Changes

Jump to navigation Jump to search

Raspberry Pi IPv6 firewall tester installation (view source)

Revision as of 21:13, 16 September 2012

7,440 bytes added ,  21:13, 16 September 2012
no edit summary
Line 1: Line 1:    −
Before you begin please read the excellent [https://wiki.archlinux.org/index.php/Beginners%27_Guide Arch Linux Beginners' Guide].
+
=== Suggested Reading ===
 +
 
 +
Before you begin please read the excellent [https://wiki.archlinux.org/index.php/Beginners%27_Guide Arch Linux Beginners' Guide] and spend time browsing the [https://wiki.archlinux.org/index.php/Beginners%27_Guide Arch Linux Beginners Guide].
 +
 
 +
 
 +
=== Arch Linux Download and CF card creation ===
    
Fetch the Arch Linux download from [http://www.raspberrypi.org/downloads RaspberryPi Downloads]
 
Fetch the Arch Linux download from [http://www.raspberrypi.org/downloads RaspberryPi Downloads]
Line 6: Line 11:  
If using [http://www.softpedia.com/get/CD-DVD-Tools/Data-CD-DVD-Burning/Win32-Disk-Imager.shtml win32 disk imager] then please be aware that the image file needs to be extracted onto a local physical drive (e.g. C: ) rather than a network/remote drive.
 
If using [http://www.softpedia.com/get/CD-DVD-Tools/Data-CD-DVD-Burning/Win32-Disk-Imager.shtml win32 disk imager] then please be aware that the image file needs to be extracted onto a local physical drive (e.g. C: ) rather than a network/remote drive.
   −
Please spend time browsing the [https://wiki.archlinux.org/index.php/Beginners%27_Guide Arch Linux Beginners Guide].
+
 
 +
=== Login, Change the root password and Create a plain user ===
    
Having logged in as root, then make sure you change the default password:
 
Having logged in as root, then make sure you change the default password:
Line 15: Line 21:  
    
 
    
 
   # adduser
 
   # adduser
 +
 +
 +
=== Update your System and Install the Required Packages ===
 
    
 
    
 
Then update your system:
 
Then update your system:
Line 105: Line 114:     
   snd_bcm2835
 
   snd_bcm2835
 +
 +
 +
=== Install git, download and build ipscan ===
 +
 +
Then install git and download the ipscan source:
 +
 +
  # pacman -S git
 +
  resolving dependencies...
 +
  looking for inter-conflicts...
 +
 
 +
  Targets (2): perl-error-0.17018-1  git-1.7.12-1
 +
 
 +
  Total Download Size:    2.73 MiB
 +
  Total Installed Size:  15.50 MiB
 +
 
 +
  Proceed with installation? [Y/n]
 +
  :: Retrieving packages from extra...
 +
  perl-error-0.17018-1-any                                  17.5 KiB  87.2K/s 00:00 [###############################################] 100%
 +
  git-1.7.12-1-arm                                          2.7 MiB  414K/s 00:07 [###############################################] 100%
 +
  (2/2) checking package integrity                                                  [###############################################] 100%
 +
  (2/2) loading package files                                                        [###############################################] 100%
 +
  (2/2) checking for file conflicts                                                  [###############################################] 100%
 +
  (2/2) checking available disk space                                                [###############################################] 100%
 +
  (1/2) installing perl-error                                                        [###############################################] 100%
 +
  (2/2) installing git                                                              [###############################################] 100%
 +
  Optional dependencies for git
 +
      tk: gitk and git gui
 +
      perl-libwww: git svn
 +
      perl-term-readkey: git svn
 +
      perl-mime-tools: git send-email
 +
      perl-net-smtp-ssl: git send-email TLS support
 +
      perl-authen-sasl: git send-email TLS support
 +
      python2: various helper scripts
 +
      subversion: git svn
 +
      cvsps: git cvsimport
 +
 +
Then clone the ipscan source into a directory under your root user account:
 +
 +
  [root@alarmpi ~]# git clone https://github.com/timsgit/ipscan ipscan
 +
  Cloning into 'ipscan'...
 +
  remote: Counting objects: 221, done.
 +
  remote: Compressing objects: 100% (200/200), done.
 +
  remote: Total 221 (delta 156), reused 85 (delta 20)
 +
  Receiving objects: 100% (221/221), 102.97 KiB, done.
 +
  Resolving deltas: 100% (156/156), done.
 +
  [root@alarmpi ~]# ls ipscan
 +
  COPYING  ipscan.c  ipscan_checks.c  ipscan_db.c  ipscan.h  ipscan_portlist.h  ipscan_web.c  Makefile  README  sqltidy.pl
 +
  [root@alarmpi ~]#
 +
 
 +
Now follow the instructions in the [https://github.com/timsgit/ipscan/blob/master/README READ file] within ipscan's github repository.
 +
 +
It's necessary to change the Makefile to reflect your Apache server's  cgi-bin directory mapping:
 +
 +
Assuming your Apache configuration file (/etc/httpd/conf/httpd.conf) contains:
 +
 +
  DocumentRoot "/srv/http/htdocs"
 +
 +
and ...
 +
 
