I'm writing this checklist as I setup a new router for the home office to remind me of the modifications I need to make to get a fresh deployment "just right" the first time. ClearOS is a CentOS-based router distribution that lets one rapidly and easily deploy and manage routers and miscellaneous network services. CentOS itself is a de-branded flavour of Red Hat Enterprise Linux. Back when ClearOS flew under the ClarkConnect label if one wanted certain parts of the product one had to either pay for an Office or Enterprise license or use well crafted google queries to find the ftp credentials for Enterprise repositories, grab the RPMs, rpm2tgz/rpm2cpio them and overlay them on the filesystem (and don't forget to fix the permissions!) to avoid unresolvable dependencies.
Fortunately with the morph to ClearOS the Clear Foundation folks stopped charging for commodity software (i.e. web configuration modules for DMZ and Multi-WAN (load balancing/failover)) and started focusing on services you can live without. I warn against paying just for the tech support, you're much better off in the community forum - sparse though the posts are. From my experience (last dating in 2008 mind you) their Level 1 cuts off at putting the cd in the drive and may flat out refuse to support their product if you reveal it's being used in any setting more complex than a small office. If you're an intermediate *nix user and you can't figure out the problem on your own or with google chances are tech support can't (or won't) help you anyway; drop by the users forum.
Most of the routers I make these days are virtual machines and that goes beyond the scope of this checklist, however I plan to cover my process in a future article. The machine this checklist will be based on is an AthlonXP 2500+ 1.83GHz with 384MB DDR266 and an 8GB CompactFlash card plugged into a CF-IDE adapter, which you can get on eBay for about $1CAD. The machine has an onboard NIC and two PCI NICs as well as a wifi card so it can be turned into an access point. I like to use CF cards instead of hard drives on my physical routers because - although the cheap ones can be quite slow - you don't have to worry about them up and dying on you for several years. The cards are worn out with repeated write cycles (though often in the high thousands) so if you choose to use them you should try to minimize the amount of data written to disk during day-to-day operation. A remote syslogd might be of great help.
We're going to assume you've already downloaded and burned the installation ISO to disc. At the time of writing the current version is 5.1 SP1, the instructions below may not apply to future versions. Once you've booted you'll eventually be asked if you would like to let the installer automatically partition your hard drive or if you'd like to manually configure the partitioning. It's usually fine to let the installer do its thing but if you're working in confined spaces like our 8GB flash card or have plenty of ram the oft-defaulted swap partition size of 1GB is a tad generous. Also choose to manually configure the partitioning if you would like to use software RAID. If you choose to RAID your drives use anything but level 0; there is no need which I could conceive for high performance storage on a router (almost everything needed is loaded into ram on startup) and reliability is priority one on mission-critical systems like these.
Chances are if you want to do anything with the storage on your router you want to outsource that operation to another machine. Your router is the gatekeeper for the network and if it becomes compromised the consequences could be worse than with any single workstation. The simplest way to reduce the risk of a service being exploited is to not run it, so your router shouldn't run anything it doesn't need for management or to route and protect the network (firewall, IPS, IDS etc). In following with that notion keep the number of users on the system to an absolute minimum. If you're the only person who should have access to the box you should be the only person with a user account. ClearOS allows root logins via SSH by default so you should create at least one user account for yourself in order to separate privileges.
Once you've completed the installation and rebooted you can connect to the management interface at https://lan-ip:81 and log in as root. You'll be asked to fill in a number of details to complete the installation process. Once that's completed register your router with ClearSDN. If you have not made an account with them yet you should do so at the ClearSDN portal first. I generally disable "send diagnostic reports" when I register the routers but you may be less paranoid and more helpful. Once your router has been registered go to Software Updates. You can enable or disable automatic updates. They are enabled by default and I don't like that one bit: what if one of the repositories gets hacked? What if a new RPM breaks something critical and I'm not around to fix it?
Don't waste your time with all the checkboxes, shell into your router and run the following:
- yum update
- Updates all packages currently installed
- yum install screen
- Screen is a handy tool for multitasking shells
- yum install lynx
- There's already a version of lynx that comes as part of the ClearOS text console and you can use it by symlinking it to /usr/bin and its config file to /etc but that's messy.
- yum install links
- You don't need this if you have lynx, I just like to install them both so I can type either. Depends on my mood.
- yum install nmap
- nmap is an invaluable network diagnostic and analysis tool.
- yum groupinstall "Development Tools"
- Install this on systems where you expect to be compiling third-party software. Wherever possible use RHEL/CentOS RPMs for the corresponding version of ClearOS. You probably don't want to install this on space-restricted systems. If you have space to kill it never hurts to be prepared.
