Last week’s enthralling introduction to IPCop walked
through installation and configuring a simple firewall/shared Internet
connection. Today we shall look at running IPCop headless, intrusion
detection, allowing access to public servers, simple traffic shaping,
and backing up/restoring IPCop.

Log in to the IPCop box as root and run the setup command to
make changes after installation, such as network configuration,
removing or adding zones, and changing passwords. Note that many of
these changes require a networking restart, so don’t do this when
it might annoy users.

IPCop is designed to run on a headless box: no keyboard, mouse, or
monitor. Whether this works depends on your hardware. Ordinary PC hardware usually
needs the BIOS configured to boot without a keyboard; also make sure
your boot device (hard drive, floppy, or CD) is listed first in the
BIOS boot order.

Remote SSH Access
What if you want to log into your headless IPCop box? Use SSH. The
IPCop manual advises that you turn this on only on an as-needed basis,
and not leave it enabled all the time. To enable SSH, log into the
Web administration page from a remote workstation (remember how? Browse to
https://192.168.1.1:445 from any workstation on the same subnet as the
IPCop box and log in as the “admin” user). Go to System -> SSH Access and
check the “SSH Access” box, then click “Save”. Then open a terminal and
connect via port 222:
When you’re finished, disable SSH on the Web administration page. By
default, only access from the Green network is allowed. (See Part 1 to learn what the different color zones represent.)
You may also connect from untrusted networks; see the Administrative
Guide to learn how to do this.

Setting up intrusion detection couldn’t be simpler. IPCop uses Snort,
the champion of intrusion-detection systems. Snort works by analyzing
packets against a custom ruleset, then disposing of packets according
to the rules. So it’s more than just an intrusion-detection program;
it’s an intrusion-prevention program.
You can write or edit your own rules if you really really want to. Log
into the IPCop box as root and look in /etc/snort to see the
existing rulesets. Or you can take the easy way and use IPCop’s Web
administration page to download and activate new rulesets. Open the Web
administration interface and go to Services -> Intrusion Detection.
Click on the checkboxes of the interfaces you want intrusion detection
to be active on. Then click “download new ruleset”, hit the “save”
button, and you’re done. After a couple of hours check your logs at
Logs -> IDS Logs. Rather amusing how quickly the logfiles fill up,
primarily with Windows-targeted exploits.
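
To see which signatures account for the bulk of those IDS log entries, the following added example (not part of the original article or of IPCop itself) tallies Snort fast-format alert lines per signature and counts the distinct source addresses behind each. The sample lines are constructed, and the alert file path mentioned in the comment is an assumption about your installation.

```shell
#!/bin/sh
# Constructed sample in the Snort "fast" alert layout (documentation-range IPs,
# made-up local signature IDs); not output from a real sensor.
sample_alerts() {
cat <<'EOF'
03/14-02:11:07.123456  [**] [1:1000001:1] EXAMPLE SMB share probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:4312 -> 192.0.2.10:445
03/14-02:11:09.400112  [**] [1:1000001:1] EXAMPLE SMB share probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:4313 -> 192.0.2.10:445
03/14-02:15:42.000981  [**] [1:1000001:1] EXAMPLE SMB share probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:1187 -> 192.0.2.10:445
03/14-02:19:30.771020  [**] [1:1000002:1] EXAMPLE SQL worm probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.23:1042 -> 192.0.2.10:1434
03/14-02:20:01.010101  [**] [1:1000002:1] EXAMPLE SQL worm probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.23:1042 -> 192.0.2.10:1434
03/14-03:02:55.310009  [**] [1:1000003:1] EXAMPLE ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.99 -> 192.0.2.10
EOF
}

# summarise_alerts [FILE...]: one line per signature, busiest first.
# Reads stdin when no file is given. Assumption: on your box the alert
# file is something like /var/log/snort/alert.
summarise_alerts() {
    awk '
    BEGIN { FS = " \\[\\*\\*\\] " }     # fields: time, "[gid:sid:rev] msg", rest
    NF >= 3 {
        sig = $2
        n = split($3, w, " ")
        src = ""
        for (i = 2; i <= n; i++)          # source is the word before "->"
            if (w[i] == "->") src = w[i - 1]
        sub(/:[0-9]+$/, "", src)          # drop the port (IPv4; ICMP has none)
        count[sig]++
        if (src != "" && !((sig, src) in seen)) { seen[sig, src] = 1; sources[sig]++ }
    }
    END {
        for (sig in count)
            printf "%d alerts, %d sources: %s\n", count[sig], sources[sig], sig
    }' "$@" | sort -rn
}

sample_alerts | summarise_alerts
```

A signature with many alerts from a single source usually points at one noisy host, while many sources on one signature suggests background scanning.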
Note that the Log -> Settings tab is where you configure your log
rotation, level of logging details, or point the way to a logging

Opening Access To Public Servers
If you’re running a public Web, mail, FTP, or other server, it won’t do
much good if it’s locked away behind a firewall. One option is to put
your public servers outside your firewall. The usual way to protect
these is to strictly control what is installed on the machine, run
daemons in chroot jails, and configure iptables firewalls. But putting
your public servers behind an IPCop firewall has a number of
advantages: traffic is allowed only to specified ports, plus they get
the benefit of IPCop’s intrusion detection, proxying, traffic shaping,
and other useful features. And by using port forwarding, you may give
your servers non-routable private IPs. This gives you the flexibility
to move, add, and remove servers with a minimum of hassle.
Go to the Firewall -> Port Forwarding page. All you need to know is the
IP of the server and the listening port. /etc/services lists all
the standard assigned ports. An HTTP server, by default, listens on TCP
80. SMTP servers use TCP 25, POP3 uses TCP 110, and so forth. Most
servers also let you configure a non-standard port, which some folks
think is a useful security measure, but if you do, the clients
connecting to your server must manually specify the port, as in
http://domain.net:8080. And it really doesn’t add much security.
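
What a port forward amounts to underneath is a pair of netfilter rules, shown here as an added example that is not from the original article and is not IPCop’s own rule or chain layout. It assumes the Internet-facing interface is named eth1 (the hypothetical RED_IF variable) and refuses to forward to anything but a private server address.

```shell
#!/bin/sh
# Assumptions (not from IPCop): RED_IF names the Internet-facing interface,
# and the stock PREROUTING/FORWARD chains are used instead of IPCop's own.
RED_IF="${RED_IF:-eth1}"

# is_private IP: succeeds only for a well-formed RFC 1918 IPv4 address.
is_private() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        $1 == 10 || ($1 == 192 && $2 == 168) || ($1 == 172 && $2 >= 16 && $2 <= 31) { exit 0 }
        { exit 1 }'
}

# valid_port N: succeeds when N is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# portfw_rules PROTO EXT_PORT SERVER_IP SERVER_PORT
# Prints the two rules for one forward; fails without output on bad input.
portfw_rules() {
    proto=$1 ext=$2 ip=$3 int=$4
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    valid_port "$ext" && valid_port "$int" || { echo "bad port" >&2; return 1; }
    is_private "$ip" || { echo "$ip is not a private address" >&2; return 1; }
    # 1. Rewrite the destination before routing.
    echo "iptables -t nat -A PREROUTING -i $RED_IF -p $proto --dport $ext -j DNAT --to-destination $ip:$int"
    # 2. Allow the new connection through. FORWARD sees the packet after DNAT,
    #    so it matches the server's address and port, not the external port.
    #    Replies rely on the firewall's existing ESTABLISHED,RELATED rule.
    echo "iptables -A FORWARD -i $RED_IF -p $proto -d $ip --dport $int -m state --state NEW -j ACCEPT"
}

portfw_rules tcp 80 192.168.1.10 80      # standard HTTP port
portfw_rules tcp 8080 192.168.1.11 80    # non-standard external port
```

The script only prints the rules, so it can be run without root to review what a planned set of forwards would expose.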
Note that if you are running public servers it is best to give your
IPCop gateway a static, routable IP. Sometimes you’ll have to pay a few
extra dollars to your ISP to get this. But if your IPCop box does not
have a static routable IP, you’ll have to pull some fancy DNS footwork
to enable access to your servers. Using a service like dyndns.org lets you use a
consumer-level DHCP account to run public servers. IPCop even provides
a configuration page for dyndns.org and other similar services at
Services -> Dynamic DNS. Don’t do this for high-volume, important
servers; get a proper business account.

IPCop makes simple traffic shaping easy, at the Services -> Traffic
Shaping page. You may configure only a global upload/download limit,
rather than customized limits for each protocol. But it’s still useful
because it assigns priorities for latency, which often matters more
than download or upload speeds. Enter your actual maximum upload and
download speeds, then click “Save.” Give interactive traffic like SSH
or VNC a high priority; this
ensures the lowest latency, which means less keystroke and mouse lag.
Streaming audio, video, and VoIP should also
get high priority, unless these are things you want to discourage.
Ordinary Web surfing and email do fine with medium priority.

Backing Up And Restoring IPCop
You need a floppy diskette to do a complete restoration from scratch,
so make sure your IPCop box has a floppy drive. Stick the diskette in
your IPCop box and format it:
# fdformat /dev/fd0
Then scurry to your remote administration workstation and go to System
-> Backup. Under “Backup Configuration- Floppy Disk” click “Backup to
Next you’ll create backups of your IPCop data. Under “Backup
Configuration” click “Create.” This creates two files, and both will
have an “Export” button. Click “Export” to save these files to the
location of your choice.
Restoring data is as easy as selecting the backup of your choice in
the “Backup Sets” window, and clicking “Restore.” Or use the file
browser dialogue to select a different backup file.
I know I promised how to do VPN and wireless access, but these need an
entire article all by themselves, so stay tuned. Be sure to visit IPCop’s documentation page for