 +
  ScriptAlias /cgi-bin6/ "/srv/http/cgi-bin6/"
 +
 +
and ...
 +
 +
  <Directory "/srv/http/cgi-bin6">
 +
    AllowOverride None
 +
    Options +ExecCGI -Includes
 +
    Order allow,deny
 +
    Allow from all
 +
  </Directory>
 +
 +
then modify your ipscan Makefile to reflect this:
 +
 +
  # Install location for the CGI files
 +
  TARGETDIR=/srv/http/cgi-bin6
 +
 +
  # HTTP URI PATH by which external hosts will access the CGI files.
 +
  # This may well be unrelated to the installation path if Apache is configured
 +
  # to provide CGI access via an alias.
 +
  # NB : the path should begin with a / but must NOT end with one ....
 +
  URIPATH=/cgi-bin6
 +
 +
Make sure you have created the /srv/http/cgi-bin6 directory (or whatever you have chosen) before attempting to build ipscan. Then make sure your MySQL database is created following the instructions in the github repository. You will need to login to mysql using the root password you previously defined (above):
 +
 +
  # mysql -u root -p
 +
 
 +
  mysql> create database ipscan;
 +
      Query OK, 1 row affected (0.00 sec)
 +
 +
      Note: it is unnecessary to re-create the user if upgrading from a previous version.
 +
     
 +
  mysql> create user 'ipscan-user'@'localhost' identified by 'ipscan-passwd';
 +
      Query OK, 0 rows affected (0.01 sec)
 +
 +
  mysql> grant all privileges on ipscan.* to 'ipscan-user'@'localhost' identified by 'ipscan-passwd';
 +
      Query OK, 0 rows affected (0.01 sec)
 +
 +
  mysql> exit
 +
 +
Modify the ipscan-user and ipscan-passwd entries to use your preferences (different to the ones that you chose for root!) and enter the same credentials into the ipscan.h include file:
 +
 +
  // MySQL database-related globals
 +
 
 +
  #define MYSQL_HOST "localhost"
 +
  #define MYSQL_USER "ipscan-user"
 +
  #define MYSQL_PASSWD "ipscan-passwd"
 +
  #define MYSQL_DBNAME "ipscan"
 +
  #define MYSQL_TBLNAME "results"
 +
 +
Then you should be able to make ipscan as root user and perform the install to transfer the necessary cgi files into your preferred cgi-bin directory:
 +
 +
  # make && make install
 +
 +
Prior to running the ipscan tester it is advisable to add a cron job which will execute the sqltidy.pl script to remove the completed scan results to protect your users' security and minimise the size of your database:
 +
 +
First install the necessary perl mysql data base interface modules:
 +
 +
  # pacman -S perl-dbi-mysql perl-mysql 
 +
 
 +
Then ensure that the script runs standalone without any perl errors:
 +
 +
  # /root/ipscan/sqltidy.pl
 +
 
 +
And finally edit the root cron job to insert the line shown below (modified to reflect your ipscan source directory):
 +
 +
  # crontab -e
 +
 
 +
You may wish to move sqltidy.pl to another location, but ensure it's permissions prevent ordinary users from reading or executing the file:
 +
 +
  */5 * * * * /root/ipscan/sqltidy.pl 2>&1
 +
 +
=== Check your Services and IPv6 address allocation ===
 +
 
 +
Now it is suggested that you check your Apache service is running using lsof:
 +
 +
  # pacman -S lsof
 +
 
 +
  # lsof -i -n -P |grep http
 +
  httpd    712    root    4u  IPv6  1457      0t0  TCP *:80 (LISTEN)
 +
  httpd  16107    http    4u  IPv6  1457      0t0  TCP *:80 (LISTEN)
 +
  ...
 +
 +
And for MySQL:
 +
 +
  # ps -ef |grep -i mysql
 +
  root      392    1  0 Aug25 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --user=mysql
 +
  mysql      688  392  0 Aug25 ?        01:47:48 /usr/bin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/lib/mysql/alarmpi.err --pid-file=/var/lib/mysql/alarmpi.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
 +
 +
It is now worth checking that your Raspberry Pi has been correctly allocated an IPv6 address, using ifconfig:
 +
 +
  # ifconfig
 +
  eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
 +
        inet AA.BB.C.DD  netmask 255.255.255.0  broadcast AA.BB.C.255
 +
        inet6 2001:470:971f:3:ba27:ebff:fecc:dc7c  prefixlen 64  scopeid 0x0<global>
 +
        inet6 fe80::ba27:ebff:fecc:dc7c  prefixlen 64  scopeid 0x20<link>
 +
        ether b8:27:eb:cc:dc:7c  txqueuelen 1000  (Ethernet)
 +
        RX packets 721789  bytes 103366589 (98.5 MiB)
 +
        RX errors 0  dropped 48  overruns 0  frame 0
 +
        TX packets 231210  bytes 130480722 (124.4 MiB)
 +
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 +
 +
 +
Assuming that your Raspberry Pi has a valid IPv6 address and that your Apache and MySQL services are correctly running then you should be able to point a web browser to your cgi file:
 +
 +
e.g. towards http://[2001:470:971f:3:ba27:ebff:fecc:dc7c]/cgi-bin6/ipscan-txt.cgi
      Line 111: Line 284:  
Needs to include:
 
Needs to include:
   −
* git
  −
* installing ipscan
   
* locking down ssh
 
* locking down ssh
 
* firewall
 
* firewall
* cron jobs
   
* php landing page example
 
* php landing page example
  
Retrieved from ‘https://wiki.chappell-family.com/wiki/index.php?title=Special:MobileDiff/163

Navigation menu