Building IPCop Linux Firewall w Copfilter p2

8/16/2019 Building IPCop Linux Firewall w Copfilter p2

1/21

The Perfect Linux Firewall Part II -- IPCop & Copfilter

Author: Joseph Guarino - Evolutionary IT

Version 2.x

This document is the second segment in a series on installing I!op"ire#all. $e #ill %e creating a &'()& "or hosting your o#n #e% serveror mail server and the !op"ilter proxy "or "iltering your applicationlayer ingress and egress net#or* tra""ic. This is intended to %e a roughovervie# on creating a I!op "ire#all #ith !op"ilter and comes #ithout#arranty o" any *ind.

Using your IPCop for web hosting/mail hosting

Given the instructions "rom the previous article+ you should have a "ullinstallation o" I!op running. The current "ocus remains t#o-"old: toget your server in the ,range '() segment o" your I!op /et#or*and opening up the ports on your "ire#all to allo# #e% tra""ic to it.

http://www.evolutionaryit.com/http://www.evolutionaryit.com/


2/21

Additionally+ our second goal in this article #ill %e securing ourapplication layer #e% tra""ic+ email and personal privacy #ith a#onder"ul add-in+ called !op"ilter.

As #e detailed in part one+ I suggested the 012.03.04.x net#or* "or

our &,range& '() segment. In this part o" the net#or* I #ill placehosts that I #ant visi%le to the outside #orld. ort "or#arding #illpermit the "lo# o" tra""ic "rom external 5E' '6! inter"ace7net#or*to '() ,5A/GE net#or*.

range !etwor" #e$uirements

• Installed and con"igured server #ith the 'istro o" your choice#ith the email 8(T 9 , or I(A and #e%server o" yourchoice. ;ree 9 ,pen 8ource 8o"t#are ;,88 is all a%out choiceso pic* #hat "its your needs..

• This orange net#or* server must have a static I address andnot %e on '6!. ;or the sa*e o" this article+ #e are using thestatic I o" 012.03.04.2< "or our single internal ,5A/GEhosting server.

%ecure your range !etwor" osts

• 8ecurity is a process not any one tool or technology. 5ather+ it ismany tools+ technologies and processes. !onsider a holistic vie#.

• 5emem%er to consistently patch and monitor logs patches are an

important measure to mitigate *no#n vulnera%ilities.• (a*e sure you "ully patched+ secured and %ac*ed up any host

%e"ore you expose it to the Internet.• The %est security is a layered approach so consider using a 6I'

6ost Intrusion 'etection+ chroot+ xinetd and Tcp#rappers toname a "e#.

• 8hut do#n any unnecessary net#or* services on this node.• Join the mailing lists or 588 "eed "or the ;ree7,pen 8ource

applications you are using and general security mailing lists soyou are sure to %e a#are o" vulnera%ilities and issues that mightarise. Also chec* out !E5T "or a general mailing list or 588 "eedon security vulnera%ilities. http:77###.us-cert.gov7current7

%ecure your 'reen !etwor"

• 'on=t have a "alse sense o" security >ust %ecause you havestrong and extensive I!op7!op"ilter con"iguration. ?e sure tosecure A@@ o" your machines. !onsider a holistic vie# o" security.

http://en.wikipedia.org/wiki/Free_and_Open_Source_Softwarehttp://en.wikipedia.org/wiki/Host_based_intrusion_detection_systemhttp://en.wikipedia.org/wiki/Host_based_intrusion_detection_systemhttp://en.wikipedia.org/wiki/Chroothttp://en.wikipedia.org/wiki/Xinetdftp://ftp.porcupine.org/pub/security/index.htmlhttp://www.us-cert.gov/current/http://en.wikipedia.org/wiki/Free_and_Open_Source_Softwarehttp://en.wikipedia.org/wiki/Host_based_intrusion_detection_systemhttp://en.wikipedia.org/wiki/Host_based_intrusion_detection_systemhttp://en.wikipedia.org/wiki/Chroothttp://en.wikipedia.org/wiki/Xinetdftp://ftp.porcupine.org/pub/security/index.htmlhttp://www.us-cert.gov/current/


3/21

• !onsistently patch your internal green nodes• 6ave a Anti-Virus7(al#are 8canner and Anti-8py#are 'e"ense.

