Linux how to | Linux Server | Linux tutorials

Grsecurity on Debian

mike — Fri, 19 Aug 2011 10:31:30 +0000

If you do not know yet what is grsec / grsecurity, a good starting point is http://grsecurity.net/.
For linux, grsecurity is a “Holy Grail” in security. In addition, it will get rid of a problem that has linux and that irritates me me:
ps aux (after any user can see all processes.)

In this short tutorial I will show you how to install the debian grsecurity, without configure it from source .

linuxsrv ~ # echo “deb http://debian.cr0.org/repo/ kernel-security/” >> /etc/apt/sources.list
linuxsrv ~ # curl -o kernel-security.asc http://kernelsec.cr0.org/kernel-security.asc
linuxsrv ~ # apt-key add kernel-security.asc
linuxsrv ~ # apt-get update
linuxsrv ~ # apt-get install linux-image-2.6.32.15-1-grsec

If you want the sources from linux-image-2.6.32.15-1-grsec:

linuxsrv ~ # apt-get install linux-source-2.6.32.15-1-grsec
If you need paxctl to set flags on binary (PAGEEXEC, EMUTRMAP, MPROTECT, RANDMMAP, RANDEXEC and SEGMEXEC)

linuxsrv ~ # apt-get install paxctl

After the kernel installed , if you want simlink’s “vmlinuz” and “vmlinuz.old” in “/”, you can delete and then change the ‘lilo.conf’. On this server looks like this:

image=/boot/vmlinuz-2.6.32.15-1-grsec
label=Linux
read-only
initrd=/boot/initrd.img-2.6.32.15-1-grsec

image=/boot/vmlinuz-2.6.32-5-amd64
label=LinuxOLD
read-only
optional
initrd=/boot/initrd.img-2.6.32-5-amd64

Do not forget to lilo-v after the changes. If you are not experienced with OS boot I will not advise you to try changing the kernel. It is recommended that you have access to a console ipkvm / ILO / dell devil.

Reference links:

http://kernelsec.cr0.org/

http://pax.grsecurity.net/

http://grsecurity.net/

Recommended:

http://en.wikibooks.org/wiki/Grsecurity

Debian DHCP server installation and configuration

mike — Fri, 19 Aug 2011 10:09:41 +0000

Installing and configuring dhcpd server on Debian (Lenny)

## Install DHCP server for automatic IP assignment
apt-get update
apt-get install dhcp3-server

## Remove original config file and set the IP address for eth1 (internal network card)
rm /etc/dhcp3/dhcpd.conf
pico /etc/network/interfaces

# —————————————— #
## Example configuration: (no eth0)
auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
# —————————————— #

## Configure “dhcpd.conf”
# From file: “/etc/dhcp3/dhcpd.conf”

example:
# ————————————————- ————– #
# ————————- #
# Dhcpd configuration file #
# ————————- #

# Server configuration
DDNS-update-style ad-hoc;
boot-unknown-clients false;
option domain-name-servers 4.2.2.2,4.2.2.3,4.2.2.4,4.2.2.5;
authoritative;
default-lease-time 43200;
max-lease-time 86400;
allow unknown-clients;

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.2 192.168.0.254;
option subnet-mask 255.255.255.0;
option routers 192.168.0.1;
option broadcast-address 192.168.0.255;
allow unknown-clients;
}
# ————————————————- ————– #

Notes:

DHCP server will assign IP addresses in the range: 192.168.0.2 – 192.168.0.254
If you want the DHCP server to allocate IP addresses used by Poppy example below (just below the line “allow unknown-clients” in dhcpd.conf)
Hardware address (Mac) can be seen using arping command (ex: arping -I eth1 local_ip)

linuxserver host {
hardware ethernet 00:2b:dc:36:32:46;
fixed-address 192.168.0.10;
}

Installing and configuring memcached

mike — Fri, 19 Aug 2011 05:41:35 +0000

Undoubtedly, memcached is the best caching system can be run distributed reaching extreme performance ( it uses libevent find).

As dependency to be used we will need: libevent, memcached and php-memcached PECL.

