuration, edit the file /usr/local/ddos/ddos.conf.
Now, we just have to wait for someone to test it.
Note: This is not an overall solution to prevent this kind of attack; it just deflates them.
For more information on this project, please visit http://deflate.medialayer.com/.
Category: Security
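The core check such a script performs, written here as an added example (not the script's own code): count connections per remote address from netstat-style output and report the addresses above a threshold. The sample output is constructed, and the threshold and whitelist names are my own rather than the script's configuration keys.

```python
from collections import Counter

# Constructed sample of `netstat -ntu` output: header lines plus a few connections.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:40001       ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.9:33000       ESTABLISHED
"""

def connections_per_ip(netstat_output):
    """Count connections per remote address, ignoring header lines and ports."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        remote = fields[4].rsplit(":", 1)[0]    # "198.51.100.7:51234" -> "198.51.100.7"
        counts[remote] += 1
    return counts

def offenders(netstat_output, threshold, whitelist=()):
    """Addresses with more than `threshold` connections, minus whitelisted ones."""
    return sorted(ip for ip, n in connections_per_ip(netstat_output).items()
                  if n > threshold and ip not in whitelist)
```

A whole office behind one NAT address looks like a single busy client to this check, so the threshold and the whitelist decide whether the script blocks attackers or your own users.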
Posted on January 13th, 2009 At 6:35 am by baldo
IPFW is one of the firewalls sponsored, authored and maintained by the FreeBSD team.
Firewall designs
- Exclusive: Deny everything that is not specifically allowed. This is the most secure design.
- Inclusive: Allow everything that is not specifically denied.
Note: I focus only on describing an exclusive design.
IPFW rules
Note: The set of rules I use in this post (for preventing spoofing attacks) is only an example.
To hold the firewall rules, create a text file; this way the set of rules will be available again when your system restarts. My firewall rules are stored in the file /etc/my.ipfw.conf.
Rules syntax
Basically, a rule has the following syntax:
CMD RULE_NUMBER ACTION PROTOCOL from [OPTION] to [OPTION] PORT_NUMBER
CMD = add
ACTION = allow | accept | pass | permit | deny | drop
PROTOCOL = all | udp | tcp | icmp …
FROM = any | all | host | ip
TO = any | all | host | ip
Note 1: It is not mandatory to specify a RULE_NUMBER or a PORT_NUMBER.
add allow tcp from any to 192.168.3.10 80
add allow all from trusted.host.org to any
add 8000 deny all from any to any
Note 2: The rules are evaluated in sequential order and the first match wins; be aware of this when building your own IPFW ruleset.
Enabling the IPFW
Configure the file /etc/rc.conf by adding the following lines:
firewall_enable="YES"
firewall_type="/etc/my.ipfw.conf"
Finally reboot your system.
For more configuration options refer to the ipfw(8) man page or visit the online FreeBSD Handbook.
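To see Note 2 in action, here is an added example (not FreeBSD's ipfw, and handling only the protocol/source/destination/port fields of the simplified syntax above): it parses the three rules from the post, orders them by number, and returns the first match, falling back to the implicit deny of an exclusive design. The automatic numbering of unnumbered rules in steps of 100 is an assumption of this toy.

```python
# Constructed ruleset: the three example rules from the post.
RULESET = """\
add allow tcp from any to 192.168.3.10 80
add allow all from trusted.host.org to any
add 8000 deny all from any to any
"""

def parse_rules(text):
    """Parse 'add [NUM] ACTION PROTO from SRC to DST [PORT]' lines, sorted by number."""
    rules, auto = [], 100            # unnumbered rules get 100, 200, ... (assumed step)
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "add":
            continue
        toks = toks[1:]
        if toks[0].isdigit():
            num, toks = int(toks[0]), toks[1:]
        else:
            num, auto = auto, auto + 100
        action, proto, src, dst = toks[0], toks[1], toks[3], toks[5]
        port = int(toks[6]) if len(toks) > 6 else None
        rules.append((num, action, proto, src, dst, port))
    return sorted(rules, key=lambda r: r[0])

def matches(rule, pkt):
    """Match on protocol, source, destination and (if the rule names one) the dst port."""
    _, _, proto, src, dst, port = rule
    return (proto in ("all", "ip", pkt["proto"])
            and src in ("any", "all", pkt["src"])
            and dst in ("any", "all", pkt["dst"])
            and (port is None or port == pkt["dport"]))

def evaluate(rules, pkt):
    """First matching rule wins; the implicit rule 65535 denies everything else."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0], rule[1]
    return 65535, "deny"

# Constructed packets: a web request and an SSH attempt to the same host.
WEB = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.3.10", "dport": 80}
SSH = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.3.10", "dport": 22}
```

Prepending "add 10 deny all from any to any" to the same ruleset makes every packet hit rule 10 first, which is exactly the ordering mistake Note 2 warns about.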
Posted on November 14th, 2008 At 11:51 pm by baldo
This is a basic configuration for a Secure Shell server under Linux. I assume you have already installed the SSH server; if not, please refer to the documentation of your favorite Linux distribution, where you will find that it is quite easy to install.
I will be using FreeBSD as a client and Linux as SSH Server.
SSH public/private key
Public/private key authentication is an effective method to secure access to our server. The public key is placed on the server, whereas the private key stays on the local computer. Anyone logging in to our server must then present the matching private key, instead of just a simple password.
Generating a public/private RSA key pair on the local computer (client)
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baldo/.ssh/id_rsa):
Created directory '/home/baldo/.ssh'.
Enter passphrase (empty for no passphrase):
Enter the same passphrase again:
Your identification has been saved in /home/baldo/.ssh/id_rsa.
Your public key has been saved in /home/baldo/.ssh/id_rsa.pub.
The key fingerprint is:
c0:a7:25:c0:4a:aa:32:58:88:16:f9:56:97:f2:05:1f baldo@baldiyo.com
Once the RSA key pair is generated, copy id_rsa.pub (the public key) to the server.
Note: Since FreeBSD does not ship ssh-copy-id as part of the OpenSSH package, copy id_rsa.pub to the server and set it up manually.
$ scp ~/.ssh/id_rsa.pub baldo@192.168.1.68:/home/baldo/.ssh/id_rsa.pub.tmp
baldo@192.168.1.68's password:
id_rsa.pub                                    100%  399     0.4KB/s   00:00
I have already created a user called baldo on the server.
$ ssh baldo@192.168.1.68
baldo@192.168.1.68's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Tue Nov 11 02:45:51 2008 from 192.168.1.12
baldo@baldiyo:~$ cat .ssh/id_rsa.pub.tmp >> .ssh/authorized_keys
baldo@baldiyo:~$ rm .ssh/id_rsa.pub.tmp
Configuring the ssh server
I highly recommend not using the default configuration. As root, modify the /etc/ssh/sshd_config file.
This is my configuration.
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 7000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no
UseDNS no
AllowUsers baldo
Finally restart the SSH Server and log out to test the configuration.
# /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.
$ ssh -p 7000 baldo@192.168.1.68
Enter passphrase for key '/home/baldo/.ssh/id_rsa':
Last login: Wed Nov 12 01:41:45 from 192.168.1.12
baldo@baldiyo.com:~$
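An added example, not part of the original post: a small audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, whole-line comments only) and reports where it departs from the hardening choices made above, plus the two mistakes that are easy to make when editing by hand, an out-of-range Port and a missing AllowUsers. The sample config is constructed.

```python
# Hardening directives the post settles on, with the value it chooses.
EXPECTED = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}

# Constructed sample: still allows root and password logins, lacks AllowUsers.
SAMPLE_CONFIG = """\
Port 7000
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
"""

def parse_sshd_config(text):
    """Keyword -> value; the first occurrence wins, as sshd(8) applies it."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):         # whole-line comments only
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit_sshd_config(text, expected=EXPECTED):
    """Return findings; an empty list means the file matches the post's choices."""
    conf, findings = parse_sshd_config(text), []
    for key, want in expected.items():
        got = conf.get(key.lower())
        if got is None:
            findings.append("%s not set, the sshd default applies" % key)
        elif got.lower() != want:
            findings.append("%s is %s, expected %s" % (key, got, want))
    port = int(conf.get("port", "22"))
    if not 1 <= port <= 65535:
        findings.append("Port %d is not a valid TCP port; sshd will not start" % port)
    if "allowusers" not in conf:
        findings.append("AllowUsers not set: every local account may log in")
    return findings
```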
Posted on October 13th, 2008 At 10:34 pm by baldo
GnuPG is a free (as in freedom) implementation of PGP that lets you encrypt and sign your data and communications. It is widely used to encrypt and sign email; many email clients support GnuPG, and you can even use it with Gmail through the FireGPG extension for Mozilla Firefox.
This is the simplest way to compile and install GnuPG.
$ wget ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.9.tar.gz
$ tar -zxf gnupg-1.4.9.tar.gz
$ cd gnupg-1.4.9/
$ ./configure
Version info: gnupg 1.4.9
Configured for: GNU/Linux (i686-pc-linux-gnu)
$ make
$ make check
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: .
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
PASS: version.test
PASS: mds.test
PASS: decrypt.test
PASS: decrypt-dsa.test
MD5 SHA1 RIPEMD160 SHA256 SHA384 SHA512 SHA224 - PASS: sigs.test
PASS: sigs-dsa.test
3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH - PASS: encrypt.test
3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH - PASS: encrypt-dsa.test
PASS: seat.test
PASS: clearsig.test
PASS: encryptp.test
PASS: detach.test
PASS: armsigs.test
PASS: armencrypt.test
PASS: armencryptp.test
PASS: signencrypt.test
PASS: signencrypt-dsa.test
PASS: armsignencrypt.test
PASS: armdetach.test
PASS: armdetachm.test
PASS: detachm.test
PASS: genkey1024.test
3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH - PASS: conventional.test
3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH - PASS: conventional-mdc.test
PASS: multisig.test
PASS: verify.test
PASS: armor.test
===================
All 27 tests passed
===================
$ su
Password:
# make install
Creating secret and public key
If security is your top priority, pick the largest key length available and pay attention to the other security issues.
$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Baldomero Valdez Valenzuela
Email address: my_email_address
Comment:
You selected this USER-ID:
    "Baldomero Valdez Valenzuela <my_email_address>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++.+++++++++++++++++++++++++++++
+++++.+++.+++.++++++.++++++......+++++++++>+++.++...
.........>+++.........+++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++.++++++++++++.+++.++++++.++++++++++++++
++++++++..+++++++++...+++...+++++++++++++++>+++
+...........................................................................
.............................................
..............................................+++^
gpg: key 0D447986 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/0D447986 2008-10-13
      Key fingerprint = DB8A 7D9E 1C91 D14A C539 2F23 90BA AE56 0D44 7986
uid                  Baldomero Valdez Valenzuela <b.valdez@baldiyo.com>
sub   1024g/FABD7AA0 2008-10-13
For more information on this tool, refer to the project's web page: http://www.gnupg.org
GnuPG with FireGPG extension
FireGPG is a Firefox extension, released under the MPL, that encrypts, decrypts, signs or verifies the signature of text in any web page using GnuPG. This extension lets you use GPG's features in your Gmail. If you encrypt a message on your system and send it via email to someone, the person who receives the email needs to have your public key in order to decrypt the message.
FireGPG installation
http://getfiregpg.org/install.html
My Gmail inbox looks like this.

Category: Security