In my vie# that extends to A@@ ,perating 8ystems.• Ena%le a so"t#are "ire#all on your machines.

osting a ser(er on a )ynamic connection

As you are using a ca%le modem that gives your 5E' I!op net#or*inter"ace a dynamic '6! address+ you #ill need to set up 'ynamic'/8 services to resolve to this host via a human usa%le "orm+ otherthan I Address.

NOTE BC 8ome I8s %loc* T! port 34 6TT 004 , and 2<8(T. To navigate around this+ you can purchase port "or#ardingservices "rom some o" these dynamic '/8 providers+ run services ondi""erent non-%loc*ed ports or upgrade to another provider. ;or thesa*e o" this article #e assume you have no I8 %loc*ed ports.

%etting up *ynamic *!%

Along #ith your dynamically assigned I address 5E'+ you #ill #antto use a 'ynamic '/8 service to %e a%le to allo# external access toyour external #e%7mail. 8etting up 'ynamic '/8 #ith I!op is easilyachieved. 8imply pic* a 'ynamic '/8 provider listed in the I!op'D/'/8 settings.

• Go into your I!op settings in 8ervice ulldo#n -- %er(ices *ynamic *!% and under +)) a host. ic* one o" thesesupported 'D/'/8 providers.

• ,pen up your "avorite %ro#ser and go to the 'D/'/8 provideryou have chosen "rom the list a%ove and register #ith them.

• 5eturn to your I!op #e% administration GFI and add thein"ormation in to your I!op settings in 8ervice ulldo#n --%er(ices *ynamic *!%,

• /o# return to your I!op #e% administration GFI and "ill in thein"ormation as listed %elo# and then clic* +)). It #ill thendisplay under Bcurrent hostsBH.


4/21

hat is Copfilter

An amaing pro>ect %y open source developer (ar*us (adlener+ toextend his I!op=s capa%ilities to the application layer see ,8I(odel. !op"ilter greatly enhances the capa%ilities o" the alreadypo#er"ul I!op %y o""ering the >a# dropping and impressive large list

o" capa%ilities:

• PP./%TP %canning - via 8can and rox8(T #hich allo#"or scanning o" incoming and outgoing Email.

• TTP %canning - via 6AV #hich is a po#er"ul 6TT scanningengine "or scanning and securing your #e% tra""ic.

• FTP %canning - via "rox #hich allo#s "or proxying o" ;T tra""ic.• Pri(acy Protection - via rivoxy #hich is an extremely po#er"ul

6TT privacy protection "ilter #hich "ilters and or removescoo*ies+ #e% ads+ pop-ups and other annoying Internet >un*.

• +nti(irus %canning - via !lamAV or ;-rot #hich can %e used

to scan your tra""ic "or the ever prevalent mal#are. lease note;-rot is a commercial product and you have to acuire a licenseto use it. This article utilies the ;,88 email scanner !lamAV.

• +nti%pam - via 8pam Assassin+ Vipul=s 5aor+ '!!+ renattach+5ules'uJour #hich coupled together ma*e a very e""ective anti-spam de"ense.


5/21

• Process onitoring - via (onit #hich allo#s you to monitor allo" these processes and restart them as needed.

hy Copfilter0

Dou might as* yoursel"+ i" I have a I!op "ire#all #hy #ould I need!op"ilterH As a net#or* security mechanism+ the "ire#all hasundergone a serious metamorphosis "rom a simple pac*et "ilter thatonly understood little o" #hat it carried across the #ire+ to "ully state"ulinspection mechanisms that understand layer


6/21

!ommand @ine SCP

scp - 222 L!op"ilterpac*ageMversion.tar.grootNipcopMgreenMaddress:7root

!ommand @ine SSH

ssh -p 222 -l root ipcopMgreenMaddress

'raphical %CP/%% --6

I" you are #ary o" the command line or not interested+ alternatively+there are several GFI clients in almost every ,8. I #ill not addresseach and every one as they are so easy to use+ simply reuiring a dragand drop+ or point and clic* operation.

