Introduction to Firewall Builder 4.0

This is a user-contributed article.

This is the first article in the mini-series of two articles about Firewall Builder.

System administrators have a choice of modern open source and commercial firewall platforms at their disposal: netfilter/iptables on Linux; PF, ipfilter and ipfw on OpenBSD and FreeBSD; Cisco ASA (PIX); and other commercial solutions. All of these are powerful implementations with a rich feature set and good performance. Unfortunately, managing a security policy manually with any of them remains a non-trivial task for several reasons. Even though the configuration language can be complex and overwhelming with its multitude of features and options, this is not the most difficult problem in my opinion. An administrator who manages netfilter/iptables, PF or a Cisco firewall all the time quickly becomes an expert in their platform of choice. To do the job right, they need to understand the internal path of a packet inside the Linux or BSD kernel and its interaction with the different parts of the packet filtering engine. Things get significantly more difficult in installations that mix operating systems and platforms, where the administrator has to switch between netfilter/iptables, PF, Cisco routers and ASA to implement coordinated changes across multiple devices. This is where making changes gets complicated and the probability of human error increases. Unfortunately, typos and more serious errors in firewall or router access list configurations lead either to service downtime or to security problems, both expensive in terms of damage and the time required to fix them.

Security Through Obscurity: MAC Address Filtering ( Layer 2 Filtering )

MAC filtering (layer 2 address filtering) is an access control method in which the 48-bit address assigned to each network card is used to decide whether a device may access the network. Iptables, PF and IPFW can block a given MAC address on a network just as they block an IP address; one can deny or allow a MAC address such as 00:1e:2a:47:42:8d using open source firewalls. MAC address filtering is often used to secure a LAN or wireless network and its devices. Is this technique effective?

Vsftpd Set Download Only Anonymous Internet Server

This example shows how you might set up a large internet-facing FTP site for distributing files or software updates. The emphasis is on security and performance. vsftpd will make sure only world-readable files and directories are served to the world via the anonymous ftp account. You force FTP data connections to originate from a secure port, so that users on the FTP server cannot try to fake file content. You hide the FTP server user IDs and just display ftp in directory listings; this is also a performance boost. Set a 40000-60000 port range for passive connections, which makes the firewall setup easier.

Linux: Install Urchin 6 Web Analytics Software

Web analytics is the study of online behaviour in order to improve it. There are two categories: off-site and on-site web analytics. Google's Urchin 6 can be installed under Linux kernel 2.6 or 2.4 for Apache web log analysis. Urchin 6 is much like Google Analytics, the most widely used hosted web analytics system, but it is targeted at ecommerce or enterprise users:

Urchin Software from Google analyzes traffic for one or more websites and provides easy-to-understand reports on your visitors - where they come from, how they use your site, what converts them into customers, and much more. If you have content behind a security firewall or on an intranet or internal network that prevents you from using the Google Analytics service, Urchin Software from Google is for you.

In this small tutorial you will learn how to install Urchin 6 Web Analytics under Red Hat Enterprise Linux 5.x.

Step #1: Download Urchin 6

Visit the official site to grab the latest Urchin 6 for Linux kernel 2.6, or use the wget command as follows:
$ cd /tmp
$ wget http://dl.google.com/urchin/current_urchin6_linux2.6_kernel.zip

Step #2: Create MySQL database to store urchin data

First, connect to the MySQL server (remote host or local server):
$ mysql -h server-ip -u root -p
$ mysql -u root -p
Once connected, type the following command to create the urchin database:
mysql> create database urchin character set utf8;
Create the urchin user and grant it all permissions on the database:
mysql> GRANT ALL ON urchin.* to 'urchin'@'localhost' IDENTIFIED BY 'mySecreteUrchinPassword';
mysql> quit;

Step #3: Install Urchin

Unpack the Urchin software:
$ unzip current_urchin6_linux2.6_kernel.zip
$ mkdir urchin
$ tar -zxvf urchin6402_linux2.6_kernel.tar.gz -C urchin

Install the Urchin software:
$ cd urchin
$ ./install.sh

Follow the on-screen instructions; at the end you should see information like the following:

Installation Directory: /usr/local/urchin
Webserver Port: 9999
Webserver User: nobody
Webserver Group: nobody
SQL Server Type: mysql
SQL Server:
SQL Port: 3306
SQL Database: urchin
SQL User: urchin
SQL Password: (set but not displayed)
Initialize configuration database during install: Yes
Automatic monthly geodata updates: Yes
Start Webserver and Scheduler: Yes
Please select continue or exit [Default: 1]
   1. Continue
   2. Exit
Installing Urchin
Configuring Urchin to use existing SQL server
-- Initializing SQL database for Urchin
-- Configuring SQL parameters in urchin.conf
Creating webserver configuration
Setting file ownership and permission
Starting the Urchin webserver and scheduler daemon
Urchin webserver started on port 9999
Urchin SLAVE scheduler started
Urchin MASTER scheduler started
-- Installation Complete
The Urchin administrative interface should be ready to use at
To start or stop the Urchin webserver or scheduler, run 'urchinctl start'
or 'urchinctl stop' from the installation bin directory.
The administrative interface default username is admin and the password
is urchin.  A wizard will direct you through the process of licensing
the product and changing the default password.  We strongly recommend
that you change the default value to something more secure.

Configure Urchin

You need to open the default port in iptables. A sample rule, adjust it to your setup (${PUB_IF} is your public interface):
/sbin/iptables -A INPUT -i ${PUB_IF} -p tcp --destination-port 9999 -j ACCEPT
Next, type the following url to start the Urchin administrative interface:

Fig.01: Urchin 6 Login Screen

The default username is admin and the password is urchin. A wizard will direct you through licensing the product and changing the default password. You must obtain a license from Urchin software authorized consultants.

Linux Iptables Firewall: Log IP or TCP Packet Header

Iptables can log both IP and TCP headers to a log file. This is useful to:
=> Detect Attacks

=> Analyze IP / TCP Headers

=> Troubleshoot Problems

=> Intrusion Detection

=> Iptables Log Analysis

=> Feed 3rd-party applications such as PSAD (a tool to detect port scans and other suspicious traffic)

=> Use as an educational tool to understand TCP / IP header formats

How do I turn on Logging IP Packet Header Options?

Add the following commands to your iptables script:

iptables -A INPUT -j LOG --log-ip-options
iptables -A INPUT -j DROP

How do I turn on Logging TCP Packet Header Options?

Add the following commands to your iptables script:

iptables -A INPUT -j LOG --log-tcp-options
iptables -A INPUT -j DROP

You may need to add further filtering criteria such as source and destination ports/IP addresses and connection tracking state. To see the logged IP / TCP headers, use tail -f or grep:
# tail -f /var/log/messages
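A small parser for the lines these LOG rules write, added here as an example (not code from the original article), to show what --log-ip-options and --log-tcp-options actually put in the log and how a defender can use it: it splits the kernel's key=value fields and TCP flag tokens, decodes the TCP options hex (MSS, window scale, timestamps) for the educational use mentioned above, and runs a few simple heuristics (impossible flag combinations, source-routed IP options, one source touching many ports) of the kind PSAD automates. The sample log lines are constructed by hand in the kernel LOG target format using documentation addresses; they are not a real capture.

```python
"""Parse iptables LOG output and decode the logged IP/TCP header options.

Added example, not code from the original article.  SAMPLE_LOG is constructed
in the format the kernel LOG target writes when --log-ip-options and
--log-tcp-options are set: key=value fields, bare TCP flag tokens, and an
"OPT (hex)" dump of the options.  The IP options dump appears before PROTO=,
the TCP options dump after it.
"""
import re
from collections import defaultdict

# Constructed sample lines (documentation addresses, not a real capture).
SAMPLE_LOG = """\
Jun  3 10:01:12 fw kernel: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:1e:2a:47:42:8d:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40231 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A0010A5C60000000001030307)
Jun  3 10:01:13 fw kernel: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:1e:2a:47:42:8d:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4322 PROTO=TCP SPT=40232 DPT=23 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Jun  3 10:01:13 fw kernel: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:1e:2a:47:42:8d:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4323 PROTO=TCP SPT=40233 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Jun  3 10:01:14 fw kernel: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:1e:2a:47:42:8d:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=777 OPT (8307040A000001) PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Flag tokens in the order the kernel prints them.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
TCP_OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE",
                    4: "SACK_PERM", 5: "SACK", 8: "TIMESTAMP"}


def parse_log_line(line):
    """Return a dict of header fields from one LOG line, or None if not one."""
    if "kernel:" not in line:
        return None
    payload = line.split("kernel:", 1)[1]
    # Everything before PROTO= belongs to the IP header, everything after it
    # to the transport header; this separates the two possible OPT (...) dumps.
    ip_part, _, proto_part = payload.partition("PROTO=")
    rec = dict(re.findall(r"\b([A-Z]+)=(\S*)", payload))
    rec["flags"] = [f for f in TCP_FLAGS if re.search(r"\b%s\b" % f, proto_part)]
    rec["df"] = bool(re.search(r"\bDF\b", ip_part))
    m = re.search(r"OPT \(([0-9A-Fa-f]*)\)", ip_part)
    rec["ip_options"] = m.group(1) if m else ""
    m = re.search(r"OPT \(([0-9A-Fa-f]*)\)", proto_part)
    rec["tcp_options"] = m.group(1) if m else ""
    return rec


def decode_tcp_options(hexstr):
    """Walk the TCP options TLV list: kind, length, value (RFC 793 layout)."""
    data = bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                       # end of option list
            out.append(("EOL", None))
            break
        if kind == 1:                       # single-byte padding
            out.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(data):
            out.append(("TRUNCATED", kind))
            break
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            out.append(("MALFORMED", kind))  # length field does not fit
            break
        body = data[i + 2:i + length]
        name = TCP_OPTION_NAMES.get(kind, "KIND%d" % kind)
        value = int.from_bytes(body, "big") if kind in (2, 3) else body.hex()
        out.append((name, value))
        i += length
    return out


def find_suspicious(records):
    """Cheap heuristics over parsed records; returns (src, reason) pairs."""
    findings = []
    ports_by_src = defaultdict(set)
    for r in records:
        if r.get("PROTO") != "TCP":
            continue
        flags = set(r["flags"])
        if {"SYN", "FIN"} <= flags:
            findings.append((r["SRC"], "SYN+FIN set"))
        if not flags:
            findings.append((r["SRC"], "null scan (no TCP flags)"))
        # First IP option kind 0x83 (LSRR) or 0x89 (SSRR) means source routing;
        # a NOP-padded list would need a TLV walk like decode_tcp_options.
        if r["ip_options"][:2].upper() in ("83", "89"):
            findings.append((r["SRC"], "source-routed packet"))
        ports_by_src[r["SRC"]].add(r["DPT"])
    for src, ports in ports_by_src.items():
        if len(ports) >= 3:
            findings.append((src, "probed %d distinct ports" % len(ports)))
    return findings


if __name__ == "__main__":
    records = [r for r in map(parse_log_line, SAMPLE_LOG.splitlines()) if r]
    for rec in records:
        print(rec["SRC"], "->", rec["DST"], "dpt", rec.get("DPT"), rec["flags"],
              decode_tcp_options(rec["tcp_options"]))
    for src, why in find_suspicious(records):
        print("ALERT", src, why)
```

Run it against a real /var/log/messages by feeding the file's lines to parse_log_line; lines without "kernel:" are skipped. The thresholds in find_suspicious are deliberately crude, which is why a dedicated tool such as PSAD is the better choice for production detection.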

Protect Your Network from spamming, scanning, harvesting and DDoS attacks with the DROP List

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.

DROP is currently available as a simple text list, but will shortly also be available as BGP, with routes for the listed IPs announced via an AS#, allowing networks to null-route them as IPs they do not wish to carry traffic for.

The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

When implemented at a network's or ISP's core routers, DROP will protect all the network's users from spamming, scanning, harvesting and DDoS attacks originating on rogue netblocks.

Shell script to apply DROP

Here is a shell script that you need to run on a Linux-based firewall, router, or dedicated Linux web or mail server:

#!/bin/bash
# Download the DROP list and add every listed netblock to a dedicated chain.
# $URL and $FILE were not defined in the original script; the list location
# below is an assumption, adjust it to the copy of the list you use.
URL="https://www.spamhaus.org/drop/drop.txt"
FILE="/tmp/drop.txt"
echo ""
echo -n "Applying DROP list to existing firewall..."
[ -f "$FILE" ] && /bin/rm -f "$FILE"
cd /tmp || exit 1
wget -q -O "$FILE" "$URL" || { echo "download failed"; exit 1; }
# Skip ';' comment lines and keep only the first column (the CIDR block).
blocks=$(grep -v '^;' "$FILE" | awk '{ print $1 }')
iptables -N droplist
for ipblock in $blocks
do
  iptables -A droplist -s "$ipblock" -j LOG --log-prefix "DROP List Block "
  iptables -A droplist -s "$ipblock" -j DROP
done
iptables -I INPUT -j droplist
iptables -I OUTPUT -j droplist
iptables -I FORWARD -j droplist
echo "...Done"
/bin/rm -f "$FILE"

Call the above script from your existing firewall script every 24 hours to update the block list. Every time it is run by crontab it will download the list and reapply the changes. You may need to modify the script to delete the droplist chain before reapplying the list. Please note that if you are using Cisco routers, use this script for the same purpose. You can also use the Cisco 'null route' command:

ip route <network> <mask> null0

If you don't want to play with iptables, null-route all bad IPs using the route command (Linux syntax):
# route add <IP> gw lo
# route add -net <IP/mask> gw lo

Try this and you will be surprised how much spam and other bad traffic gets blocked.
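The shell script above pipes whatever the download contains straight into iptables and, as the text notes, appends duplicate rules unless the chain is deleted first. The following added example (mine, not the article's script) addresses both points: it validates each entry with Python's ipaddress module before anything reaches the firewall, rejects entries that overlap your own private or loopback space (a poisoned or mis-downloaded list would otherwise cut the host off), and generates a rule set that recreates the chain idempotently so it can be rerun from cron; it also emits the equivalent iproute2 blackhole routes for the null-route alternative. The list format assumed is one CIDR per line followed by "; reference", with ';' comment lines; SAMPLE_LIST is constructed from documentation prefixes and is not real list content. The commands are only printed, never executed.

```python
"""Validate a DROP-format list and emit an idempotent iptables rule set.

Added example; this is not the article's script.  The file format assumed here
is one netblock per line in CIDR form, followed by "; <reference>", with lines
starting with ';' as comments.  SAMPLE_LIST is constructed from documentation
prefixes and is not real list content.  Rules are returned as strings and
printed, never executed, so they can be reviewed before use.
"""
import ipaddress

SAMPLE_LIST = """\
; Constructed sample in DROP list format (documentation prefixes, not real data)
; Last-Modified: Thu, 01 Jan 2009 00:00:00 GMT
192.0.2.0/24 ; SBL-EXAMPLE-1
198.51.100.0/24 ; SBL-EXAMPLE-2
203.0.113.0/24; SBL-EXAMPLE-3
not-an-address/24 ; garbage that must never reach iptables
192.0.2.0/24 ; duplicate of the first entry
10.0.0.0/8 ; private space that would cut off the local network
"""

CHAIN = "droplist"

# Space a DROP-style list should never contain; blocking it would break the
# host's own connectivity, so such entries are treated as list corruption.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def parse_drop_list(text):
    """Return (networks, rejected_lines).

    Only syntactically valid IPv4 prefixes with no host bits set (strict=True)
    that do not overlap NEVER_BLOCK are accepted; duplicates are dropped silently.
    """
    networks, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()   # drop the "; reference" tail
        if not entry:
            continue                           # blank or pure comment line
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append(raw)
            continue
        if net.version != 4 or any(net.overlaps(x) for x in NEVER_BLOCK):
            rejected.append(raw)
            continue
        if net not in seen:
            seen.add(net)
            networks.append(net)
    return networks, rejected


def build_rules(networks, chain=CHAIN, prefix="DROP List Block "):
    """iptables commands that rebuild the chain from scratch, safe to rerun."""
    rules = [
        "iptables -N %s 2>/dev/null || true" % chain,  # create only if missing
        "iptables -F %s" % chain,                      # discard last run's entries
    ]
    for net in networks:
        rules.append('iptables -A %s -s %s -j LOG --log-prefix "%s"'
                     % (chain, net, prefix))
        rules.append("iptables -A %s -s %s -j DROP" % (chain, net))
    for hook in ("INPUT", "FORWARD"):
        # -C tests whether the jump already exists, so repeated runs add it once.
        rules.append("iptables -C %s -j %s 2>/dev/null || iptables -I %s -j %s"
                     % (hook, chain, hook, chain))
    return rules


def build_null_routes(networks):
    """iproute2 blackhole routes as the routing-table alternative to iptables."""
    return ["ip route replace blackhole %s" % net for net in networks]


if __name__ == "__main__":
    nets, bad = parse_drop_list(SAMPLE_LIST)
    for line in bad:
        print("rejected:", line)
    print("\n".join(build_rules(nets)))
    print("\n".join(build_null_routes(nets)))
```

The generated rules match on source address in INPUT and FORWARD only; stopping the host's own outbound connections to listed space would need matching rules on the destination address (-d) in OUTPUT, which the original script's -s rules in OUTPUT do not achieve. "ip route replace" is used instead of "add" so that rerunning the routes is also harmless.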

Linux: The hole trick to bypass firewall restriction

Have you ever wondered how P2P software like Skype exchanges data directly when both client desktops sit behind a firewall that only permits outgoing traffic?

This article explains how Skype & Co. get around firewalls using the hole trick. From the article:
Peer-to-peer software applications are a network administrator's nightmare. In order to be able to exchange packets with their counterpart as directly as possible they use subtle tricks to punch holes in firewalls, which shouldn't actually be letting in packets from the outside world.