## Install PHP PECL Memcache and memcached-(Dependencies will be installed along with them)
yum install php-pecl-memcache memcached

## To Configure the memcached edit the file ‘/ etc / sysconfig / memcached “as follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Memcached configuration file
# Port used
PORT=”11211″
# User daemon runs memcached
USER=”memcached”
# The maximum number of connections
MAXCONN=”1024″
# Size of memory that can be used
Cachesize=”512″
OPTIONS=”"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Activate memcached to start at boot
chkconfig memcached on

## Start the daemon
memcached service home

Find memory used by a group of processes

mike — Fri, 19 Aug 2011 05:36:21 +0000

## To find memory used by a group of processes (Example: php-cgi / http):
ps aux | grep –exclude=grep httpd | awk ‘BEGIN{s=0;}{s=s+$6;}END{print s;}’

## To find the average memory after a group of processes:
ps aux | grep –exclude=grep httpd | awk ‘BEGIN{s=0;}{s=s+$6;}END{print s/126;}’

Note: The return value is expressed in KB.

From holy “man ps”:
RSS: resident set size, the non-swapped physical memory used That HAS to task (in kilobytes)

Suphp + DSO on the same server

mike — Thu, 18 Aug 2011 19:59:53 +0000

First of all we will explain the terms used.

DSO – Dynamic Shared Object
MPM – Multi-Processing Modules

The idea is to run on the same apache both mod_php (DSO) with suphp. First, mod_php is very fast but sux at security chapter.
In this case (example) Apache with MPM Prefork have two virtual hosts, each one with suPHP and mod_php. For better understand, I’ll start with sections of configuration file (httpd.conf).

If you have any questions, please leave a comment.


# # Load Modules

LoadModule suphp_module            modules/mod_suphp.so

LoadModule php5_module             modules/libphp5.so
# # SuPHP Configuration



 suPHP_Engine on

 suPHP_AddHandler x-httpd-php

 AddHandler x-httpd-php .php .phtml

suPHP_ConfigPath /usr/local/etc


# # Default, mod_php is OFF (PHP engine off), so suPHP is default.

php_admin_flag engine off
# # Virtual host that uses suPHP



 DocumentRoot /home/cristian/www/example.com

 ServerAdmin tech@linuxserver.org

 ServerName example.com

 ServerAlias www.example.com

 CustomLog logs/example.com-access_log combined

 ErrorLog logs/example.com-error_log

 suPHP_UserGroup cristian cristian

 suPHP_ConfigPath /etc/userconfig/cristian


# Virtual host that uses mod_php (DSO)



 DocumentRoot /home/client/www/websiteclient.com

 ServerAdmin cristian@linuxserver.org

 ServerName websiteclient.com

 ServerAlias www.websiteclient.com

 CustomLog logs/websiteclient.com-access_log combined

 ErrorLog logs/websiteclient.com-error_log

 suPHP_Engine Off

 php_admin_flag engine on

 RemoveHandler .php

PHP virtual host settings in Apache with DSO

mike — Thu, 18 Aug 2011 12:12:31 +0000

Perhaps you have wondered how to set per virtual host settings when using mod_php (DSO) to apache.
The suPHP is simple for each user or virtual host can have his own php.ini .
In the example below you can see how to configure a virtual host with PHP custom settings.
We use Suhosin to enhance security.

DocumentRoot /home/vhosts/www/linuxserver.org
ServerAdmin admin@linuxserver.org
ServerName linuxserver.org
ServerAlias www.linuxserver.org
CustomLog logs/linuxserver.org-access_log combined
ErrorLog logs/linuxserver.org-error_log
php_admin_value suhosin.executor.func.blacklist “exec,shell_exec,passthru,show_source,dl,leak,ini_alter,ini_restore,proc_open,proc_nice,proc_terminate,proc_close,proc_get_status,symlink,system,popen,pcntl_getpriority,pcntl_wait,diskfreespace,disk_free_space,disk_total_space,get_current_user,get_headers,headers_list,stream_socket_accept,stream_socket_client,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_server,stream_socket_shutdown”
php_admin_value disable_functions “exec,shell_exec,passthru,dl”
php_admin_value open_basedir “/home/vhosts/www:/usr/local/bin:/usr/bin:/tmp:/usr/local/share/pear”
php_admin_value memory_limit 88M
php_admin_value post_max_size 56M
php_admin_value max_execution_time 25
php_admin_value max_input_time 60

VPN Server on Debian Lenny

mike — Wed, 17 Aug 2011 10:52:44 +0000

Installation and setup for a VPN server on Debian Lenny in few minutes

# Install pptpd
apt-get install pptpd

# Turn on IP Forwarding
sysctl-w net.ipv4.ip_forward = 1

# We set the permanent IP forwarding
pico /etc/sysctl.conf
# Remove the comment line “net.ipv4.ip_forward = 1″

# Configure pptpd
# Example:
10.0.1.1 LOCALIP
remoteip 10.0.0.3-10.0.0.200

# Configure DNS
# File “/etc/ppp/pptpd-options”
# Example DNS sites:
ms-dns 4.2.2.2
ms-dns 4.2.2.3

# We add authentication in “/etc/ppp/pap-secrets’
# Format: username pptpd password *
echo “test pptpd cdhc1346wvkv *”> /etc/ppp/pap-secrets

# Restart the daemon
/etc/init.d/pptpd restart

# allow port 1723 / TCP if we want to connect from outside.
iptables-I INPUT-p tcp – dport 1723 -j ACCEPT

# we are done here.

Set Date Time and Timezone on linux

mike — Wed, 17 Aug 2011 10:43:50 +0000

To synchronize with a server on the exact time and if you want to set the hardware clock in localtime and time as short as possible, you can use the example below, (this example is for linux)

root@example[~] # rm /etc/localtime && ln -s /usr/share/zoneinfo/US/Pacific /etc/localtime
root@example[~] # ntpdate -vb de.pool.ntp.org && hwclock -w
Aug 17 04:23:43 ntpdate[6332]: ntpdate 4.2.4p4@1.1520-o Mon May 12 19:58:15 UTC 2009 (1)
Aug 17 04:23:49 ntpdate[6332]: step time server 92.86.31.38 offset 14.817283 sec
root@example[~] # date
Wed Aug 17 12:40:25 EEST 2011
root@example[~] #

Installing Apache and PHP on Debian

mike — Wed, 17 Aug 2011 10:36:25 +0000

This is a tutorial for beginners extremely small: In this short tutorial I will show you how to install apache and php on Debian in just 4 minutes. Setting the example was done on a virtual machine.

root@example:~# apt-get install apache2
root@example:~# apt-get install php5 php5-cli php5-cgi php5-curl php5-common php5-gd php5-mcrypt php5-mysql php5-tidy libapache2-mod-php5
root@example:~# a2enmod rewrite
root@example:~# /etc/init.d/apache2 restart
root@example:~# echo “” >> /var/www/index.php
root@example:~# rm /var/www/index.html

DNS configuration Ubuntu

mike — Sat, 19 Mar 2011 11:20:50 +0000

9WWVWRNNBR6R

Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain names (FQDN) to one another. In this way, DNS alleviates the need to remember IP addresses. Computers that run DNS are called name servers. Ubuntu ships with BIND (Berkley Internet Naming Daemon), the most common program used for maintaining a name server on GNU/Linux.

Installation

At a terminal prompt, enter the following command to install dns:

sudo apt-get install bind

Configuration

The DNS configuration files are stored in the /etc/bind directory. The primary configuration file is /etc/bind/named.conf. The content of the default configuration file is shown below:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, *BEFORE* you customize this configuration file.
//

include "/etc/bind/named.conf.options";

// reduce log verbosity on issues outside our control
logging {
	category lame-servers { null; };
	category cname { null; };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// add local zone definitions here
include "/etc/bind/named.conf.local";

The include line specifies the filename which contains the DNS options. The directory line in the options file tells DNS where to look for files. All files BIND uses will be relative to this directory.

The file named /etc/bind/db.root describes the root name servers in the world. The servers change over time and must be maintained now and then.

The zone section defines a master server, and it is stored in a file mentioned against file tag. Every zone file contains 3 resource records (RRs): an SOA RR, an NS RR and a PTR RR. SOA is short of Start of Authority. The “@” is a special notation meaning the origin. NS is the Name Server RR. PTR is Domain Name Pointer. To start the DNS server, run the following command from a terminal prompt:

sudo /etc/init.d/bind start

You can refer to the documentation mentioned in the references section for details.

