
Securing your Environment, Part One

Surprisingly, securing a site’s production environment is a task that many ignore until it’s too late. But the task need not be so onerous. Several LAMP tools can help shore up security.


This month and next, let’s look at two LAMP-based tools that can help protect your environment: Big Fish Firewall for deploying and configuring netfilter-based firewalls, and SNORT for intrusion detection.

Once you realize how simple these tools are to deploy, you’ll want to get started immediately rather than after your first security incident.

One Fish, Two Fish, Red Fish, Big Fish

There are many commercial firewall products available, and vendors sell options suited to corporations, individuals, and sites of all sizes in between. For example, Checkpoint (http://www.checkpoint.com/) manufactures firewalls and several other security products for production environments, and Cisco (http://www.cisco.com) offers the PIX series of firewalls for every site from home offices to Internet service providers. While both Checkpoint and Cisco offer products that are full-featured, robust, and reliable, deploying and managing these devices can be costly and can require a significant learning curve.

Luckily, the TCP/IP stack in the Linux operating system is very robust, featuring extensive packet filtering, network address translation (NAT), and other advanced firewall functions. Additionally, the netfilter package provides simple load-balancing for high-availability systems. In effect, you can deploy a commercially viable firewall solely on Linux, running the free operating system you already know on low-cost hardware in all layers of your network.

To be fair, however, one of the most significant drawbacks of Linux firewall solutions — netfilter included — is usability. netfilter is sometimes called a “wild beast,” as developing iptables rulesets can be a daunting task for even the most experienced network administrators.

Aware of this shortcoming, several LAMP projects have emerged to make the job much simpler. One such project is Big Fish Firewall, available from http://bigfish.sourceforge.net. Big Fish, maintained by Fred Cox, allows you to easily create and manage iptables firewall scripts. Big Fish includes pre-configured rulesets that you can alter to suit your needs, or you can create your own rulesets from scratch. Some common rulesets included are IP spoofing, syn flood blocking, service blocking (to block, say, IRC or an instant messenger), and source and destination network address translation (SNAT and DNAT, respectively).

Development on the Big Fish package is constant. As Linux Magazine goes to press, the latest production release of Big Fish is Version 1.33, which is compatible only with PHP 5 and kernel 2.4. (However, the Big Fish developers are currently developing a version for PHP 4, which should be available by the time you read this.)

Getting Started with Big Fish

Big Fish has several prerequisites. For this sample installation, the host ran Linux kernel 2.4.20-8, Apache 1.3.28, PHP 5.0.3RC1, and mod_SSL 2.8.15-1.3.28 supported by OpenSSL 0.9.7a. (Since Big Fish can be accessed via the Internet and manipulates your server, it’s imperative that you install SSL into Apache.)

Your system also needs sudo (which is probably already installed), the Smarty Template Engine, located at http://smarty.php.net/, and the HTML_Common, HTML_Menu, HTML_Table, HTML_QuickForm, File, File_Passwd, File_SearchReplace, and Net_Portscan modules from the PHP Extension and Application Repository (PEAR).

To install the PEAR packages, type pear install package_name on the command line, such as pear install File_Passwd.

Next, set up the sudo commands for the Apache user, typically named nobody. First, create a local directory that’s not in your web root for storing your firewall script, such as /usr/local/bigfish/script. Then, edit the file /etc/sudoers by running visudo as root and enter the following text:

# Assuming you're running Apache as the user nobody
nobody ALL = NOPASSWD: /usr/local/bigfish/script/firewall.sh

To continue, download the Big Fish tarball, create a directory under your Apache DocumentRoot named bigfish, and extract the tarball into this directory. Next, as root, and assuming your Apache user is nobody, change the ownership and permissions on the cache/ and templates_c/ subdirectories as follows:

$ chown -R nobody:nobody cache
$ chmod -R 775 cache

$ chown -R nobody:nobody templates_c
$ chmod -R 775 templates_c
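The sudoers line and the ownership changes above together decide who can become root through this installation: the Apache user may run firewall.sh as root without a password, so that script and its directory must never be writable by the Apache user or by everyone, while the cache/ and templates_c/ directories are the only places the web user should own. The following POSIX shell functions, an added example that is not part of Big Fish, check exactly those two conditions; the web user name and the paths are taken from the article, and the constructed directories in the usage are placeholders for your own.

```shell
#!/bin/sh
# Added example, not part of Big Fish: permission sanity checks for the sudo setup.
# The Apache user gets passwordless root through firewall.sh, so the script and its
# parent directory must be owned by root-ish accounts and never world-writable.

# world_writable PATH: succeed if the o+w bit is set on PATH (no descent into directories)
world_writable() {
    [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

# owner_of PATH: print the user name that owns PATH (portable: parses ls -ld)
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_sudo_target SCRIPT WEB_USER: return 0 if SCRIPT and its directory are neither
# world-writable nor owned by the web user; otherwise print each problem and return 1
check_sudo_target() {
    script=$1
    web=$2
    dir=$(dirname "$script")
    rc=0
    for p in "$script" "$dir"; do
        if world_writable "$p"; then
            echo "unsafe: $p is world-writable" >&2
            rc=1
        fi
        if [ "$(owner_of "$p")" = "$web" ]; then
            echo "unsafe: $p is owned by the web user $web" >&2
            rc=1
        fi
    done
    return $rc
}

# check_cache_dir DIR WEB_USER: return 0 if DIR is owned by the web user and is
# group-writable, which is what "chown nobody:nobody; chmod 775" above produces
check_cache_dir() {
    [ "$(owner_of "$1")" = "$2" ] &&
        [ -n "$(find "$1" -prune -perm -070 -print 2>/dev/null)" ]
}

# usage (paths from the article; adjust to your install):
#   check_sudo_target /usr/local/bigfish/script/firewall.sh nobody && echo "sudo target OK"
#   check_cache_dir /var/www/html/bigfish/cache nobody && echo "cache dir OK"
```

Run the checks as root after every edit of the sudoers file or of the firewall script; a failing check_sudo_target means a compromise of the web application would hand out root, which is the whole reason the article keeps the script directory outside the DocumentRoot.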

Now, using your favorite text editor, open the file config.inc.php located within the bigfish/conf directory of your DocumentRoot and edit and set the following variables to match your system:

$conf['path'] = '/usr/local/bigfish/script';

$conf['username'] = 'h3lpm3';
$conf['password'] = 'h@ckm3';

$conf['iptables'] = '/sbin/iptables';
$conf['sudo'] = '/usr/bin/sudo';

$conf['if_ext'] = 'eth0';
$conf['if_int'] = 'eth0:1'; // A virtual interface on a single NIC

$conf['if_ext_ip'] = '192.168.1.1';
$conf['if_int_ip'] = '192.168.2.1';
$conf['netmask'] = '255.255.254.0/8';

If you haven’t installed the Smarty PHP template engine yet, grab the latest version of Smarty at http://smarty.php.net/download.php. The version used for this article was 2.6.6. Installing Smarty is a snap: after you extract the contents of the package, copy all of the files and directories to the libs directory in your PHP include path. On the sample system, for instance, the files were copied to /usr/local/lib/php/Smarty/.

Finally, the Big Fish application uses Apache’s htpasswd authentication as a second layer of security. You’ll need to set up a .htaccess file in the bigfish directory within your DocumentRoot. If you don’t perform this step, Big Fish won’t work properly.

Once you’ve edited and saved the Big Fish configuration file and installed Smarty and all of the required PEAR modules, you should be able to access the Big Fish web interface. Make certain you access it via SSL, using a URL such as https://your-host/bigfish.

If you set up the .htaccess file properly, the browser should prompt you for your htpasswd username and password. Once authenticated, you’ll need to authenticate again in a PHP-generated login form. Use the username and password that you specified in config.inc.php.

Reeling in the Big Fish

The Big Fish application is organized into four areas: Security, Packet Filtering, SNAT/DNAT, and Priority Services. Click on the Security menu link to edit available port security options. This menu gives you options to prevent access threats such as “Ping of Death,” “Syn-Flood” and suspect packets. It also allows you to block access to chat and instant messenger ports such as AOL, MSN, and IRC, and if you’re interested in blocking access to file sharing networks, this menu gives you the option to block Limewire, Kazaa, Morpheus, and others.

Extending the security options is quite easy. With your favorite text editor, open up the regras.php file and search for the $locks array. This is where you can add or customize rules for your firewall.

For example, if you wanted to add a block for a service called “IllegalWarezNet” operating on port 9102, add the following lines to the $locks array:

array('#IllegalWarezNet: ',
      $conf['iptables']." -A int_ext -p tcp --dport 9102 -j REJECT"
),

When you reload the Security menu, you should see your security service option on the list.

The Packet Filtering section of Big Fish allows you to take full control of packet routing by creating rulesets for your network interfaces. The current set of options allows you to create rules for packets originating within your network destined for an external network (menu item: [Int] > [Ext]), packets originating within your network destined for the firewall (menu item: [Int] > [Fwl]), packets originating outside your network destined for inside your network (menu item: [Ext] > [Int]), and packets originating outside your network destined for your firewall (menu item: [Ext] > [Fwl]).

The real fun begins with SNAT/DNAT packet rewriting. SNAT allows you to rewrite the source address in the IP header. In other words, use an SNAT rule to rewrite a local address on your network to the source IP address of your Internet connection. This is useful (and necessary) if you want to share a network connection through your firewall.

For example, using the Big Fish interface you can easily rewrite HTTP packets originating from Internet addresses on your firewall to your Internet connection IP, say 69.68.147.63. Click on the Redirects SNAT/DNAT menu link, enter 80 for both source and destination ports, enter your Internet connection address for the host, and select “SNAT” for “Direction” and “TCP” for the protocol.

DNAT allows you to rewrite the destination address in the IP header. Using a DNAT rule you can rewrite packets arriving on your host on one or many ports to a new destination IP address.

For example, using the Big Fish interface you can rewrite HTTP packets destined for your firewall host to the internal IP address 192.168.2.1. Click on the Redirects SNAT/DNAT menu link, enter 80 for both source and destination ports, enter 192.168.2.1 for “Host,” select “DNAT” for “Direction” and “TCP” for the protocol.

Using a combination of packet filtering with DNAT/SNAT rules, you can protect internal web servers (or web servers living on your Linux firewall host) by giving them a local IP address and rewriting packets to/from the hosts. Big Fish makes it easy to move your Apache servers behind a firewall so you don’t have to leave them hanging out on the Internet with a public IP address.

Big Fish also provides you with a simple interface to prioritize services traversing through your firewall. For example, using iptables’ packet mangling feature, you can assign SSH packets a higher priority than another service’s packets, like file sharing or FTP. Click on the Priority menu item to display available services on your host. Select Port 22 (SSH) and click apply to add the priority to your ruleset.
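The $locks entry, the SNAT and DNAT redirects, and the SSH priority setting described above all end up as iptables command lines in the generated firewall script. The script below is an added example, not Big Fish’s own firewall.sh, that builds the same kinds of rules by hand so you can see what each menu choice produces: the chain names int_ext, int_fwl, ext_int and ext_fwl, the port 9102 block, the port 80 DNAT to 192.168.2.1 and the port 22 priority are the article’s examples; the interface and address defaults, the SYN rate limit of 5/s and the Minimize-Delay TOS value are assumptions. With the argument show it prints the commands instead of running them, which is useful for reviewing a ruleset before pushing it live from the Status page.

```shell
#!/bin/sh
# Added example, not Big Fish's own firewall.sh: a minimal netfilter script with the
# same kinds of rules the Security, SNAT/DNAT and Priority menus generate.
# Defaults below are assumptions; override them in the environment.

IPT=${IPT:-/sbin/iptables}
IF_EXT=${IF_EXT:-eth0}            # external interface
EXT_IP=${EXT_IP:-192.168.1.1}     # address of the Internet connection
INT_NET=${INT_NET:-192.168.2.0/24} # internal network behind the firewall

# run ARGS...: execute iptables, or print the full command line when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# service_block PORT: reject internal-to-external TCP connections to PORT
# (the same shape as the "IllegalWarezNet" entry in the $locks array)
service_block() {
    run -A int_ext -p tcp --dport "$1" -j REJECT
}

# snat_rule: rewrite the source of outbound traffic from INT_NET to the external address
snat_rule() {
    run -t nat -A POSTROUTING -s "$INT_NET" -o "$IF_EXT" -j SNAT --to-source "$EXT_IP"
}

# dnat_rule PORT HOST: send inbound TCP PORT arriving on the firewall to HOST
dnat_rule() {
    run -t nat -A PREROUTING -i "$IF_EXT" -p tcp --dport "$1" -j DNAT --to-destination "$2"
}

# priority_rule PORT: mark TCP PORT for minimum delay in the mangle table
priority_rule() {
    run -t mangle -A PREROUTING -p tcp --dport "$1" -j TOS --set-tos Minimize-Delay
}

# syn_flood_limit: let a limited rate of new connections from outside through, drop the rest
syn_flood_limit() {
    run -A ext_fwl -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j RETURN
    run -A ext_fwl -p tcp --syn -j DROP
}

# build: flush everything, create the four chains named after the Big Fish menus,
# hook them into the built-in chains, then add the article's example rules
build() {
    run -F
    run -t nat -F
    run -t mangle -F
    run -X
    for chain in int_ext int_fwl ext_int ext_fwl; do
        run -N "$chain"
    done
    run -A FORWARD -s "$INT_NET" -o "$IF_EXT" -j int_ext
    run -A FORWARD -i "$IF_EXT" -d "$INT_NET" -j ext_int
    run -A INPUT -s "$INT_NET" -j int_fwl
    run -A INPUT -i "$IF_EXT" -j ext_fwl
    # Security menu: a blocked service and SYN-flood limiting
    service_block 9102
    syn_flood_limit
    # SNAT/DNAT menu: share the connection and publish an internal web server
    snat_rule
    dnat_rule 80 192.168.2.1
    # Priority menu: SSH ahead of bulk traffic
    priority_rule 22
}

# usage:  sh firewall.sh show    (print the commands)
#         sh firewall.sh apply   (run them; requires root)
case "${1:-}" in
    show)  DRY_RUN=1 build ;;
    apply) build ;;
esac
```

Note that the DNAT rule alone only rewrites the destination; the forwarded packet still has to be accepted by the ext_int chain, which is why the article pairs DNAT with Packet Filtering rules for the same port.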

Although the current implementation of packet mangling is very basic, rest assured this area will be expanded to include additional Quality of Service (QoS) options for packet mangling.

Finally, the Firewall Status page is soon to become your best friend. Not only does Big Fish display the exact rule syntax applied to your firewall, the Status page displays all of the chains currently applied to your host. This is a useful learning tool for when you find yourself in a situation where you have to construct rules by hand. When you’re satisfied with the rules you’ve created with Big Fish, go to this Status page and click the Restart button to push your changes live.

The Future of Big Fish Firewall Administration

Big Fish is a great product, with an easy-to-use interface and enough tools for even the most advanced firewall administrator. However, there are a number of areas where development is focused, including an expanded ability to support multiple interfaces for true standalone netfilter/iptables management. The forthcoming release promises theme support with a bundled Smarty template engine, a feature to load and unload netfilter kernel modules, and expanded network interface support.

A great feature for Big Fish would be integration with MySQL for storing and creating a strict change control policy. A data repository would let you audit all changes made to your firewall from its inception.

Setting up a firewall can be quick and easy with the right tool. Whether setting up a firewall for your business or for your personal needs, it’s essential to have complete control of your data and how it’s accessed. With the combination of netfilter, Big Fish, and LAMP in your arsenal, there’s no excuse not to protect your assets.

Next month, in Part Two, we’ll look at intrusion detection with Snort and ACID.

Michael Bordash is an open-source integration specialist at IPsoft, Inc., and is the founder of InternetDJ.com. Michael can be reached at michael.bordash@ip-soft.net.