OS X Clients -->

Cyber)uc"

http:77cy%erduc*.ch7

Fugu

http:77rsug.itd.umich.edu7so"t#are7"ugu7

Windows -->

in%CP - %CP Client

http:77###.#inscp.net7

Putty 789 %% Client

http:77###.putty.nl7

pen%% for in)ows

http:77ssh#indo#s.source"orge.net7

*NIX -->

gFtp

http://gftp,seul,org/

http://cyberduck.ch/http://rsug.itd.umich.edu/software/fugu/http://www.winscp.net/http://www.putty.nl/http://sshwindows.sourceforge.net/http://gftp.seul.org/http://cyberduck.ch/http://rsug.itd.umich.edu/software/fugu/http://www.winscp.net/http://www.putty.nl/http://sshwindows.sourceforge.net/http://gftp.seul.org/


7/21

Installing Copfilter

A"ter you have 8! copied the !op"ilter-x.x.tg "ile to 7root on yourI!op as detailed a%ove you are no# ready to install it.

886 into your I!op #ith #hatever client you possess on yourrespective ,perating 8ystem.

*-hat0

Ta*es an ('< to assure that the code you do#nloaded is not alteredor corrupted %y an external source. 'oing this is a simple stepveri"ying that #hat you have the original+ legitimate %inary.

Linux/U!I4 *;

(d


8/21

Go to !op"ilter - 1mail and con"igure your email address+ 8(Tserver and then save those settings. The email address is your root oradministrator email address and it #ill %e used to noti"y you o"updates and other important !op"ilter messages.

I(,5TA/T - It is strongly recommended that you 5EA' the !op"ilterdocumentation to have an in-depth understanding o" the con"igurationoptions that you choose to implement. 5T;( %e"ore you design andde"initely %e"ore you deploy.

onit - onitoring Copfilter

This service ena%les you to monitor the core services o" the !op"ilterapplication. It provides you some resilience %y automatically restartingapplications should they "ail.


9/21

Copfilter Configuration ptions

In controlling the three net#or* services #e are going to have ingressingoing and egress outgoing control o" in our I!op7!op"iltercon"iguration #e have many granular options. !op"ilter is going to %e

"iltering our 6TT tra""ic+ ,+ and 8(T tra""ic. The #onder o" the!op"ilter add-on is the plethora o" options one can chose to deploy ourcon"iguration is o" course only one o" the many.

Copfilter - PP. configuration - P.%can

The ost ,""ice rotocol Version is the industry standard "or receivingemail. The goal o" our con"iguration is to %loc* spam7mal#are "rom%eing received via our email clients.

To access these setting go to Copfilter PP. configuration

P.%can Configuration

The "ollo#ing options detail those to %e turned ,/ and all others #ill%e le"t in the de"ault ,;; con"iguration.


10/21

o Ena%le scan on incoming tra""ic on Green ,/o Ena%le scan on incoming tra""ic on ,range ,/o Add !op"ilter !omment to Email 6eadero Ouarantine 8pam i" ... PPP ,;;o Tag 8pam in Emails and modi"y the su%>ect ,/o 8top Virus email and send virus noti"ication instead ,/o 8end a copy o" virus noti"ication to Email address ,/o Ouarantine virus in"ected emails ,/o 5emove emails in uarantine i" older than in days Ko Then clic* on 8ave settings and restart service

The net e""ect o" this con"iguration #ill %e an aggressive stance onscanning+ dropping and noti"ying you o" the spam7mal#are+ %e"ore itreaches your internal net#or*.

Copfilter - %TP configuration - Prox%TP

8imple mail trans"er protocol is the standard "or email transmission onthe the Internet today. $ith the po#er o" !op"ilter one can get verygranular on controlling the "lo# o" mail message to and "rom ournet#or*. The goal o" our con"iguration is to %loc* spam7mal#are "rom%eing sent7received via our email clients.

To access these setting go to Copfilter %TP configuration

The "ollo#ing options are to %e turned ,/ and all others #ill %e le"t in

the de"ault ,;; con"iguration.


