is it possible to do other security type stuff w/ IPCop?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
is it possible to do other security type stuff w/ IPCop?
I want to start playing with security, stuff like IDS, honeypots, etc. I'll be setting up an IPCop server shortly for my family, but I guess my question is, can I do this kind of stuff on IPCop? or should I set up my own private network, and play there? What's a basic "networked environment" that I'd need to recreate? What kind of stuff should I read?
Install 3 network cards in the IPCop box, and put the test systems on the DMZ (orange) network. IPCop has snort (IDS) built in, but since you want to learn about various technologies, manually setting up IDS on a seperate box would be more educational. Really all you need is one box on the DMZ, you should be able to experiment with that alone. You don't want to put theses systems on your internal network, if they do get hacked, your entire network could be compromised. Check out the security section on sourceforge.net, I just browse there every once in a while to see what new ideas and software people have come up with. As for reading, you may want to browse through the security forums here on linuxquestions.org.
Is IPCop very easy? I'm sure I could use it, because I'm used to linux, but could my parent's use it once I leave for college? What about having a completely internal network for the security stuff, and just play w/ it internally, never having access to the outside?
IPCop is very simple, after the initial install everything is managed via a web interface. I've set IPCop up as the firewall at my folks house (as well as my house, and the main firewall at work). Really all you'll probably ever do after the initial install is apply the updates and check the logs...both are done via the web interface.
As for setting up the test systems on an internal network..sure. You mentioned honeypots earlier, honeypots are systems you set out to attract hackers...traps if you will. On a network not connected to the internet you obviously won't get any of this. I'm just recommending, if you do setup a honeypot, or run any publicily accessible services (apache, ssh, bind, etc..) it should not be on the same network as production systems. Some people will allow ssh into their main network, I personally will not. The only connection I allow into my main network is VPN, which in my case, requires the client to supply a certificate for the initial connection to be established, followed by another user certificate, and the users username/password. Yes, I'm paranoid
No no, paranoid is good. I think first I'm gonna play w/ iptables, authentication, and stuff like that. I've looked through the security forums here, but I'm not fully sure what I'm reading. Is there any "beginner's intro to security" type document? The whole security thing is extremely daunting, so many facets of it, all w/out very much "newbie" documentation. It's like starting linux all over again.
Where would you recommend someone just getting into security and stuff start?
I found this with a quick google. http://www.puschitz.com/SecuringLinux.shtml
It looks like it may be worthwile reading over. Iptables is probably as good a place to start as any. You should be able to find docs on that at netfilter.org. You already seem to understand one concept that many don't, that there is no one-stop security solution. Anyway, I don't claim to be a guru, but if you run into any specific problems during your testing, feel free to send me an email (I think it's available to registered users) and I'll help any way I can.
The other thing is, how does one go about testing their security? I am by no means a hacker/cracker/whatever you want to call it, and I have no aspirations to be. I just want to be able to know that what I've set up is actually secure.
There are various tools available to help with security testing. Check out http://www.nessus.org/, it's probably a pretty good place to start. A very common attack is brute force attack against ssh. Script kiddies run scripts that check for a listening ssh server, when one is found it just bombards it with random usernames and passwords. I'm sure if you look hard enough you could find one of these scripts to use against yourself. Since I'm on the subject I'll tell you what security steps I use against this type of attack. First, I have password requirements for my users. Passwords must be at least 8 characters long, must contain at least one uppercase, and one lowercase character, as well as 1 number, and one non alphanumeric character. After all that's done it's then passed to cracklib which checks to verify there are no common words or repeating sequences (i.e. aB1!aB1!). Users are also required to change their password no less then every 180 days and not more often then every 7 days. I also use a program called fail2ban, it constantly checks the ssh and apache log files, and if it detects more then 5 failed login attempts from the same IP in less then a 5 minute period, it creates an iptables rule that blocks the IP for 1 hour. I used to get 10,000+ failed attempts a day, with fail2ban I get around 30.