Apprehend Intruders and Direct Traffic with IPCop

Part Two: IPCop provides lots of network services from a single box. This week we take a look at intrusion detection, traffic shaping, and basic maintenance.

 By Carla Schroder
Page 1 of 2

Last week's enthralling introduction to IPCop walked through installation and configuring a simple firewall/shared Internet connection. Today we shall look at running IPCop headless, intrusion detection, allowing access to public servers, simple traffic shaping, and backing up/restoring IPCop.

Post-Installation Changes
Log in to the IPCop box as root and run the setup command to make changes after installation, such as network configuration, removing or adding zones, and changing passwords. Note that a lot of these changes will require a networking restart, so don't do this when it might annoy users.

Running Headless
IPCop is designed to run on a headless box: no keyboard, mouse, or monitor. Whether this works depends on your hardware: ordinary PC hardware usually needs the BIOS configured to boot without a keyboard, and your boot device (hard drive, floppy, or CD) must be listed first in the BIOS boot order.

Remote SSH Access
What if you want to log into your headless IPCop box? Use SSH. The IPCop manual advises turning it on only on an as-needed basis, not leaving it enabled all the time. To enable SSH, log into the Web administration page from a remote workstation (remember how? on any workstation on the same subnet as the IPCop box, log in as the "admin" user). Go to System -> SSH Access, check the "SSH Access" box, then click "Save". Then open a terminal and connect via port 222:

$ ssh -p 222 root@
root@'s password:
root@ipcop:~ #

When you're finished, disable SSH on the Web administration page. By default, only access from the Green network is allowed. (See Part 1 to learn what the different color zones represent.) You may also connect from untrusted networks; see the Administrative Guide to learn how to do this.

Intrusion Detection
Setting up intrusion detection couldn't be simpler. IPCop uses Snort, the champion of intrusion-detection systems. Snort works by analyzing packets against a custom ruleset, then disposing of packets according to the rules. So it's more than just an intrusion-detection program; it's an intrusion-prevention program.

You can write or edit your own rules if you really really want to. Log into the IPCop box as root and look in /etc/snort to see the existing rulesets. Or you can take the easy way and use IPCop's Web administration page to download and activate new rulesets. Open the Web administration interface and go to Services -> Intrusion Detection. Click on the checkboxes of the interfaces you want intrusion detection to be active on. Then click "download new ruleset", hit the "save" button, and you're done. After a couple of hours check your logs at Logs -> IDS Logs. Rather amusing how quickly the logfiles fill up, primarily with Windows-targeted exploits.
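
As an added example, not part of the original article, here is a small Python triage script for the kind of IDS log the paragraph above describes: it parses Snort's single-line "fast" alert format (an assumption about the log layout on the IPCop box) over a constructed sample and ranks alerts by signature and source host, so the bulk of Windows-targeted noise can be separated from the few priority-1 hits worth reading first.

```python
import re
from collections import Counter

# Snort's single-line "fast" alert layout (assumption: the IDS log on the IPCop
# box is Snort output in this format; adjust the regex if yours differs).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts; the addresses are documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
04/12-09:01:12.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 203.0.113.2:1434
04/12-09:02:40.000002  [**] [1:2050:9] MS-SQL version overflow attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 203.0.113.2:1434
04/12-09:03:05.000003  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.55:1434 -> 203.0.113.2:1434
04/12-09:04:17.000004  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.55 -> 203.0.113.2
04/12-09:05:59.000005  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3341 -> 203.0.113.2:80
this line is not an alert and must be skipped
"""

def parse_alerts(text):
    """Return one dict per well-formed alert line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["prio"] = int(a["prio"])
            alerts.append(a)
    return alerts

def summarize(alerts, top=5):
    """Rank signatures and source hosts so the noisiest entries surface first,
    and pull out priority-1 hits, which deserve a look before the bulk noise."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return {
        "total": len(alerts),
        "top_signatures": by_sig.most_common(top),
        "top_sources": by_src.most_common(top),
        "priority_1": [(a["src"], a["msg"]) for a in alerts if a["prio"] == 1],
    }

if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_ALERTS))
    print(f"{s['total']} alerts; top signature: {s['top_signatures'][0]}")
    print("top sources:", s["top_sources"])
    print("priority 1:", s["priority_1"])
```

On a real box, feed it the alert file instead of SAMPLE_ALERTS (for example `parse_alerts(open(path).read())`) and raise `top` to see more of the long tail.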

Note that the Log -> Settings tab is where you configure your log rotation, level of logging details, or point the way to a logging server.

Continued on page 2: Opening Access To Public Servers

This article was originally published on Apr 12, 2005