References

DNS HOWTO

DHCP server on Ubuntu

mike — Sat, 19 Mar 2011 11:17:31 +0000

Learn how to install Dynamic Host Configuration Protocol

The Dynamic Host Configuration Protocol (DHCP) is a network service that enables host computers to be automatically assigned settings from a server as opposed to manually configuring each network host. Computers configured to be DHCP clients have no control over the settings they receive from the DHCP server, and the configuration is transparent to the computer’s user.

The most common settings provided by a DHCP server to DHCP clients include:

IP-Address and Netmask
DNS
WINS

However, a DHCP server can also supply configuration properties such as:

Host Name
Domain Name
Default Gateway
Time Server
Print Server

The advantage of using DHCP is that changes to the network, for example a change in the address of the DNS server, need only be changed at the DHCP server, and all network hosts will be reconfigured the next time their DHCP clients poll the DHCP server. As an added advantage, it is also easier to integrate new computers into the network, as there is no need to check for the availability of an IP address. Conflicts in IP address allocation are also reduced.

A DHCP server can provide configuration settings using two methods:

MAC Address: This method entails using DHCP to identify the unique hardware address of each network card connected to the network and then continually supplying a constant configuration each time the DHCP client makes a request to the DHCP server using that network device.
Address Pool: This method entails defining a pool (sometimes also called a range or scope) of IP addresses from which DHCP clients are supplied their configuration properties dynamically and on a fist come first serve basis. When a DHCP client is no longer on the network for a specified period, the configuration is expired and released back to the address pool for use by other DHCP Clients.

Ubuntu is shipped with both DHCP server and client. The server is dhcpd (dynamic host configuration protocol daemon). The client provided with Ubuntu is dhclient and should be installed on all computers required to be automatically configured. Both programs are easy to install and configure and will be automatically started at system boot.

Installation

At a terminal prompt, enter the following command to install dhcpd:

sudo apt-get install dhcpd

You will see the following output, which explains what to do next:

Please note that if you are installing the DHCP server for the first
time you need to configure. Please stop (/etc/init.d/dhcp
stop) the DHCP server daemon, edit /etc/dhcpd.conf to suit your needs
and particular configuration, and restart the DHCP server daemon
(/etc/init.d/dhcp start).

You also need to edit /etc/default/dhcp to specify the interfaces dhcpd
should listen to. By default it listens to eth0.

NOTE: dhcpd's messages are being sent to syslog. Look there for
diagnostics messages.

Starting DHCP server: dhcpd failed to start - check syslog for diagnostics.

Configuration

The error message the installation ends with might be a little confusing, but the following steps will help you configure the service:

Most commonly, what you want to do is assign an IP address randomly. This can be done with settings as follows:

# Sample /etc/dhcpd.conf
# (add your comments here)
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "mydomain.org";

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
range 192.168.1.150 192.168.1.200;
}

This will result in the DHCP server giving a client an IP address from the range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address for 600 seconds if the client doesn’t ask for a specific time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The server will also “advise” the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers.

If you need to specify a WINS server for your Windows clients, you will need to include the netbios-name-servers option, e.g.

option netbios-name-servers 192.168.1.1;

Dhcpd configuration settings are taken from the DHCP mini-HOWTO, which can be found here.

Network File System on Ubuntu

mike — Sat, 19 Mar 2011 11:12:41 +0000

NFS allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files.

Some of the most notable benefits that NFS can provide are:

Local workstations use less disk space because commonly used data can be stored on a single machine and still remain accessible to others over the network.
There is no need for users to have separate home directories on every network machine. Home directories could be set up on the NFS server and made available throughout the network.
Storage devices such as floppy disks, CDROM drives, and USB Thumb drives can be used by other machines on the network. This may reduce the number of removable media drives throughout the network.

Installation

At a terminal prompt enter the following command to install the NFS Server:

sudo apt-get install nfs-kernel-server

Configuration

You can configure the directories to be exported by adding them to the /etc/exports file. For example:

/ubuntu  *(ro,sync,no_root_squash)
/home    *(rw,sync,no_root_squash)

You can replace * with one of the hostname formats. Make the hostname declaration as specific as possible so unwanted systems cannot access the NFS mount.

