
Shorewall and Firewall Configuration via the port knocking.

September 11th, 2011

Today we will see how to configure our firewall so as to lock down our servers as much as possible against external attacks and unauthorized access.

To do this we will use Shorewall, a tool written in Perl that makes managing our firewall rules much easier.

Afterwards we will see how to configure a port knocking policy that opens the SSH port only to our own IP address, and only after we have sent a predetermined sequence of TCP and/or UDP packets.

Installing Shorewall

Installing it takes a single command:

sudo apt-get install shorewall

Then verify that you have at least version 4.4 installed, using the command

shorewall version

Otherwise, install it from the packages available on the official Shorewall website.

Configuring Shorewall

Once the software is installed, copy the default configuration files distributed with the package:

sudo cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/

Now we edit these files to customize our installation. First we must define the zones, i.e. the aliases by which the other configuration files will refer to the parts of our network. Edit the file

/etc/shorewall/zones

And insert the following contents:

#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

As you can see, we have defined the zone fw, which represents the firewall machine itself (the local side), and the zone net, which is the external network.

Next, we define the network interfaces the firewall will control. Edit the file

/etc/shorewall/interfaces

And insert the contents:

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
#LAST LINE - ADD YOUR ENTRIES BEFORE THIS ONE - DO NOT REMOVE

If your network interface is named differently, replace eth0 with its name. The detect value in the BROADCAST column saves us from specifying the interface's properties by hand and leaves it to Shorewall to work out what kind of interface it is.

Now the firewall policy: by default it will block all incoming traffic on all ports, and we will then open only the ports we are interested in. This way SYN flooding, ping and so on are blocked as well. Edit the file

/etc/shorewall/policy

And insert the content:

#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
#LAST LINE - DO NOT REMOVE

Translated into human language: allow all traffic from the server to the outside, and drop all traffic coming into the server, logging it at the info level in syslog. The final all/all REJECT line is the catch-all for anything not matched above.

Now we add the rule that opens port 80 on the web server, which will be the only port open by default, so that anyone can browse our website or use whatever service we run on that port. To do this, edit the file

/etc/shorewall/rules

And insert the content:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/   MARK
#                               PORT    PORT(S) DEST        LIMIT   GROUP
ACCEPT  net     fw      tcp     www
#LAST LINE - ADD YOUR ENTRIES BEFORE THIS ONE - DO NOT REMOVE

Fairly intuitive.

At this point we can configure shorewall to start automatically at system startup, by editing the file:

/etc/default/shorewall

and set the startup parameter to 1.

Do not start the firewall yet! The port knocking rules are not in place, so the policy would block access to SSH and you would surely lock yourself out :)

Installing and configuring knockd

Well, I sincerely hope you followed the advice just given. Let's install our port knocking daemon; but first, a brief explanation of what port knocking is, for those who don't know.

Port knocking (hereafter abbreviated to PK, because I can't be bothered to write it out every time :D) is, in general, a technique that lets a server perform an action when the PK daemon detects a certain sequence of incoming TCP and/or UDP packets. The most common case, and the one we need and will see here, is that when a client connects to a well-defined sequence of ports (which do not need to be open, since the daemon just catches the SYN packets) the daemon can decide, for example, to open the SSH port (random example, eh XD), and another sequence (or the same one, sent a second time) closes it again.

In practice this means that the server shows nothing open except the port of your web server; when we want to connect we send the knock packets (with the proper knock client, or with a quick bash script that connects to each port in turn, as I do :D) and the server magically opens the SSH port for our IP address only, while the rest of the world keeps seeing it closed... cool, isn't it? ^^

So, on to the installation:

sudo apt-get install knockd

And insert in the file:

/etc/knockd.conf

The rule:

[ssh]
  sequence         = 1234:tcp,8765:tcp,54321:tcp,2023:tcp
  seq_timeout      = 5
  start_command    = /sbin/iptables --append dynamic -s %IP% -p tcp --dport 22 -j ACCEPT
  tcpflags         = syn
  cmd_timeout      = 60
  stop_command     = /sbin/iptables --delete dynamic -s %IP% -p tcp --dport 22 -j ACCEPT

The sequence consists of our famous ports 1234, 8765, 54321 and 2023 (don't be silly, use long, complex sequences!), all TCP for simplicity. We have 5 seconds to complete this sequence of connections (in this order, remember!), after which port 22 is unlocked for our address. It stays unlocked for 60 seconds, after which, if no connection was made, it is closed again automatically. dynamic is the name of a chain that Shorewall creates automatically, to which we add our PK rules.
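The knock itself can be sent with any tool that opens a connection. Here, as an added example that is not part of the original post, is a small POSIX sh client that expands a knockd-style sequence string and sends it in order with nc; it assumes nc (netcat) is installed on the client, and the host and sequence are arguments you supply.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal port-knocking
# client in POSIX sh. It expands a knockd-style sequence string and sends one
# connection attempt per entry, in order, so the daemon sees the SYNs (or UDP
# datagrams) it waits for. Assumes nc (netcat) is installed on the client.

# parse_sequence SEQUENCE
#   Prints "PORT PROTO" lines, in order, for "1234:tcp,8765:udp,7000".
#   An entry without a protocol defaults to tcp, as knockd itself does.
parse_sequence() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        port=${entry%%:*}
        case $entry in
            *:?*) proto=${entry#*:} ;;
            *)    proto=tcp ;;
        esac
        printf '%s %s\n' "$port" "$proto"
    done
}

# knock HOST SEQUENCE [PER_PORT_TIMEOUT]
#   Sends the sequence to HOST. Knocked ports are normally DROPped, so nothing
#   ever answers and each attempt is capped at PER_PORT_TIMEOUT seconds
#   (default 1). Keep ports * timeout below knockd's seq_timeout (5 s in this
#   guide) or the daemon will discard the half-finished sequence.
knock() {
    host=$1
    sequence=$2
    per_port=${3:-1}
    parse_sequence "$sequence" | while read -r port proto; do
        if [ "$proto" = udp ]; then
            # a datagram must actually be sent, so give nc a payload
            printf 'knock' | nc -u -w "$per_port" "$host" "$port" >/dev/null 2>&1
        else
            # for tcp the SYN alone is enough; the connection need not succeed
            nc -w "$per_port" "$host" "$port" </dev/null >/dev/null 2>&1
        fi
    done
    return 0
}

# Usage: sh knock.sh address-of-your-server 1234:tcp,8765:tcp,54321:tcp,2023:tcp
# then:  ssh address-of-your-server   (within the 60 s cmd_timeout)
if [ $# -ge 2 ]; then
    knock "$1" "$2" "${3:-1}"
fi
```

With the four-port sequence above and the default one-second cap per port, a full knock takes at most four seconds, which fits inside the 5-second seq_timeout; with longer sequences lower the cap or raise seq_timeout accordingly.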

Now the final configuration, edit the file:

/etc/default/knockd

Set the START_KNOCKD flag to 1 so that knockd starts automatically at boot, and uncomment the line containing KNOCKD_OPTS, adjusting it to the name of your network interface; in the case of this example:

KNOCKD_OPTS="-i eth0"

Starting up and finishing

With that done, we are ready!

We start the daemon knockd:

sudo /etc/init.d/knockd start

Then we start shorewall:

sudo shorewall start
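Since starting Shorewall before the knockd side is ready locks you out of SSH, here is a pre-flight script to run before the two commands above. It is an added example, not part of the original post or of Shorewall/knockd; the file paths are the ones used in this guide, the MIN_KNOCK_PORTS threshold is an arbitrary assumption of mine (the post only says to use long sequences), and the --check mode needs pgrep.

```shell
#!/bin/sh
# Added example, not part of the original post or of Shorewall/knockd:
# a pre-flight check to run BEFORE "shorewall start", so the firewall is never
# brought up while the knock-to-open-SSH side is not ready. Paths default to
# the ones used in this guide; pass others for testing.

# Assumed threshold, not from the post (which only says "use long, complex
# sequences"): refuse to go live with fewer than this many knock ports.
MIN_KNOCK_PORTS=${MIN_KNOCK_PORTS:-6}

# knockd_enabled DEFAULTS_FILE
#   True when the file sets START_KNOCKD=1 on an uncommented line.
knockd_enabled() {
    grep -Eq '^[[:space:]]*START_KNOCKD[[:space:]]*=[[:space:]]*"?1"?' "$1" 2>/dev/null
}

# knockd_interface DEFAULTS_FILE
#   Prints the interface from an uncommented KNOCKD_OPTS="-i ethX", else nothing.
knockd_interface() {
    sed -n 's/^[[:space:]]*KNOCKD_OPTS[[:space:]]*=[[:space:]]*"*-i[[:space:]]*\([^" ]*\)"*.*/\1/p' "$1" 2>/dev/null | head -n 1
}

# section_sequence CONF SECTION
#   Prints the "sequence" value of [SECTION] in a knockd.conf, else nothing.
section_sequence() {
    awk -v want="[$2]" '
        $0 == want { inside = 1; next }
        /^\[/      { inside = 0 }
        inside && /^[ \t]*sequence[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1" 2>/dev/null
}

# count_ports SEQUENCE
#   Number of comma-separated entries in a knockd sequence string.
count_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c .
}

# exposed_ports RULES_FILE
#   Prints "PROTO PORT" for each ACCEPT rule from net to fw in a Shorewall
#   rules file: what the whole world will see open without knocking.
exposed_ports() {
    awk '/^[ \t]*#/ || NF < 4 { next }
         $1 == "ACCEPT" && $2 == "net" && $3 == "fw" { print $4, (NF >= 5 ? $5 : "-") }' "$1" 2>/dev/null
}

# precheck_files DEFAULTS_FILE CONF [SECTION]
#   Returns 0 when the knockd side looks complete, 1 otherwise, printing one
#   line per problem found.
precheck_files() {
    pc_defaults=$1; pc_conf=$2; pc_section=${3:-ssh}; pc_status=0
    if ! knockd_enabled "$pc_defaults"; then
        echo "START_KNOCKD is not set to 1 in $pc_defaults"; pc_status=1
    fi
    if [ -z "$(knockd_interface "$pc_defaults")" ]; then
        echo "KNOCKD_OPTS in $pc_defaults does not name an interface (-i)"; pc_status=1
    fi
    pc_seq=$(section_sequence "$pc_conf" "$pc_section")
    if [ -z "$pc_seq" ]; then
        echo "no [$pc_section] section with a sequence in $pc_conf"; pc_status=1
    elif [ "$(count_ports "$pc_seq")" -lt "$MIN_KNOCK_PORTS" ]; then
        echo "[$pc_section] sequence has fewer than $MIN_KNOCK_PORTS ports: $pc_seq"; pc_status=1
    fi
    return $pc_status
}

# With --check, run against the live files and also require a running knockd,
# since the SSH port only opens if the daemon is there to see the knock.
if [ "${1:-}" = "--check" ]; then
    precheck_files /etc/default/knockd /etc/knockd.conf ssh
    rc=$?
    if ! pgrep -x knockd >/dev/null 2>&1; then
        echo "knockd is not running: start it before shorewall"; rc=1
    fi
    echo "ports open to everyone according to /etc/shorewall/rules:"
    exposed_ports /etc/shorewall/rules
    [ "$rc" -eq 0 ] && echo "pre-flight OK: safe to run 'shorewall start'"
    exit "$rc"
fi
```

Run it as sh preflight.sh --check and only proceed with shorewall start when it reports OK; note that with the guide's four-port example sequence it will complain, which is the point of the author's advice to use longer sequences. Shorewall's own shorewall check command, which compiles the configuration without loading it, is a good companion for catching syntax errors in the zones, interfaces, policy and rules files.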

And the firewall is served! You can check everything with a nice scan of your own server, something like:

sudo nmap -sS -P0 -A -vvv address-of-your-server

And you will see only port 80 open, even though port 22 is there too: it is of course filtered by the firewall. To open it and log in, send the famous PK sequence to the ports with telnet, netcat or anything you like, then log in with the standard SSH client.

That's all for this guide :)
