Creating a Stealth Firewall to Secure a Solaris Computer from Hackers.
Dr. David Kirkby, Ph.D.Version 1.1 21/08/2000
Abstract
Any computer that works may be hacked, even if not connected to internet, as insiders are often a source of hacking. However, whenever a computer is connected to the internet, the number of potential hackers increases considerably. The probability of the machine being hacked from the internet can be dramatically reduced by making it difficult for someone to find it. This document describes how a Sun SPARCstation 20 running Solaris 8 was secured using the packet filtering package called IP filter. After IP filter was installed and configured, the machine could access the internet and browse the web from the console, could be accessed by ssh and sftp (secure replacements for ftp and telnet) remotely from some specific IP addresses, yet was practically invisible to the rest of the world's computers. To anyone else, the SPARCstation would not respond to attempts to contact the machine by ssh, sftp, ftp, telnet, or even ping.This document is aimed at home uses, or any application where the utmost in security is not required. It should stop the average hacker running a package to hack your machine. It is not intended to be the last word on high security firewalls, nor is it intended for use when the highest security is necessary. The information is provided free in the hope it will be of use, but no warranty is given. Anyone sniffing the internet connection between your computer and the web could detect the presence of your computer, even if it was not responding to attempts to make connections in the normal way. Posts to newsgroups indicate your presence. There are also some sophisticated techniques, that are not covered here, that would enable detection of the computer.
In this document, the machine with the firewall is called parrot and it has an IP address of 62.255.98.185. A pair of machines from which parrot will accept connections are called friend and family. A machine from which any form of access will always be denied is called stranger. These names are fictitious and the IP address was dynamically allocated by my ISP, so is not likely to be my current IP address.
Introduction
There are several excellent articles on computer security
on the web. The following are predominantly specific to Solaris, although
the general principles apply to any operating system.
Building
a Solaris Host
Look under security at Sun
Blueprints
Stokely
Consulting has a good set of links.
Solaris
security FAQ
Armoring
Solaris
Most suggest a set of procedures than includes:
- Remove it from the internet.
- Put physical security measures in place, so for example an insider can't just put a CD in and boot to have root access.
- Install the bare minimum of a system on a blank disk - don't upgrade an operating system, as the system might already be compromised.
- Install the latest patches for the operating system.
- Disable any unnecessary daemons started in /etc/rc2.d and /etc/rc3.d.
- Disable any services that are unneeded from /etc/inet/inetd.conf
- Make changes to the OS that might be appropriate - for example preventing the execution of the stack of programmes, network changes.
- Install the firewall software, then test the firewall.
- Install other security software (e.g. Tripwire )
Only then should the machine be connected back to the internet. This article assumes that several of the above articles have been read. Security is always a compromise with usability, so not every suggestion is appropriate in every case.
TCP wrappers
tcp_wrappers is a software solution to limit access to
a machine. It works by creating small wrapper programmes for services called
by /etc/inet/inetd.conf. You can specify which IP addresses are allowed
to connect to which services. While useful, it has 2 main problems.
- It only works with services started from /etc/inet/inetd.conf. This excludes many that may be used as an entry point into a computer.
- When a remote computer is denied access, the protected computer rejects the packet. By doing this, the remote computer is aware the port exists, but is closed. That leaves the possibility of access by other means - such as finding problems with the operating system.
IP filter is much more powerful, although it is is more complex to set up. However, that complexity is rewarded by increased security.
Installing IP filter
The computer was first set up to use the modem to connect
to the internet, as described in Mike
Mann's Solaris Resources In this case the connection to
the internet is through the ipdptp0 interface.
Next, IP filter, available at http://cheops.anu.edu.au/~avalon/ip-filter.html
was installed. The instructions need to be read, as it's not quite as simple
as the normal configure; make; make install. For some reason, it does not
work with gnu make, but it worked fine with the /usr/ccs/bin/make on my
Solaris machine. On a Solaris machine, one has to make a package then install
using pkgadd. Mike Mann's excellent web pages on Solaris have a section
under construction on using IP filter for network
address translation and routing. This gives some more detailed instructions.
