Using Ubuntu Linux and External Network Access...


dc1971
9th November 2009, 03:37 PM
Greetings,

I have watched the following tutorials on YouTube, which show me how to set up External Network Access on a Linux system...

http://www.youtube.com/watch?v=iuKR6Q8lbTU
and
http://www.youtube.com/watch?v=NdzWp-8b61A&feature=related

These tutorials are all fine and good if your system is set up using Fedora Core but I am using Ubuntu 9.04! I do have the latest version of Apache HTTP Server installed (2.0 is the latest, I think) and my Router is a Belkin Wireless G Router Model # F5D7230-4.

I'm not sure if you need any other information on my computer or if this is the right forum to try to get help on this issue. Any help will be greatly appreciated.

Thank you in advance.

DC

GreNME
9th November 2009, 04:49 PM
"First, we need to log in as root..."

Um, no.

What are you trying to accomplish? What kind of access do you want? That video has you doing it an ugly and cludgy way, and it's not exactly a complete explanation. I assume you have the web server working internally just fine, yes?

dc1971
9th November 2009, 06:09 PM
"First, we need to log in as root..."

Um, no.

What are you trying to accomplish? What kind of access do you want? That video has you doing it an ugly and cludgy way, and it's not exactly a complete explanation. I assume you have the web server working internally just fine, yes?

Yes, this is working fine internally. I have four other computers that are able to access the Linux (Ubuntu) server. I want to be able to leave my computer running and be able to access the files on my Linux computer outside of my internal network structure here at home (i.e. through the web). I know those videos explain dynDNS.org and registering a free domain name on that site; along with that, I would like to keep this access password protected.

GreNME
9th November 2009, 08:42 PM
Yes, this is working fine internally. I have four other computers that are able to access the Linux (Ubuntu) server. I want to be able to leave my computer running and be able to access the files on my Linux computer outside of my internal network structure here at home (i.e. through the web). I know those videos explain dynDNS.org and registering a free domain name on that site; along with that, I would like to keep this access password protected.

Right, but how do you want to access said files? Through HTTP? FTP?

dc1971
10th November 2009, 12:07 AM
Through HTTP.

GreNME
10th November 2009, 08:22 AM
Okay, well, assuming you know how to sign up for DynDNS, then I assume the problem you're having is with the port forwarding?

Question: is your Linux machine set to a static IP address?

dc1971
10th November 2009, 02:41 PM
Okay, well, assuming you know how to sign up for DynDNS, then I assume the problem you're having is with the port forwarding?

Question: is your Linux machine set to a static IP address?

No. I'm pretty well versed in setting a static IP on a Windows Server machine but I'm in the dark as to how to do that using my Ubuntu machine. Also, the port forwarding is something else I'm a little sketchy with! I know how to access my router and find the page where I can adjust port forwarding and virtual server settings.

I'm guessing there are administrative settings that I can access where I can change to a static IP instead of messing with files in the /etc file folder like the tutorials are showing? I really appreciate the help. Thanks.

DC

GreNME
10th November 2009, 05:07 PM
Okay, you're first going to want to set the IP of your Ubuntu system as static. I strongly recommend checking Google for some Ubuntu-specific websites out there for tutorials on how to do things, but for this specific purpose here is an article (http://www.ubuntugeek.com/change-ubuntu-system-from-dhcp-to-a-static-ip-address.html) that gives you a basic skinny on how to do this. It will require you doing this in a Terminal window if you have Ubuntu desktop, or in the command line on Ubuntu server (same thing, but I suggest working on Ubuntu Server without the GUI).

The steps for setting up port forwarding depend on your particular router. I recommend checking the model number and doing a Google search for its particular User Manual since I bet dollars to donuts that there's a section in it with a graphic walk-through of the process for setting up port forwarding.

Just so you know, port forwarding is simply the router taking a request to connect from the outside (the internet, also known as The WAN) and routing the corresponding port over to the computer at the IP address it's told to direct it. A "port" is basically comparable to a "channel" on a CB or short-wave radio (except there are way more ports to choose from), and many programs have standard ports on which they communicate. Web servers most typically use port 80 or port 8080 for HTTP (web) programs. Your router typically disallows most requests from the WAN side (the internet) to communicate with your internal computers unless an internal computer requests the communication and opens up a "channel" (port connection) first. Port forwarding basically allows certain ports (or "channels") to communicate with an internal computer using only that port. There are different degrees of port forwarding and more complicated ways to port forward, but in its simplest and most basic form that's how port forwarding works, and most home internet routers work at this very basic level.

