Apprehend Intruders and Direct Traffic with IPCop
Part Two: IPCop provides lots of network services from a single box. This week we take a look at intrusion detection, traffic shaping, and basic maintenance.
Last week's enthralling introduction to IPCop walked through installation and configuring a simple firewall/shared Internet connection. Today we shall look at running IPCop headless, intrusion detection, allowing access to public servers, simple traffic shaping, and backing up/restoring IPCop.
Log in to the IPCop box as root and run the setup command to make changes after installation, such as network configuration, removing or adding zones, and changing passwords. Note that a lot of these changes will require a networking restart, so don't do this when it might annoy users.
IPCop is designed to run on a headless box no keyboard, mouse, or monitor. This depends on your hardware ordinary PC hardware usually needs the BIOS configured to boot without a keyboard, and make sure your boot device (hard drive, floppy, or CD) is listed first in the BIOS boot order.
Remote SSH Access
What if you want to log into your headless IPCop box? Use SSH. The IPCop manual advises that you turn this on only on an as-needed basis, and not to leave it enabled all the time. To enable SSH log into the Web administration page on a remote workstation (remember how? https://192.168.1.1:445 on any workstation on the same subnet as the IPCop box, log in as the "admin" user). Go to System -> SSH Access and check the "SSH Access" box, then click "Save". Then open a terminal and connect via port 222:
$ ssh -p 222 firstname.lastname@example.org
When you're finished, disable SSH on the Web administration page. By default, only access from the Green network is allowed. (See Part 1 to learn what the different color zones represent.) You may also connect from untrusted networks; see the Administrative Guide to learn how to do this.
Setting up intrusion detection couldn't be simpler. IPCop uses Snort, the champion of intrusion-detection systems. Snort works by analyzing packets against a custom ruleset, then disposing of packets according to the rules. So it's more than just an intrusion detection programs, it's an intrusion-prevention program.
You can write or edit your own rules if you really really want to. Log into the IPCop box as root and look in /etc/snort to see the existing rulesets. Or you can take the easy way and use IPCop's Web administration page to download and activate new rulesets. Open the Web administration interface and go to Services -> Intrusion Detection. Click on the checkboxes of the interfaces you want intrusion detection to be active on. Then click "download new ruleset", hit the "save" button, and you're done. After a couple of hours check your logs at Logs -> IDS Logs. Rather amusing how quickly the logfiles fill up, primarily with Windows-targeted exploits.
Note that the Log -> Settings tab is where you configure your log rotation, level of logging details, or point the way to a logging server.