Friday, December 25, 2009

Securing a server against ARP Spoofing (ARP Poisoning)

Problem
We want to isolate our server on our local LAN, so that no computer on the LAN can connect to it while the server's MAC address is unknown to it.

Facts
Router IP: 192.168.1.1 MAC: 00:14:6c:4f:66:70
Server IP: 192.168.1.12 MAC: 00:0d:61:00:85:2f
Server OS: Debian 5.0

Server network configuration (/etc/network/interfaces)
We'll see two cases. In the first case we can configure the router's ARP table, so that the server's IP and MAC appear in it. In the second case we can't configure the router's ARP table.

The first case is more secure, because no ARP Requests and Replies are broadcast between router and server:

Case 1
Configure the router ARP table like this:
Server IP: 192.168.1.12 MAC: 00:0d:61:00:85:2f

Server network configuration:

auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.1.12
netmask 255.255.255.0
network 192.168.1.0
# Disable the use of the ARP protocol on this interface,
# so eth0 will not create ARP packets.
# This hack works because ifup configures the network like this:
# ifconfig ${DEVICE} ${IPADDR} \
# netmask ${NETMASK} broadcast \
# ${BROADCAST} ${ARP:+arp}
broadcast 192.168.1.255 -arp
gateway 192.168.1.1

# Trusted IP and MAC (in this case only the router)
up arp -s 192.168.1.1 00:14:6c:4f:66:70


Case 2

auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.1.12
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

up arptables -F
up arptables -P INPUT DROP
up arptables -P OUTPUT DROP
up arptables -P FORWARD DROP
# Trusted IP and MAC (in this case only the router)
# Only ACCEPT ARP packets from the trusted gateway.
up arptables -A INPUT -s 192.168.1.1 \
--source-mac 00:14:6c:4f:66:70 -j ACCEPT
# Send replies only to the trusted hosts.
up arptables -A OUTPUT -d 192.168.1.1 \
--destination-mac 00:14:6c:4f:66:70 -j ACCEPT
# Add static entry into the ARP table to link your trusted host to its own MAC.
up arp -s 192.168.1.1 00:14:6c:4f:66:70


Conclusion
The first configuration is more secure and we don't have to use arptables. However, we have to configure the router's and the server's ARP tables statically. If we trust another PC on our LAN, we have to edit the server configuration to add the PC's MAC, and on that PC we also have to add the server's MAC address statically. Remember that the server can't create ARP replies (we have disabled ARP on the server).

In the second configuration, we don't have to configure the router statically. Moreover, if we add a new trusted PC, we only have to edit the server configuration (add the PC's MAC to the ARP table and append rules to the arptables chains). However, we are broadcasting ARP Requests and Replies, so any computer can see them.
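To confirm that either configuration actually took effect on the server, here is an added example (not from the original post) that parses /proc/net/arp and reports a gateway entry that is missing, dynamic, or carrying a MAC other than the trusted one, plus any host the policy never trusted (neither configuration should let one be learned). The two snapshots are constructed samples; the trusted router IP and MAC are the ones from the post.

```python
"""Check that the ARP cache pins the trusted gateway as the configurations
above intend. Parses /proc/net/arp; `arp -s` entries carry flags 0x6
(ATF_COM | ATF_PERM), dynamically learned ones only 0x2."""
from typing import Dict, List, Tuple

ATF_PERM = 0x4  # permanent (static) entry; ATF_COM (0x2) = complete
# Trusted hosts from the post: the router only.
TRUSTED = {"192.168.1.1": "00:14:6c:4f:66:70"}

# Constructed sample: /proc/net/arp after the `up arp -s` line took effect.
ARP_OK = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x6         00:14:6c:4f:66:70     *        eth0
"""
# Constructed sample: gateway entry learned dynamically with another MAC,
# plus a host the policy never trusted.
ARP_BAD = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:aa:bb:cc     *        eth0
192.168.1.50     0x1         0x2         02:00:00:dd:ee:ff     *        eth0
"""

def parse_proc_net_arp(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, mac, flags) per entry from the six-column format."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) >= 6:
            ip, _hwtype, flags, mac = parts[:4]
            entries.append((ip, mac.lower(), int(flags, 16)))
    return entries

def check_trusted(entries, trusted: Dict[str, str]) -> List[str]:
    """Return policy violations; an empty list means the cache matches policy."""
    problems = []
    by_ip = {ip: (mac, flags) for ip, mac, flags in entries}
    for ip, want in trusted.items():
        if ip not in by_ip:
            problems.append(f"{ip}: no ARP entry")
            continue
        mac, flags = by_ip[ip]
        if mac != want.lower():
            problems.append(f"{ip}: MAC {mac} differs from trusted {want}")
        if not flags & ATF_PERM:
            problems.append(f"{ip}: entry is dynamic (flags 0x{flags:x})")
    for ip, mac, _flags in entries:
        if ip not in trusted:
            problems.append(f"{ip}: untrusted host {mac} in ARP cache")
    return problems
```

On the server, read /proc/net/arp and pass its contents to parse_proc_net_arp; every string check_trusted returns is a deviation from the configuration above.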


Sources:
http://www.experts-exchange.com/Networking/Linux_Networking/Q_21428737.html
https://bugzilla.redhat.com/show_bug.cgi?id=12111
http://abulmagd.blogspot.com/2008/08/arptables-and-arp-poisoningnetcut.html

Wednesday, December 23, 2009

autocd: invalid option name (bash)

It is possible to enable some extra options in bash, such as the autocd option. This option allows us to change the current directory without using the cd command.

Without autocd 
pron@debian:~$ cd Desktop
pron@debian:~/Desktop$

With autocd
pron@debian:~$ Desktop
cd Desktop
pron@debian:~/Desktop$

To enable this option in our bash:
$ shopt -s autocd
or
$ bash -O autocd (this second form starts a new bash instance with the option set)

But on my Debian 5.0 system /bin/bash was version 3.2.39, which does not support the autocd option. So when I tried to activate the autocd option I got this error:
$ shopt -s autocd
bash: shopt: autocd: invalid shell option name

The shopt command is a SHELL BUILTIN COMMAND; builtins are commands contained within the shell itself. I realized that my bash version didn't support the autocd option, so I installed a new bash version (4.0.0) from the GNU web page.

Once the new bash version is installed, it's necessary to change your user's default shell. My new shell was installed in /usr/local/bin/bash. So the first step was to edit (as root) /etc/shells to add the new shell location (/usr/local/bin/bash). After that, you can change your user's shell with the chsh command. It prompts for your user password, and then you type your shell location (in this case /usr/local/bin/bash). Finally, for the changes to take effect, it is necessary to log out of your account. If you are in a GNOME or KDE environment, log out of your user account and log in again.

After all this is done you can use the autocd option. To set it permanently, edit your ~/.bashrc file and add the 'shopt -s autocd' command.

Source:
http://www.linux-magazine.com/w3/issue/111/088-090_command.pdf
http://www.gnu.org/software/bash/manual/
http://linux.about.com/od/bgb_guide/a/gdebgb16t01.htm