HOWTO protecting your NetKernel server

nk4um User, July 19, 2009 19:31
port 80 instead of 8080
Greetings all,

Sometimes you prefer that your applications can be reached without adding the extra port indication. Like http://yourserver/yourapplication/ instead of http://yourserver:8080/yourapplication/. But since the default http-port is 80 and only root (on most Linux systems) can run a service on a port below 1000, you seem to be stuck. Not so. Our trusted iptables comes to the rescue once more. We keep our NetKernel frontend running at port 8080 ... and route the requests to port 80 there (a bit like the mountain coming to Moses ... or was that the other way around ?).

Step 1 - Free port 80

Those webhosting-services today are really good. I remember when you had to pay for a - very restricted - Unix shell account. These days you get root on your own host that has Apache and if you are lucky MySQL running already.

Nice, but that Apache is bound to be running - as root - on port 80. Check if your host has an httpd process running and if it does, stop it :
chkconfig httpd off
service httpd stop

That will take care of that ...

Step 2 - Revised iptables script

# Placeholder: your server's fixed IP
SERVER_IP=<your fixed server ip>
# Flush and delete existing rules. The nat and mangle tables need their own
# flush, since "iptables -F" only touches the filter table; without it every
# rerun of this script appends duplicate PREROUTING rules.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policy: drop everything that is not explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback is always allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Inbound: SSH (3022), HTTP (80) and the NetKernel frontend fulcrum (8080)
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 3022 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
# Outbound: replies from those same three ports
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 3022 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 80 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 8080 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
# Redirect incoming port 80 to the frontend fulcrum on 8080
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8080
# Drop anything addressed directly to 8080. The mangle table is consulted
# before the nat REDIRECT, so redirected traffic still carries dport 80 at
# this point and is not affected by this rule.
iptables -A PREROUTING -t mangle -p tcp --dport 8080 -j DROP
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP


What has changed ?
1) Port 80 was added to the 'allowed ports'
2) A PREROUTING rule was added for a NAT translation from port 80 to port 8080.

Actually 1) and 2) do the trick ... however, since we like a secure host, there's a 3)

3) A PREROUTING rule was added to DROP all external traffic going directly to port 8080.
We can't just drop port 8080 from the allowed ports by the way, for the NAT rule would also not work in that case.

Step 3 Test the result

You should now be able to reach http://yourserver/yourapplication/
You should no longer be able (if you did 3) to reach http://yourserver:8080/yourapplication/

Enjoy,
Tom

P.S. Linux is like a Wigwam. It has no windows and an Apache inside ...
nk4um User, June 21, 2009 20:26
HOWTO protecting your NetKernel server
These days having your own (virtual) server connected to the internet is within the reach of many. There is power in being able to show the world what you can do. However, with (great) power comes (great) responsibility. And while no single server can withstand a coordinated attack, there's no need to 'hand over' your paid-for server to the first script-kiddie that comes along either. This HOWTO explains how to :-) keep your server ... yours.

In the discussion below this is the setup :
- You have a home desktop which runs Windows XP. It has an internet connection with a dynamic IP. We will call this machine CLIENT.
- You have a (virtual) server, hosted somewhere. It has an internet connection with a fixed IP. It runs Linux. We will call this machine SERVER. You have SSH access to this SERVER.

This is not a randomly chosen setup. It is the most common setup. NetKernel does however allow any setup and if you require more information on your specific setup, you can contact me.


Protecting your CLIENT
- Keep your Windows XP updated.
- Use a good virus scanner. The best ones are commercial. Pay for it. This is an investment that will pay off.
- Use a good firewall (no, the one included in Windows XP will not do). There are several free ones available.
Honestly, you might consider switching to a Linux CLIENT. Try Ubuntu if you want to take it slow :-).

Before we move on to the SERVER, you are going to need SSH client software on the CLIENT. Ideal for this is PuTTY. You'll find this software at http://www.chiark.greenend.org.uk/~sgtatham/putty/. If you are feeling a bit more experimental, get Cygwin which you'll find at http://www.cygwin.com. Install it and make sure you get the openssh package (it is under the Net category).


Protecting your SERVER
The idea is simple. NetKernel has two fulcrums, one on port 8080 which we want to show to the world and one on port 1060 which we want to be able to reach from our CLIENT, but which nobody else is allowed to reach.

In big lines this is the situation we want to achieve :
- We lock down all access to the server with the iptables (basic firewall on Linux) tool.
- We open up port 8080 only. Again iptables will do the job.
- We can NOT open up port 1060, instead we will allow SSH access to the SERVER and tunnel port 1060 through SSH to our CLIENT.

Step 1. Move SSH access to a non-known port.
Everybody knows SSH is normally on port 22. This opens you up for attack if you are going to use SSH (which we are). So we are going to move it to a different port. In file /etc/ssh/sshd_config you change the line :
Port 22

to for example (make your own choice, in the rest of this document I'll work with the port number mentioned below) :
Port 3022

and you restart the sshd service
service sshd restart

 
This is what we call security through obscurity :-).
Make sure to test that you can reach your SERVER through the new port.

Step 2. Install NetKernel
This is known stuff. One important point. NetKernel should not, I repeat NOT run under the superuser (root). Create a normal user (for example dexter with userid 1060) and run NetKernel with that user.
 
Make sure to test that you can reach both fulcrums. At the moment you are open to attack, but not for long.

Step 3. Lockdown
Before you do the following, make absolutely sure that you have tools to reach the console of your SERVER. It is not impossible that you will lock yourself out if you make a mistake and you want to be able to amend that.
 
Enter and execute the following script on your server :
SERVER_IP=<your fixed SERVER ip>
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# In the next line replace 3022 with your choice for the SSH port
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 3022 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
# In the next line replace 3022 with your choice for the SSH port
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 3022 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 8080 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP


Make sure to test that you can still SSH to your SERVER.
Make sure to test that you can still reach the frontend fulcrum (8080) of your SERVER.
Make sure to test that you can no longer reach the backend fulcrum (1060) of your SERVER.

Step 4. Reaching the backend
We've made things quite secure now, but of course you want to be able to reach the backend fulcrum yourself. That is where ssh tunneling comes in.
 
With PuTTY on your CLIENT:
Before connecting to your SERVER (on the port you chose) you add a new port to forward (under Connection, SSH, tunneling). The source port is 1060, the destination port is localhost:1060. Open the connection ... and as long as that connection is open you will be able to browse to http://localhost:1060
   
With Cygwin on your CLIENT:
Connect to the SERVER with the following command
ssh -L 1060:<SERVER>:1060 root@<SERVER> -p <SSH PORT>

Again, as long as that connection is open you will be able to browse to http://localhost:1060


Closing words
The above method has been tested and it works for me on NK3. I haven't been able to test it with NK4 Apposite updates yet, that may require some extra stuff. I'll post an update if it does.

As is usual in these kinds of HOWTOs I have to mention that it is provided AS IS and that I take no responsibility if the above method does not work for you, locks you out of your server or causes you any other kind of trouble.
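Both HOWTOs end with "make sure to test that you can / can no longer reach" a list of ports. The script below is an added example, not part of Tom's posts, that automates those checks from the CLIENT; it assumes bash and the coreutils timeout command are available (both ship with Cygwin), and <SERVER> and 3022 are placeholders for your fixed IP and your chosen SSH port.

```shell
#!/bin/bash
# Added example (not from the original posts): probe the port matrix that
# Step 3 of the HOWTO and the port-80 follow-up expect after the lockdown.

# port_state HOST PORT: prints "open" when a TCP connect succeeds, otherwise
# "closed". Uses bash's /dev/tcp so no nmap or nc is needed; timeout bounds
# each probe, since a DROP policy makes the server silently swallow packets.
port_state() {
    local host=$1 port=$2
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# check_lockdown HOST "PORT:open PORT:closed ...": probes every port in the
# expectation list, prints one line per port and returns 0 only if all match.
check_lockdown() {
    local host=$1 rc=0 spec port want got
    for spec in $2; do
        port=${spec%%:*}
        want=${spec##*:}
        got=$(port_state "$host" "$port")
        if [ "$got" = "$want" ]; then
            echo "OK   $host:$port is $got"
        else
            echo "FAIL $host:$port is $got, expected $want"
            rc=1
        fi
    done
    return $rc
}

# Expected state after Step 3 of the original HOWTO: SSH moved to 3022,
# the frontend fulcrum public, the backend fulcrum and old port 22 closed.
# check_lockdown "<SERVER>" "3022:open 8080:open 1060:closed 22:closed"
# Expected state after the port-80 follow-up: 80 public, direct 8080 dropped.
# check_lockdown "<SERVER>" "3022:open 80:open 8080:closed 1060:closed 22:closed"
```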