To start the NFS server, you can run the following command at a terminal prompt:

sudo /etc/init.d/nfs-kernel-server start

NFS Client Configuration

Use the mount command to mount a shared NFS directory from another machine, by typing a command line similar to the following at a terminal prompt:

sudo mount example.hostname.com:/ubuntu /local/ubuntu


	The mount point directory `/local/ubuntu` must exist. There should be no files or subdirectories in the `/local/ubuntu` directory.

An alternate way to mount an NFS share from another machine is to add a line to the /etc/fstab file. The line must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted.

The general syntax for the line in /etc/fstab file is as follows:

example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr

Openssh server on ubuntu

mike — Tue, 22 Feb 2011 08:59:22 +0000

OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling a computer or transferring files between computers. Traditional tools used to accomplish these functions, such as telnet or rcp, are insecure and transmit the user’s password in cleartext when used. OpenSSH provides a server daemon and client tools to facilitate secure, encrypted remote control and file transfer operations, effectively replacing the legacy tools.

The OpenSSH server component, sshd, listens continuously for client connections from any of the client tools. When a connection request occurs, sshd sets up the correct connection depending on the type of client tool connecting. For example, if the remote computer is connecting with the ssh client application, the OpenSSH server sets up a remote control session after authentication. If a remote user connects to an OpenSSH server with scp, the OpenSSH server daemon initiates a secure copy of files between the server and client after authentication. OpenSSH can use many authentication methods, including plain password, public key, and Kerberos tickets.

Installation

Installation of the OpenSSH client and server applications is simple. To install the OpenSSH client applications on your Ubuntu system, use this command at a terminal prompt:

sudo apt-get install openssh-client

To install the OpenSSH server application, and related support files, use this command at a terminal prompt:

sudo apt-get install openssh-server

Configuration

You may configure the default behavior of the OpenSSH server application, sshd, by editing the file /etc/ssh/sshd_config. For information about the configuration directives used in this file, you may view the appropriate manual page with the following command, issued at a terminal prompt:

man sshd_config

There are many directives in the sshd configuration file controlling such things as communications settings and authentication modes. The following are examples of configuration directives that can be changed by editing the /etc/ssh/ssh_config file.

Prior to editing the configuration file, you should make a copy of the original file and protect it from writing so you will have the original settings as a reference and to reuse as necessary.

Copy the /etc/ssh/sshd_config file and protect it from writing with the following commands, issued at a terminal prompt:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original

The following are examples of configuration directives you may change:

To set your OpenSSH to listen on TCP port 2222 instead of the default TCP port 22, change the Port directive as such:Port 2222
To have sshd allow public key-based login credentials, simply add or modify the line:PubkeyAuthentication yes
in the /etc/ssh/sshd_config file, or if already present, ensure the line is not commented out.
To make your OpenSSH server display the contents of the /etc/issue.net file as a pre-login banner, simply add or modify the line:Banner /etc/issue.net
in the /etc/ssh/sshd_config file.

After making changes to the /etc/ssh/sshd_config file, save the file, and restart the sshd server application to effect the changes using the following command at a terminal prompt:

sudo /etc/init.d/ssh restart

Many other configuration directives for sshd are available for changing the server application’s behavior to fit your needs. Be advised, however, if your only method of access to a server is ssh, and you make a mistake in configuring sshd via the /etc/ssh/sshd_config file, you may find you are locked out of the server upon restarting it, or that the sshd server refuses to start due to an incorrect configuration directive, so be extra careful when editing this file on a remote server.

How to configure ubuntu firewall

mike — Tue, 22 Feb 2011 08:54:34 +0000

The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.

Firewall Introduction

The kernel’s packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables. When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall if you’re familiar with it, but many frontends are available to simplify the task.

IP Masquerading

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus “masqueraded” as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

This can be accomplished with a single iptables rule, which may differ slightly based on your network configuration:

sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:

-t nat — the rule is to go into the nat table
-A POSTROUTING — the rule is to be appended (-A) to the POSTROUTING chain
-s 192.168.0.0/16 — the rule applies to traffic originating from the specified address space
-o ppp0 — the rule applies to traffic scheduled to be routed through the specified network device
-j MASQUERADE — traffic matching this rule is to “jump” (-j) to the MASQUERADE target to be manipulated as described above

Each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:

sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.

