Firewall Configuration
The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering. Firewall Introduction
The kernel's packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables. When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall if you're familiar with it, but many frontends are available to simplify the task.IP Masquerading
The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.This can be accomplished with a single iptables rule, which may differ slightly based on your network configuration:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADEThe above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:
· -t nat -- the rule is to go into the nat table
· -A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain
· -s 192.168.0.0/16 -- the rule applies to traffic originating from the specified address space
· -o ppp0 -- the rule applies to traffic scheduled to be routed through the specified network device
· -j MASQUERADE -- traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above
Each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work: sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPTThe above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.
Tools
There are many tools available to help you construct a complete firewall without intimate knowledge of iptables. For the GUI-inclined, Firestarter is quite popular and easy to use, and fwbuilder is very powerful and will look familiar to an administrator who has used a commercial firewall utility such as Checkpoint FireWall-1. If you prefer a command-line tool with plain-text configuration files, Shorewall is a very powerful solution to help you configure an advanced firewall for any network. If your network is relatively simple, or if you don't have a network, ipkungfu should give you a working firewall "out of the box" with zero configuration, and will allow you to easily set up a more advanced firewall by editing simple, well-documented configuration files. Another interesting tool is fireflier, which is designed to be a desktop firewall application. It is made up of a server (fireflier-server) and your choice of GUI clients (GTK or QT), and behaves like many popular interactive firewall applications for Windows.Logs
Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT). For example:sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0The above log will also appear in
/var/log/messages, /var/log/syslog, and /var/log/kern.log. This behavior can be modified by editing /etc/syslog.conf appropriately or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as fwanalog, fwlogwatch, or lire. SELinux
NOTE: Page not updated for Hardy. Upstart should work with selinux in Hardy and later.
Introduction
Security-enhanced Linux (SELinux) was originally developed as a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. Today SELinux is integrated into the mainline Linux 2.6 kernel series and several Linux distributions. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.
Target Audience
This guide is designed for intermediate to advanced users of Ubuntu, and is not recommended for beginners. The changes SELinux can make to your Ubuntu system can potentially render parts of your system inoperative, or have other adverse affects. You should have a very good understanding of what will occur for every change you allow SELinux to make, and understand any potential ramifications which may arise later from those changes. The author of this guide, the creators of SELinux, and Ubuntu cannot be responsible for any adverse conditions with your Ubuntu system which may be caused by failure to understand what you are doing with SELinux. You have been warned.
Installation
Installing SELinux is easy..
1. sudo apt-get install selinux
2. Reboot!
Setting IP Address di UBUNTU
Pada intinya, setting network pada debian ditentukan oleh beberapa file yaitu:
- /etc/network/interfaces.
- /etc/network/options.
/etc/network/interfaces
File ini memuat konfigurasi IP yang akan digunakan oleh Network Interface yang terpasang pada suatu komputer. Selain alamat IP, file ini juga menyimpan informasi tentang routing. Di bawah ini adalah salah satu contoh isi file /etc/network/intefaces:
auto lo
iface lo inet loopback
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.30.10
network 192.168.30.0
netmask 255.255.255.0
broadcast 192.168.30.255
gateway 192.168.30.11
iface eth0 inet static
address 192.168.30.10
network 192.168.30.0
netmask 255.255.255.0
broadcast 192.168.30.255
gateway 192.168.30.11
Kata auto yang mendahului nama suatu interface menandakan bahwa interface tersebut akan dinyalakan secara otomatis pada saat booting. Interface lo tidak memiliki konfigurasi IP karena lo digunakan sebagai loopback sehingga memiliki IP yang pasti yakni 127.0.0.1. Alamat IP ini digunakan oleh komputer untuk berkomunikasi dengan dirinya sendiri.
Konfigurasi untuk eth0 harus diberikan karena interface ini dikonfigurasi menggunakan IP statis. Parameter-parameter yang harus disebutkan untuk jenis interface static adalah:
Konfigurasi untuk eth0 harus diberikan karena interface ini dikonfigurasi menggunakan IP statis. Parameter-parameter yang harus disebutkan untuk jenis interface static adalah:
- address: menentukan IP address yang digunakan suatu komputer.
- network: menentukan Network Address komputer.
- netmask: menentukan subnet mask network komputer.
- broadcast: menentukan alamat broadcast yang digunakan komputer untuk memperkenalkan diri pada jaringan.
- gateway: menentukan default gateway yang digunakan apabila komputer tersebut mengirimkan paket data ke luar jaringan anggotanya.
