redhat

​This will be part 1 in a series of configuring CentOS/Red Hat 6 as a secured firewall. Though I am a huge fan of pfSense (which can be found here pfSense), I wanted to build my own from scratch. So, the first part of this series will consist of setting up PAT (or NAT overload for the Cisco geeks) on Linux.

The first step is to configure the network cards.  In this scenario we will use eth0 as the WAN connection and eth1 as the LAN connection.  Refer to the diagram below

 | ISP - 192.168.1.1/30 | <--- | eth0(WAN) - 192.168.1.2/30 | --- NAT Server --- | eth1(LAN) - 192.168.2.1/24 | ---> Internal Network

Edit both the ifcfg-eth0 and the ifcfg-eth1 files located in /etc/sysconfig/network-scripts/, make sure both of the network cards are set to BOOTPROTO=”static”.

The second step is to setup IP forwarding which can be done by editing the /etc/sysctl.conf file and adding

    net.ipv4.ip_forward = 1

You can then either reload the server or issue the ‘sysctl -p’ command. Once that command is run, you will see the output of the command and you should see ‘net.ipv4.ip_forward = 1’ in the output. You can also verify by running ‘cat /proc/sys/net/ipv4/ip_forward’ and it will return a ‘1’. If it returns a 0 then the command did not run correctly and you need to try again.

The last step is to set up masquerade with IPTABLES. As eth0 is your outside (or WAN) connection, run

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Connect a laptop to the eth1 NIC with a crossover cable, and statically set the IP address to 192.168.2.2/24 with the default gateway of 192.168.2.1.  You should now be able to ping out of the LAN to the Internet. If successful run,

    service iptables save

which will save the command to the /etc/sysconfig/iptables file when either the service or the server is reloaded.

​Mounting a USB device

 Attach the USB device to the Dom0 and run ‘dmesg’ to see if the device attached

Run ‘fdisk -l’ to see if the drive is partitioned the way you want it

For instance:

[[email protected] ~]# fdisk -l /dev/sdc

Disk /dev/sdc: 1000.2 GB, 1000204886016 bytes

255 heads, 63 sectors/track, 121601 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System

dev/sdc1 1 121601 976760001 8e Linux LVM

Now find a drive letter that is not being used on the DomU, in this instance we’ll use /dev/sde

To attach the USB device to the DomU run the following command

xm block-attach exampledomu phy:/dev/sdc sde w

You should now see the device on the DomU, run either ‘dmesg’ or ‘fdisk -l’ to verify

Mount the device as normal

mount /dev/sde1 /mnt/usb

Unmounting the device

You first need to get the device id number from the block list. Do this by running:

xm block-list exampledomu

This will return:

    Vdev BE handle state evt-ch ring-ref BE-path

    51712 0 0 4 9 8 /local/domain/0/backend/tap/23/51712

    2176 0 0 4 10 1338 /local/domain/0/backend/vbd/23/2176

The number you need to use to remove the device is 2176

Unmount the USB device from the DomU

umount /mnt/usb

 Now on the Dom0 run:

xm block-detach exampledomu 2176

You may now remove the USB device

As a part of the sys admin’s job, it is important to take a few extra minutes to go through and properly secure a newly installed Linux server. These steps include enabling SELinux on the machine, configuring the firewall, and setting user permissions. There are however additional steps one should take in order to secure their server. One would be to tune and secure kernel parameters, set limits on kernel dumps, prevent IPv6 from loading if you company is not using it, and turning off unnecessary services.

Networking 

First, lets take a look at configuring kernel parameters to prevent network based attacks. These include disallowing intruders to alter routing tables and source routed packets, preventing an intruder from configuring the server to become a router, and turning on reverse path filtering. To change these settings edit the /etc/sysctl.conf file and enter:

    net.ipv4.conf.all.accept_source_route = 0 

    net.ipv4.conf.all.accept_redirects = 0 

    net.ipv4.conf.all.secure_redirects = 0 

    net.ipv4.conf.all.log_martians = 1 

    net.ipv4.conf.default.accept_source_route = 0 

    net.ipv4.conf.default.accept_redirects = 0 

    net.ipv4.conf.default.secure_redirects = 0 

    net.ipv4.icmp_echo_ignore_broadcasts = 1 

    net.ipv4.icmp_ignore_bogus_error_messages = 1 

    net.ipv4.tcp_syncookies = 1 

    net.ipv4.conf.all.rp_filter = 1 

   net.ipv4.conf.default.rp_filter = 1 

If you are currently running IPv6 at your company, here are a few kernel parameters to prevent network based attacks:

    net.ipv6.conf.default.router_solicitations = 0 

    net.ipv6.conf.default.accept_ra_rtr_pref = 0 

    net.ipv6.conf.default.accept_ra_pinfo = 0 

    net.ipv6.conf.default.accept_ra_defrtr = 0 

    net.ipv6.conf.default.autoconf = 0 

    net.ipv6.conf.default.dad_transmits = 0 

    net.ipv6.conf.default.max_addresses = 1 

To make these settings effective without rebooting the server type sysctl -p 

We can go a step further by disabling unused network functions such as IPv6 and prevent self assigned addressing.

To detect whether or not IPv6 is running on a server type: ifconfig | grep inet6 which will return:

    inet6 addr: fe80::240:5ff:fe32:ef19/64 Scope:Link 

    inet6 addr: ::1/128 Scope:Host 

    inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link 

To prevent IPv6 from loading, run the following command:

echo install ipv6 /bin/true > /etc/modprobe.d/ipv6 

Then add the following lines to /etc/sysconfig/network:

NETWORKING_IPV6=no 

    IPV6INIT=no 

This will deactivate the IPv6 protocol from running on the server.

To prevent self assigned addressing on network cards, open the /etc/sysconfig/network file and add:

NOZEROCONF=yes 

Server security 

Turning off the ability to create core dumps is important as intruders can use this to gather information about running services and configurations in order to exploit them. To do so, edit the /etc/security/limits.conf file and insert:

* hard core 0 

We should also prevent setuid programs from creating these as well:

sysctl -w fs.suid_dumpable=0 

There are also built in kernel features which can help protect against buffer overflow attacks. These features are turned on by default, however these kernel parameters should be enabled in case they have been turned off:

    sysctl -w kernel.exec-shield=1 

    sysctl -w kernel.randomize_va_space=1 

These settings ensure randomization of the stack and memory regions, which are refereed to as the ExecShield.

There are many services which are running on a default installation which include cups, sendmail, isdn, bluetooth, and many others. If these services are not being used on the server then they should be turned off and configured not to start up on a reboot. To do so we can run the following bash script:

for i in acpid autofs avahi-daemon luetooth cups firstboot gpm hidd ip6tables sendmail exim xfs xinetd yum-updatesd rhnsd pcscd readahead_early readahead_later apmd hplip isdn ip6tables mcstrans 

    do 

    service $i stop 

    chkconfig $i off 

    done 

Your services will vary depending on the installation. We should also ensure that X does not run on reboot, placing the server in run level three. To do so, edit the /etc/inittab file and change id:5:initdefault: to id:3:initdefault: