Apprehend Intruders and Direct Traffic with IPCop

By Carla Schroder | Apr 12, 2005
http://www.enterprisenetworkingplanet.com/netos/article.php/3497156/Apprehend-Intruders-and-Direct-Traffic-with-IPCop.htm

Last week's enthralling introduction to IPCop walked through installation and configuring a simple firewall/shared Internet connection. Today we shall look at running IPCop headless, intrusion detection, allowing access to public servers, simple traffic shaping, and backing up/restoring IPCop.

Post-Installation Changes
Log in to the IPCop box as root and run the setup command to make changes after installation, such as network configuration, removing or adding zones, and changing passwords. Note that a lot of these changes will require a networking restart, so don't do this when it might annoy users.

Running Headless
IPCop is designed to run on a headless box: no keyboard, mouse, or monitor. Whether it can depends on your hardware: ordinary PC hardware usually needs the BIOS configured to boot without a keyboard, and your boot device (hard drive, floppy, or CD) must be listed first in the BIOS boot order.

Remote SSH Access
What if you want to log into your headless IPCop box? Use SSH. The IPCop manual advises that you turn this on only on an as-needed basis, and not to leave it enabled all the time. To enable SSH log into the Web administration page on a remote workstation (remember how? https://192.168.1.1:445 on any workstation on the same subnet as the IPCop box, log in as the "admin" user). Go to System -> SSH Access and check the "SSH Access" box, then click "Save". Then open a terminal and connect via port 222:

$ ssh -p 222 root@192.168.1.1
root@192.168.1.1's password:
root@ipcop:~ #

When you're finished, disable SSH on the Web administration page. By default, only access from the Green network is allowed. (See Part 1 to learn what the different color zones represent.) You may also connect from untrusted networks; see the Administrative Guide to learn how to do this.

Intrusion Detection
Setting up intrusion detection couldn't be simpler. IPCop uses Snort, the champion of intrusion-detection systems. Snort works by analyzing packets against a custom ruleset, then disposing of packets according to the rules. So it's more than just an intrusion-detection program; it's an intrusion-prevention program.

You can write or edit your own rules if you really really want to. Log into the IPCop box as root and look in /etc/snort to see the existing rulesets. Or you can take the easy way and use IPCop's Web administration page to download and activate new rulesets. Open the Web administration interface and go to Services -> Intrusion Detection. Click on the checkboxes of the interfaces you want intrusion detection to be active on. Then click "download new ruleset", hit the "save" button, and you're done. After a couple of hours check your logs at Logs -> IDS Logs. Rather amusing how quickly the logfiles fill up, primarily with Windows-targeted exploits.

Note that the Log -> Settings tab is where you configure your log rotation, level of logging details, or point the way to a logging server.
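When the IDS log page gets busy, a quick summary tells you whether you are looking at one noisy source or many. The script below is an added example, not part of the article or of IPCop or Snort itself: it reads Snort alerts in the "alert fast" file format from standard input and totals them by signature name, by source address and by priority. The six alert lines embedded in it are constructed samples; the signature names, SIDs and addresses are invented for the illustration, and the script assumes every line ends with the usual "{PROTO} src:port -> dst:port" tail.

```shell
#!/bin/sh
# Summarise Snort "alert fast" lines by signature, source address and priority.
# Added example: not code from the article, IPCop or Snort. Reads alert lines
# on stdin. SAMPLE_ALERTS is constructed test data with made-up SIDs, names
# and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24).

SAMPLE_ALERTS='04/12-10:15:32.123456  [**] [1:1000001:1] SAMPLE web server scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:4451 -> 192.168.1.10:80
04/12-10:15:33.001122  [**] [1:1000001:1] SAMPLE web server scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:4452 -> 192.168.1.10:80
04/12-10:16:05.500000  [**] [1:1000002:1] SAMPLE Windows worm probe [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.20:3012 -> 192.168.1.10:445
04/12-10:16:06.600000  [**] [1:1000002:1] SAMPLE Windows worm probe [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.21:3013 -> 192.168.1.10:445
04/12-10:16:07.700000  [**] [1:1000002:1] SAMPLE Windows worm probe [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.22:3014 -> 192.168.1.10:445
04/12-10:20:00.000000  [**] [1:1000003:1] SAMPLE SSH login burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:5000 -> 192.168.1.1:222'

# count_by_signature: prints "<count> <signature name>", most frequent first.
# The text between the two "[**]" markers is "[gid:sid:rev] name"; the
# bracketed id is stripped so counts are keyed on the readable name.
count_by_signature() {
    awk '{ split($0, f, / \[\*\*\] /); sig = f[2]
           sub(/^\[[0-9:]+\] /, "", sig); n[sig]++ }
         END { for (s in n) print n[s], s }' | sort -k1,1nr -k2
}

# count_by_source: prints "<count> <source IP>", most frequent first.
# The source is the third-from-last whitespace field ("src:port"), port removed.
count_by_source() {
    awk '{ src = $(NF-2); sub(/:[0-9]+$/, "", src); n[src]++ }
         END { for (s in n) print n[s], s }' | sort -k1,1nr -k2
}

# priority_count N: number of alerts tagged "[Priority: N]".
priority_count() {
    awk -v p="$1" '$0 ~ ("\\[Priority: " p "\\]") { n++ } END { print n + 0 }'
}

# summarise: run all three reports over stdin (stdin is read three times,
# so the input is buffered in a variable first).
summarise() {
    data=$(cat)
    echo "== alerts by signature =="
    printf '%s\n' "$data" | count_by_signature
    echo "== alerts by source =="
    printf '%s\n' "$data" | count_by_source
    echo "== priority 1 alerts: $(printf '%s\n' "$data" | priority_count 1)"
}

# Demo on the constructed samples; replace with e.g. "summarise < alertfile".
printf '%s\n' "$SAMPLE_ALERTS" | summarise
```

Run it as-is to see the summary of the samples, or feed it a copy of Snort's alert file pulled from the IPCop box over the SSH session described above. One address responsible for most of the hits is a candidate for a firewall block; hundreds of distinct sources hitting a single Windows port is the background noise the article mentions, and is usually better handled by tuning the ruleset than by chasing each address.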



Opening Access To Public Servers
If you're running a public Web, mail, FTP, or other server, it won't do much good if it's locked away behind a firewall. One option is to put your public servers outside your firewall. The usual way to protect these is to strictly control what is installed on the machine, run daemons in chroot jails, and configure iptables firewalls. But putting your public servers behind an IPCop firewall has a number of advantages: traffic is allowed only to specified ports, plus they get the benefit of IPCop's intrusion detection, proxying, traffic shaping, and other useful features. And by using port forwarding, you may give your servers non-routable private IPs. This gives you the flexibility to move, add, and remove servers with a minimum of hassle.

Go to the Firewall -> Port Forwarding page. All you need to know is the IP of the server and the listening port. /etc/services lists all the standard assigned ports. An HTTP server, by default, listens on TCP 80. SMTP servers use TCP 25, POP3 uses TCP 110, and so forth. Most servers also let you configure a non-standard port, which some folks think is a useful security measure, but if you do the clients connecting to your server must manually specify the port, like http://domain.net:8080. And it really doesn't add much security.
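The Port Forwarding page builds the packet-filter rules for you, but it helps to see what "traffic is allowed only to specified ports" means at the netfilter level. The script below is an added example, not IPCop's own code or rule layout: it validates a forwarding request (protocol, ports, and a private RFC 1918 target address, since the whole point is that the server need not have a routable IP) and prints the two generic iptables rules such a forward needs. Assumptions: the external interface is named eth1, and a general ESTABLISHED,RELATED rule elsewhere already lets the server's replies back out.

```shell
#!/bin/sh
# Validate a port-forward request and print the generic iptables rules for it.
# Added example, not IPCop's code. Assumes the external (RED) interface is
# eth1 and that a general ESTABLISHED,RELATED FORWARD rule handles replies.
# Nothing is applied; the rules are printed so they can be reviewed first.

RED_IF=eth1   # assumed external interface name

# valid_ipv4 A.B.C.D: four decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# is_private_ip A.B.C.D: true for RFC 1918 space (10/8, 172.16/12, 192.168/16).
is_private_ip() {
    valid_ipv4 "$1" || return 1
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# valid_port N: integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_proto() { [ "$1" = tcp ] || [ "$1" = udp ]; }

# forward_rules PROTO EXT_PORT INTERNAL_IP [INT_PORT]
# Prints one DNAT rule and one FORWARD accept rule; INT_PORT defaults to EXT_PORT.
forward_rules() {
    proto=$1; ext_port=$2; dst_ip=$3; dst_port=${4:-$2}
    valid_proto "$proto"   || { echo "bad protocol: $proto" >&2; return 1; }
    valid_port "$ext_port" || { echo "bad external port: $ext_port" >&2; return 1; }
    valid_port "$dst_port" || { echo "bad internal port: $dst_port" >&2; return 1; }
    is_private_ip "$dst_ip" || { echo "refusing: $dst_ip is not an RFC 1918 address" >&2; return 1; }
    # 1. nat/PREROUTING: rewrite the destination of packets arriving on RED.
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$RED_IF" "$proto" "$ext_port" "$dst_ip" "$dst_port"
    # 2. filter/FORWARD: admit only this protocol and port to the server; any
    #    other port on the server stays subject to the default FORWARD policy.
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$RED_IF" "$proto" "$dst_ip" "$dst_port"
}

# Demo: a Web server on a private address, and the non-standard-port case
# from the text (outside port 8080 mapped to the server's port 80).
forward_rules tcp 80 192.168.1.10
forward_rules tcp 8080 192.168.1.10 80
```

The second demo call shows the trade-off the text describes: mapping external 8080 to internal 80 works, but clients then have to spell out the port. The script refuses a routable target address outright, which is a cheap guard against typing a public IP where a private one was meant and accidentally turning the firewall into a relay.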

Note that if you are running public servers it is best to give your IPCop gateway a static, routable IP. Sometimes you'll have to pay a few extra dollars to your ISP to get this. But if your IPCop box does not have a static routable IP, you'll have to pull some fancy DNS footwork to enable access to your servers. Using a service like dyndns.org lets you use a consumer-level DHCP account to run public servers. IPCop even provides a configuration page for dyndns.org and other similar services at Services -> Dynamic DNS. Don't do this for high-volume, important servers; get a proper business account.

Traffic Shaping
IPCop makes simple traffic shaping easy, at the Services -> Traffic Shaping page. You may configure only a global upload/download limit, rather than customized limits for each protocol. But it's still useful because it assigns priorities for latency, which often matters more than download or upload speeds. Enter your actual maximum upload and download speeds, then click "Save." Give interactive traffic like SSH or VNC a high priority; this ensures the lowest latency, which means less keystroke and mouse lag. Streaming audio, video, and VoIP should also get high priority, unless these are things you want to discourage. Ordinary Web surfing and email do fine with medium priority.

Backing Up And Restoring IPCop
You need a floppy diskette to do a complete restoration from scratch, so make sure your IPCop box has a floppy drive. Stick the diskette in your IPCop box and format it:

# fdformat /dev/fd0

Then scurry to your remote administration workstation and go to System -> Backup. Under "Backup Configuration- Floppy Disk" click "Backup to Floppy."

Next you'll create backups of your IPCop data. Under "Backup Configuration" click "Create." This creates two files, and both will have an "Export" button. Click "Export" to save these files to the location of your choice.

Restoring data is as easy as selecting the backup of your choice in the "Backup Sets" windows, and clicking "Restore." Or use the file browser dialogue to select a different backup file.

I know I promised how to do VPN and wireless access, but these need an entire article all by themselves, so stay tuned. Be sure to visit IPCop's documentation page for more help.