LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   configuring linux machine as a firewall (https://www.linuxquestions.org/questions/linux-newbie-8/configuring-linux-machine-as-a-firewall-787732/)

data1986 02-08-2010 06:00 AM

configuring linux machine as a firewall
 
i have a linux server runnig oracle applications.
i need to access this server from putty using ssh through internet.
i did by registering my static ip with the dnydns.org and i am able to connect to the server.
but now there is no security to authenticate any user as any one knowing the password can login to it.
i thought of configuring the firewall of linux server but the client ip`s are not static and they change continiously.
so thought of keeping one more pc between the server and the router which will do the work of authenticating. but i am confuse as how to configure it to allow the packets coming from the internet after authenticating and to by pass the packets generated from internal LAN?

i have heared abut freeradius package but i am not sure will it work in my case?

thanx in advance

onebuck 02-08-2010 09:11 AM

Hi,

Welcome to LQ!

'DenyHosts' is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

Look at the 'Network' Firewall section of 'Slackware-Links'. You could use 'Easy Firewall Generator' to create a firewall.

:hattip:
The above links and others can be found at 'Slackware-Links'. More than just SlackwareŽ links!

r3sistance 02-08-2010 10:49 AM

Hi,

I am confused by when you say you have a static IP, is that the server or the machine you are connecting from? If it's the machine you are connecting from the following lines should be able to do this for you

iptables -I RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp --dport 22 -j REJECT

please note you should substitute xxx.xxx.xxx.xxx for your IP. There is an alternative method to this but this is more expandable, this will only work if you are connecting in from a single external IP, there are ways to do ranges too but this is just for a single static IP. Also you say other people have passwords to this server? are these user accounts or oracle accounts? Oracle accounts shouldn't have SSH access. There might be more to be done with these accounts then just blocking SSH access....

Really this should be in the Security Forum not the Newbie forum, heh.

Tinkster 02-08-2010 11:31 AM

Introducing an extra firewalling layer won't help you much if
the authentication stays the same. Another option would be to
just use an ssh-passphrase for you local machine, and use
passwordless ssh connections to the box, denying password authentication
all together. Just got to make sure your putty data (your windows
profile) is safe from others.



Cheers,
Tink

jschiwal 02-08-2010 12:35 PM

I would also recommend using a strong passphrase for your private key. If you load your private key into putty's keygen program, it will print out an openssh compatible public key. Also consider using a non standard port for ssh. It will reduce the noise level of brute force attacks from script kiddies and compromised computers.

data1986 02-09-2010 12:56 AM

i am using a linux server. i am using putty to accesss it from my local lan. i have registered my ip on dyns and able to access it from internet from any machine.
so now problem is that any one having the username and password of the users can access it. i want a package so that it will allow extra authentication for the users trying to access it from the internet. for this i will be be implementing an extra linux machine in between the server and the router. i cannot implement any software installation on the client. whenever he logins from putty he should be asked extra authentication and then only his packets must be forwarded to the servers 22 port.

can u suggest me some package or idea to implement this????

r3sistance 02-09-2010 09:00 AM

Read what people have said, you have received a few answers already here including SSH Encrypted Private Keys.

If this isn't answering your question then perhaps you need to phase your question better.

data1986 02-09-2010 11:41 PM

i am posting again my question in more detail

i have a linux enterprise server running oracle apps and other services. i have opened a port in the router in such a way that i am able to access my server remotely from internet.

now i want a package or settings that would grant access to people who i want by giving them additional password and usernames as i cannot track their ip`s as they keep changing dynamically as they log in from datacards nor i can use mac based configuration of firewall.

so now i need a system that would be common for all the users using any software like putty or toad or any package to acess my server. it should use basically some authentication technique.

i thought of using private and public key but it will work only with putty and not with toad..

i have heared about freeradius but i am not able to use it as i am not getting any proper notes or documentation which i can follow...

Tinkster 02-10-2010 12:32 AM

If they *need* to use TOAD set up a VPN. Putting something like the Oracle
listener on an internet facing machine is madness.

Alternatively you could still use ssh and see whether you
can tunnel the relevant ports through the ssh connection.

data1986 02-11-2010 01:58 AM

Thank you all for helping
i got the solution for my problem its port knocking
http://www.zeroflux.org/projects/knock


All times are GMT -5. The time now is 03:41 PM.