# gzip -d ip-fil3.4.8.tar.gz
# tar xvf ip-fil3.4.8.tar
# cd ip_fil3.4.8
# /usr/ccs/bin/make solaris
# cd SunOS5
# /usr/ccs/bin/make package
This installs binaries - ipfstat, ipftest, ipmon, ipnat, ipresend, iptest and mkfilers, which is an executable perl script. The script mkfilters is designed to produce a set of rules for a firewall, although it did not meet my needs of making the computer stealth.
IP filter is started automatically at boot with the file /etc/rc2.d/S65ipfboot, which is installed with the package.
IP filter is configured with a configuration file. I called the file /usr/local/etc/ipf/firewall.conf . I wrote a script /etc/rc3.d/S98Firewall to load the firewall software at boot time.
parrot # cat /etc/rc3.d/S98Firewall
#!/bin/sh
/sbin/ipf -f /usr/local/etc/ipf/firewall.conf
The firewall logs some of the refusals. The logging is started at boot by a script /etc/rc3.d/S99LogFirewall
parrot # cat /etc/rc3.d/S99LogFirewall
#!/bin/sh
pkill -9 ipmon
/opt/ipf/bin/ipmon -n > /var/log/ipf/ipf.$$.log
&
A third script, /usr/loca/bin/restartfirewall, is executed whenever the file /usr/local/etc/ipf/firewall.conf is changed. This uses tail -f to constantly look at the log of refused connections.
parrot # cat /usr/local/bin/restartfirewall
#!/bin/sh
/sbin/ipf -Fa
/etc/rc3.d/S98Firewall
/etc/rc3.d/S99LogFirewall
LOGFILENAME=`ls -lrt /var/log/ipf
| awk '{print $9}' | tail -1`
echo $LOGFILENAME
tail -f /var/log/ipf/$LOGFILENAME
The contents of the configuration file determine what
the IP filter package does with each filter. A full discussion of how to
set the configuration file may be found at this IP
Filter How-To
One important point to note is that if there are several
rules that match an incoming or outgoing packet, the last is followed and
all previous one ignored. The following configuration file assumes the
main internet connection is through ipdptp0, which is for my case is the
modem.
parrot # cat /usr/local/etc/ipf/firewall.conf
#First, block everything coming
down the modem.
block in log on ipdptp0 all
# Anything with options gets thrown
out, as these can be used to hack.
block in log quick from any to
any with ipopts
# Get rid of all short TCP/IP fragments
(too small for valid comparison)
# as these can be used for hacking.
block in log quick proto tcp from
any to any with short
# Block all the private routable
addresses, as these should never come down the modem.
block in quick on ipdptp0 from
192.168.0.0/16 to any
block in quick on ipdptp0 from
172.16.0.0/12 to any
block in quick on ipdptp0 from
10.0.0.0/8 to any
# Block any packet going out, that
is intended for one of the private address ranges.
# There is no reason to send anything
to such an IP address.
block out quick on ipdptp0 from
any to 192.168.0.0/16
block out quick on ipdptp0 from
any to 172.16.0.0/12
block out quick on ipdptp0 from
any to 10.0.0.0/8
# Much software communicates with
itself on 127.0.0.1 so
# blocking it from an external
source is a good idea.
block in quick on ipdptp0 from 127.0.0.0/8
to any
# Allow any responses from remote
sites to come back - ping, web sites etc.
# This means any port will be opened,
if needed.
pass out quick on ipdptp0 proto
tcp from any to any keep state
pass out quick on ipdptp0 proto
udp from any to any keep state
pass out quick on ipdptp0 proto
icmp from any to any keep state
# Allow anything from selected friendly
computers. These computers are trusted.
pass in quick on ipdptp0 from friend
to any
pass in quick on ipdptp0 from family
to any
For further information on configuring IP filter for a firewall, see the The IP Filter Based Firewalls HOWTO This is very comprehensive, but somewhat complex in places.
Results
parrot /export/home/davek % ping www.sun.com
www.sun.com is alive
I'll now log into a machine friend and ping the
host parrot which has the firewall
friend /home/users/davek % /usr/sbin/ping 62.255.98.185
62.255.98.185 is alive
From another host, I'll attempt to ftp to the machine.
family /home/users/davek % telnet 62.255.98.185
Trying 62.255.98.185...
