Raspberry Pi IPv6 firewall tester installation

From timswiki
Revision as of 09:21, 17 September 2012 by Wikiadmin (talk | contribs)

Suggested Reading

Before you begin please read the excellent Arch Linux Beginners' Guide.

Arch Linux Download and CF card creation

Fetch the Arch Linux download from RaspberryPi Downloads

If you are using Win32 Disk Imager, be aware that the image file needs to be extracted onto a local physical drive (e.g. C:) rather than a network or remote drive.

Login, Change the root password and Create a plain user

Having logged in as root, make sure you change the default password:

 # passwd

Then add a user: (follow the prompts)

 # adduser

Update your System and Install the Required Packages

Then update your system:

 # pacman -Syu

This is likely to update pacman itself; follow the prompts and, once that is complete, re-run the full upgrade:

 # pacman -Syu
 :: Synchronizing package databases...
  core is up to date
  extra is up to date
  community is up to date
  alarm is up to date
  aur is up to date
 :: Starting full system upgrade...
 resolving dependencies...
 looking for inter-conflicts...
 Proceed with installation? [Y/n]
 :: Retrieving packages from core...

Then install LAMP by following the excellent Arch Linux LAMP guide.

 # pacman -S apache php php-apache mysql
 # rc.d start mysqld 

Don't forget to add a MySQL password:

 # mysqladmin -u root password 'password'
 # mysql -u root -p

Then edit /etc/rc.conf (to start MySQL at boot):

  DAEMONS=(... mysqld ...)

Read and follow the Apache section. I suggest that you adjust the default DocumentRoot by inserting an additional directory level (e.g. htdocs) under /srv/http, so that you can place other directories at the same level without them all sitting under the document root:

           htdocs - for storage of your served web pages (e.g. index.php discussed below)
           cgi-bin6 - for the ipscan cgi executables

If you follow this suggestion then don't forget to modify the DocumentRoot setting in the Apache configuration file! Having followed the PHP installation guide, you'll also need to update PHP's open_basedir in /etc/php/php.ini to match Apache:

 open_basedir = /srv/http/htdocs:/home/:/tmp/:/usr/share/pear/

And also define the timezone appropriately for your system:

  ; Defines the default timezone used by the date functions
  ; http://php.net/date.timezone
  date.timezone = "Europe/London"

Once Apache and PHP start successfully:

 # rc.d start httpd

then edit /etc/rc.conf (to start Apache at boot):

 DAEMONS=(... httpd ...)

Then install the basic development tools (which provide gcc, etc.):

 # pacman -S base-devel

And Perl and the associated MySQL interface modules:

 # pacman -S perl-dbi perl-dbd-mysql

You may also wish to include spoken sound support:

 # pacman -S festival festival-english alsa-utils

And update your festivalrc file:

 # cat /root/.festivalrc
   (Parameter.set 'Audio_Command "/usr/bin/aplay -R1000 -q -c 1 -t raw -f s16 -r $SR $FILE")
   (Parameter.set 'Audio_Method 'Audio_Command)

And add a sound.conf file under /etc/modules-load.d to ensure the Broadcom sound module is loaded at boot. The file needs to contain only the single statement shown below:

 # cat /etc/modules-load.d/sound.conf

Install git, download and build ipscan

Then install git and download the ipscan source:

 # pacman -S git

Then clone the ipscan source into a directory under your root user account:

 [root@alarmpi ~]# git clone https://github.com/timsgit/ipscan ipscan
 Cloning into 'ipscan'...
 remote: Counting objects: 221, done.
 remote: Compressing objects: 100% (200/200), done.
 remote: Total 221 (delta 156), reused 85 (delta 20)
 Receiving objects: 100% (221/221), 102.97 KiB, done.
 Resolving deltas: 100% (156/156), done.
 [root@alarmpi ~]# ls ipscan
 COPYING  ipscan.c  ipscan_checks.c  ipscan_db.c  ipscan.h  ipscan_portlist.h  ipscan_web.c  Makefile  README  sqltidy.pl
 [root@alarmpi ~]#

Now follow the instructions in the README file within ipscan's GitHub repository.

It's necessary to change the Makefile to reflect your Apache server's cgi-bin directory mapping:

Assuming your Apache configuration file (/etc/httpd/conf/httpd.conf) contains:

 DocumentRoot "/srv/http/htdocs"

and ...

 ScriptAlias /cgi-bin6/ "/srv/http/cgi-bin6/"

and ...

 <Directory "/srv/http/cgi-bin6">
   AllowOverride None
   Options +ExecCGI -Includes
   Order allow,deny
   Allow from all
 </Directory>

then modify your ipscan Makefile to reflect this:

 # Install location for the CGI files
 # HTTP URI PATH by which external hosts will access the CGI files.
 # This may well be unrelated to the installation path if Apache is configured
 # to provide CGI access via an alias.
 # NB : the path should begin with a / but must NOT end with one ....

Make sure you have created the /srv/http/cgi-bin6 directory (or whatever you have chosen) before attempting to build ipscan. Then make sure your MySQL database is created following the instructions in the GitHub repository. You will need to log in to MySQL using the root password you defined above:

 # mysql -u root -p
 mysql> create database ipscan;
      Query OK, 1 row affected (0.00 sec)
 mysql> create user 'ipscan-user'@'localhost' identified by 'ipscan-passwd';
      Query OK, 0 rows affected (0.01 sec)
 mysql> grant all privileges on ipscan.* to 'ipscan-user'@'localhost' identified by 'ipscan-passwd';
      Query OK, 0 rows affected (0.01 sec)
 mysql> exit

Modify the ipscan-user and ipscan-passwd entries to use your own values (different from the ones that you chose for root!) and enter the same credentials into the ipscan.h include file:

 // MySQL database-related globals
 #define MYSQL_HOST "localhost"
 #define MYSQL_USER "ipscan-user"
 #define MYSQL_PASSWD "ipscan-passwd"
 #define MYSQL_DBNAME "ipscan"
 #define MYSQL_TBLNAME "results"

Then you should be able to make ipscan as root user and perform the install to transfer the necessary cgi files into your preferred cgi-bin directory:

 # make && make install

Prior to running the ipscan tester it is advisable to add a cron job which will execute the sqltidy.pl script to remove the completed scan results to protect your users' security and minimise the size of your database:

First make sure the Perl MySQL database interface modules are installed (these are the same packages installed earlier; pacman will simply reinstall them if they are already present):

 # pacman -S perl-dbi perl-dbd-mysql

Then ensure that the script runs standalone without any perl errors:

 # /root/ipscan/sqltidy.pl

And finally edit root's crontab to insert the line shown below (modified to reflect your ipscan source directory):

 # crontab -e

 */5 * * * * /root/ipscan/sqltidy.pl 2>&1

You may wish to move sqltidy.pl to another location, but ensure its permissions prevent ordinary users from reading or executing the file, since it carries the database credentials.
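As an added example (not part of the wiki page or the ipscan project), a small POSIX shell script that checks the two points just made: that sqltidy.pl is owned by root and unreadable by other users, and that an active root crontab entry actually runs it. It assumes GNU stat (as shipped on Arch Linux) and the /root/ipscan/sqltidy.pl path used above.

```sh
#!/bin/sh
# Added check (not from the wiki page or the ipscan project): verifies that the
# credential-bearing sqltidy.pl is owned by root with no group/other permission
# bits, and that an active root crontab entry runs it. SCRIPT defaults to the
# path used on this page; override it if you moved the file.
SCRIPT="${SCRIPT:-/root/ipscan/sqltidy.pl}"

# check_perms FILE [OWNER] -> prints "ok", or the problem found (exit 1).
# Uses GNU stat, as shipped on Arch Linux.
check_perms() {
    f="$1"; want="${2:-root}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    [ "$owner" = "$want" ] || { echo "owner is $owner, expected $want"; return 1; }
    case "$mode" in
        *00) echo ok ;;   # 700, 500, 400: only the owner can read or run it
        *)   echo "mode $mode lets group/others read or run $f"; return 1 ;;
    esac
}

# check_cron CRONTAB_TEXT SCRIPT -> "ok" if a non-comment line invokes SCRIPT.
check_cron() {
    if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -Fq -- "$2"; then
        echo ok
    else
        echo "no active crontab entry for $2"; return 1
    fi
}

# Run against the live system only when asked, e.g.: sh check_sqltidy.sh --live
if [ "${1:-}" = "--live" ]; then
    check_perms "$SCRIPT"
    check_cron "$(crontab -l 2>/dev/null)" "$SCRIPT"
fi
```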

Check your Services and IPv6 address allocation

Now check that your Apache service is running, using lsof:

 # pacman -S lsof
 # lsof -i -n -P |grep http
 httpd     712     root    4u  IPv6   1457      0t0  TCP *:80 (LISTEN)
 httpd   16107     http    4u  IPv6   1457      0t0  TCP *:80 (LISTEN)

And for MySQL:

 # ps -ef |grep -i mysql
 root       392     1  0 Aug25 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --user=mysql
 mysql      688   392  0 Aug25 ?        01:47:48 /usr/bin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin 
                                                 --user=mysql --log-error=/var/lib/mysql/alarmpi.err --pid-file=/var/lib/mysql/alarmpi.pid 
                                                 --socket=/var/run/mysqld/mysqld.sock --port=3306

It is now worth checking that your Raspberry Pi has been correctly allocated an IPv6 address, using ifconfig:

 # ifconfig eth0
 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet AA.BB.C.DD  netmask  broadcast AA.BB.C.255
       inet6 2001:470:971f:3:ba27:ebff:fecc:dc7c  prefixlen 64  scopeid 0x0<global>
       inet6 fe80::ba27:ebff:fecc:dc7c  prefixlen 64  scopeid 0x20<link>
       ether b8:27:eb:cc:dc:7c  txqueuelen 1000  (Ethernet)
       RX packets 721789  bytes 103366589 (98.5 MiB)
       RX errors 0  dropped 48  overruns 0  frame 0
       TX packets 231210  bytes 130480722 (124.4 MiB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Assuming that your Raspberry Pi has a valid IPv6 address and that your Apache and MySQL services are correctly running then you should be able to point a web browser to your cgi file:

e.g. towards http://[2001:470:971f:3:ba27:ebff:fecc:dc7c]/cgi-bin6/ipscan-txt.cgi
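As an added example (not from the original page or the ipscan project), the two manual checks above as a script that parses `lsof -i -n -P` and `ifconfig eth0` output, confirming an IPv6 listener on port 80 and telling a global IPv6 address apart from a link-local-only host. The embedded sample output is constructed from the listings above, and the URL path cgi-bin6/ipscan-txt.cgi is the one this page uses.

```sh
#!/bin/sh
# Added post-install check (not from the wiki page or the ipscan project):
# scripted versions of the two manual checks above. Functions take the
# command output as an argument so they can also be run against captured text.

# httpd_listens_v6 LSOF_OUTPUT [PORT] -> success if some httpd process holds an
# IPv6 TCP LISTEN socket on PORT (default 80). Expects `lsof -i -n -P` columns.
httpd_listens_v6() {
    printf '%s\n' "$1" | awk -v p="${2:-80}" '
        $1 == "httpd" && $5 == "IPv6" && $8 == "TCP" && $10 == "(LISTEN)" {
            n = split($9, a, ":")      # *:80 or [::]:80 -> last field is the port
            if (a[n] == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# global_v6_addr IFCONFIG_OUTPUT -> prints the first global-scope inet6 address,
# skipping fe80::/10 link-local and ::1; fails if the host has none.
global_v6_addr() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && $2 !~ /^[fF][eE][89aAbB]/ && $2 != "::1" {
            print $2; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample, copied from the output shown above, used when run
# without --live so the script works offline.
SAMPLE_LSOF='httpd     712     root    4u  IPv6   1457      0t0  TCP *:80 (LISTEN)
httpd   16107     http    4u  IPv6   1457      0t0  TCP *:80 (LISTEN)'
SAMPLE_IFCONFIG='inet6 2001:470:971f:3:ba27:ebff:fecc:dc7c  prefixlen 64  scopeid 0x0<global>
inet6 fe80::ba27:ebff:fecc:dc7c  prefixlen 64  scopeid 0x20<link>'

main() {
    if [ "${1:-}" = "--live" ]; then
        lsof_out=$(lsof -i -n -P); ifc_out=$(ifconfig eth0)
    else
        lsof_out=$SAMPLE_LSOF; ifc_out=$SAMPLE_IFCONFIG
    fi
    if httpd_listens_v6 "$lsof_out"; then
        echo "httpd: IPv6 listener on port 80 found"
    else
        echo "httpd: no IPv6 listener on port 80"
    fi
    if addr=$(global_v6_addr "$ifc_out"); then
        echo "global IPv6 address: $addr"
        echo "test URL: http://[$addr]/cgi-bin6/ipscan-txt.cgi"
    else
        echo "no global IPv6 address (link-local only); check router advertisements"
    fi
}
main "$@"
```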

Restrict SSH Logins

In general it is recommended that you apply all the standard SSH hardening approaches. You can also restrict logins to the plain user you created above by adding the following line to your SSH daemon configuration file (/etc/ssh/sshd_config). I'd also recommend choosing a username which isn't a simple shortening of your own name:

 AllowUsers plnusr456

Simplistic IPv6 Firewall

As a general starting point please read the ArchLinux IPtables documentation.

Complete details coming soon ...

Needs to include:

  • firewall
  • php landing page example