11/21

%TP Filtering Configuration

o Ena%le rox8(T to "ilter outgoing tra""ic on G5EE/ ,/o Ena%le rox8(T to "ilter outgoing tra""ic on ,5A/GE ,/o Add !op"ilter !omment to Email 6eader ,/o Ena%le rox8(T to "ilter incoming tra""ic on 5E'o Email 8erver is located in net#or* ,5A/GEo Email 8erver I Address 012.03.04.2<o 5ed I Alias Ethernet Inter"ace - eth2:0o Tag 8pam in emails and modi"y the su%>ect ,/o 8top virus emails and opt. 8end virus noti"ication instead

,/o 8end user a virus noti"ication ,/o Fse !op"ilter $hitelist and ?lac*list ,/o 5emove emails in uarantine i" older than in days Ko Then clic* on 8ave settings and restart service

NOTE - !hoices o" the rox8(T on 5E' inter"ace entails 2 options:


12/21

o #1* scanning ! - !op"ilter manages the creation o"Ipta%les rules so these are not needed to %e createdmanually through I!op.

o #1* scanning FF - !op"ilter #ith port"or#arding rule toorange mail server #ith scanning done at the server. I.e.

you could do your ingress smtp scanning on the Emailserver itsel" 9 not #ith !op"ilter.

This con"iguration #ill %e an proactive stance on the capturing+uarantining and deleting mal#are %e"ore it in"ect our trustedmachines in the G5EE/ net#or*. $ith uarantining ,/ it isrecommended that an administrator %e very responsive to the systems#arnings a%out uarantine 8pam+ and process consistently+ or it #ill%e deleted on a #ee*ly %asis. I #ould not recommend *eeping a 8pamOuarantine setup i" you are short on dis* space and or #ant to

increase this interval %eyond one #ee*. I" you do you run the ris* o""illing up your dis*. Also as #hitelisting and %lac*listing has %eenturned on remem%er to add in your #hitelisted domains trusted emailsources and %lac*listed domains you do not trust or #ant spam"rom.

TTP %canning - +=P/Pri(oxy

6yperText Trans"er rotocol is the protocol #e use #hen #e aresur"ing the Internet. 6AV 6TT Antivirus roxy is a proxy server#ith the !lamAV anti-virus scanner. This #ill %e crucial in your

con"iguration to scan incoming 6TT tra""ic and *eep mal#are o"" yourmachines.

To access these setting go to Copfilter TTP Filter


13/21

TTP Configuration

The "ollo#ing options are to %e turned ,/ and all others #ill %e le"t inthe de"ault ,;; con"iguration.

o 'eny access to 6TT tra""ic ,/o Ena%le Transparent mode ,/o ;ilter 6TT tra""ic "or Internet Jun* ,/o Then clic* on 8ave settings and restart service

This con"iguration #ill allo# "or mal#are to %e "iltered out at our I!op%ox+ such as %ro#ser exploits+ phishing attempts and viruses.

Additionally+ ads+ %anners and other Internet advertising >un* #ithrivoxy.

$ith #e% %anners and such that are %loc*ed you #ill either see theitem la%eled &Advertisement& or an image o" a chec*ered patternindicating it has %een %loc*ed. I" you hate ads as much as do I you canget an add-on "or ;ire"ox called Ad%loc* that #ill allo# client side%loc*ing as #ell. Ad%loc*


14/21

+nti%pam - %pam+ssassin an) #ules *u >our

8pam Assassin #ill help your email server identi"y and "ilter 8pam

%e"ore it reaches your email client in%ox. 8pamAssassin uses ?ayesian"iltering+ '/8 %loc*list+ header and text analysis and colla%orative"iltering data%ases to *eep your 8pam at a minimum. lease note thatthe more "iltering you do %e"ore delivering to the client the higher theload on the server.

o #ules *u >our is a simple %ac* script #hich #ill do#nloadne# versions o" 8pam Assassin rules. This is very help"ul in*eeping your anti-spam de"ense in optimal shape.

o #a?or is a distri%uted+ colla%orative spam detection and"iltering net#or*.

o *CC or 'istri%uted !hec*sum !learinghouse is an anti-spam content "ilter.

o *!%3L are '/8 ?lac*lists or %an lists %ased upon '/8entries o" *no#n spammers or *no#n nodes7net#or*s thatonce emanated 8pam.

