Creating a Stealth Firewall to Secure a Solaris Computer from Hackers.

Dr. David Kirkby, Ph.D.

Version 1.1    21/08/2000

Abstract

Any computer that works may be hacked, even if it is not connected to the internet, as insiders are often a source of hacking. However, whenever a computer is connected to the internet, the number of potential hackers increases considerably. The probability of the machine being hacked from the internet can be dramatically reduced by making it difficult for someone to find it. This document describes how a Sun SPARCstation 20 running Solaris 8 was secured using the packet filtering package called IP filter. After IP filter was installed and configured, the machine could access the internet and browse the web from the console, could be accessed by ssh and sftp (secure replacements for telnet and ftp) remotely from some specific IP addresses, yet was practically invisible to the rest of the world's computers. To anyone else, the SPARCstation would not respond to attempts to contact the machine by ssh, sftp, ftp, telnet, or even ping.
    This document is aimed at home users, or any application where the utmost in security is not required. It should stop the average hacker running a package to hack your machine. It is not intended to be the last word on high security firewalls, nor is it intended for use when the highest security is necessary. The information is provided free in the hope it will be of use, but no warranty is given. Anyone sniffing the internet connection between your computer and the web could detect the presence of your computer, even if it was not responding to attempts to make connections in the normal way. Posts to newsgroups indicate your presence. There are also some sophisticated techniques, not covered here, that would enable detection of the computer.
    In this document, the machine with the firewall is called parrot and it has an IP address of 62.255.98.185. A pair of machines from which parrot will accept connections are called friend and family. A machine from which any form of access will always be denied is called stranger. These names are fictitious, and the IP address was dynamically allocated by my ISP, so it is not likely to be my current IP address.

Introduction


There are several excellent articles on computer security on the web. The following are predominantly specific to Solaris, although the general principles apply to any operating system.
 

Building a Solaris Host
Look under security at Sun Blueprints
Stokely Consulting has a good set of links.
Solaris security FAQ
Armoring Solaris

Most suggest a set of procedures that includes:

Only then should the machine be connected back to the internet. This article assumes that several of the above articles have been read. Security is always a compromise with usability, so not every suggestion is appropriate in every case.

TCP wrappers

tcp_wrappers is a software solution to limit access to a machine. It works by creating small wrapper programmes for the services called by /etc/inet/inetd.conf. You can specify which IP addresses are allowed to connect to which services. While useful, it has two main problems.
 

IP filter is much more powerful, although it is more complex to set up. However, that complexity is rewarded by increased security.

Installing IP filter

The computer was first set up to use the modem to connect to the internet, as described in Mike Mann's Solaris Resources. In this case the connection to the internet is through the ipdptp0 interface.
   Next, IP filter, available at http://cheops.anu.edu.au/~avalon/ip-filter.html, was installed. The instructions need to be read, as it's not quite as simple as the normal configure; make; make install. For some reason, it does not work with GNU make, but it worked fine with /usr/ccs/bin/make on my Solaris machine. On a Solaris machine, one has to make a package and then install it using pkgadd. Mike Mann's excellent web pages on Solaris have a section, under construction, on using IP filter for network address translation and routing. This gives some more detailed instructions.

# gzip -d ip-fil3.4.8.tar.gz
# tar xvf ip-fil3.4.8.tar
# cd ip_fil3.4.8
# /usr/ccs/bin/make solaris
# cd SunOS5
# /usr/ccs/bin/make package

This installs the binaries ipfstat, ipftest, ipmon, ipnat, ipresend and iptest, plus mkfilters, which is an executable Perl script. The script mkfilters is designed to produce a set of rules for a firewall, although it did not meet my need of making the computer stealth.

IP filter is started automatically at boot with the file /etc/rc2.d/S65ipfboot, which is installed with the package.

IP filter is configured with a configuration file. I called the file /usr/local/etc/ipf/firewall.conf. I wrote a script, /etc/rc3.d/S98Firewall, to load the firewall rules at boot time.

parrot # cat /etc/rc3.d/S98Firewall
#!/bin/sh
/sbin/ipf -f /usr/local/etc/ipf/firewall.conf

The firewall logs some of the refusals. The logging is started at boot by a script, /etc/rc3.d/S99LogFirewall.

parrot  # cat /etc/rc3.d/S99LogFirewall
#!/bin/sh
pkill -9 ipmon
/opt/ipf/bin/ipmon -n > /var/log/ipf/ipf.$$.log &

A third script, /usr/local/bin/restartfirewall, is executed whenever the file /usr/local/etc/ipf/firewall.conf is changed. It flushes and reloads the rules, restarts the logging, and then uses tail -f to constantly watch the log of refused connections.

parrot # cat /usr/local/bin/restartfirewall
#!/bin/sh
/sbin/ipf -Fa
/etc/rc3.d/S98Firewall
/etc/rc3.d/S99LogFirewall
LOGFILENAME=`ls -lrt /var/log/ipf | awk '{print $9}' | tail -1`
echo $LOGFILENAME
tail -f /var/log/ipf/$LOGFILENAME

The contents of the configuration file determine what the IP filter package does with each packet. A full discussion of how to set up the configuration file may be found in this IP Filter How-To.
One important point to note is that if there are several rules that match an incoming or outgoing packet, the last matching rule is followed and all previous ones are ignored, unless a matching rule contains the keyword quick, in which case that rule is applied at once and no later rules are consulted. The following configuration file assumes the main internet connection is through ipdptp0, which in my case is the modem.

parrot  # cat  /usr/local/etc/ipf/firewall.conf

# First, block everything coming down the modem.
block in log on ipdptp0 all

# Anything with options gets thrown out, as these can be used to hack.
block in log quick from any to any with ipopts

# Get rid of all short TCP/IP fragments (too small for valid comparison)
# as these can be used for hacking.
block in log quick proto tcp from any to any with short

# Block all the private routable addresses, as these should never come down the modem.
block in quick on ipdptp0 from 192.168.0.0/16 to any
block in quick on ipdptp0 from 172.16.0.0/12 to any
block in quick on ipdptp0 from 10.0.0.0/8 to any

# Block any packet going out, that is intended for one of the private address ranges.
# There is no reason to send anything to such an IP address.

block out quick on ipdptp0 from any to 192.168.0.0/16
block out quick on ipdptp0 from any to 172.16.0.0/12
block out quick on ipdptp0 from any to 10.0.0.0/8

# Much software communicates with itself on 127.0.0.1 so
# blocking it from an external source is a good idea.

block in quick on ipdptp0 from 127.0.0.0/8 to any
# Allow any responses from remote sites to come back - ping, web sites etc.
# This means any port will be opened, if needed.
pass out quick on ipdptp0 proto tcp from any to any keep state
pass out quick on ipdptp0 proto udp from any to any keep state
pass out quick on ipdptp0 proto icmp from any to any keep state

# Allow anything from selected friendly computers. These computers are trusted.
pass in quick on ipdptp0 from friend to any
pass in quick on ipdptp0 from family to any

For further information on configuring IP filter for a firewall, see The IP Filter Based Firewalls HOWTO. This is very comprehensive, but somewhat complex in places.
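To make the matching order concrete, here is an added example (not part of the original article and not IP filter's own code) that evaluates a subset of the firewall.conf rules above with the "last match wins, unless quick" semantics and a minimal keep state table. The addresses for friend and the remote web site are constructed; parrot keeps its address from the article.

```python
import ipaddress

# Constructed addresses standing in for the page's fictitious hosts.
HOSTS = {"friend": "198.51.100.7", "family": "203.0.113.9"}

# A subset of the page's firewall.conf, in the page's order.
RULES = """block in log on ipdptp0 all
block in quick on ipdptp0 from 10.0.0.0/8 to any
pass out quick on ipdptp0 proto icmp from any to any keep state
pass in quick on ipdptp0 from friend to any""".splitlines()

def parse_rule(line):
    # Only the keywords this page's rules use; each one takes one argument.
    w = line.split()
    r = {"action": w[0], "dir": w[1], "quick": "quick" in w, "keep": "keep" in w,
         "on": None, "proto": None, "from": "any", "to": "any"}
    for key in ("on", "proto", "from", "to"):
        if key in w:
            r[key] = w[w.index(key) + 1]
    return r

def addr_match(pattern, ip):
    if pattern == "any":
        return True
    net = ipaddress.ip_network(HOSTS.get(pattern, pattern), strict=False)
    return ipaddress.ip_address(ip) in net

def rule_matches(r, p):
    return (r["dir"] == p["dir"] and r["on"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"])
            and addr_match(r["from"], p["src"]) and addr_match(r["to"], p["dst"]))

class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(l) for l in rules]
        self.state = set()  # (proto, local, remote) of traffic parrot initiated

    def decide(self, p):
        # Replies to connections parrot opened are passed from the state table.
        if p["dir"] == "in" and (p["proto"], p["dst"], p["src"]) in self.state:
            return "pass"
        verdict, hit = "pass", None  # ipf passes a packet no rule matches
        for r in self.rules:
            if rule_matches(r, p):
                verdict, hit = r["action"], r  # last matching rule wins ...
                if r["quick"]:
                    break  # ... unless that rule says quick
        if verdict == "pass" and hit and hit["keep"] and p["dir"] == "out":
            self.state.add((p["proto"], p["src"], p["dst"]))
        return verdict
```

A packet dict carries dir, iface, proto, src and dst; with these rules an inbound ping from stranger is blocked, one from friend passes, and a reply to a ping parrot sent out passes only because the state table remembers the outbound packet.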

Results

parrot /export/home/davek % ping www.sun.com
www.sun.com is alive

I'll now log into the machine friend and ping the host parrot, which has the firewall.
friend /home/users/davek % /usr/sbin/ping 62.255.98.185
62.255.98.185 is alive

From another host, family, I'll attempt to telnet to the machine.
family /home/users/davek % telnet 62.255.98.185
Trying 62.255.98.185...
Connected to 62.255.98.185.
Escape character is '^]'.
Vax VMS 6.2
login:

(The system is configured to report its operating system as VMS 6.2, as a simple, and probably not very useful, attempt to fool hackers.)
 
This is now repeated from the computer stranger, which is not on the list of machines from which connections will be accepted.

stranger  /home/users/davek % /usr/sbin/ping 62.255.98.185
no answer from 62.255.98.185

Hence parrot, which has been secured with the firewall, can't even be pinged from the remote computer stranger. Port scanners will not be able to find any evidence of the computer's existence.

Testing the security of your system.

There are many security tools that can be used to test the security of your system. Unfortunately, these same packages are often used by hackers.

nmap is a port scanner that you can run yourself. It is best to run it on a remote, untrusted computer, to see what ports appear to be open on your computer. Ideally you need root access on the machine from which you wish to test, as some of the tests need it.

The Shields Up site at https://grc.com/x/ne.dll?bh0bkyd2 is a web based port scanner that reports on whether a few selected ports are open (accepting connections), closed (refusing connections) or stealth (not acknowledging their presence). It can not test as many ports as programmes like nmap, but it is none the less useful. Here is a screen dump of a run collected with the firewall in place; we can see it is secure.

(Screenshot: Shields Up results with the firewall in place)

If the firewall is now disabled, we see it is far less so, with many ports being open or closed, but not stealth.

(Screenshot: Shields Up results without the firewall)

Disabling telnet and ftp.
So far, the computer parrot is difficult to detect from an arbitrary remote host on the internet. However, whenever a telnet or ftp connection is made, the passwords are sent in plain text. It is better to add OpenSSH, a secure shell that provides secure replacements for rsh, rlogin, rcp, telnet, rexec and ftp. Once OpenSSH is installed and telnet and ftp are disabled, it will be impossible to obtain any passwords by sniffing the internet connection.

Other useful security software

The following software packages may be useful.

ssh is a replacement for rsh, rlogin, rcp, telnet, rexec and ftp. It avoids needing to pass plain text passwords over the internet.

Tripwire is a programme, available in both open source and commercial versions, that allows one to detect if a system has been hacked, as long as you can be 100% sure the system had not been hacked at the time Tripwire was installed.
 

Protecting other networked computers.

The computer parrot was configured to act as a router and perform network address translation as described here. A Windows NT machine was connected to the 100baseT connection (hme0) on the Sun SPARCstation's network card. The Windows machine was also hidden from hackers. It too showed up as Stealth on the Shields Up site.

Limitations

With a firewall configured as discussed here, the computer parrot will be very hard to find on the internet by someone at an arbitrary site. However, if the hacker can intercept the connection between parrot and the sites you contact, they will know of your presence. If you access parrot remotely using standard ftp or telnet from friend, the passwords can be intercepted. Hence it is advisable to only connect from a remote site using a secure shell, and to disable ftp and telnet access.

Stealth port scanning is a technique that could be used to find a computer that does not respond to ping requests, using a tool such as hping2. The technique is not 100% accurate, and is difficult to use.

The computer parrot runs X Windows, has several compilers on its 3 hard disks and has many services running. As such, it will always be less secure than a machine that is dedicated to the job of a firewall and is not a general purpose multi-user computer. The Coyote Linux Project is a cut down version of Linux that performs network address translation and runs from a floppy disk that may be write protected. A firewall running on this would in principle be more secure than one on a general purpose UNIX computer in multi-user mode with its read/write hard drives. I have in the past used a PC as a firewall/router, but decided to take the less secure route of the main computer performing the firewall function too. This decision was based on the desire to reduce the number of computers generating heat and noise; the reduction in security was acceptable to me.

Acknowledgements

The author would like to thank Mike Mann for help with my earlier attempts at using a Solaris computer to perform network address translation, and Ean Kingston ean@korax.net for helpful comments on an earlier copy of this article.

About the author

David Kirkby is a scientist, with a Ph.D degree in Medical Physics. He is not, nor has ever been, a professional UNIX systems administrator. He administers his own personal Sun SPARCstation 20s, Ultra 60 and Ultra 80. Hence you may feel happier ignoring all of the above.

Any comments?