The goal of this article is to isolate a small public web server on a simulated demilitarized zone (DMZ) network, and to restrict the local network access in case the server is breached. It is an extra security layer added to an existing home server setup.
Internal DMZ network setup
The DMZ consists of an internal network 10.10.20.0/24 connected to br0 bridge device. On this network I place a Linux namespaces security sandbox at 10.10.20.10, running a web server. In case an intruder gets control of the web server, he will be running with low privileges as a generic www-data user. The host firewall configuration will not allow him to open connections anywhere outside DMZ network.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Started as a simple sandbox for Mozilla Firefox, Firejail was expanded to work on any type of executable, such as servers, graphic programs, and even as login shell.
The program is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. The download page provides source code (./configure && make && sudo make install), deb (dpkg -i firejail.deb) and rpm (rpm -i firejail.rpm) packages. Once installed, you can start a program in sandbox as:
$ firejail [options] program and arguments
$ firejail --debug firefox
To login into a Firejail sandbox, you need to set /usr/bin/firejail as user shell in /etc/passwd. You can change the shell for an existing user with chsh command:
# chsh --shell /usr/bin/firejail
Another option is to define the shell when the user account is created:
# adduser --shell /usr/bin/firejail username
Below is a ssh login session into a sandboxed account:
SSH login into a default Firejail sandbox
The traditional Linux security model starts with file permissions. The model lets the kernel decide whether or not a process may access a resource based on permissions set as part of the filesystem. The coarse-grained granularity of this model often causes Linux processes to have too many rights. If more granularity is needed, one has to resort to adding security related code into the program source.
This series of articles is about Linux namespaces, a lightweight virtualization technology implemented in Linux kernel. In part 1 I’ve talked about building chroot jails using mount namespace, and in part 2 I’ve looked into isolating processes using PID namespace. The next step is to isolate the TCP/IP networking stack using network namespaces.
Security at this level is always reactive. Assuming the bad guy breaks into your server, he will realize he doesn’t have root privileges (classic Unix privilege separation implemented in server software), he runs on top of a fake filesystem (chroot), and he cannot get outside on the network. The later is usually done by placing the computer in a Demilitarized Zone (DMZ) behind a firewall.
The same effect can be achieved on the cheap using Linux namespaces. For this, I place the server in a container (vm1) running its own network segment (10.10.20.0/24). The container is connected to the host through a Linux bridge interface (br0). On the host I configure iptables firewall, isolating the server and effectively limiting the potential damage that could be inflicted on the larger network. The final setup looks like this:
Ethernet networks can be partitioned into multiple distinct broadcast domains using VLANs. VLAN domains are mutually isolated. Whenever a hosts in one VLAN domain needs to communicate with a hosts in another VLAN domain, the traffic must be routed between the two domains. This is known as inter-VLAN routing.
This document provides a VLAN configuration example for a small network split into two separate VLAN domains: SALES and ENGINEERING. The backbone consists of two VLAN bridges connected by a VLAN trunk. I will use a Linux-based router, RCPlive, connected to the trunk to provide routing between the two VLAN domains and the outside world. On the router I will also enable a number of services such as DHCP and stateful firewall.
Virtualization refers to the creation of virtual machines that acts like real computers with an operating system. Software executed on these virtual machines is separated from the underlying hardware resources.
This article discusses LXC, a lightweight virtualization technology built into Linux kernel. The user space LXC tool is distributed with a number of templates that allow the creation of different Linux distro filesystems, usually one template for each major Linux distribution. The problem with these templates is they never work, or they stop working with every new release of LXC tool or of the particular Linux distribution. This is the case with all Linux distributions, and Debian is no exception. Currently, the Debian template is borken under “wheezy”. The relevant Debian bug is here, and history shows that as soon such a bug gets fixed, lxc user space driver changes again and breaks it. It could be worse, in Fedora LXC was broken in Fedora 15 and it was never fixed.
The simple way to handle the problem is to forget all about the template mechanism and roll your own containers. In Debian you can build the container filesystem using the standard debootstrap, or mount read-only the host filesystem, and then use lxc-execute to start a simple bash session inside the container. In this session you can than start all the programs you need to run in the container. It is an application container, very similar to the containers created using the official ssh template distributed with LXC.
The virtual machine I will describe in this article uses a root filesystem build using debootstrap (apt-get install debootstrap). The procedure is simple and it should work on any Debian machine. It will probably work also on any other distro based on Debian, such as Ubuntu, Mint etc.
An SNMP MIB browser is an indispensable tool for engineers and system administrators to manage SNMP enabled network devices such as routers, switches, servers and workstations. The information provided by SNMP includes uptime, interface traffic data, routing information, TCP and UDP connection information, installed software, and much more.
In this tutorial, I introduce qtmib, an easy-to-use SNMP browser available for Linux and published under GPLv2 license. The program is build as a front-end for net-snmp tools using QT4 library.
qtmib browser window
Virtualization allows the creation of multiple virtual machines (VM) on top of an existing computer, each VM configured in a very specific way. All virtual machines run in parallel alongside the regular host applications, without affecting the host system. The type of virtualization I am currently using is Linux containers (LXC), a lightweight virtualization technology built into Linux kernel.
This is my third Debian virtualization article. In the first article, I’ve described the steps to create and run a basic virtual machine using LXC. In the second article I’ve isolated the VM on its own network segment, with its own TCP/IP networking stack. Both articles were dealing with server VMs, I’ve used Lighttpd as an example throughout my articles.
I will describe now how to run desktop applications such as Mozilla Firefox and LibreOffice in a virtual machine. I will use virtenv to build and run the VM. virtenv is a QT4 application released under GPLv2 license. It is basically a configuration wizard that allows you to configure and start the LXC-based virtual machines. Once the VM is started, you get a regular controlling terminal (xterm) and a desktop window running the lightweight Openbox window manager. In this window you can run your GUI applications, very similar to VMware Workstation or Oracle’s VirtualBox.
virtenv desktop and controlling terminal