To access these setting go to Copfilter +nti%pam con"iguration


15/21

+nti%pam Configuration

The "ollo#ing options are to %e turned ,/ and all others #ill %e le"t inthe de"ault ,;; con"iguration.

o Ena%le 8pamassasin ,/o 8core reuired to identi"y email as spam o 8end daily spam digest ,/o 5aor+ '!!+ '/8?@ ,/o 5ules 'u Jour - ,/

o Automatic Fpdate Ena%le every 0 dayso Then clic* on 8ave settings and restart service

+nti=irus - Clam+=

!lamAV is an amaing ;,88 pro>ect virus scanner. $ithin !op"ilter thisis used to virus scan email and #e% tra""ic "or mal#are.


16/21

To access these settings go to !op"ilter Antivirus

Copfilter - +nti(irus Configuration

o !lamAV ,/o Automatic Fpdate - Ena%le every 2Q hourso Then clic* on 8ave settings and restart service

The e""ect o" these settings is that !lamAV is going to update its virusde"initions on its o#n and %e availa%le "or scanning your 8(T7,and 6TT tra""ic.

+llowing traffic between *ifferent !etwor"s

lease note that there are certain de"ault rules that I!op implementson your net#or* and %e a#are o" the implications. 8ee the "ollo#inglin* "or "urther details.

?y de"ault the con"iguration uses the 7etc7rc.d7rc."ire#all.local andchanges can %e made through #e% GFI or via 886. Any good "ire#all


17/21

%y de"ault setup to deny any external connections %ehind its trustednet#or*s. In I!op spea* that means that there is no ingressincoming access %y de"ault "rom the 5E' inter"ace7net#or* to anyother /et#or*. ?y de"ault access "rom ,5A/GE to 5E' is ,pen sothere is no need "or any special con"iguration in this example. I" you

"or #hatever reason need access "rom your ,range &'()& to InternalG5EE/ you can de"ine rules via '() inholes.

IPCop Port Forwar)ing - TTP

As detailed a%ove 8(T and , rules are created %y !op"ilter areautomatically created. As "or 6TT 5E' to ,5A/GE it is /,T so youhave to create it in ort ;or#arding as %elo#. I" you #ould li*e to openother ports to external access ex. ;T+ 886 please %e a#are theservices should %e hardened and security as much as possi%le seelayered approach I detail a%ove.

Copfilter Test & Log

The most o%vious #ay is via sur" the #e%. 8end and receive a testemail. The !op"ilter Test 9 @og page can help you ascertain i" yourcon"iguration is proper. The tests listed are very sel"-explanatory in


18/21

that you can examine your Email78pam de"ense %y clic*ing on the%uttons in the Test , 9 8(T 8canning section. ?elo# is the Test6TT 9 ;T 8canning section #hich you can clic* on to veri"y the"unctionality o" your 6AV 6TT virus scanner %y clic*ing on the lin* tothe Eicar &test& virus. This page #ill come up %loc*ed #ith the de"ault

6AV message to sho# you that your 6TT is no# secured "romcommon mal#are+ phishing attempts+ and other threats.

8ending and testing the variety o" email options on the test page #illallo# you to veri"y your 8(T7, con"iguration. I" you can send andreceive your emails and see the "ollo#ing in your email headers -- youare all set.

X-Filtered-With-Copfilter: Version !"# $Pro%S&TP '!(!)'

X-Copfilter-Vir+s-S,nned: Cl./V !""0'#)' - Th+ Fe1 '2 #':'3:) #2

Copfilter Test an) Logs %creen

@astly+ your log "iles are to the right %ottom o" your !op"ilter Test 9@og page #here you can see all the details o" your !op"iltercon"iguration.


19/21

?ravoR Dou are good to goR S /o# you can en>oy the "act you aremuch more secure than #hen you %egan this articleR

I" you li*e #hat you see+ I #elcome you to >oin our ;,88 community.;ree and ,pen 8o"t#are ;,88 does not sustain on developers alone

%ut %y the #or* o" all sorts in technical #riting+ support+ mar*eting+graphics+ #e% developers and a multitude o" other supporters li*e youR;,88 is %uilt upon community+ so >oin us and ta*e part in reinventingcomputing in the positive directions "rom #hich #e all collectively%ene"it.

