LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 08-19-2019, 05:29 PM   #31
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Original Poster
Rep: Reputation: Disabled

To help settle some dust here, when I tinker with this project I plan a minimal install. Didier Spaier will be disappointed I am not running fortune.

The configuration will start with nothing open on the WAN side.

That soon would change because I want OpenVPN and SSH access. For the latter I will use security by obscurity and not use port 22. Not really helpful against determined retards, but does tend to reduce firewall log spew. I only use SSH keys. I passphrase-protect my private keys. My current OpenVPN requires a passphrase in addition to the certs.

Whatever I decide with VLANs and a wireless AP involves the LAN side and not the WAN.

I might copy my current router configuration with keeping open only the WAN side SSH port. Through that access I would toggle the OpenVPN portal.

My approach might protect me and might not. But methinks the system will be as secure as can be reasonably expected.

When I pursue this project I plan to document everything online. Possibly by the end I could create some tag files to expedite the installation by other users.

I asked what others are doing and appreciate the many replies. I'm not as fearless as the honeybadger, but I plan to make this project fun as well as useful.
 
1 members found this post helpful.
Old 08-19-2019, 06:48 PM   #32
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640
I'd suggest to keep all the ports closed and use a port knocking service to open the OpenVPN port, like:
https://github.com/mrash/fwknop
http://slackbuilds.org/repository/14.2/network/fwknop/
Client on Android:
https://play.google.com/store/apps/d...knop2&hl=en_US
Then direct OpenSSH to listen on the tunnel interface and not on the WAN.

Those "determined retards" are not human anymore, instead there are automated armies of bots scanning entire IP classes. Once they find something, they record it and probe it repeatedly. And they're not necessarily trying to hack the authentication, but exploit potential bugs in the listening service (easier).

If you're on a fixed public IP, then I'd suggest to use SNAT instead of MASQUERADE to do your NAT, the latter is not appropriate, you'll loose some control over the flows and it'll put some more load on the CPU.
Other suggestion for your firewall design, DROP packets you don't want and don't bother wasting resources to respond, well, unless there is a need. Additionally, I favor the "hard way" to design a firewall, meaning, block everything and only allow the traffic that is needed.
A short iptables trick out of my bag of dirty tricks that you might find useful - it's sized for a 100Mbit interface, feel free to adapt:
Code:
# Smurf & PING Flood protection
/usr/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
/usr/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
/usr/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
# SYN Floods
/usr/sbin/iptables -N syn_flood
/usr/sbin/iptables -A INPUT -p tcp --syn -j syn_flood
/usr/sbin/iptables -A syn_flood -m limit --limit 10/s --limit-burst 50 -j RETURN
/usr/sbin/iptables -A syn_flood -j DROP
# Port Scans
# Anyone who tried to portscan gets locked out for an entire day
/usr/sbin/iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
/usr/sbin/iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Once the day has passed, remove them from the portscan list
/usr/sbin/iptables -A INPUT   -m recent --name portscan --remove
/usr/sbin/iptables -A FORWARD -m recent --name portscan --remove
On documentation about gateways/access points on Slackware, there is already a pretty extensive How-To in place, written by louigi600, that you can use as inspiration:
https://docs.slackware.com/howtos:ne..._slackware_box
Some other docs you might find useful:
https://docs.slackware.com/howtos:ne...services:start

There you go, let the dust settle.

Last edited by abga; 08-19-2019 at 06:52 PM. Reason: removed commented lines from the snippet
 
3 members found this post helpful.
Old 08-19-2019, 07:39 PM   #33
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Original Poster
Rep: Reputation: Disabled
Quote:
I'd suggest to keep all the ports closed and use a port knocking service to open the OpenVPN port
I am aware of the technique. Not well supported in DD-WRT and I never pursued the idea. With a full-fledged operating system at the helm, I should look into the idea.

Quote:
Those "determined retards" are not human anymore, instead there are automated armies of bots scanning entire IP classes.
Yeah, I know most of the retards have automated these days. If such people were to suffer from lead poisoning I would not shed tears.

Quote:
If you're on a fixed public IP, then I'd suggest to use SNAT instead of MASQUERADE to do your NAT
I am on a static IP. Yay for me and thanks for the tips!

Quote:
Other suggestion for your firewall design, DROP packets you don't want and don't bother wasting resources to respond, well, unless there is a need.
I am not planning to log much in the firewall logs.
 
Old 08-19-2019, 08:03 PM   #34
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640
OpenWRT adopted fwknop
https://openwrt.org/docs/guide-user/services/fwknop

You can split the "determined retards" into a few groups and believe me it's serious.
- farming botnets employed lucratively to get more hosts in order to "help" with paid clicks - fraudulent Digital Marketing
https://www.vice.com/en_us/article/d...e-a-phone-farm
- hacker groups that need to extend their botnets and launch attacks (and make some money like the group above)
- state sponsored "groups" that share the same scope as the ones above
https://www.businessinsider.com/nort...program-2019-8
- universities doing their research, scanning after vulnerable services, you'll end up in the statistics they publish in their research papers

Sorry, I wasn't clear about dropping the packets you don't want instead of replying:
http://www.linux-admins.net/2013/07/...ct-packet.html
- always use DROP instead of REJECT (unless a REJECT is really needed)
 
2 members found this post helpful.
Old 08-20-2019, 11:27 AM   #35
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640
@upnort

Check this on webmin:
https://pentest.com.tr/exploits/DEFC...Execution.html
https://www.reddit.com/r/netsec/comm...on_for_webmin/
 
Old 08-20-2019, 03:16 PM   #36
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Original Poster
Rep: Reputation: Disabled
Quote:
Check this on webmin:
Thanks and good catch.