- yum install ncurses-devel
- yum install kernel-devel
- Install these on systems where you expect to be modifying the kernel, you will need the Development Tools group to compile the kernel or modules.
- yum install net-snmp
- Install this so you can monitor system statistics remotely. (i.e. with Cacti)
- yum install wpa-supplicant
- You need this if you want to run an access point, ClearOS is only configured for WEP by default and can't be set up through the web config.
The ClearOS web config has an embedded MRTG package that graphs system vitals, but if you plan on remotely monitoring your router's statistics (load average, network traffic, etc.) you will probably want to install net-snmp. Depending on your configuration you may need open port 161UDP. Here's a very short configuration sample that you can drop into /etc/snmp/snmpd.conf:
rouser public rocommunity public localhost syslocation "Server Room" syscontact [email protected] com2sec local 127.0.0.1/32 public com2sec local 192.168.0.0/24 public group MyROGroup v1 local group MyROGroup v2c local group MyROGroup usm local view all included .1 80 access MyROGroup "" any noauth exact all none none
Replace 192.168.0.0/24 with the subnet or IP that should have access to SNMP data.
ClearOS is one of the few distributions that enable syncookies by default. You probably don't need to add these lines since syncookies override tcp_max_syn_backlog. I like to do it anyway just in case something fails on bootup. Per my previous article Defending Against the SYN Flood add these lines to /etc/rc.d/rc.firewall.local:
echo 3096 > /proc/sys/net/ipv4/tcp_max_syn_backlog echo 2 > /proc/sys/net/ipv4/tcp_syn_retries echo 1 > /proc/sys/net/ipv4/tcp_synack_retries echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Or not. It won't kill you either way.
ClearOS comes with a special rule that snort will use to detect local SSH brute force attempts but as we covered in my previous article Stifling Brute Force Attacks with fail2ban fail2ban is highly extensible and can perform any operation that can be executed from the command line in response to any pattern match found in a given log file. Fail2ban is not available in the default ClearOS repositories but we can use the RHEL 5 rpm available at http://dag.wieers.com/rpm/packages/fail2ban/. After installing the packages listed above the RPM should have only one dependency: gamin-python. Install fail2ban thus:
# yum install gamin-python
# wget http://rpmforge.sw.be/redhat/el5/en/i386/rpmforge/RPMS/fail2ban-0.8.1-1.el5.rf.noarch.rpm
# rpm -iv fail2ban-0.8.1-1.el5.rf.noarch.rpm
Return to the webconfig and make sure you have installed all the components and third party applications listed that you need, like the Advanced Firewall Module which is not installed by default. Configure your firewall, DHCP and VPN(s). Back at the command line let's clean out all the packages we just downloaded:
# yum clean all
At the command line run chkconfig --list:
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off avahi-dnsconfd 0:off 1:off 2:off 3:off 4:off 5:off 6:off clamd 0:off 1:off 2:off 3:off 4:off 5:off 6:off cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off dansguardian-av 0:off 1:off 2:off 3:off 4:off 5:off 6:off dnsmasq 0:off 1:off 2:on 3:on 4:on 5:on 6:off fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off firewall 0:off 1:off 2:on 3:on 4:on 5:on 6:off freshclam 0:off 1:off 2:off 3:off 4:off 5:off 6:off haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off ipsec 0:off 1:off 2:off 3:off 4:off 5:off 6:off iscsi 0:off 1:off 2:off 3:off 4:off 5:off 6:off iscsid 0:off 1:off 2:on 3:on 4:on 5:on 6:off kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off l7-filter 0:off 1:off 2:off 3:off 4:off 5:off 6:off ldap 0:off 1:off 2:off 3:on 4:on 5:on 6:off ldapsync 0:off 1:off 2:off 3:on 4:on 5:on 6:off lm_sensors 0:off 1:off 2:on 3:on 4:on 5:on 6:off lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off mcstrans 0:off 1:off 2:off 3:off 4:off 5:off 6:off mdmonitor 0:off 1:off 2:off 3:off 4:off 5:off 6:off mdmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off multipathd 0:off 1:off 2:off 3:off 4:off 5:off 6:off mysqld 0:off 1:off 2:off 3:off 4:off 5:off 6:off netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off netplugd 0:off 1:off 2:off 3:off 4:off 5:off 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off nmb 0:off 1:off 2:off 3:off 4:off 5:off 6:off nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off openvpn 0:off 1:off 2:off 3:off 4:off 5:off 6:off pptpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off saslauthd 0:off 1:off 2:off 3:on 4:on 5:on 6:off smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off snort 0:off 1:off 2:off 3:off 4:off 5:off 6:off snortsam 0:off 1:off 2:off 3:off 4:off 5:off 6:off squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off suvad 0:off 1:off 2:on 3:on 4:on 5:on 6:off syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off system-mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off syswatch 0:off 1:off 2:on 3:on 4:on 5:on 6:off vpnwatchd 0:off 1:off 2:off 3:off 4:off 5:off 6:off webconfig 0:off 1:off 2:on 3:on 4:on 5:on 6:off winbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off wpa_supplicant 0:off 1:off 2:off 3:off 4:off 5:off 6:off
We want to turn off anything that starts in runlevels 2.3.4 or 5 that we don't need. This will make the router boot faster and use less ram, which is particularly important if you're building a virtual machine. A fast power-cycle has obvious advantages for any connectivity device and one can comfortably fit a low-traffic ClearOS router into 96MB of RAM with room to breathe by disabling the right services. Based on the defaults shown here, these are some services you probably want to turn off - your mileage of course may vary:
- Zeroconf stuff. You only want it if you know what that means, and probably not even then.