Tools

There are many tools available to help you construct a complete firewall without intimate knowledge of iptables. For the GUI-inclined, Firestarter is quite popular and easy to use, and fwbuilder is very powerful and will look familiar to an administrator who has used a commercial firewall utility such as Checkpoint FireWall-1. If you prefer a command-line tool with plain-text configuration files, Shorewall is a very powerful solution to help you configure an advanced firewall for any network. If your network is relatively simple, or if you don’t have a network, ipkungfu should give you a working firewall “out of the box” with zero configuration, and will allow you to easily set up a more advanced firewall by editing simple, well-documented configuration files. Another interesting tool is fireflier, which is designed to be a desktop firewall application. It is made up of a server (fireflier-server) and your choice of GUI clients (GTK or QT), and behaves like many popular interactive firewall applications for Windows.

Logs

Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT). For example:

sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "

A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:

[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0

The above log will also appear in /var/log/messages, /var/log/syslog, and /var/log/kern.log. This behavior can be modified by editing /etc/syslog.conf appropriately or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as fwanalog, fwlogwatch, or lire.

How to configure Ubuntu network

mike — Tue, 22 Feb 2011 08:49:22 +0000

Ethernet

Most ethernet configuration is centralized in a single file, /etc/network/interfaces. If you have no ethernet devices, only the loopback interface will appear in this file, and it will look something like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0

If you have only one ethernet device, eth0, and it gets its configuration from a DHCP server, and it should come up automatically at boot, only two additional lines are required:

auto eth0
iface eth0 inet dhcp

The first line specifies that the eth0 device should come up automatically when you boot. The second line means that interface (“iface”) eth0 should have an IPv4 address space (replace “inet” with “inet6” for an IPv6 device) and that it should get its configuration automatically from DHCP. Assuming your network and DHCP server are properly configured, this machine’s network should need no further configuration to operate properly. The DHCP server will provide the default gateway (implemented via the route command), the device’s IP address (implemented via the ifconfig command), and and DNS servers used on the network (implemented in the /etc/resolv.conf file.)

To configure your ethernet device with a static IP address and custom configuration, some more information will be required. Suppose you want to assign the IP address 192.168.0.2 to the device eth1, with the typical netmask of 255.255.255.0. Your default gateway’s IP address is 192.168.0.1. You would enter something like this into /etc/network/interfaces:

iface eth1 inet static
	address 192.168.0.2
	netmask 255.255.255.0
	gateway 192.168.0.1

In this case, you will need to specify your DNS servers manually in /etc/resolv.conf, which should look something like this:

search mydomain.com
nameserver 192.168.0.1
nameserver 4.2.2.2

The search directive will append mydomain.com to hostname queries in an attempt to resolve names to your network. For example, if your network’s domain is mydomain.com and you try to ping the host “mybox”, the DNS query will be modified to “mybox.mydomain.com” for resolution. The nameserver directives specifiy DNS servers to be used to resolve hostnames to IP addresses. If you use your own nameserver, enter it here. Otherwise, ask your Internet Service Provider for the primary and secondary DNS servers to use, and enter them into /etc/resolv.conf as shown above.

Many more configurations are possible, including dialup PPP interfaces, IPv6 networking, VPN devices, etc. Refer to man 5 interfaces for more information and supported options. Remember that /etc/network/interfaces is used by the ifup/ifdown scripts as a higher level configuration scheme than may be used in some other Linux distributions, and that the traditional, lower level utilities such as ifconfig, route, and dhclient are still available to you for ad hoc configurations.

Managing DNS Entries

This section explains how to configure the nameserver to use when resolving IP address to hostnames and vice versa. It does not explain how to configure the system as a name server.

To manage DNS entries, you can add, edit, or remove DNS names from the /etc/resolv.conf file. A sample file is given below:

search com
nameserver 204.11.126.131
nameserver 64.125.134.133
nameserver 64.125.134.132
nameserver 208.185.179.218

The search key specifies the string which will be appended to an incomplete hostname. Here, we have mentioned it as com. If we run: ping ubuntu it would be interpreted as ping ubuntu.com.

The nameserver key specifies the nameserver IP address. It will be used to resolve the given IP address or hostname. This file can have multiple nameserver entries. The nameservers will be used by the network query in the same order