* Core Linux Router - NO NAT
From: Mark Seamans @ 2003-03-20 23:23 UTC (permalink / raw)
To: netfilter
I have a Linux router that consists of 4 T1 ports and 1 Ethernet.
This "Router" will act as an ISP core router doing Routing Only!
I wish to protect the box itself, while it performs its duties as a Router,
allowing only ssh from the IPs that I wish for management. This way I can
also set up rules to protect it from DOS attacks etc...
Now I have been thinking of this, but I can go two ways:
1. Making it harder than it really is -OR-
2. Allowing it to be so easy it is not secure.
So any suggestions would be great.
Thanks!
Mark
marks@crvinc.com
* Re: Core Linux Router - NO NAT
From: Joel Newkirk @ 2003-03-21 6:41 UTC (permalink / raw)
To: Mark Seamans, netfilter
On Thursday 20 March 2003 06:23 pm, Mark Seamans wrote:
> I have a Linux router that consists of 4 T1 ports and 1 Ethernet.
> This "Router" will act as an ISP core router doing Routing Only!
> I wish to protect the box itself, while it performs its duties as a
> Router allowing only ssh from the IPs that I wish for management.
> This way I can also set up rules to protect it from DOS attacks etc...
> Now I have been thinking of this, but I can go two ways:
> 1. Making it harder than it really is -OR-
> 2. Allowing it to be so easy it is not secure.
>
> So any suggestions would be great.
>
> Thanks!
>
> Mark
> marks@crvinc.com
For the basic task of restricting access to the routing box itself, and
allowing only SSH connections from designated IPs:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -N SSHLOG
iptables -A SSHLOG -j LOG --log-level debug --log-prefix "Router SSH Access:"
iptables -A SSHLOG -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s a.b.c.d -j SSHLOG
{repeat last rule as needed for different authorized IPs}
Another approach might be to have only one or two IPs from which you
allow SSH connections. Then if you need to connect from a remote
client, SSH to the authorized client, (an admin box at the office?) then
SSH from that client to the router. (I use this approach to SSH to my
home desktop - which cannot be directly reached from the internet - by
first initiating an SSH session to my gateway from one of the IPs from
which IT will accept an SSH connection)
If your usage will permit, you can match more closely in the INPUT rules
by also restricting to input on a particular interface. This is made
more likely if you use the double-SSH approach above, the main reason I
mentioned it.
You can change /etc/syslog.conf to add a new target like:
kern.=debug /var/log/firewall
or even set it up for remote logging with
kern.=debug @remotelogginghostname
(this would make it much harder for someone who has compromised the box
to cover their tracks, and would require an additional OUTPUT rule
ACCEPTing UDP dport 514 to the designated logging host)
j
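The ruleset Joel gives, written out as a reviewable shell script. This is an added example, not Joel's or the list's code: the addresses, interface name and log host are constructed placeholders, and unless IPTABLES is set to the real binary the script only prints the iptables commands instead of loading them. Beyond the rules quoted above it adds loopback rules, pins each SSH rule to the management interface as Joel suggests, and includes the UDP 514 OUTPUT rule that remote logging needs.

```shell
#!/bin/sh
# Added example, not from the thread: emits the host-protection ruleset Joel
# describes as a reviewable script. IPTABLES defaults to "echo iptables" so the
# rules are printed rather than applied; set IPTABLES=iptables to load them.
IPTABLES="${IPTABLES:-echo iptables}"

# Constructed values for this example; replace them with your own.
ADMIN_IPS="192.0.2.10 192.0.2.11"   # management hosts allowed to SSH in
MGMT_IF="eth0"                      # the interface they arrive on
LOGHOST="198.51.100.5"              # remote syslog host (kern.=debug @host)

router_rules() {
    # Only traffic to and from the router itself is filtered. FORWARD keeps
    # its default ACCEPT policy, so packets routed between the T1s and the
    # Ethernet are untouched, and no connection tracking is loaded.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD ACCEPT

    # Let the box talk to itself (local resolver, syslog socket, and so on).
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Log-then-accept chain so every management login leaves a kernel log line.
    $IPTABLES -N SSHLOG
    $IPTABLES -A SSHLOG -j LOG --log-level debug --log-prefix "Router SSH Access:"
    $IPTABLES -A SSHLOG -j ACCEPT

    # SSH replies out; the ruleset is stateless, so match the source port.
    $IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT

    # One INPUT rule per authorised IP, pinned to the management interface
    # so the same source address arriving on a T1 is still dropped.
    for ip in $ADMIN_IPS; do
        $IPTABLES -A INPUT -i "$MGMT_IF" -p tcp --dport 22 -s "$ip" -j SSHLOG
    done

    # The extra OUTPUT rule remote logging needs: syslog over UDP 514.
    $IPTABLES -A OUTPUT -p udp --dport 514 -d "$LOGHOST" -j ACCEPT
}

# Number of INPUT rules that admit SSH; a quick sanity check in dry-run mode.
count_ssh_rules() {
    router_rules | grep -c -- 'INPUT .*--dport 22'
}

router_rules
```

Because both INPUT and OUTPUT default to DROP, anything the router itself originates or terminates (routing-protocol sessions, DNS, NTP) needs a rule of its own; transit traffic is unaffected because FORWARD is not touched. On a box 1600 miles away, load the rules from one session while a second one runs a timed fallback such as "(sleep 300 && iptables -P INPUT ACCEPT && iptables -F INPUT) &", and kill the fallback only once a fresh SSH login succeeds.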
* Re: Core Linux Router - NO NAT
From: Mark Seamans @ 2003-03-21 11:16 UTC (permalink / raw)
To: netfilter, netfilter
So, this will allow all routing between all interfaces to all networks but
only allow host 1.2.3.4 to have access to ssh?
See! I was going to make it too hard. I do appreciate the tip. I will be
doing this on a production box for an ISP 1600 miles away with little room
for error.
* Re: Core Linux Router - NO NAT
From: James A. Pattie @ 2003-03-21 15:19 UTC (permalink / raw)
To: Mark Seamans; +Cc: netfilter
Mark Seamans wrote:
> I have a Linux router that consists of 4 T1 ports and 1 Ethernet.
> This "Router" will act as an ISP core router doing Routing Only!
> I wish to protect the box itself, while it performs its duties as a
> Router allowing only ssh from the IPs that I wish for management. This way
> I can also set up rules to protect it from DOS attacks etc...
> Now I have been thinking of this, but I can go two ways:
> 1. Making it harder than it really is -OR-
> 2. Allowing it to be so easy it is not secure.
>
> So any suggestions would be great.
Newer versions of ssh will honor the hosts.allow and hosts.deny files,
so you might want to make sure that hosts.allow only lets sshd
connections from the IPs you are interested in. Just make sure you do
an ALL : ALL in hosts.deny so that no other services can get to the box
that you haven't allowed in hosts.allow.
Note: there are services that don't use the hosts.allow/deny files
(apache for example) so you need to make sure you don't have anything
unneeded running.
You could do this without needing to set up firewall rules, but then it
becomes harder to limit DOS attacks, etc.
--
James A. Pattie
james@pcxperience.com
Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/
GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
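The decision order James relies on, as a small evaluator of hosts.allow / hosts.deny semantics: the allow file is consulted first, then the deny file, and a (daemon, client) pair matched by neither is permitted. This is an added example, not from the thread and not tcp_wrappers' own code; the file contents are constructed, and only ALL, exact IPv4 addresses and dotted network prefixes such as 192.0.2. are understood (host names, netmasks and option fields are ignored). The last call shows James's point: without ALL : ALL in hosts.deny, a wrapped service that is missing from hosts.allow is reachable from anywhere.

```shell
#!/bin/sh
# Added example: evaluates the tcp_wrappers access decision for a daemon and
# client IP against constructed hosts.allow / hosts.deny contents. It is an
# illustration of the rule order, not a replacement for tcpdchk(8).

# Constructed sample files (assumptions for this example).
HOSTS_ALLOW='sshd : 192.0.2.10, 192.0.2.11'
HOSTS_DENY_GOOD='ALL : ALL'
HOSTS_DENY_WEAK=''   # an empty hosts.deny: nothing is ever denied

# token_matches PATTERN VALUE -> 0 if PATTERN covers VALUE
token_matches() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # 192.0.2. style prefix
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# list_matches "a, b c" VALUE -> 0 if any comma/space separated token covers VALUE
list_matches() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        token_matches "$tok" "$2" && return 0
    done
    return 1
}

# file_matches FILE_CONTENT DAEMON CLIENT -> 0 if some "daemons : clients" line
# matches both; comments, blank lines and a trailing ": option" field are skipped
file_matches() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        clients=${clients%%:*}
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            echo hit
        fi
    done | grep -q hit
}

# hosts_access ALLOW DENY DAEMON CLIENT -> prints allow or deny
hosts_access() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow      # listed in neither file: tcp_wrappers permits
    fi
}

for client in 192.0.2.10 203.0.113.7; do
    echo "sshd from $client: $(hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY_GOOD" sshd "$client")"
done
echo "in.telnetd from 192.0.2.10, hosts.deny has ALL : ALL: $(hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY_GOOD" in.telnetd 192.0.2.10)"
echo "in.telnetd from 192.0.2.10, hosts.deny empty:         $(hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY_WEAK" in.telnetd 192.0.2.10)"
```

The evaluator only covers daemons that actually go through libwrap or tcpd; as James notes, a service such as apache never consults these files, which is why the firewall rules still matter.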
* Re: Core Linux Router - NO NAT
From: Kelly Setzer @ 2003-03-21 15:23 UTC (permalink / raw)
To: netfilter; +Cc: Mark Seamans
On Fri, Mar 21, 2003 at 01:41:22AM -0500, Joel Newkirk wrote:
> On Thursday 20 March 2003 06:23 pm, Mark Seamans wrote:
> > I wish to protect the box itself, while it performs its duties as a
> > Router allowing only ssh from the IPs that I wish for management.
> > This way I can also set up rules to protect it from DOS attacks etc...
> >
> > So any suggestions would be great.
> >
> Another approach might be to have only one or two IPs from which you
> allow SSH connections. Then if you need to connect from a remote
I've seen the argument made that ssh should be configured only to
authenticate with rsa keys.
(PasswordAuthentication no)
It makes it impossible for someone to try guessing passwords.
Whether or not you can keep your key secure is another matter.
Also, running ssh on another port, say port 25 or 80, will help you
evade some of the automated scanning tools.
Kelly
--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com http://www.placemark.com
(972)404-8100x41 (work) (214) 287-3464 (cell)
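A way to confirm that the PasswordAuthentication no Kelly recommends actually takes effect. sshd uses the first value it reads for a keyword, so a line appended to the end of sshd_config loses to an earlier one, and settings inside a Match block apply only conditionally. This is an added example, not from the thread: the config fragments are constructed, and the parser handles only the plain "keyword argument" and "keyword=argument" forms, stopping at the first Match line.

```shell
#!/bin/sh
# Added example: report the value sshd would actually use for a keyword,
# given the contents of sshd_config. First occurrence wins; Match blocks are
# not evaluated (the scan stops there); DEFAULT is printed if the keyword
# never appears before that point.

# Constructed sshd_config with the classic mistake: the "no" was appended
# after an existing "yes", so the earlier "yes" stays in force.
CFG_SAMPLE='# constructed sshd_config fragment
Port 22
Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later, expecting it to win:
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication no'

# The corrected file: the setting appears once, before any Match block.
CFG_FIXED='Port 22
PasswordAuthentication no
PubkeyAuthentication yes'

# sshd_effective CONFIG KEYWORD DEFAULT -> prints the effective value
sshd_effective() {
    cfg=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    def=$3
    found=$(printf '%s\n' "$cfg" | tr '=' ' ' | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        word=$(printf '%s' "$line" | awk '{print tolower($1)}')
        [ "$word" = match ] && break              # conditional section: stop
        if [ "$word" = "$key" ]; then
            printf '%s' "$line" | awk '{print $2}'
            break                                 # first value wins
        fi
    done)
    if [ -n "$found" ]; then printf '%s\n' "$found"; else printf '%s\n' "$def"; fi
}

# check_password_auth CONFIG -> 0 when password logins are effectively off.
# The default of "yes" is an assumption matching sshd's documented default.
check_password_auth() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ]
}

for name in CFG_SAMPLE CFG_FIXED; do
    eval "cfg=\$$name"
    echo "$name: Port=$(sshd_effective "$cfg" Port 22)" \
         "PasswordAuthentication=$(sshd_effective "$cfg" PasswordAuthentication yes)"
    if check_password_auth "$cfg"; then
        echo "$name: password guessing is off the table"
    else
        echo "$name: password logins still enabled"
    fi
done
```

On a live box, newer sshd versions print the effective configuration with sshd -T; older ones offer only sshd -t, which checks syntax and says nothing about which duplicate won.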