- Practically unused by anything but X
- Obviously you want these if you really are using iSCSI.
- Checks for new hardware and can interrupt boot process, can be run from the command line anyway
- You only want this if you're using LVM
- Same with HALD
- Leave this on if you're doing anything with NFS
Services you may want to disable include:
- Talks to ClearSDN, disabling interferes with updates and ClearSDN services but it can be started on demand
- There's no hardware to monitor on a xen virtual machine
Use the following syntax to remove init scripts from these runlevels:
# chkconfig --level 2345 iscsid off
And enable anything that should be turned on:
# chkconfig --level 2345 snmpd on
Be sure not to touch any of the numerous LDAP services, ClearOS uses that internally to manage the user accounts. If you don't know what a service does be sure to look it up before you disable it.
If your router includes a wireless card that requires firmware do not forget to download it to /lib/firmware.
Updatedb indexes the files on your mounted partitions for fast searching with the locate or slocate tool. You should run it once now that you have most of the files installed. By default, cron runs updatedb every night. This causes high I/O load and can be disabled by disabling its cron script's execute bit:
# chmod -x /etc/cron.daily/mlocate.cron
While the web config makes ClearOS what it is, I don't like the console configuration (slow, featureless and requires two logins...) - and I really don't like the graphical one (wtf?). These are a severe obstacle on Xen installations where it's difficult to navigate serial-based (no ptys to alt+Fx to) xenconsole out of the bottomless ncurses pit. Rather than loop-mount the image and configure the networking and reboot the VMs and shell in I prefer to disable that rubbish altogether. Edit /etc/inittab to reflect:
# Run gettys in standard runlevels #1:2345:respawn:/sbin/mingetty --autologin=clearconsole tty1 1:2345:respawn:/sbin/mingetty tty1 2:2345:respawn:/sbin/mingetty tty2
If this router is going to be in a high traffic environment you may find that snortreport.sh progressively uses more and more resources to compile the webconfig-accessible IPS/IDS reports until it starts overlapping with itself, causing extreme load. You can delete it, move it, or remove its execute bit:
# chmod -x /usr/sbin/snortreport.sh
ClarkConnect used to come with some fairly dangerous default snort rules, particularly if your router is intended to be the firewall for a public network. Things look a lot better now, the two rules I could remember always having to comment out now come commented by default; as things run I'll keep a list of false-positive generating rules here.
NOTE: That list can be found here: Bad Snort Rules
Snort rules take the form of lines in files located in /var/lib/suva/services/intrusion-protection/rules/ (formerly /var/lib/suva/services/snort/rules/). Disabling a rule is as simple as prefixing it with a hash mark (#) and restarting snort:
# /etc/init.d/snort restart
Check your Intrusion Prevention reports in the web config regularly when you first deploy your new firewall. Investigate any rule that appears multiple times to determine if your particular environment is triggering false positives. This is critical if you are protecting a public network, say a farm of web servers. One rule (that is now commented by default) would block an IP that sent or received a string of ascii 'a's, like: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaa' because a long string of 'a's is one signature of a certain buffer overflow attack. One day one of my users said "Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah!" in a web-based chat room when I had a freshly deployed router out and he and everyone who saw it were swiftly blocked from the network. One can either live without IPS (I wouldn't recommend it) or one can mitigate the downtime through careful monitoring.
You may wish to lock down SSH by following my article on key-exchange. While by default (in gateway mode) ssh is not accessible on the external addresses one should never discount the possibility of attack from within. Any machine behind your firewall that can be compromised will be in a unique position to compromise other machines if attention is not paid to internal network security. There is no such thing as a trusted network, only more trustworthy.