linux machine as firewall

data1986 · 02-08-2010, 06:39 AM

i have a linux server runnig oracle applications.
i need to access this server from putty using ssh through internet.
i did by registering my static ip with the dnydns.org and i am able to connect to the server.
but now there is no security to authenticate any user as any one knowing the password can login to it.
i thought of configuring the firewall of linux server but the client ip`s are not static and they change continiously.
so thought of keeping one more pc between the server and the router which will do the work of authenticating. but i am confuse as how to configure it to allow the packets coming from the internet after authenticating and to by pass the packets generated from internal LAN?

i have heared abut freeradius package but i am not sure will it work in my case?

thanx in advance

kbp · 02-08-2010, 06:33 PM

If you're accessing it from the one location or from a laptop, you could set up key based authentication then disable password auth on the target sshd :

Code:

PasswordAuthentication no
PubkeyAuthentication yes

cheers

data1986 · 02-08-2010, 11:19 PM

i am trying to access from internet and will be accessed by many people from their respective machines!!!!

kbp · 02-09-2010, 12:32 AM

I don't see the point in adding an extra pc in the way... were you thinking of using 2-factor authentication ?

data1986 · 02-09-2010, 07:37 AM

what is using 2-factor authentication? if that suites then i can use that!

kbp · 02-09-2010, 04:06 PM

2-factor authentication is basically requiring 'something you have' and 'something you know' to authenticate. It is commonly implemented by using a one-time-password generating token or fob and combining the number it provides with a pin that you remember.

eg:
pin=1234
token=987654
password=[pin]+[number_from_token] == 1234987654

In this case I'd suggest that it could be overkill for your needs. Probably the simplest way to secure your server would be to enforce password complexity, password aging and password history. You will need to educate the users of the system and emphasise the importance of not writing down their passwords etc.

cheers

nuxrl · 02-09-2010, 04:20 PM

You may want to take a look at knockd, port knock server,

http://linux.die.net/man/1/knockd

data1986 · 02-11-2010, 01:59 AM

Thank you all for helping
thanks nuxrl
i got the solution for my problem its port knocking
http://www.zeroflux.org/projects/knock

jefro · 02-11-2010, 09:00 PM

I'd either setup a VM or real system running something like Untangle or another pre-made distro. That is if I wanted a second system.