Connected to 62.255.98.185.
Escape character is '^]'.
Vax VMS 6.2
login:
(The system is configured to reports its operating system
is VMS 6.2, as a simple, and probably not very useful, attempt to fool
hackers)
This is now repeated from a computer stranger,
that is not on the list of machines from which connections will be accepted.
stranger /home/users/davek % /usr/sbin/ping 62.255.98.185
no answer from 62.255.98.185
Hence parrot, which has been secured with the firewall, can't even be pinged from a remote computer stranger. Port scanners will not be able to find any evidence of the computer's existence.
Testing the security of your system.
There are many security tools that can be used to test the security of your system. Unfortunately, these same packages are often used by hackers.
nmap is a port scanner that you can run yourself. It is best to run it on a remote, untrusted computer, to see what what ports appear to be open on your computer. Ideally you need root access on the machine from which you wish to test, as some of the tests need it.
The Shields
Up site at https://grc.com/x/ne.dll?bh0bkyd2 is a web based
port scanner that reports on whether a few selected ports are open (accepting
connections), closed (refusing connections) or stealth (not acknowledging
their presence). It can not test as many ports as programmes like nmap,
but it is none the less useful. Here is a screen dump of a run collected
with the firewall in place, we can see it is secure.
If the firewall is now disabled, we see it is far less so, with many ports being open or closed, but not stealth.
without the firewall.
Disabling telnet and ftp.
So far, the computer parrot is difficult to detect from
an arbitrary remote host on the internet. However, whenever a telnet or
ftp connection is made, the passwords are sent in plain text. It is better
to add OpenSSH, which is a secure shell,
that provides secure replacements for rsh, rlogin, rcp, telnet, rexec,
rcp and ftp. Once OpenSSH is installed, it will be impossible to obtain any
passwords by sniffing the internet connection.
Other useful security software
The following software packages may be useful
ssh is a replacement for replacement for rsh, rlogin, rcp, telnet, rexec, rcp and ftp. It avoids needing to pass plain text passwords over the internet.
Tripwire
is a programme, available in both open source and commercial versions,
that allow one to detect if a system has been hacked, as long as you can
be 100% sure the system has not been hacked at the time of the installation
of tripwire.
Protecting other networked computers.
The computer parrot was configured to act as a router and perform network address translation as described here. A windows NT machine was connected to the 100baseT connection (hme0) on the Sun SPARCstation's network card. The Windows machine was also hidden from the effects of hackers. It too, showed up as Stealthon the Shields Up site.
Limitations
With a firewall configured as discussed here, the computer parrot will be very hard to find on the internet by someone at an arbitrary site. However, if the hacker can intercept the connection between parrot and the sites to which you contact, they will know of your presence. If you access parrot remotely using standard ftp or telnet from friend the passwords can be intercepted. Hence it is advisable to only connect from a remote site using a secure shell and to disable ftp and telnet access.
Stealth Port scanning is technique that could be used to find a computer that does not respond to ping requests using a tool such as hping2 The technique is not 100% accurate, and is difficult to use.
The computer parrot runs X-windows, has several compilers on its 3 hard disks and has many services running. As such, it will always be less secure than a machine that is dedicated to the job of a firewall and is not a general purpose multi-user computer. The Coyote Linux Project is a cut down version of linux that performs network address translation and runs from a floppy disk that may be write protected. A firewall running on this would in principle be more secure than one on a general purpose UNIX computer in multi-user mode with its read/write hard drives. I have in the past used a PC as a firewall/router, but decided to take the less secure route of the main computer performing the firewall function too. This decision was based on the desire to reduce the number of computers generating heat and noise - the reduction is security was acceptable to me.
Acknowledgements
The author would like to Mike Mann for help with my earlier attempts at using a Solaris computer to perform network address translation and to Ean Kingston ean@korax.net for helpful comments on an earlier copy of this article.
About the author David Kirkby is a scientist, with a Ph.D degree in Medical Physics. He is not, nor has ever been, a professional UNIX systems administrator. He administers his own personal Sun SPARCstation 20s, Ultra 60 and Ultra 80. Hence you may feel happier ignoring all of the above.
Any comments ?