LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 08-19-2019, 05:29 PM   #31
upnort
Original Poster

To help settle some dust here, when I tinker with this project I plan a minimal install. Didier Spaier will be disappointed I am not running fortune.

The configuration will start with nothing open on the WAN side.

That soon would change because I want OpenVPN and SSH access. For the latter I will use security by obscurity and not use port 22. Not really helpful against determined retards, but does tend to reduce firewall log spew. I only use SSH keys. I passphrase-protect my private keys. My current OpenVPN requires a passphrase in addition to the certs.

Whatever I decide with VLANs and a wireless AP involves the LAN side and not the WAN.

I might copy my current router configuration with keeping open only the WAN side SSH port. Through that access I would toggle the OpenVPN portal.

My approach might protect me and might not. But methinks the system will be as secure as can be reasonably expected.

When I pursue this project I plan to document everything online. Possibly by the end I could create some tag files to expedite the installation by other users.

I asked what others are doing and appreciate the many replies. I'm not as fearless as the honeybadger, but I plan to make this project fun as well as useful.
 
1 members found this post helpful.
Old 08-19-2019, 06:48 PM   #32
abga
I'd suggest to keep all the ports closed and use a port knocking service to open the OpenVPN port, like:
https://github.com/mrash/fwknop
http://slackbuilds.org/repository/14.2/network/fwknop/
Client on Android:
https://play.google.com/store/apps/d...knop2&hl=en_US
Then direct OpenSSH to listen on the tunnel interface and not on the WAN.

Those "determined retards" are not human anymore, instead there are automated armies of bots scanning entire IP classes. Once they find something, they record it and probe it repeatedly. And they're not necessarily trying to hack the authentication, but exploit potential bugs in the listening service (easier).

If you're on a fixed public IP, then I'd suggest to use SNAT instead of MASQUERADE to do your NAT, the latter is not appropriate, you'll lose some control over the flows and it'll put some more load on the CPU.
Other suggestion for your firewall design, DROP packets you don't want and don't bother wasting resources to respond, well, unless there is a need. Additionally, I favor the "hard way" to design a firewall, meaning, block everything and only allow the traffic that is needed.
A short iptables trick out of my bag of dirty tricks that you might find useful - it's sized for a 100Mbit interface, feel free to adapt:
Code:
# Smurf & PING Flood protection
/usr/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
/usr/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
/usr/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
# SYN Floods
/usr/sbin/iptables -N syn_flood
/usr/sbin/iptables -A INPUT -p tcp --syn -j syn_flood
/usr/sbin/iptables -A syn_flood -m limit --limit 10/s --limit-burst 50 -j RETURN
/usr/sbin/iptables -A syn_flood -j DROP
# Port Scans
# Anyone who tried to portscan gets locked out for an entire day
# (offenders are put on the "portscan" list by a separate rule using
#  -m recent --name portscan --set, which is not part of this trimmed snippet)
/usr/sbin/iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
/usr/sbin/iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Once the day has passed, remove them from the portscan list
/usr/sbin/iptables -A INPUT   -m recent --name portscan --remove
/usr/sbin/iptables -A FORWARD -m recent --name portscan --remove
On documentation about gateways/access points on Slackware, there is already a pretty extensive How-To in place, written by louigi600, that you can use as inspiration:
https://docs.slackware.com/howtos:ne..._slackware_box
Some other docs you might find useful:
https://docs.slackware.com/howtos:ne...services:start

There you go, let the dust settle.

Last edited by abga; 08-19-2019 at 06:52 PM. Reason: removed commented lines from the snippet
 
3 members found this post helpful.
Old 08-19-2019, 07:39 PM   #33
upnort
Original Poster
Quote:
I'd suggest to keep all the ports closed and use a port knocking service to open the OpenVPN port
I am aware of the technique. Not well supported in DD-WRT and I never pursued the idea. With a full-fledged operating system at the helm, I should look into the idea.

Quote:
Those "determined retards" are not human anymore, instead there are automated armies of bots scanning entire IP classes.
Yeah, I know most of the retards have automated these days. If such people were to suffer from lead poisoning I would not shed tears.

Quote:
If you're on a fixed public IP, then I'd suggest to use SNAT instead of MASQUERADE to do your NAT
I am on a static IP. Yay for me and thanks for the tips!

Quote:
Other suggestion for your firewall design, DROP packets you don't want and don't bother wasting resources to respond, well, unless there is a need.
I am not planning to log much in the firewall logs.
 
Old 08-19-2019, 08:03 PM   #34
abga
OpenWRT adopted fwknop
https://openwrt.org/docs/guide-user/services/fwknop

You can split the "determined retards" into a few groups and believe me it's serious.
- farming botnets employed lucratively to get more hosts in order to "help" with paid clicks - fraudulent Digital Marketing
https://www.vice.com/en_us/article/d...e-a-phone-farm
- hacker groups that need to extend their botnets and launch attacks (and make some money like the group above)
- state sponsored "groups" that share the same scope as the ones above
https://www.businessinsider.com/nort...program-2019-8
- universities doing their research, scanning after vulnerable services, you'll end up in the statistics they publish in their research papers

Sorry, I wasn't clear about dropping the packets you don't want instead of replying:
http://www.linux-admins.net/2013/07/...ct-packet.html
- always use DROP instead of REJECT (unless a REJECT is really needed)
 
2 members found this post helpful.
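The firewall advice in abga's two posts above (block everything and allow only what is needed, DROP rather than REJECT, SNAT when the public address is static, nothing listening on the WAN but the VPN, SSH only on the tunnel) fits in one small script skeleton. This is an added example and not abga's or upnort's own rc.firewall: the interface names eth0/eth1/tun0, the LAN range, UDP 1194 and the 203.0.113.10 address (an RFC 5737 documentation placeholder standing in for the real static IP) are assumptions, and DRY_RUN is a hypothetical switch that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the thread's own script: a default-deny rc.firewall
# skeleton for a two-interface Slackware gateway.  Every name below is an
# assumption; adapt it to the real box.
WAN=eth0                  # assumed WAN interface
LAN=eth1                  # assumed LAN interface
LAN_NET=192.168.1.0/24    # assumed LAN range
WAN_IP=203.0.113.10       # placeholder (RFC 5737) for the static public address
VPN_IF=tun0               # assumed OpenVPN tunnel interface
VPN_PORT=1194             # assumed OpenVPN UDP port
IPT=/usr/sbin/iptables
DRY_RUN=${DRY_RUN:-0}     # hypothetical switch: 1 prints the rules instead of loading them

# ipt: run one iptables command, or print it in dry-run mode
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        "$IPT" "$@"
    fi
}

# nat_rule [ADDR]: the POSTROUTING rule for outbound NAT.  With a fixed
# address use SNAT, which puts the address in the rule once; with no
# address fall back to MASQUERADE, which looks the interface address up
# per connection and is meant for dynamic addresses.
nat_rule() {
    if [ -n "$1" ]; then
        echo "-t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $1"
    else
        echo "-t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
    fi
}

apply_rules() {
    ipt -F
    ipt -t nat -F
    ipt -X
    # default deny, silently: unwanted packets are dropped, never rejected
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # the rate-limit and "recent" rules from abga's snippet belong here
    # the only service reachable from the WAN is OpenVPN
    ipt -A INPUT -i "$WAN" -p udp --dport "$VPN_PORT" -j ACCEPT
    # SSH answers on the tunnel and on the LAN, never on the WAN
    ipt -A INPUT -i "$VPN_IF" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$LAN" -j ACCEPT
    # LAN and VPN clients go out; replies are matched by conntrack
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$WAN" -j ACCEPT
    # forwarding is only switched on when rules are really loaded
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    # word-splitting nat_rule's output into arguments is intended
    ipt $(nat_rule "$WAN_IP")
}

# Usage:  sh rc.firewall print   (show the rules)
#         sh rc.firewall start   (load them, as root)
case "${1:-}" in
    print) DRY_RUN=1; apply_rules ;;
    start) apply_rules ;;
esac
```

Running it with `print` first and reading the output is the cheap way to confirm that no rule accepts port 22 on the WAN interface before the rules go live.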
Old 08-20-2019, 11:27 AM   #35
abga
@upnort

Check this on webmin:
https://pentest.com.tr/exploits/DEFC...Execution.html
https://www.reddit.com/r/netsec/comm...on_for_webmin/
 
Old 08-20-2019, 03:16 PM   #36
upnort
Original Poster
Quote:
Check this on webmin:
Thanks and good catch.

We use webmin at work on a few systems. We updated to 1.930 a few days ago.
 
Old 08-21-2019, 05:22 PM   #37
TristanT
I've been wanting to replace pfSense on my PC Engines apu2 with a Slackware install lately. Mainly because I don't know my way around a FreeBSD system enough to debug network issues if they arise and pfSense's web interface can't solve them.

I'm setting up a number of Slackware VMs in VirtualBox to get an environment that looks a bit like my home network. When I get the network connections working, I'll do the installation on my apu2 router.

When I'm done I'll post my experiences, but until that time I'm closely monitoring this thread.
 
1 members found this post helpful.
Old 08-21-2019, 07:06 PM   #38
upnort
Original Poster
Quote:
When I get the network connections working, I'll do the installation on my apu2 router.
I'm too lazy and tired to look, but is the apu2 a normal main board with a normal BIOS or more like an off-the-shelf consumer router?

Edit: Ah, never mind. I am so tired I did not see your link. Comes with CoreBoot.

Last edited by upnort; 08-21-2019 at 07:07 PM.
 
Old 08-21-2019, 08:49 PM   #39
abga
Quote:
Originally Posted by TristanT
I've been wanting to replace pfSense on my PC Engines apu2 with a Slackware install lately.
That's an interesting board - AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support.
VPN performance looks also pretty good:
https://www.firewallhardware.it/en/apu2-2nic/
I'll maybe consider it for personal use if I'll ever switch to Gigabit. Actually I have FTTH but set only at 100Mbit(default), don't need more, 1Gbit costs 8 times what I'm paying now and real bandwidth is around 300-500Mbps.
 
Old 09-01-2019, 12:24 PM   #40
upnort
Original Poster
Quote:
When I'm done I'll post my experiences, but until that time I'm closely monitoring this thread.
I haven't dug into this project, but in the computer junk pile I found a Gigabyte AirCruiser G PCI Adapter. Still in the original box, never opened. With lspci the card appears as Network controller: Ralink corp. RT2561/RT61 802.11g PCI. Not great but the card supports AP/VLAN and AP/mesh point. For my prototyping looks like I have an AP card to tinker with hostapd.
 
1 members found this post helpful.
Old 09-01-2019, 05:45 PM   #41
abga
Once you're done with the setup, don't yet celebrate. Go for some performance&quality testing with iperf.
Both iperf2 (multi-threaded) and iperf3 (single-threaded) are available at slackbuilds.org and online you can find plenty of tutorials on how to run different tests with them. I'd focus more on the WiFi connection and on the firewall & network stack "tuning".

P.S. Forgot to mention also the network stack tuning.
- some good docs:
https://wiki.archlinux.org/index.php/sysctl
https://www.frozentux.net/ipsysctl-t...-tutorial.html
- on Slackware you can either use your /etc/rc.d/rc.firewall header and add the parameters as:
Code:
# Enable broadcast echo protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
# No source routing (every interface, including "all" and "default")
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# TCP SYN cookies protection
if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#...
#etc
Or do it without conditional checking and issue:
Code:
/sbin/sysctl -e -p /etc/sysctl.conf
Then put your tuning parameters inside /etc/sysctl.conf
Code:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
#...
#etc

Last edited by abga; 09-01-2019 at 06:16 PM. Reason: P.S.
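Both variants above set the values but do not tell you afterwards whether they are still in effect (and `sysctl -e` silently skips keys the running kernel does not know, so a misspelled key is never reported). As an added example that is not from the thread, this small audit reads every key of a sysctl.conf-style file back from /proc/sys and reports drift or missing keys; SYSROOT is a hypothetical override so the check can be run against a constructed directory tree instead of the live kernel.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the values in a
# sysctl.conf-style file are actually in effect by reading each key back
# from /proc/sys.  SYSROOT is a hypothetical override for testing against a
# constructed tree; on a real box leave it at the default.
SYSROOT=${SYSROOT:-/proc/sys}

# key_to_path: net.ipv4.tcp_syncookies -> $SYSROOT/net/ipv4/tcp_syncookies
# (keys written with '/' separators, which sysctl also accepts, pass through)
key_to_path() {
    printf '%s/%s\n' "$SYSROOT" "$(printf '%s' "$1" | tr . /)"
}

# current_value PATH: the kernel's value with whitespace squeezed to single
# spaces, so multi-value keys (e.g. ip_local_port_range) compare against the
# space-separated form used in sysctl.conf
current_value() {
    v=$(tr -s '[:space:]' ' ' < "$1")
    v=${v# }
    v=${v% }
    printf '%s\n' "$v"
}

# audit_sysctl FILE: print one line per key whose live value differs from
# the file ("DRIFT") or which the running kernel does not have ("MISSING").
# Prints nothing when everything matches.
audit_sysctl() {
    # drop comments and blank lines, then split "key = value" on the '='
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$1" |
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -s '[:space:]' ' ')
        want=${want# }
        want=${want% }
        path=$(key_to_path "$key")
        if [ ! -r "$path" ]; then
            printf 'MISSING %s (no %s)\n' "$key" "$path"
            continue
        fi
        have=$(current_value "$path")
        [ "$have" = "$want" ] || printf 'DRIFT %s: want %s, have %s\n' "$key" "$want" "$have"
    done
}

# sysctl_ok FILE: exit status 0 only if the audit found nothing to report
sysctl_ok() {
    [ -z "$(audit_sysctl "$1")" ]
}

# Usage on the live system, e.g. from cron after the firewall script ran:
#   sh sysctl_audit.sh /etc/sysctl.conf
if [ -n "${1:-}" ]; then
    audit_sysctl "$1"
    sysctl_ok "$1"
fi
```

A DRIFT line after boot usually means some later script or module reset the key; a MISSING line means the key was never applied at all, which `sysctl -e -p` would not have told you.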
 
Old 09-01-2019, 06:34 PM   #42
upnort
Original Poster
Quote:
Go for some performance&quality testing with iperf.
For once I am ahead of the curve on that one. I have been using iperf in the home LAN for several years.

Thanks for the additional links.

The way the schedule is looking is I might not get to this project until late fall or winter.
 
Old 09-02-2019, 12:47 PM   #43
upnort
Original Poster
One element of the project I am puzzled by is configuring some usage graphs or data pages. I want at least total bandwidth usage, but some data per client computer might be nice.

I have used vnstat for years and that might suffice for total usage. Probably I need to configure a web server on the LAN side to grab and display the stats.
 
Old 09-02-2019, 01:18 PM   #44
ponce
for that you can have a look at this

https://github.com/ntop/ntopng/
 
1 members found this post helpful.
Old 09-02-2019, 01:42 PM   #45
abga
@upnort
While I was preparing my reply, ponce already provided one of the easiest solutions for your per IP graph requirements.
http://www.slackbuilds.org/repositor.../network/ntop/

Cacti could also qualify:
https://www.cacti.net/

And if you like to get your fingers dirty, you could use MRTG. I used it pretty extensively decades ago - there are plenty of configuration/scripting examples on the net:
https://oss.oetiker.ch/mrtg/
 
  