Setelah selesai melakukan perubahan pada file ini anda dapat mengaktifkan setting ini dengan menjalankan perintah:
debian:~# /etc/init.d/networking start
Untuk memeriksa apakah setting ini sudah benar, ketikkan ifconfig di terminal dan jika muncul :
eth0 Link encap:Ethernet HWaddr 00:10:83:01:18:41
inet addr:192.168.30.10 Bcast:192.168.30.255 Mask:255.255.255.0
inet6 addr: fe80::210:83ff:fe01:1841/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:116392026 errors:0 dropped:0 overruns:0 frame:0
TX packets:172631398 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1681468257 (1.5 GiB) TX bytes:3669393927 (3.4 GiB)
Interrupt:9 Base address:0xece0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0….
inet addr:192.168.30.10 Bcast:192.168.30.255 Mask:255.255.255.0
inet6 addr: fe80::210:83ff:fe01:1841/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:116392026 errors:0 dropped:0 overruns:0 frame:0
TX packets:172631398 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1681468257 (1.5 GiB) TX bytes:3669393927 (3.4 GiB)
Interrupt:9 Base address:0xece0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0….
settingan dah bener! test coba ping ke kompie sebelah..
/etc/network/options
File ini memuat beberapa pilihan yang dapat dijalankan bersamaan dengan aktifasi alamat IP pada bagian di atas. Secara default, file ini mengandung 3 baris. Isi file ini kurang lebih seperti di bawah ini.
ip_forward=no
spoofprotect=yes
syncookies=no
spoofprotect=yes
syncookies=no
Baris pertama menunjukkan bahwa komputer ini tidak digunakan untuk memforward paket data yang diterimanya ke komputer lain. ip_forward harus diset yes bila memang komputer ini dibangun untuk bertindak sebagai router atau bridge. Baris kedua menunjukkan bahwa perlindungan ipspoof aktif. Ada baiknya pilihan ini selalu yes untuk menghindari terjadinya spoofing alamat IP kita oleh orang lain. Baris ketiga menyatakan bahwa syncookies tidak diaktifkan. Pilihan ini bertujuan untuk membatasi jumlah usaha membuat koneksi baru dari komputer lain ke komputer kita. Bila komputer kita menerima semua request secara serentak dengan jumlah banyak, besar kemungkinan bahwa komputer kita akan hang dalam waktu singkat.
Membuat FTP Server di Ubuntu Hardy dengan Vsftpd
Vsftpd adalah salah satu pilihan aplikasi untuk menjalankan FTP server. Vsftpd memberikan kombinasi yang serasi antara performa dan keamanan. Tutorial ini akan menjelaskan bagaimana cara menginstal vsftpd di Ubuntu Hardy.Instalasi
Instalasi vsftpd semudah menginstal aplikasi lain dari repositori Ubuntu.sudo apt-get install vsftpdUntuk menjalankan service vsftpd
sudo /etc/init.d/vsftpd startUntuk mematikan service vsftpd
sudo /etc/init.d/vsftpd stop
Konfigurasi FTP Anonim
FTP anonim artinya user bisa masuk ke ftp server tanpa harus memasukkan login dan password. Biasanya digunakan oleh ftp server yang menyediakan berkas untuk umum, seperti mirror aplikasi atau server penyedia repositori distro linux.Secara default konfigurasi vsftpd di Ubuntu sudah membolehkan akses ftp anonim. Dan lokasi home direktori untuk user ftp ada di /home/ftp, dan ini adalah tempat menyimpan berkas yang akan diberikan melalui ftp.
Jika Anda berniat untuk memindahkan lokasi tempat menyimpan berkas untuk ftp anonim tadi, Anda tinggal mengganti lokasi home direktori untuk user ftp.
Misal, kita akan pindahkan ke /data/ftp.
sudo mkdir /data/ftp
sudo usermod -d /data/ftp ftpSetelah itu, restart service vsftpd
sudo /etc/init.d/vsftpd restart
Konfigurasi FTP untuk User
Jika Anda ingin membolehkan user yang ada di linux server untuk login melalui ftp dan user-user tadi bisa mengupload berkas ke server, buat konfigurasi seperti berikut.Berkas yang harus Anda sunting adalah
/etc/vsftpd.conflocal_enable=YES
write_enable=YESSetelah itu restart service vsftpd
sudo /etc/init.d/vsftpd restart
Membatasi User di Home Direktori
Secara default user yang bisa masuk melalui ftp, bisa mengakses semua berkas yang ada di server (tentunya dengan hak akses yang sesuai dengan user tersebut). Jika Anda ingin membatasi user yang login melalui ftp hanya bisa mengakses berkas-berkas yang ada di home direktorinya saja, gunakan konfigurasi berikut.Sunting berkas
/etc/vsftpd.confchroot_local_user=YESAtau jika Anda hanya ingin membatasi user tertentu saja, gunakan konfigurasi seperti di bawah ini
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_listKemudian Anda masukkan user yang ingin dibatasi ke dalam berkas
/etc/vsftpd.chroot_list.Dan jangan lupa, untuk menerapkan konfigurasi tadi, Anda harus merestart service vsftpd.
sudo /etc/init.d/vsftpd restart
No comments:
Post a Comment