LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-08-2010, 05:00 AM   #1
data1986
LQ Newbie
 
Registered: Feb 2010
Posts: 12

Rep: Reputation: 0
configuring linux machine as a firewall


i have a linux server runnig oracle applications.
i need to access this server from putty using ssh through internet.
i did by registering my static ip with the dnydns.org and i am able to connect to the server.
but now there is no security to authenticate any user as any one knowing the password can login to it.
i thought of configuring the firewall of linux server but the client ip`s are not static and they change continiously.
so thought of keeping one more pc between the server and the router which will do the work of authenticating. but i am confuse as how to configure it to allow the packets coming from the internet after authenticating and to by pass the packets generated from internal LAN?

i have heared abut freeradius package but i am not sure will it work in my case?

thanx in advance

Last edited by data1986; 02-08-2010 at 05:02 AM.
 
Old 02-08-2010, 08:11 AM   #2
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: SlackwareŽ
Posts: 12,716
Blog Entries: 27

Rep: Reputation: 2058Reputation: 2058Reputation: 2058Reputation: 2058Reputation: 2058Reputation: 2058Reputation: 2058Reputation: 2058Reputation: 2058Reputation: 2058Reputation: 2058
Hi,

Welcome to LQ!

'DenyHosts' is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

Look at the 'Network' Firewall section of 'Slackware-Links'. You could use 'Easy Firewall Generator' to create a firewall.


The above links and others can be found at 'Slackware-Links'. More than just SlackwareŽ links!
 
Old 02-08-2010, 09:49 AM   #3
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 216Reputation: 216Reputation: 216
Hi,

I am confused by when you say you have a static IP, is that the server or the machine you are connecting from? If it's the machine you are connecting from the following lines should be able to do this for you

iptables -I RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp --dport 22 -j REJECT

please note you should substitute xxx.xxx.xxx.xxx for your IP. There is an alternative method to this but this is more expandable, this will only work if you are connecting in from a single external IP, there are ways to do ranges too but this is just for a single static IP. Also you say other people have passwords to this server? are these user accounts or oracle accounts? Oracle accounts shouldn't have SSH access. There might be more to be done with these accounts then just blocking SSH access....

Really this should be in the Security Forum not the Newbie forum, heh.

Last edited by r3sistance; 02-08-2010 at 09:50 AM. Reason: Security
 
Old 02-08-2010, 10:31 AM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
Introducing an extra firewalling layer won't help you much if
the authentication stays the same. Another option would be to
just use an ssh-passphrase for you local machine, and use
passwordless ssh connections to the box, denying password authentication
all together. Just got to make sure your putty data (your windows
profile) is safe from others.



Cheers,
Tink
 
Old 02-08-2010, 11:35 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
I would also recommend using a strong passphrase for your private key. If you load your private key into putty's keygen program, it will print out an openssh compatible public key. Also consider using a non standard port for ssh. It will reduce the noise level of brute force attacks from script kiddies and compromised computers.
 
Old 02-08-2010, 11:56 PM   #6
data1986
LQ Newbie
 
Registered: Feb 2010
Posts: 12

Original Poster
Rep: Reputation: 0
i am using a linux server. i am using putty to accesss it from my local lan. i have registered my ip on dyns and able to access it from internet from any machine.
so now problem is that any one having the username and password of the users can access it. i want a package so that it will allow extra authentication for the users trying to access it from the internet. for this i will be be implementing an extra linux machine in between the server and the router. i cannot implement any software installation on the client. whenever he logins from putty he should be asked extra authentication and then only his packets must be forwarded to the servers 22 port.

can u suggest me some package or idea to implement this????
 
Old 02-09-2010, 08:00 AM   #7
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 216Reputation: 216Reputation: 216
Read what people have said, you have received a few answers already here including SSH Encrypted Private Keys.

If this isn't answering your question then perhaps you need to phase your question better.
 
Old 02-09-2010, 10:41 PM   #8
data1986
LQ Newbie
 
Registered: Feb 2010
Posts: 12

Original Poster
Rep: Reputation: 0
i am posting again my question in more detail

i have a linux enterprise server running oracle apps and other services. i have opened a port in the router in such a way that i am able to access my server remotely from internet.

now i want a package or settings that would grant access to people who i want by giving them additional password and usernames as i cannot track their ip`s as they keep changing dynamically as they log in from datacards nor i can use mac based configuration of firewall.

so now i need a system that would be common for all the users using any software like putty or toad or any package to acess my server. it should use basically some authentication technique.

i thought of using private and public key but it will work only with putty and not with toad..

i have heared about freeradius but i am not able to use it as i am not getting any proper notes or documentation which i can follow...
 
Old 02-09-2010, 11:32 PM   #9
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
If they *need* to use TOAD set up a VPN. Putting something like the Oracle
listener on an internet facing machine is madness.

Alternatively you could still use ssh and see whether you
can tunnel the relevant ports through the ssh connection.

Last edited by Tinkster; 02-09-2010 at 11:33 PM.
 
Old 02-11-2010, 12:58 AM   #10
data1986
LQ Newbie
 
Registered: Feb 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Thank you all for helping
i got the solution for my problem its port knocking
http://www.zeroflux.org/projects/knock
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off




All times are GMT -5. The time now is 02:50 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration