Saturday, May 29, 2010

HOW-TO: Harden A Fresh CentOS 5.x Server

SkyHi @ Saturday, May 29, 2010


#!/bin/sh
set -ve

# Script to harden a fresh CentOS 4 or 5 base server install, which installs
# any updated packages plus a few useful extras, removes unnecessary
# services and setuid bits, and does a little performance tuning.
# Running it more than once shouldn't hurt anything.
#
# Run with:
#   wget -O- http://ftp.die.net/pub/harden-centos/harden-centos | sh

PATH=/bin:/usr/bin:/sbin:/usr/sbin

# Update rpm and yum if possible. (Limit dependencies.)
yum -y install rpm yum

# Installing useful packages
yum -y install joe tcpdump mtr postfix strace zsh gdb perl vixie-cron logrotate

# Removing unnecessary daemons and setuid binaries
yum -y remove squid krb5-workstation cups at rsh sudo isdn4k-utils sendmail \
  slocate apmd irda-utils mt-st gpm samba-common sendmail-cf talk \
  up2date ypbind yp-tools wvdial lockdev procmail xorg-x11-font-utils \
  pam_ccreds gdm bluez-utils yum-updatesd

# Upgrading to latest packages
yum -y upgrade

# Removing unnecessary setuid bits (everything except a short whitelist)
find / /usr -xdev -type f -perm +04000 | \
  grep -vP '^(/bin/(su|ping|traceroute)|/usr/bin/(passwd|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
  xargs -r chmod ug-s

# Removing unnecessary setgid bits
find / /usr -xdev -type f -perm +02000 | \
  grep -vP '^(/usr/sbin/(utempter|postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
  xargs -r chmod g-s

# Setting nosuid,nodev on user partitions, noatime on ext2 and ext3
perl -i~ -p -e 's/(\sext[23]\s+)(defaults)(?=\s)/$1$2,noatime/;next if m#\s/(?:usr|bin)?\s#;next unless m#\s(ext[23]|tmpfs|auto)\s#;s/(?<=\s)(defaults(?:,noatime)?)(?=\s)/$1,nosuid,nodev/' /etc/fstab

# Adding blackhole routes for bogons
[ -f /etc/sysconfig/network-scripts/route-lo ] || cat <<EOF > /etc/sysconfig/network-scripts/route-lo
blackhole 0.0.0.0/8
blackhole 10.0.0.0/8
blackhole 169.254.0.0/16
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16
blackhole 198.18.0.0/15
EOF

# Add useful settings to /etc/sysctl.conf
grep -q kernel.panic /etc/sysctl.conf || cat <<EOF >> /etc/sysctl.conf
# Reboot a minute after an Oops
kernel.panic = 60
# Syncookies make SYN flood attacks ineffective
net.ipv4.tcp_syncookies = 1
# Ignore bad ICMP
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Reply to ARPs only from correct interface (required for DSR load-balancers)
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
EOF
sysctl -p

# Allow any following commands to fail without stopping
set +e

# Shutting down unwanted services
for d in acpid rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon avahi-dnsconfd pcscd bluetooth; do
  chkconfig $d off
  service $d stop
done

# Turn on cron-based auto-updates
yum -y install yum-cron
for d in crond yum yum-cron; do
  chkconfig $d on
  service $d start
done

# COMPLETED!
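Before running the script on a box that matters, it is worth seeing which files the setuid/setgid pass would touch, because stripping the bit from a binary the host relies on (a local mail delivery agent, a site-specific tool) breaks it silently. The audit function below is an added example and not part of the harden-centos script: it reuses the script's two whitelists (the SUID_KEEP_RE and SGID_KEEP_RE names are this example's) and prints, without changing anything, every set-id file under a directory that the script would chmod. It uses -perm -4000 / -perm -2000 rather than the script's +04000 form, which newer GNU find no longer accepts (the /4000 spelling replaced it).

```shell
# Added example (not part of the original harden script): dry-run audit of the
# setuid/setgid pass. It lists the files whose set-id bits would be stripped
# instead of changing them, so the list can be reviewed first.
# The two whitelists mirror the script's grep patterns; the variable names are
# chosen here.
SUID_KEEP_RE='^(/bin/(su|ping|traceroute)|/usr/bin/(passwd|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$'
SGID_KEEP_RE='^(/usr/sbin/(utempter|postdrop|postqueue)|/usr/bin/ssh-agent)$'

# Usage: audit_setid ROOT_DIR
# Prints "setuid <path>" / "setgid <path>" for every set-id regular file under
# ROOT_DIR (same filesystem only, like the script's -xdev) that is not on the
# whitelist. -perm -4000 means "this bit is set", which every find supports.
audit_setid() {
    root="$1"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | \
        grep -Ev "$SUID_KEEP_RE" | sed 's/^/setuid /'
    find "$root" -xdev -type f -perm -2000 2>/dev/null | \
        grep -Ev "$SGID_KEEP_RE" | sed 's/^/setgid /'
}

# Typical use on a real host, before deciding whether to run the script:
#   audit_setid / | sort
```

Anything on the list that the host needs keeps working only if it is added to the whitelist pattern before the script runs; the script itself has no dry-run mode.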



Thanks to webicero for creating this guide.

For more information and guides about hardening and securing your server, you may also read the guides at SecureCentOS.com.

REFERENCES
http://www.elevatedservers.net/forums/how-harden-fresh-centos-server-t-28.html

Installing suPHP on Centos 5

SkyHi @ Saturday, May 29, 2010
suPHP is a tool that allows PHP scripts to be executed with the permissions of their owners. By not running PHP scripts with the web server's user rights, suPHP increases the server's security.

First install httpd-devel and compiler tools:

yum install httpd-devel gcc gcc-c++ make

Download suPHP source code and extract it

wget http://www.suphp.org/download/suphp-0.7.1.tar.gz
tar -xvzf suphp-0.7.1.tar.gz
cd suphp-0.7.1

Now we compile suPHP

./configure --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-logfile=/var/log/httpd/suphp_log --with-setid-mode=paranoid --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-php=/usr/bin/php-cgi --enable-SUPHP_USE_USERGROUP=yes

make
make install

Next, create suphp.conf to configure Apache so that it calls suPHP to interpret PHP scripts:

nano /etc/httpd/conf.d/suphp.conf

Add this configuration:

LoadModule suphp_module modules/mod_suphp.so
suPHP_Engine on
AddType application/x-httpd-php .php
<Directory />
suPHP_AddHandler application/x-httpd-php
</Directory>

Save the file. The next step is to disable the mod_php configuration, since suPHP now handles PHP:

mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.disabled

With the Apache configuration done, we next create the suphp.conf file, which contains the suPHP configuration:

nano /etc/suphp.conf

and copy this to the new file:

[global]
;Path to logfile
logfile=/var/log/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=apache

;Path all scripts have to be in
docroot=/var/www:${HOME}/public_html

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=0

; Minimum GID

After Apache and suPHP are configured, we need to add the suPHP_UserGroup option to each virtual host hosted on the server. For example, the domain.com virtual host would look like:

<VirtualHost 192.168.0.1:80>
DocumentRoot /home/user/public_html
<Directory "/home/user/public_html">
allow from all
Options +Indexes
</Directory>
ServerName domain.com
ErrorLog /var/log/httpd/domain.com
LogLevel warn
suPHP_UserGroup user user
</VirtualHost>

"user" should be replaced with the real username on your server that owns the PHP scripts. Make sure all files are owned by that user, otherwise you'll get a 500 error code (Internal Server Error).

Now let's test the configuration

service httpd configtest

If everything is OK, restart the Apache server:

service httpd restart
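Two checks that save a round of 500 errors, added here as an example rather than taken from the original post. suphp_preflight (a name chosen here) lists the files in a docroot that the configuration above would reject: anything not owned by the user named in suPHP_UserGroup, and anything group- or other-writable, since all four allow_*_writeable options are false. suphp_conf_warnings flags min_uid or min_gid values below 500, the first regular-user id on CentOS 5: with min_uid=0, as in the sample suphp.conf, a PHP file owned by root would be executed as root, which defeats the purpose of suPHP.

```shell
# Added example, not part of the original post: pre-flight checks for a vhost
# against the suphp.conf policy shown above. Function names are chosen here.

# Usage: suphp_preflight DOCROOT USER
# Prints one line per offending entry: "owner <path>" for files/directories not
# owned by USER (suPHP_UserGroup), "writable <path>" for entries that are
# group- or other-writable (rejected because allow_*_writeable=false).
suphp_preflight() {
    docroot="$1"; user="$2"
    {
        find "$docroot" ! -user "$user" -print | sed 's/^/owner /'
        find "$docroot" \( -perm -020 -o -perm -002 \) -print | sed 's/^/writable /'
    } | sort
}

# Usage: suphp_preflight_ok DOCROOT USER
# Returns 0 when the tree is clean, 1 when suPHP would refuse something.
suphp_preflight_ok() {
    n=$(suphp_preflight "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Usage: suphp_conf_warnings SUPHP_CONF
# Prints "weak min_uid=N" / "weak min_gid=N" when either is below 500, the
# lowest regular-user id on CentOS 5; ';' comment lines are skipped.
suphp_conf_warnings() {
    awk -F= '
        /^[[:space:]]*;/ { next }
        $1 == "min_uid" || $1 == "min_gid" { if ($2 + 0 < 500) print "weak " $1 "=" $2 }
    ' "$1"
}

# Typical use before "service httpd restart":
#   suphp_preflight /home/user/public_html user
#   suphp_conf_warnings /etc/suphp.conf
```

A non-empty result from either function is what turns into an Internal Server Error (or a root-owned script running as root) once Apache is restarted, so fix ownership and modes first.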

Related Article
http://markus.revti.com/2010/03/installing-suphp-on-centos-5/

yum update script

SkyHi @ Saturday, May 29, 2010

So the other week I have been working on my dedicated box, just to make it a bit easier to work with in the future. One of the things I was trying to understand and learn was yum update and bash scripting. So why not combine the two? Right.. This blog entry is the result, hopefully also of some use to others.


I am on a CentOS 5 (5.2) 32bit Server, and I use yum to automatically update, delete, upgrade, and install packages. This way that’s a bit easier for me to run my server and keep it up to date. For example, when there’s one or more updates you can type yum update, or yum upgrade to get everything. Anyway, look into that if you’re interested. http://prefetch.net/articles/yum.html


So once in a while when you log into your box you can do yum upgrade and have it do its thing. This should help you fix known bugs, upgrade to newer releases, and fix known security issues. This doesn’t sound like a bad thing.


But when I log into SSH2 I am not a root user, and I am there for other tasks, so it is really easy to forget. And because I don’t trust to have a crontab entry auto upgrade and overwrite config files, etc .. I prefer to actually “be there” when it happens and have the choice to y/n to questions.


What I can do is install a crontab entry that runs a script daily. This script can check if there are updates, and emails me if that’s the case. This way I don’t have to think about it really and it just goes to my Gmail “server” label.


In my crontab I put the following:


0 0 * * * /etc/scripts/checkyum


And the checkyum script looks like this:


#!/bin/sh
#
# Program: E-mail available yum updates <checkyum>
#
# Original Author: Matty < matty91 at gmail dot com >
# Updated by Floris for personal use.
#
# Current Version: 1.2.Floris
#
# License:
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#

PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH

# Locations of binaries
GREP="/bin/grep"
HOST=`hostname`
MAIL="/bin/mail"
MKTEMP="/bin/mktemp"
YUM="/usr/bin/yum"

# Who to E-mail with new updates
ADMIN="YOUR@EMAIL"

# Make sure every binary we depend on is present
for BIN in ${YUM} ${MKTEMP} ${MAIL} ${GREP}
do
    if [ ! -f ${BIN} ]
    then
        echo "Cannot find ${BIN}"
        exit 1
    fi
done

# Dump the yum results to a safe working file
WORK=`${MKTEMP} /tmp/yum.results.XXXXXX`
REPORT=""

# check-update exits 100 when updates are available, 0 when there are none
${YUM} -e0 -d0 check-update > ${WORK}

# If there are updates available, E-mail them
if [ -s ${WORK} ]
then
    REPORT=`${MKTEMP} /tmp/yum.report.XXXXXX`
    echo "==== The following updates are available for ${HOST} ===" > ${REPORT}
    cat ${WORK} >> ${REPORT}
    # mail the report to ${ADMIN} with the mailer configured above
    ${MAIL} ${ADMIN} < ${REPORT}
fi

# Cleanup temporary files (REPORT is empty when nothing was pending)
rm -f ${REPORT} ${WORK}


There’s nothing else to it, and every so often you get an email that looks like this:


==== The following updates are available for YOUR_SERVER ===

nss_ldap.i386                            253-13.el5_2.1         updates


Which you can ignore, or you can go into the box, and run yum upgrade to process it.


Hm, I likey!


REFERENCES

http://mrfloris.com/blogs/yum-update-script/

mitigate (D)DoS attacks

SkyHi @ Saturday, May 29, 2010
(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with over a pre-configured number of connections are automatically blocked in the server's firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)
Notable Features

It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
Simple configuration file: /usr/local/ddos/ddos.conf
IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
The script can run at a chosen frequency via the configuration file (default: 1 minute)
You can receive email alerts when IP addresses are blocked.

Installation

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh


#!/bin/sh
if [ -d '/usr/local/ddos' ]; then
 echo; echo; echo "Please un-install the previous version first"
 exit 0
else
 mkdir /usr/local/ddos
fi
clear
echo; echo 'Installing DOS-Deflate 0.6'; echo
echo; echo -n 'Downloading source files...'
wget -q -O /usr/local/ddos/ddos.conf http://www.inetbase.com/scripts/ddos/ddos.conf
echo -n '.'
wget -q -O /usr/local/ddos/LICENSE http://www.inetbase.com/scripts/ddos/LICENSE
echo -n '.'
wget -q -O /usr/local/ddos/ignore.ip.list http://www.inetbase.com/scripts/ddos/ignore.ip.list
echo -n '.'
wget -q -O /usr/local/ddos/ddos.sh http://www.inetbase.com/scripts/ddos/ddos.sh
chmod 0755 /usr/local/ddos/ddos.sh
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
echo '...done'

echo; echo -n 'Creating cron to run script every minute.....(Default setting)'
/usr/local/ddos/ddos.sh --cron > /dev/null 2>&1
echo '.....done'
echo; echo 'Installation has completed.'
echo 'Config file is at /usr/local/ddos/ddos.conf'
echo 'Please send in your comments and/or suggestions to zaf@vsnl.com'
echo
cat /usr/local/ddos/LICENSE | less

Uninstallation

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
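To see what the script would block before letting it run every minute on a production box, the per-IP tally can be run over a saved netstat listing. The functions below are an added example and not part of (D)DoS Deflate; the sample netstat -ntu output and ignore list are constructed, and the function names are this example's. The port is stripped from the end of the foreign address rather than with cut -d: -f1, so IPv6 peers (whose addresses contain colons) are counted correctly instead of collapsing into one bucket.

```shell
# Added example, not part of (D)DoS Deflate: the per-IP connection count at the
# heart of the script, run over a saved `netstat -ntu` listing and an ignore
# list. Function names are chosen here.

# Usage: conn_counts NETSTAT_FILE
# Prints "count address" per remote peer, highest first. Header lines are
# skipped, the port is removed from the end of the foreign address, and
# listening sockets ("0.0.0.0:*") are ignored.
conn_counts() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $5 !~ /:\*$/ { sub(/:[0-9]+$/, "", $5); print $5 }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Usage: over_limit NETSTAT_FILE LIMIT IGNORE_FILE
# Prints the addresses with at least LIMIT connections that are not listed in
# IGNORE_FILE (one address per line, "#" comments allowed), i.e. the set the
# script would hand to iptables or APF.
over_limit() {
    conn_counts "$1" | awk -v limit="$2" -v wl="$3" '
        BEGIN { while ((getline line < wl) > 0) if (line != "" && line !~ /^#/) ignore[line] = 1 }
        $1 >= limit && !($2 in ignore) { print $2 }'
}

# Constructed sample of `netstat -ntu` output (documentation addresses only).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 10.0.0.5:80                 203.0.113.7:51234           ESTABLISHED
tcp        0      0 10.0.0.5:80                 203.0.113.7:51235           ESTABLISHED
tcp        0      0 10.0.0.5:80                 203.0.113.7:51236           ESTABLISHED
tcp        0      0 10.0.0.5:80                 198.51.100.20:4411          ESTABLISHED
tcp        0      0 10.0.0.5:22                 198.51.100.20:4412          ESTABLISHED
tcp        0      0 10.0.0.5:80                 192.0.2.9:33001             TIME_WAIT
tcp6       0      0 2001:db8::5:80              2001:db8::77:6000           ESTABLISHED
tcp6       0      0 2001:db8::5:80              2001:db8::77:6001           ESTABLISHED
tcp6       0      0 2001:db8::5:80              2001:db8::77:6002           ESTABLISHED
udp        0      0 0.0.0.0:123                 0.0.0.0:*
EOF
}

# Constructed ignore list in the format of /usr/local/ddos/ignore.ip.list.
sample_ignore_list() {
    cat <<'EOF'
# monitoring host and the IPv6 load balancer
127.0.0.1
2001:db8::77
EOF
}

# Live use: netstat -ntu > /tmp/ns.txt; over_limit /tmp/ns.txt 150 /usr/local/ddos/ignore.ip.list
```

Running this against a listing taken during normal peak traffic shows how low a NO_OF_CONNECTIONS-style threshold can go before legitimate NAT gateways or monitoring hosts start appearing in the output; those belong in the ignore list rather than in the firewall.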


REFERENCES
http://deflate.medialayer.com/

CentOS patching --exclude=kernel,kernel-headers

SkyHi @ Saturday, May 29, 2010
In my normal everyday job, I am tasked with managing and maintaining about 30-40 production CentOS servers. Being a security guy, I maintain a pretty rigorous patching routine. However, because these servers are customer production servers, one very important caveat is that I need to do everything I can to minimize customer downtime.

Normally when I patch a server, my routine is:

yum check-update (check what updates are available)

yum -y update (update everything)

And if the list produced by check-update shows the kernel or kernel-headers packages in the list, I promptly reboot the server. This translates into about 5 minutes of downtime for the customer as the server reboots.

So that got me thinking. Is every kernel update critical or can they easily be delayed? So then I stumbled across this excellent plug-in for yum.

yum-changelog-1.1.10-9.el5.centos

Name : yum-changelog
Arch : noarch
Version: 1.1.10
Release: 9.el5.centos
Size : 12 k
Repo : installed
Summary: Yum plugin for viewing package changelogs before/after updating
Description:
This plugin adds a command line option to allow viewing package changelog
deltas before or after updating packages.

Perfect! That will allow me to see exactly what is changing with each new version of the kernel. So I install that with:

yum install yum-changelog

Now we can use yum to show us the change log for certain packages. So, if I want to see the change log for the kernel related package, I could run something like:

yum update kernel kernel-headers --changelog

This will produce output similar to:

Changes in packages about to be updated:

kernel-headers - 2.6.18-92.1.22.el5.x86_64
* Wed Dec 17 06:00:00 2008 Karanbir Singh [2.6.18-92.1.22.el5.centos]
- Roll in CentOS Branding

* Sat Dec 6 06:00:00 2008 Jiri Pirko [2.6.18-92.1.22.el5]
- [misc] hugepages: ia64 stack overflow and corrupt memory (Larry Woodman ) [474347 472802]
- [misc] allow hugepage allocation to use most of memory (Larry Woodman ) [474760 438889]


Ah, ha. As I suspected. Two memory related bugfixes and CentOS branding. Because we are currently not experiencing any memory related issues, this patch does NOT rate as critical and warrant immediate customer downtime. This can be delayed.

So now I can apply the other patches and exclude the kernel upgrades with:

yum update --exclude=kernel,kernel-headers

Now, I have a script that runs nightly on all my CentOS servers. This script gathers nightly statistics, log entries, etc. from my servers and emails it to me. This is pretty much just a CentOS port of my old Gentoo Update Script, with some CentOS specific changes and additional features. The other thing it does is generate a list (via yum check-update) of all the updates required. So the question now is, how can I get this interactive command to run via an automated script? The easiest way I could come up with is:

echo n | yum update kernel kernel-headers --changelog

Probably not the cleanest way, but does the job very well.

REFERENCE
http://monkey-house-org.blogspot.com/2009/02/centos-patching.html

Yum Check or Install Updates Script

SkyHi @ Saturday, May 29, 2010
Here's a quick script that will check yum updates and email you when there are new updates available.

Split into two sections, one script is for all package updates, and the other script is for letting us know if we need to reboot when a new kernel package has been installed.

Script to check for updates:

check-yum-updates.sh

#!/bin/bash
#
# check-yum-updates.sh
#
# checks for yum updates and emails if there are any available
#
#
# Eric Thern
# Zoidial Incorporated
# http://www.zoidial.com
#
# last update:
# Dec 30, 2008
#

#
# change this to your email
#
email="youremail@youremail.com"

#
# no need to change anything below here
#

yumtmp="/tmp/yum-check-update.$$"
yum="/usr/bin/yum"

$yum check-update >& $yumtmp

yumstatus="$?"

hostname=$(/bin/hostname)

# yum check-update exits 0 when nothing is pending, 100 when updates are
# available, and 1 when yum itself failed (e.g. a repository was unreachable)
case $yumstatus in
0)
# no updates!
;;
100)
date=$(date)
# package lines end their first column with the architecture; the dot is
# escaped so it is matched literally
number=$(egrep -c '\.(i386|x86_64|noarch|src)' $yumtmp)
updates=$(egrep '\.(i386|x86_64|noarch|src)' $yumtmp)
echo "
There are $number updates available on host $hostname at $date

The available updates are:
$updates
" | /bin/mail -s "UPDATE: $number updates available for $hostname" $email
;;
*)
# yum failed: mail its output instead of silently reporting nothing
/bin/mail -s "ERROR: yum check-update failed (exit $yumstatus) on $hostname" $email < $yumtmp
;;
esac

# clean up (only this run's file, not every file matching the prefix)

rm -f $yumtmp

Script to check the kernel (here we use 'ovzkernel' since we're running with an OpenVZ kernel; if you have a stock CentOS kernel, change this to 'kernel'):

check-yum-kernel.sh

#!/bin/bash
email=youremail@youremail.com
# rpm -q lists installed kernels in install order, so the last line is the
# newest; the sed strips the package name prefix, so it works for
# "ovzkernel-" as well as "kernel-" (plain 's/kernel-//' leaves "ovz" in
# front of the version and the comparison below never matches)
latestkernel=$(rpm -q ovzkernel | tail -n1 | sed -e 's/^[a-z]*kernel-//')

echo "$latestkernel"

# uname -a mentions the running version; if the newest installed one is
# absent from it, a reboot is pending
if uname -a | grep -qv "$latestkernel"; then
echo "Running Kernel is" `uname -r` "but latest installed rpm is ${latestkernel}" |\
mail -s "UPDATE: ${HOSTNAME} reboot required" $email
fi

Crontab entries:

30 21 * * * /root/bin/check-yum-updates.sh >/dev/null 2>&1
30 21 * * * /root/bin/check-yum-kernel.sh >/dev/null 2>&1

Run at 9:30 every night. Change times and paths to suit.
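The three scripts above (checkyum, check-yum-updates.sh and check-yum-kernel.sh) and the --changelog workflow in the CentOS patching post all hinge on two pieces of parsing: picking the package lines out of `yum check-update` output, and comparing the newest installed kernel RPM with the running kernel. The functions below are an added example, not the posts' code, and pull those pieces into one place so that either cron job can be built on them. The sample check-update listing is constructed (only the nss_ldap line is the one quoted in the first post), and all function names are this example's. yum check-update itself exits 100 when updates are pending, 0 when there are none and 1 on error, which is what a cron script should key on rather than "anything non-zero".

```shell
# Added example, not taken from the posts above: parsing `yum check-update`
# output and deciding whether a reboot is due. Function names are chosen here.

# Usage: yum_update_list CHECK_UPDATE_OUTPUT_FILE
# Package lines have three columns: name.arch  version-release  repo. Everything
# else ("Loaded plugins: ...", blank lines, obsolete notices) is dropped by
# requiring exactly three fields and an architecture suffix on the first.
yum_update_list() {
    awk 'NF == 3 && $1 ~ /\.(i386|i686|x86_64|noarch|src)$/ { print $1, $2 }' "$1"
}

# Usage: yum_update_count CHECK_UPDATE_OUTPUT_FILE
yum_update_count() {
    yum_update_list "$1" | wc -l | tr -d ' '
}

# Usage: yum_kernel_pending CHECK_UPDATE_OUTPUT_FILE
# Prints the pending kernel packages (kernel, kernel-headers, ovzkernel, ...).
# Non-empty output is the cue to either run the changelog review or apply the
# rest with --exclude=kernel,kernel-headers and schedule the reboot.
yum_kernel_pending() {
    yum_update_list "$1" | awk '$1 ~ /^([a-z]*kernel)(-[a-z]+)*\./'
}

# Usage: kernel_rpm_version PACKAGE_NVR
# Turns "kernel-2.6.18-92.1.22.el5.x86_64" or "ovzkernel-2.6.18-128.2.1.el5..."
# into the version-release string that `uname -r` reports: the package name
# prefix and any trailing architecture are removed.
kernel_rpm_version() {
    printf '%s\n' "$1" | sed -E 's/^[a-z]*kernel-//; s/\.(i386|i686|x86_64)$//'
}

# Usage: reboot_needed RUNNING_KERNEL LATEST_KERNEL_RPM
# e.g. reboot_needed "$(uname -r)" "$(rpm -q kernel | tail -n1)"
# Returns 0 when the newest installed kernel is not the one running.
reboot_needed() {
    [ "$1" != "$(kernel_rpm_version "$2")" ]
}

# Constructed sample of `yum check-update` output (versions are made up except
# for the nss_ldap line quoted in the post above).
sample_check_update_output() {
    cat <<'EOF'
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile

kernel.x86_64                            2.6.18-92.1.22.el5          updates
kernel-headers.x86_64                    2.6.18-92.1.22.el5          updates
nss_ldap.i386                            253-13.el5_2.1              updates
openssl.x86_64                           0.9.8e-7.el5_2.1            updates
EOF
}

# Live use from cron:
#   /usr/bin/yum -e0 -d0 check-update > /tmp/yum.out.$$; rc=$?
#   case $rc in 100) yum_kernel_pending /tmp/yum.out.$$ ;; 0) : ;; *) echo "yum failed ($rc)" ;; esac
```

Keying the mail on the exit status (100 versus 1) is what keeps a repository outage from being reported as "0 updates available", and separating the kernel packages from the rest is what lets the non-kernel updates go out nightly while the reboot is planned around the customer.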

REFERENCES
http://thern.org/linux-and-freebsd/yum-update-check-script-runs-via-crontab-and-emails-when-new-updates-are-available/

CentOS / RHEL Configure Yum Automatic Update Retrieval and Installation

SkyHi @ Saturday, May 29, 2010

The yum command line tool is used to install and update software packages under RHEL / CentOS Linux server. I know how to apply updates using yum update command line, but I'd like to use cron to manually update packages where appropriate. How do I configure yum to install software patches / updates automatically with cron?

You can use the yum-updatesd service provided with CentOS / RHEL servers. However, that service adds some overhead. Instead, you can apply updates daily or weekly with the following shell script. Create

  • /etc/cron.daily/yumupdate.sh to apply updates once a day.
  • /etc/cron.weekly/yumupdate.sh to apply updates once a week.

Sample shell script to update system

A shell script that instructs yum to update any packages it finds via cron:

#!/bin/bash
YUM=/usr/bin/yum
$YUM -y -R 120 -d 0 -e 0 update yum
$YUM -y -R 10 -e 0 -d 0 update

(Code listing -01: /etc/cron.daily/yumupdate.sh)

Where,

  1. The first command updates yum itself; the second applies the system updates.
  2. -R 120 : Sets the maximum amount of time yum will wait before performing a command
  3. -e 0 : Sets the error level to 0 (range 0 - 10). 0 means print only critical errors about which you must be told.
  4. -d 0 : Sets the debugging level to 0 - turns up or down the amount of things that are printed. (range: 0 - 10).
  5. -y : Assume yes; assume that the answer to any question which would be asked is yes.

Make sure you setup executable permission:
# chmod +x /etc/cron.daily/yumupdate.sh


REFERENCES

http://www.cyberciti.biz/faq/fedora-automatic-update-retrieval-installation-with-cron/

Thursday, May 27, 2010

Quickly - how to download a file to the ESX 3.x service console?

SkyHi @ Thursday, May 27, 2010
VMware ESX 3.x is missing the wget package, so you can't use the wget command to download anything from the Internet. Instead of wget, the service console provides the lwp-* tools, simple Perl scripts based on the LWP and URI Perl modules, which allow you to do some basic tasks over HTTP.

The tools are part of the perl-libwww-perl package, which is installed by default. The most important tool is lwp-download, which you can use for downloading files. These are the steps to download something:
  1. esxcfg-firewall --allowOutgoing
    • allow outgoing connections from service console
  2. lwp-download http://dfn.dl..../apcupsd-3.14.4-1.el3.i386.rpm
    • download apcupsd package
  3. esxcfg-firewall --blockOutgoing
    • return firewall to the initial state
Beside this, the perl-libwww-perl package contains other tools like lwp-mirror, lwp-request and lwp-rget. Check their man pages for their usage.

REFERENCES
http://dsumsky.blogspot.com/2008/08/quickly-how-to-download-file-to-esx-3x.html

ILO Setup

SkyHi @ Thursday, May 27, 2010



ILO – Integrated Lights Out


This is a very cool feature that allows one to manage the server box remotely. The idea is that you don't have to be physically in the data center to manage servers. The ILO interface gives you exactly the same view you would get with a monitor, keyboard and mouse connected to each individual server.


Each server comes with a default DNS name for the ILO web interface (DHCP is enabled, so if your network has DHCP addresses available, the interface will pick one up for its factory default DNS name).


Default DNS names usually in the pattern ILO<Serial#OfBox>

For example serial id for server is HPPRO1234567, then DNS name to access server using ILO would be ILOHPPRO1234567 and it would be available at http://ILOHPPRO1234567


It comes with a default administrator user id/password. This user id/password should be changed immediately in order to keep your server secure.




Once you log in with the given credentials, four tabs are available: System Status, Remote Console, Virtual Devices, Administration.


Change ILO Administrator password

Go to “Administration” -> “User Administration” -> “Select a User” -> “View / Modify” Also if needed you can create more users and give them selective permissions to manage the server using ILO.


How to recover the ILO password

In the worst case, where you have forgotten the user id/password for the ILO login, the only way to reset the password is by connecting physically to the box. Make sure a monitor and keyboard are connected to the box and boot the machine.


Press F8 to enter into ILO Configuration. Then go to Users -> Modify user and change the ILO admin password which can help to get back to use ILO again.




Change the ILO DNS name


  • Before you start, have a static IP address and a DNS entry configured for this ILO interface.
  • Log in to the ILO web interface using the default DNS name (http://DefaultDNSNAME, e.g. http://ILOHPPRO1234567) and the default user id/password if they have not been changed yet.
  • Click the Administration tab -> Settings -> Network, then first disable DHCP.
  • Enter the IP address, subnet mask and gateway IP address that you allocated for the new ILO DNS name in Eman.
  • Enter the new iLO 2 Subsystem Name.

Then click "Apply" to make the changes effective. The following message will be displayed:


Please wait – iLO 2 is being reset with new changes. You will automatically be redirected to the login page in 59 seconds. If an SSL error message is displayed, please restart your browser and re-login.


It will log you out in one or two minutes. Alternatively, open a new browser session and log in using the new ILO DNS name, for example http://newdnsname; it should redirect to the login screen.


Troubleshooting ILO DNS Name


If for some reason the ILO DNS configuration is wrong, you may not be able to access the ILO web interface at all. In this case, to debug the configuration you need to connect to the machine physically.


The steps are:


  • Connect a monitor to the machine (the front port is easiest) and a keyboard at the back.
  • Power on the machine. Once it starts booting you will see a white screen displaying "HP Proliant Servers ...". After this, keep pressing F8 to get into the ILO configuration screen.
  • Now go to the Network -> DHCP menu

    * Make sure DHCP is set to OFF (use the spacebar to change the setting)

    * Verify that the ILO name has the correct value.
  • Now go to Network -> TCP/IP and select IP Address (you can't change these settings while DHCP is ON). Update the IP address to the new ILO DNS entry, and enter correct values for the subnet mask and default gateway.

Save the settings (F10) and exit. Now you should be able to log in to the ILO interface using the new DNS name, e.g. http://newdnsname


Note NIC Mac address


We have connected the server on LAN port 1. Hence note the value of Port 1 NIC MAC address, we will need this value to do the Linux installation using the PXE boot.


Go to tab “System Status” -> “System Information” -> NIC -> Port 1 NIC MAC address


REFERENCES

http://adyamarathon.wordpress.com/ilo-setup/


Simple NAT router for ESX

SkyHi @ Thursday, May 27, 2010

Questions:

Hi Guys,



I'm looking for a simple virtual appliance that I can deploy to my ESX environment to use as a virtual NAT router / firewall to create an isolated network that I can easily give internet access to.



Basic setup: ESX Host, has 2 vswitches configured: 1 is connected to the physical LAN, the other is isolated. I need an appliance that I can add 2 vNICs to, and attach one to the isolated vSwitch, the other to the LAN, to give the isolated network outbound access (so it can reach the internet).



Anyone have an appliance that I can setup quickly to do so?



Thanks.


Solutions:


I like PFSense www.pfsense.org, they have a VMWare appliance:



http://doc.pfsense.org/index.php/VMwareAppliance



Any VM with routing capabilities will do:



  • Linux with some IPTABLES configuration.
  • FreeBSD with its PF (or IPTABLES again).
  • Windows Server with the built-in RRAS.
  • Even Windows client (XP, Vista, 7) with its built-in Internet Connection Sharing can do that.


If you know some Linux and IPTABLES, it's quite easy to set this up; if you're more Windows-oriented, the Routing and Remote Access Service (built into Windows Server since 2000) is very easy to set up and configure on a (virtual) server with two NICs.




REFERENCES
http://serverfault.com/questions/143440/simple-nat-router-for-esx

=====================================================


NAT in VMWare vSphere/ESX – In a nut shell




This post is about NATing an ESX VM, but first, why do I need NAT:


The SIP protocol is not NAT oblivious. To traverse NAT our application has to replace the DNS in the SIP message contact header to the external FQDN that the message receiver will be sending responses to (A NAT with static routing configured).

Therefore I needed to test our software in a NAT topology.


In the past, when we used VMWare player/workstation, it had a build-in NAT network. But, unfortunately, the ESX hypervisor does not provide a NATed network option.

Seeking alternatives at VMWare’s appliance marketplace, I found and downloaded Vyatta’s community edition (VC5) router appliance (also downloadable from SourceForge), which comes under the GPL license.

After 3-4 hours – guided by the official quick start guide - I had a working NAT configuration in the ESX. Hurray!

Overall, not a hard nut to crack ;) , though I wish VMWare will wise up and just add an build-in NAT option to vSphere.


Left to do:

Obtain some static IPs, so the config won’t break each time the vm reboots and the DHCP lease expires.

Tip #1:

If you want to access your NATed VM by RDP/VNC without setting up extra NAT routing rules, consider adding an additional un-NATed NIC to the VM, but when doing so, make sure that the OS routing tables are set to route through the NIC that is NATed.

Tip #2:

This short vyatta user installation report also helped me a bit.


Here’s the complete configuration script I ended up feeding to the appliance console (the network topology is similar to the one presented in Vyatta’s getting started guide):

Where:

1.2.3.4 is your department’s DNS server

192.168.1.199 is the VMs NATed private IP address (provided by the DHCP).

The script contains a NAT forward rule for VNC (port 5900)


configure
set system host-name vyatta-nat
set interfaces ethernet eth0 address dhcp
set service ssh
set service https
commit;
save;
# restart the appliance to switch from console remote desktop to SSH:

#login with user and password
configure
show interfaces

set interfaces ethernet eth1 address 192.168.1.254/24

commit;

delete service dhcp-server
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.254
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 1.2.3.4
commit;
show service dhcp-server

set service nat rule 1 source address 192.168.1.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 type masquerade
commit;
show service nat
save;
exit
show nat rules
configure
set service nat rule 20 type destination
set service nat rule 20 inbound-interface eth0
# use a negated fake address so that all incoming communication will be NATed
#set service nat rule 20 destination address !192.168.50.0
#Forward traffic to address 192.168.1.199
set service nat rule 20 inside-address address 192.168.1.199
set service nat rule 20 protocol tcp
set service nat rule 20 destination port 5900
commit;
save;
exit


REFERENCES
http://www.javatuning.com/nat-in-vmware-vsphereesx-in-a-nut-shell/







=====================================================

SmoothWall Express as NAT on ESXi




It’s odd that ESXi doesn’t come with a NAT implementation. Even stranger is that it’s not easy to find a simple-to-use virtual appliance to fill the gap.


From the VMWare community, there are suggestions on using Freesco or m0n0wall. However, neither is as easy to set up as I would like. Finally, I found the SmoothWall Express 3.0 VMWare image, but there is no documentation on using the image.


Here is a quick setup guide for using the appliance as a NAT server:


  • From ESXi server, create a vSwitch and connect it to host NIC. Add a virtual machine network, say external, to it.
  • Create another vSwitch without NIC. Add a virtual machine network, say protected, to it.
  • Download SmoothWall Express 3.0 VMWare.
  • Extract the VM files.
  • Use VMWare Converter to convert the VM and upload to ESXi server:
    • eth0->connect to protected network
    • eth1->connect to external network

  • Login the SmoothWall VM with account root and password happydays.
  • run setup:
    • Keyboard mapping->us
    • Networking
      • Network configuration type->GREEN + RED
      • Drivers and card assignments: Green->eth0 / Red->eth1
      • Address settings: Green->internal IP / Red->external IP
      • DNS and Gateway settings: for external interface

    • DHCP Server Configuration
      • Enable it. Add internal address range. DNS is the internal IP in address setting.


  • Update the root/admin/user passwords
  • Connect a Windows VM to the protected network to verify DHCP is working properly.
  • From the Windows VM, browse to https://internal_ip:441.
  • Logon with account admin and the new password you set.
  • Click Maintenance->Update->Update to install patches from mySmoothWall. Reboot afterward.


REFERENCES
http://blog.ust.hk/martinl/2009/03/25/smoothwall-express-as-nat-on-esxi/


=====================================================

OpenBSD as a Simple NAT Router



To setup a simple NAT router/firewall using OpenBSD, use these steps as a general guideline. I’m assuming that you have general knowledge of OpenBSD.


First, configure the network interfaces appropriately. Typically, this will involve editing the hostname.<NIC type> file. In a VMware ESX Server environment, OpenBSD uses pcn0 for the first virtual NIC, pcn1 for the second virtual NIC, etc., so the appropriate configuration files would be hostname.pcn0, hostname.pcn1, and so forth.


Next, enable IP forwarding by editing /etc/sysctl.conf and making the following change (the line is present in a default installation, you just need to uncomment it):



net.inet.ip.forwarding=1


Next, we’ll need to enable the OpenBSD packet filter, pf. This is typically done by creating/editing the file /etc/rc.conf.local and making sure the following line is present:



pf=YES


Next, we’ll configure pf for network address translation (NAT) and simple packet filtering. If you’ve never configured pf before, I highly recommend this OpenBSD PF guide; it will introduce you to the functionality of this very powerful packet filtering engine. (Sometimes I wish Mac OS X would switch to using pf.) You configure pf by placing a ruleset into /etc/pf.conf.

Here’s a quick sample ruleset (keep in mind this is based on OpenBSD running as a virtual machine in a VMware environment, and that it uses the pre-OpenBSD 4.7 pf syntax, where NAT is a separate "nat on" translation rule; from 4.7 onward NAT is written as "match out ... nat-to"):

# Set some variables for use later
ext_if="pcn1"
int_if="pcn0"
icmp_types="echoreq"
# Hosts allowed to ping the router; the original omitted this definition
# (pfctl refuses a ruleset with an undefined macro), so 192.0.2.0/24 is a
# placeholder to replace with your own trusted network
allowed_hosts="192.0.2.0/24"

# Skip all loopback traffic
set skip on lo

# Scrub all traffic
scrub in

# Perform NAT on external interface
nat on $ext_if from $int_if:network -> ($ext_if:0)

# Define default behavior
block in
pass out keep state

# Allow inbound traffic on internal interface
pass quick on $int_if

# Protect against spoofing
antispoof quick for { lo $int_if }

# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
pass in inet proto icmp from $allowed_hosts icmp-type $icmp_types keep state

This is a really, really simple configuration, but it will get the job done. (I did title this “OpenBSD as a Simple NAT Router”, after all.)
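The steps above in one runnable form, as an added example that is not part of the original article: it writes the sample ruleset for a two-NIC VMware guest with every macro defined, then lints the file for macro references that have no definition (the class of error that makes pfctl reject the whole ruleset). Interface names pcn0/pcn1 come from the article; 192.0.2.0/24 is a constructed placeholder for the trusted network, and the output path is a temp file rather than /etc/pf.conf.

```shell
#!/bin/sh
# Added example, not from the original article: generate the article's
# two-NIC NAT ruleset with every macro defined, then lint it for macro
# references that have no definition (pfctl rejects such a file outright).
# On a real router you would follow up with: pfctl -nf /etc/pf.conf
set -eu

# Write the ruleset. Interface names and the trusted ICMP source network are
# arguments so the caller can match its own VM (192.0.2.0/24 used below is a
# constructed placeholder from the documentation range, not a real network).
write_pf_conf() { # $1 = output path, $2 = ext_if, $3 = int_if, $4 = allowed_hosts
    cat > "$1" <<EOF
ext_if="$2"
int_if="$3"
icmp_types="echoreq"
allowed_hosts="$4"
set skip on lo
scrub in
nat on \$ext_if from \$int_if:network -> (\$ext_if:0)
block in
pass out keep state
pass quick on \$int_if
antispoof quick for { lo \$int_if }
pass in on \$ext_if proto tcp to (\$ext_if) port ssh flags S/SA keep state
pass in inet proto icmp from \$allowed_hosts icmp-type \$icmp_types keep state
EOF
}

# List every macro used as $name that never appears as name="..." at the
# start of a line. Prints the offenders and returns 1 if any exist.
pf_undefined_macros() { # $1 = pf.conf path
    defined=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" | sort -u)
    used=$(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | tr -d '$' | sort -u)
    missing=""
    for m in $used; do
        printf '%s\n' "$defined" | grep -qx "$m" || missing="$missing $m"
    done
    [ -z "$missing" ] || { echo "undefined macros:$missing"; return 1; }
    return 0
}

# Stand-alone run: write the file to a temp dir and lint it.
tmp=$(mktemp -d)
write_pf_conf "$tmp/pf.conf" pcn1 pcn0 192.0.2.0/24
pf_undefined_macros "$tmp/pf.conf" && echo "ruleset macros OK: $tmp/pf.conf"
```

The lint only catches undefined macros; pfctl -nf on the router remains the authoritative syntax check for everything else in the file.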

For more advanced configurations, I highly recommend reviewing the OpenBSD documentation (which, by the way, is very thorough and very extensive; kudos to the OpenBSD team for their documentation efforts).



REFERENCES
http://blog.scottlowe.org/2006/10/06/openbsd-as-a-simple-nat-router/




pfSense as router(nat) for ESX Vsphere

SkyHi @ Thursday, May 27, 2010
mali
« on: November 16, 2009, 12:00:07 pm »


Hi,

I am a newbie to pfSense. I have ESX Server 4 (vSphere) with 2 NICs.
Right now only 1 NIC is connected to the Internet and has a public IP, say
202.33.44.2.
I want to secure the Virtual Machine running on it.
What should I know to configure pfSense on ESX Server (vSphere)?

Is there any tutorial or recommendation for it?

Regards,
mali




Heitor Lessa
« Reply #1 on: November 20, 2009, 05:47:08 am »


Hi there,

Actually I'm using pfSense under VMware ESXi with 2 NICs*, both internal network, and it works fine.

What kind of doubt do you have exactly?

How to configure 2 NICs on pfSense under ESXi?

First you need to know which NIC is from the Internet (public address); in this case it will be the WAN NIC.
Second you need to add one more NIC under "Configuration" --> "Networking" in VMware to add your LAN NIC.

To install, choose which NIC is WAN and which NIC is LAN, for example:

em0 -> LAN
em1 -> WAN

About security, pfSense uses the pf firewall and you'll need to know how to configure policies, rules, NAT. But this ... depends on you.

Anyway, I'm here for any questions about installation and configuration under ESX.

Regards.
Heitor Lessa




mali
« Reply #2 on: November 20, 2009, 11:12:58 am »


First of all, thanks for your reply.

I have 2 Virtual Machines on VMware ESXi and I want to protect them from pfSense.

I have installed pfSense on VMware ESXi with one physical NIC.

I have assigned em0 to the LAN & em1 to the WAN interface.

em0----> Vswitch0 ----LAN Interface. (202.33.44.2)

em1----> Vswitch0 ----WAN Interface.(202.33.44.3).


These are my concerns.

How can I access the WebGUI on the WAN interface?
Can I use a public IP address on the LAN interface?

My Virtual Machine is also on a public IP (202.33.44.4) which I want to protect from pfSense.

Regards,
mali











Heitor Lessa
« Reply #3 on: November 20, 2009, 07:41:06 pm »


Well,

I have 4 VMs under ESXi, but my environment is totally different from yours.

Anyway, answering some questions.

How can I access the WebGUI on the WAN interface?
Yes, it's possible; for this purpose you need to uncheck the box "Block Private Address" IF you need to access it from your LAN, ELSE you just need to allow port 80 in the firewall rules, or another port IF you change the WebGUI port, sure.

Can I use a public IP address on the LAN interface?
On the LAN interface you configure a private IP address and not a public address ^^; you can, but it isn't a best practice in relation to security and standards.

Try not to use just one NIC for the pfSense firewall; use 2 NICs, configure them under Networking as a Virtual Switch and assign them in pfSense, otherwise you can have a bottleneck.

About protecting your other server, do you REALLY need to configure a public address on your other server?
You can configure an internal address and set the gateway to your firewall (pfSense), and to access any service on this server you can redirect traffic using NAT.

But I still haven't tried this feature on pfSense; it's better you ask in the Firewalling topic.

Regards.
H




mali
« Reply #4 on: November 23, 2009, 05:28:12 am »


Thank you so much for this support.

I have added you on my MSN.

I am using one physical NIC and two logical NICs which are connected to a Virtual Switch.
I am able to connect to the WebGUI on the WAN interface and ping it perfectly.

Now my major concern is that my Virtual Machine is on a public IP address and I want to protect it from
pfSense, which is sitting in front of my Virtual Machine.

For this, what do I have to do?

Can you share your environment with two physical NICs with me?

Regards,
mali




Heitor Lessa
« Reply #5 on: November 25, 2009, 08:09:53 am »


You're welcome.

I still haven't received your ack on MSN.

But if you want to add me on Skype it's -> heitor.flessa

As I said, you may ask in the firewalling topic for a pfSense expert, but I thought that it is not possible if you don't redirect to the pfSense gateway.

Sure I can.

We'll talk on MSN or Skype.

Regards,
Heitor Lessa




EddieA
« Reply #6 on: December 22, 2009, 06:12:44 pm »


Here's how to set up your VMs on ESXi with 2 NICs. As they say, a picture is worth a thousand words:



Cheers.




kdoswald
« Reply #7 on: December 23, 2009, 04:51:17 pm »


Your wording is confusing me on this one. Protect the VM from pfSense? Do you mean protect the VM from outside using pfSense?

I use pfSense under ESXi similar to the other post, but have 3 virtual NICs and two real ones.

vSwitch0 is the local network
vSwitch1 is my FIOS connection/WAN
vSwitch2 is virtual for the DMZ.

pfSense setup
LAN - le0 (vswitch0)
WAN - le1 (vswitch1)
OPT2 - le2 (vswitch2) (DMZ)
OPT3 - tun0 (OpenVPN to connect to the LAN from outside)
OPT4 - tun1 (OpenVPN connection to the office for work)


I would think if you want to protect those other machines with pfSense, the options would be port forward or 1:1 NAT.



Do these machines need to have a public IP? I just redirect ports to my web server and other things, mainly to the DMZ on the inside.




tractng
« Reply #8 on: February 25, 2010, 02:15:44 pm »


Here's how to set up your VMs on ESXi with 2 NICs. As they say, a picture is worth a thousand words:



Cheers.

I like the setup. I am going to set it up like yours.

One NIC going to the WAN port of the FIOS router, the other NIC for internal connections with VMs.

tnt


REFERENCES
http://forum.pfsense.org/index.php?topic=20597.msg110768