In spea*ing #ith (ar*us I #as a%le to as* him #hy he #as motivatedto create !op"ilter and he ans#ered+ he said: &I ,reted Copfilter tohelp prote,t the ,o.p+ters of .4 friends nd f.il4 nd the 5reter

Internet ,o..+nit4 .& (ar*us I don=t thin* there is a %etter #ay todescri%e the spirit o" ;,88. (uch than*s to (ar*us and the entireI!op Team and all the other pro>ects that made this possi%leR

::Chec" out the F%% community Pro@ects relate) to this article

I!op 6omepage --http:77###.ipcop.org

!op"ilter 6omepage -- http:77###.cop"ilter.org

!op"ilter ;orum -- http:77cop"ilter.endlich-mail.de7

+))itional #elate) Lin"s

http:77###.ipcop.org70.Q.47en7admin7html7services.htmlservicesMdyndns

http:77en.#i*ipedia.org7#i*i7(al#are

http:77###.linuxdocs.org7sln7pops7

http:77en.#i*ipedia.org7#i*i7op

http:77en.#i*ipedia.org7#i*i78mtp

http:77en.#i*ipedia.org7#i*i76ttp

http:77en.#i*ipedia.org7#i*i7,siMmodel

http://www.ipcop.org/http://www.copfilter.org/http://copfilter.endlich-mail.de/http://www.ipcop.org/1.4.0/en/admin/html/services.html#services_dyndnshttp://www.ipcop.org/1.4.0/en/admin/html/services.html#services_dyndnshttp://en.wikipedia.org/wiki/Malwarehttp://www.linuxdocs.org/sln/pop3s/http://en.wikipedia.org/wiki/Pop3http://en.wikipedia.org/wiki/Smtphttp://en.wikipedia.org/wiki/Httphttp://en.wikipedia.org/wiki/Osi_modelhttp://www.ipcop.org/http://www.copfilter.org/http://copfilter.endlich-mail.de/http://www.ipcop.org/1.4.0/en/admin/html/services.html#services_dyndnshttp://www.ipcop.org/1.4.0/en/admin/html/services.html#services_dyndnshttp://en.wikipedia.org/wiki/Malwarehttp://www.linuxdocs.org/sln/pop3s/http://en.wikipedia.org/wiki/Pop3http://en.wikipedia.org/wiki/Smtphttp://en.wikipedia.org/wiki/Httphttp://en.wikipedia.org/wiki/Osi_model


20/21

http:77en.#i*ipedia.org7#i*i7ortM"or#arding

http:77en.#i*ipedia.org7#i*i7(d<

http:77###.tildeslash.com7monit

http:77pscan.source"orge.net7

http:77mem%er#e%s.com7nielsen7so"t#are7proxsmtp

http:77havp.source"orge.net7

http:77###.privoxy.org7

http:77"rox.source"orge.net7

http:77spamassassin.apache.org7

http:77clamav.source"orge.net7

http:77###.pc-tools.net7unix7renattach

http:77###.exit4.us7index.phpHpagenameS5ules'uJour

http:77pscan.source"orge.net7ppmail

http:77#i*i.apache.org7spamassassin7'ns?loc*lists

http:77#xchec*sums.source"orge.net7mainpageMen.html

http:77###.md


21/21

Evolutionary IT is an independent provider o" systems+ net#or* andsecurity solutions. lease do "eel "ree to email comments orsuggestions. http:77###.evolutionaryit.com7 (any than*s "or the helpo" my amaing sister Antonina in editing this article.

ABB License) un)er Creati(e Commons +ttribution-!onCommercialD%hare+li"e A,;

Joseph Guarino -- Evolutionary IT -- ###.evolutionaryit.com
http://www.evolutionaryit.com/http://www.evolutionaryit.com/http://www.antoninawrites.com/http://www.evolutionaryit.com/http://www.evolutionaryit.com/http://www.evolutionaryit.com/http://www.antoninawrites.com/http://www.evolutionaryit.com/

Date post:	05-Jul-2018
Category:	Documents
Upload:	soyjoaquin
View:	227 times
Download:	0 times

Building IPCop Linux Firewall w Copfilter p2

Documents