We use webmin at work on a few systems. We updated to 1.930 a few days ago.
 
Old 08-21-2019, 05:22 PM   #37
TristanT
LQ Newbie
 
Registered: Jul 2018
Distribution: Slackware, Debian
Posts: 4

Rep: Reputation: 16
I've been wanting to replace pfSense on my PC Engines apu2 with a Slackware install lately. Mainly because I don't know my way around a FreeBSD system enough to debug network issues if they arise and pfSense's web interface can't solve them.

I'm setting up a number of Slackware VMs in VirtualBox to get an environment that looks a bit like my home network. When I get the network connections working, I'll do the installation on my apu2 router.

When I'm done I'll post my experiences, but until that time I'm closely monitoring this thread.
 
1 members found this post helpful.
Old 08-21-2019, 07:06 PM   #38
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Original Poster
Rep: Reputation: Disabled
Quote:
When I get the network connections working, I'll do the installation on my apu2 router.
I'm too lazy and tired to look, but is the apu2 a normal main board with a normal BIOS or more like a off-the-shelf consumer router?

Edit: Ah, never mind. I am so tired I did not see your link. Comes with CoreBoot.

Last edited by upnort; 08-21-2019 at 07:07 PM.
 
Old 08-21-2019, 08:49 PM   #39
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640
Quote:
Originally Posted by TristanT View Post
I've been wanting to replace pfSense on my PC Engines apu2 with a Slackware install lately.
That's an interesting board - AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support.
VPN performance looks also pretty good:
https://www.firewallhardware.it/en/apu2-2nic/
I'll maybe consider it for personal use if I'll ever switch to Gigabit. Actually I have FTTH but set only at 100Mbit(default), don't need more, 1Gbit costs 8 times what I'm paying now and real bandwidth is around 300-500Mbps.
 
Old 09-01-2019, 12:24 PM   #40
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Original Poster
Rep: Reputation: Disabled
Quote:
When I'm done I'll post my experiences, but until that time I'm closely monitoring this thread.
I haven't dug into this project, but in the computer junk pile I found a Gigabyte AirCruiser G PCI Adapter. Still in the original box, never opened. With lspci the card appears as Network controller: Ralink corp. RT2561/RT61 802.11g PCI. Not great but the card supports AP/VLAN and AP/mesh point. For my prototyping looks like I have an AP card to tinker with hostapd.
 
1 members found this post helpful.
Old 09-01-2019, 05:45 PM   #41
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640
Once you're done with the setup, don't yet celebrate. Go for some performance&quality testing with iperf.
Both iperf2 (multi-threaded) and iperf3 (single-threaded) are available at slackbuilds.org and online you can find plenty of tutorials on how to run different tests with them. I'd focus more on the WiFi connection and on the firewall & network stack "tuning".

P.S. Forgot to mention also the network stack tuning.
- some good docs:
https://wiki.archlinux.org/index.php/sysctl
https://www.frozentux.net/ipsysctl-t...-tutorial.html
- on Slackware you can either use your /etc/rc.d/rc.firewall header and add the parameters as:
Code:
#Enable broadcast echo protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] ; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
# no source routing
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# TCP SYN cookies protection
if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#...
#etc
Or do it without conditional checking and issue:
Code:
/sbin/sysctl -e -p /etc/sysctl.conf
Then put your tuning parameters inside /etc/sysctl.conf
Code:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
#...
#etc

Last edited by abga; 09-01-2019 at 06:16 PM. Reason: P.S.
 
Old 09-01-2019, 06:34 PM   #42
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Original Poster
Rep: Reputation: Disabled
Quote:
Go for some performance&quality testing with iperf.
For once I am ahead of the curve on that one. I have been using iperf in the home LAN for several years.

Thanks for the additional links.

The way the schedule is looking is I might not get to this project until late fall or winter.
 
Old 09-02-2019, 12:47 PM   #43
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Original Poster
Rep: Reputation: Disabled
One element of the project I am puzzled is configuring some usage graphs or data pages. I want at least total bandwidth usage, but some data per client computer might be nice.

I have used vnstat for years and that might suffice for total usage. Probably I need to configure a web server on the LAN side to grab and display the stats.
 
Old 09-02-2019, 01:18 PM   #44
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 5,007

Rep: Reputation: Disabled
for that you can have a look at this

https://github.com/ntop/ntopng/
 
1 members found this post helpful.
Old 09-02-2019, 01:42 PM   #45
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640
@upnort
While I was preparing my reply, ponce already provided one of the easiest solutions for your per IP graph requirements.
http://www.slackbuilds.org/repositor.../network/ntop/

Cacti could also qualify:
https://www.cacti.net/

And if you like to get your fingers dirty, you could use MRTG. I used it pretty extensively decades ago - there are plenty of configuration/scripting examples on the net:
https://oss.oetiker.ch/mrtg/
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
My gateway desktop will not load windows it stops after the gateway logo Jcayton General 5 06-07-2012 07:04 AM
normal default gateway reapperas with openvpn redirect-gateway jonnytabpni Linux - Networking 2 04-23-2009 02:11 PM
lm10.0 gateway is set but when I reboot I have to set the gateway rharvey32 Mandriva 8 02-13-2006 01:35 PM
What is a gateway? can I have more than one gateway on a vlan? abefroman Linux - Networking 3 09-06-2005 10:43 AM
Odd problem: Gateway unreachable after certain amount of time (Win XP Gateway) SocialEngineer Linux - Networking 2 08-13-2004 12:54 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 03:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration