Home Network Security

by Ryan Detert
Jan. 14, 2000

Phone line modems are quickly becoming a tool of the past. Now, digital subscriber lines (DSL) and cable modems have brought home high-speed connections that were once only enjoyed at offices and universities. Along with each of these services comes a static IP address that never changes and allows you to host your own web site and administer your own server. The benefits of increased bandwidth are obvious: You can download the latest Internet Explorer Update in minutes instead of hours, and you don't need to purchase a separate phone line.

However, constant connectivity to the information superhighway may come at a higher price than you bargained for. Already we've read reports of home systems being hacked. In this article, we will go over some basic, but effective, concepts that will make your Linux and NT servers at home much more secure.

(And, by the way, since Red Hat is the most popular, we will be sticking to it. So please, no religious e-mails about how much better Slackware is.)

The biggest concern

The primary motivation for hacking cable and DSL subscribers is corporate espionage. This may sound like something out of a James Bond movie, but it's real nonetheless. Many people these days are taking their work home on laptop computers, maintaining copies of files both at home and in the office. Though hackers may have a hard time breaking into the cyber-fortress at your law firm, most will have no trouble infiltrating a weakly guarded home server and gaining access to your files.

First things first

As you already know, the first line of defense against unwanted guests is a good password. Without a good password, especially for the super-user, it doesn't matter what other goodies you've used to secure your site. Briefly, a good password should adhere to the following criteria:

  • Do make sure it's at least 6-8 characters in length.
  • Don't use dictionary words spelled forwards or backwards because many hackers use dictionaries when trying to guess your password.
  • Do make sure it contains a mix of upper- and lower-case characters, as well as non-alphabetic characters such as numbers and @, %, &, etc.

Many of the latest versions of Linux will tell you if you've chosen a good password or not.
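The three rules above, turned into a small checker (an added example, not from the article). It assumes the stricter end of the "6-8" range, 8 characters, as the minimum, and uses a short constructed word list in place of a real dictionary such as /usr/share/dict/words.

```sh
#!/bin/sh
# Added example (not from the article): checks a candidate password against the
# three rules listed above. Assumptions: the stricter end of "6-8" (8 characters)
# is the minimum, and WORDS is a small constructed word list standing in for a
# real dictionary file such as /usr/share/dict/words.
WORDS="password secret letmein redhat dragon welcome"

# reverse STRING: print STRING backwards, for the "spelled backwards" rule.
reverse() {
    printf '%s' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# check_password CANDIDATE: print every rule it breaks; return 0 only if all pass.
check_password() {
    pw=$1; ok=0
    if [ "${#pw}" -lt 8 ]; then echo "too short: ${#pw} characters, need 8"; ok=1; fi
    if ! printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'; then echo "no upper-case letter"; ok=1; fi
    if ! printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]'; then echo "no lower-case letter"; ok=1; fi
    if ! printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z]'; then echo "no digit or symbol"; ok=1; fi
    # Dictionary rule: the lower-cased password must not contain a list word
    # either as typed or reversed (so "Terces9!" is caught as "secret" backwards).
    lower=$(printf '%s' "$pw" | LC_ALL=C tr 'A-Z' 'a-z')
    rlower=$(reverse "$lower")
    for w in $WORDS; do
        case "$lower" in *"$w"*) echo "contains dictionary word '$w'"; ok=1 ;; esac
        case "$rlower" in *"$w"*) echo "contains dictionary word '$w' spelled backwards"; ok=1 ;; esac
    done
    return $ok
}

for candidate in 'Short1!' 'Secret123' 'Terces9!' 'Tr0ub4dor&3'; do
    echo "== $candidate"
    check_password "$candidate" && echo "accepted"
done
```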

Common cracks

Oftentimes, computer hackers are not the geniuses we see depicted in movies. There are a couple of common methods that hackers, elite or otherwise, often use to try to break into your system. One of the most common is called a Trojan Horse. This is where a commonly used file (such as ifconfig) is modified without your knowledge and appears to still be the exact same file, meaning that it may have the same date-last-modified and file size. Trojan Horses can be disastrous, and if you find one in your system, chances are a hacker has already been utilizing it. A common Trojan Horse will record all keys that you press and save them to a file. This way a hacker can just open the file and find your logins and passwords. One way you can get a Trojan Horse is by opening a malicious program received via email. A word from the wise: if you value your server, don't open e-mail attachments of strange origin or give any unreliable persons access to any accounts on your server.

Firewalls

OK, enough with the common sense advice, now lets get our hands dirty. One of the best ways to secure your home server is to set up a firewall. Businesses and large-scale corporations depend on firewalls to keep out unwanted guests. Chances are you've had some type of interaction with one at work.

There are no set criteria for how a firewall should be implemented. In businesses where there are large networks of computers, for example, there are often several firewalls many layers thick. However, a single firewall can be set-up at home too. Realize, however, that a firewall cannot single-handedly defend your system; it should be used in conjunction with other security tools.

To understand how firewalls work, you must first understand how information is sent over a network. It is divided up into smaller sections, called packets, which are then sent on their way. Here's a good way to visualize packets. When information is sent over a network, the information needs to be put in some sort of virtual envelope. It is addressed and shipped off just as snail mail is. The type of "envelope" will often vary depending on the type of protocol being used: TCP, IPX, etc. However, each packet will contain the IP of origin, the IP of the addressee, and of course, information being sent. Upon arrival, the gateway reads each of these packets and decides what to do with them.

The heart of the firewall, often called the gateway or choke, parses the packets of information it receives and then relays "safe" information that adheres to certain rules to the correct computer within some sort of internal network. Likewise, a gateway also pre-reads outgoing packets as well. This too has many advantages. For instance, you may want to prohibit employees or children from visiting certain domains that may contain confidential information or unsuitable content.

Though a firewall can be wonderful, it is not invincible. One of its main weaknesses is that the actual task of parsing a packet can become immensely complex as each packet header is potentially different. As a result, some "naughty" packets might be let through the firewall. On the other hand, a complex set of guidelines for the parsing utility could also lead to some human error that would be difficult to troubleshoot.

Are your packets sniffable?

This brings us to another interesting point about Internet security. When you send packets across the information superhighway, they are really open to anybody. Your packets must sometimes travel thousands of miles and be processed by numerous computers and routers along the way. Ideally, when a packet is encountered by another computer that isn't the intended recipient, it's simply forwarded to the next router or computer until it arrives, safe and sound, at its intended home. However, this process can be intercepted by a technique known as sniffing.

If you put your Linux box's network card into promiscuous mode, by typing something like "ifconfig eth0 promisc", and then run a sniffer such as tcpdump (or WebWatcher on NT), you can actually "listen" to the packets buzzing around the wire. System administrators can use sniffing to monitor their site, but when hackers sniff your packets, the outcome can be quite devastating.

Data encryption: bubble-wrapping your packets

Data encryption allows you to render your packets "odorless." Make sure that all sensitive data traversing over the Internet is encrypted. One of the reasons why hackers love file transport via telnet or ftp is because those traveling packets are not encoded. Fortunately, there are low-cost alternatives to those programs.

For example, instead of using telnet, use Secure Shell (SSH); there are several SSH distributions to choose from. As for FTP, Secure Copy (SCP) is a quick and easy alternative that may come with your SSH package. These two programs basically use a DES-type encryption algorithm that encodes your packets before sending them out over the Internet. So, even if a hacker does successfully sniff your packets, it will take him a couple million years to decode them. Literally.

Setting up a firewall for 2.0 kernels

Setting up a firewall for a Linux server, especially a personal one, can be fairly easy to do and requires little or no additional software, though there are off-the-shelf solutions as well. For 2.0 kernels, all you need to do is edit the /etc/sysconfig/network file to make sure it contains 'FORWARD_IPV4=yes' and then pass several arguments to the /sbin/ipfwadm utility.

Firewalls can be as complex as you want them to be. There are entire books written on the subject, one of which is published by O'Reilly: Building Internet Firewalls by Zwicky & Chapman. However, a simple firewall may be set up by entering the following commands at the Linux console. (We will cover firewalls in NT a little later on.)

    % /sbin/ipfwadm -F -f                                    # flush the existing forwarding rules
    % /sbin/ipfwadm -F -p deny                               # default policy: deny anything not listed
    % /sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0   # masquerade the home LAN to anywhere

This code originated in an article by Tarique Sani, which can be found at irt.org.

I want to point out that the "-p deny" in the second line of code tells the firewall to set up a default policy of deny. When setting up a firewall, there are two basic policies you can use: default allow, which lets through any hosts that are not explicitly forbidden, and default deny, which blocks all hosts unless otherwise specified. A policy of denial is usually the best way to go.

Setting up a firewall for 2.2 kernels

The latest toy for dealing with firewalls in Linux relies on Linux's ability to do what is known as "masquerading." The tool that does what we need is called "ipchains." Though the newer kernels still have support for ipfwadm, there are some features in ipchains that you might find more useful, not to mention the fact that ipchains is part of a newer, more stable kernel. ipchains incorporates some new features, such as filtering on ICMP codes, that are useful for keeping out such things as the famous Ping of Death, but it can still provide many of the same services as its counterpart. Taken from the IPCHAINS-HOWTO, the following is a quick list of how you might translate some of the commands:

Old command:
    ipfwadm -F -p deny
New command:
    ipchains -P forward DENY

Old command:
    ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
New command:
    ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0

Old command:
    ipfwadm -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D 0.0.0.0/0
New command:
    ipchains -A input -j ACCEPT -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0
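Putting the translated commands together, here is a complete default-deny ipchains script for a 2.2-kernel home gateway. It is an added example, not taken from the article or the HOWTO, and it assumes eth0 faces the cable/DSL modem, eth1 faces the home LAN, and the LAN is 192.168.1.0/24; by default it only prints the rules so you can review them before loading.

```sh
#!/bin/sh
# Added example (not from the article or the IPCHAINS-HOWTO): a small
# default-deny ipchains firewall for a 2.2-kernel home gateway.
# Assumptions: eth0 faces the cable/DSL modem, eth1 faces the home LAN, and
# the LAN is 192.168.1.0/24. The rules are only printed unless IPCHAINS points
# at the real binary: run as root with IPCHAINS=/sbin/ipchains to load them.
IPCHAINS=${IPCHAINS:-echo}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN=${LAN:-192.168.1.0/24}

setup_firewall() {
    # Wipe whatever rules are already loaded in the three built-in chains.
    "$IPCHAINS" -F input
    "$IPCHAINS" -F forward
    "$IPCHAINS" -F output

    # Default policies: deny unless explicitly allowed (the article's advice)
    # for packets addressed to the gateway or routed through it.
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -P forward DENY
    "$IPCHAINS" -P output ACCEPT

    # The gateway itself may be reached over loopback and from the LAN side.
    "$IPCHAINS" -A input -j ACCEPT -i lo
    "$IPCHAINS" -A input -j ACCEPT -i "$INT_IF" -s "$LAN"

    # Anti-spoofing: a packet from the Internet claiming a LAN source address
    # is bogus, so deny it and log it (-l) so the attempt shows up in syslog.
    "$IPCHAINS" -A input -j DENY -l -i "$EXT_IF" -s "$LAN"

    # ipchains has no connection tracking, so replies from the Internet are
    # approximated: TCP packets that are not connection requests (! -y),
    # DNS answers, and anything sent to the 2.2 masquerade port range.
    "$IPCHAINS" -A input -j ACCEPT -i "$EXT_IF" -p tcp ! -y
    "$IPCHAINS" -A input -j ACCEPT -i "$EXT_IF" -p udp -s 0.0.0.0/0 53
    "$IPCHAINS" -A input -j ACCEPT -i "$EXT_IF" -d 0.0.0.0/0 61000:65096

    # Masquerade LAN traffic leaving on the Internet interface and nothing
    # else (on the forward chain, -i names the outgoing interface).
    "$IPCHAINS" -A forward -j MASQ -i "$EXT_IF" -s "$LAN" -d 0.0.0.0/0

    # Finally turn on routing between the two interfaces (2.2 kernels default
    # to off); Red Hat's FORWARD_IPV4=yes in /etc/sysconfig/network does the same.
    [ "$IPCHAINS" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

setup_firewall
```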

hosts.allow/deny

The inetd (Internet daemon) listens for connections on certain Internet sockets and accordingly calls or spawns other daemons or programs when a connection arrives on one of the sockets. This way, things are simplified for the OS to some extent. To assist the inetd in setting policies for spawned daemons, there are two files (located in the /etc/ directory) named "hosts.allow" and "hosts.deny". They list, respectively, which daemons the specified hosts or IPs may and may not invoke. Some of the most common daemons started remotely are finger, netstat, systat, ftp, POP, etc. You can find other daemons by doing a "less /etc/inetd.conf". To forbid any access to daemons from remote locations, you can either comment out their definitions in the /etc/inetd.conf file, or simply add the following line to the hosts.deny file.

    ALL : ALL

One thing I would discourage is allowing finger, netstat, or systat without good reason, as this automatically provides a hacker with a great deal of information about your system. To disable finger access, for example, you can either comment it out with a pound sign in the inetd.conf file, or add something like this to the hosts.deny file:

    in.fingerd : ALL

Aside from the inetd, it's also a good idea to disable any daemons that you don't intend to use, such as dhcpd or apache, because the fewer bells and whistles your system has, the less likelihood there is of a system hack. More information on the hosts.deny/allow files can be found by typing "man hosts.deny" or "man hosts.allow", both of which should bring up the same page.
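To see how the two files interact, here is a cut-down re-implementation of the lookup the TCP wrapper performs (an added example written for this article, not tcpd's own code). It reproduces the "in.fingerd : ALL" and "ALL : ALL" entries above in constructed temporary files and adds one hypothetical hosts.allow exception for POP from a 192.168.1.0/24 home LAN; net/mask patterns, LOCAL and EXCEPT are not handled.

```sh
#!/bin/sh
# Added example (mine, not tcpd's source): a cut-down re-implementation of the
# lookup the TCP wrapper does on /etc/hosts.allow and /etc/hosts.deny, so the
# order of evaluation can be tried out without touching /etc. Patterns handled:
# ALL, an exact daemon/client name or IP, a trailing-dot network prefix
# ("192.168.1.") and a leading-dot domain suffix; net/mask, LOCAL and EXCEPT are not.
# matches PATTERN VALUE: succeed if VALUE matches one access-control pattern.
matches() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;
        .*)  case "$val" in *"$pat") return 0 ;; esac ;;
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON CLIENT: succeed if some "daemons : clients" line in
# FILE matches both; comments and blanks are skipped, a third field is ignored.
file_matches() {
    [ -r "$1" ] || return 1
    while IFS=: read -r dlist clist _opts; do
        case "$dlist" in ''|'#'*) continue ;; esac
        dhit=1; chit=1
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do matches "$d" "$2" && dhit=0; done
        for c in $(printf '%s' "$clist" | tr ',' ' '); do matches "$c" "$3" && chit=0; done
        [ "$dhit" -eq 0 ] && [ "$chit" -eq 0 ] && return 0
    done < "$1"
    return 1
}

# wrap_check DAEMON CLIENT ALLOWFILE DENYFILE: return 0 when access is granted.
# hosts.allow is consulted first and a match there wins, then hosts.deny; a pair
# matching neither is allowed, which is why "ALL : ALL" in hosts.deny matters.
wrap_check() {
    if file_matches "$3" "$1" "$2"; then echo "$1 from $2: allowed by $3"; return 0; fi
    if file_matches "$4" "$1" "$2"; then echo "$1 from $2: denied by $4"; return 1; fi
    echo "$1 from $2: allowed (no rule matched)"; return 0
}

# Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny: the article's
# "in.fingerd : ALL" and "ALL : ALL" denials plus one exception for POP from the LAN.
ALLOW=$(mktemp); DENY=$(mktemp); trap 'rm -f "$ALLOW" "$DENY"' EXIT
printf 'ipop3d : 192.168.1.\n' > "$ALLOW"
printf '# finger is never allowed; then everything else is denied\nin.fingerd : ALL\nALL : ALL\n' > "$DENY"
for pair in "ipop3d 192.168.1.7" "ipop3d 10.0.0.5" "in.fingerd 192.168.1.7"; do
    set -- $pair
    wrap_check "$1" "$2" "$ALLOW" "$DENY" || true
done
```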

Proxy servers

Proxies and firewalls often go hand-in-hand. A proxy server is a program that serves as an intermediary between a user and a firewall gateway. Some advantages to using a proxy are enhanced security, administrative control, and caching services. Caching services are useful because once you've downloaded a site safely, you don't have to go back out to the Internet to retrieve it again later on—the page is saved locally.

For NT, your best bet for installing a firewall is using Microsoft's Proxy Server, which claims to be the first extensible firewall and web cache server for NT.

For Linux, a common proxy is Squid, which should be on your CD-ROM. Squid is probably your best bet; however, there are others, like TIS and SOCKS.

Virtual private networks

A virtual private network (VPN) is something like a firewall. It is designed to make the computer think that all network activity is taking place over a private network. Private networks are those in which you own absolutely everything, from the computers to the cables that connect them. However, if you belong to a large corporation like Microsoft, and you work from home in San Francisco, it would be quite expensive to buy all the bandwidth running from your home to Seattle. Because of this, virtual private networks have steadily gained popularity.

VPNs can be created using some sort of a masquerading with ipchains and such. However, especially for the home user, it may be more beneficial to use some sort of extranet hardware. One of the benefits of using extranet hardware is that it is easier to configure than using straight software and can also be applied to either NT or Linux platforms.

The hardware will look similar to a hub or router and will act as a sort of physical firewall. One of the main things this device does is encrypt packets going from Point A to Point B. The encryption used for VPN devices is often very good in that it makes use of Triple DES algorithms and keys that are hardcoded into the silicon. This encryption is difficult to crack. Though not all VPN device software supports the same protocols, the two that are most commonly used are known as IPSec (IP Security Protocol) and Microsoft's widely used PPTP (Point-to-Point Tunneling Protocol), so make sure your computer supports both.

Extranet hardware is available from many large vendors (such as 3Com), and has become increasingly popular with smaller companies such as SonicWALL (http://www.sonicwall.com). It is easy to use, and can be a relatively inexpensive and less frustrating alternative to private networks and firewalls.

So, do you need to consider using one of these protective devices for your home connection? The answer is a definitive "maybe." If you have sensitive data sitting on a client/server with an open connection to the Internet, you should begin thinking about how you're going to protect that information. Just 'cause you're at home doesn't mean you won't get hacked. Take a look at these options, do a little research, and come up with a solution that best fits your needs.

Further Resources

HOWTOs

HOWTOs will be on your Linux Distribution's CD-ROM. They always prove at least somewhat useful and are available in several languages.

  • Firewall-HOWTO
  • IPCHAINS-HOWTO
  • VPN-Masquerade-HOWTO