Now, your virtual server settings are another (more complicated) story. Unless you're going to run multiple different sites you shouldn't need to worry too much about them anyway, but again this is where the Ubuntu-specific support websites will be more useful to you for setting stuff up. The thing is that you have to have an idea of what exactly you want to accomplish with the virtual server settings before you do something, and for that I'm not sure where to start. If you can get your static IP and port forwarding settings taken care of first, then you should at least be able to test it from the outside.

dc1971
10th November 2009, 05:29 PM
Great. This gives me a good start! Thank you for all of your help. I will let you know if I got it all worked out or if I need further assistance!

Thanks again!

DC

PS, Is your location really Folsom Prison?

dc1971
11th November 2009, 10:08 AM
Now, your virtual server settings are another (more complicated) story. Unless you're going to run multiple different sites you shouldn't need to worry too much about them anyway, but again this is where the Ubuntu-specific support websites will be more useful to you for setting stuff up. The thing is that you have to have an idea of what exactly you want to accomplish with the virtual server settings before you do something, and for that I'm not sure where to start. If you can get your static IP and port forwarding settings taken care of first, then you should at least be able to test it from the outside.

I have the static IP running flawlessly within the home network, however I still cannot access from the outside. I did the port forwarding and assigned the proper port numbers and included HTTP, FTP, and SSH, and I also assigned a domain name via DynDNS.org. I'm wondering what's missing?

Ducky
11th November 2009, 10:31 AM
I have the static IP running flawlessly within the home network, however I still cannot access from the outside. I did the port forwarding and assigned the proper port numbers and included HTTP, FTP, and SSH, and I also assigned a domain name via DynDNS.org. I'm wondering what's missing?

Is the Apache service running on the server, and is there a firewall on the server that needs to be changed?

dc1971
11th November 2009, 11:08 AM
Is the Apache service running on the server, and is there a firewall on the server that needs to be changed?

Apache server is running... haven't checked the Firewall. I will do that now (in a few actually... eating lunch now). I know there are also firewall settings on the router, specifically DMZ setting, should I worry about that?

GreNME
11th November 2009, 11:13 AM
Apache server is running... haven't checked the Firewall. I will do that now (in a few actually... eating lunch now). I know there are also firewall settings on the router, specifically DMZ setting, should I worry about that?

No, do NOT put that machine on the DMZ.

dc1971
11th November 2009, 11:48 AM
No, do NOT put that machine on the DMZ.

What if I already did and then disabled it?

Ducky
11th November 2009, 11:51 AM
Apache server is running... haven't checked the Firewall. I will do that now (in a few actually... eating lunch now). I know there are also firewall settings on the router, specifically DMZ setting, should I worry about that?

Yes I agree with GrenME. Do not do that.

Do this in a terminal on Ubuntu:

ducky@mcp:~$ sudo ufw status
Status: active

If you see active, like mine just showed, you have a firewall running on the machine. The command to disable it is as follows:

ducky@mcp:~$ sudo ufw disable

or, better yet, do this:

ducky@mcp:~$ sudo ufw allow 80

then:

ducky@mcp:~$ sudo ufw allow 443

Other things to do to test are as follows:

ducky@mcp:~$ telnet localhost 80

the above will attempt to open a telnet connection to your local machine on port 80 for http. This can at least show if your apache is running and accepting traffic.

Ducky
11th November 2009, 11:52 AM
What if I already did and then disabled it?

Congrats, the internet just crashed. ;)

No seriously, if you put it in the DMZ, you should remove it and revert the changes you made to put it there. Afterward you're fine.

GreNME
11th November 2009, 01:25 PM
What if I already did and then disabled it?

Like Ducky said, re-check the settings you changed in the port forwarding section and re-enable them.

dc1971
11th November 2009, 03:31 PM
Like Ducky said, re-check the settings you changed in the port forwarding section and re-enable them.

Thank you so much guys, you're a definite help! I'll work on this later this evening and see what happens. I will give you a status report then.

Thanks again for all your help!

DC

Ducky
12th November 2009, 08:16 AM
Ok so since you are going to have ports facing the world on a Ubuntu machine (hopefully only port 80 for http, however I'll expound on this later) I should show you one (of many) tools to protect your machine against attacks.

IMPORTANT!!!! ACHTUNG!!!!! DANGER WILL ROBINSON!!!!!!

THIS IS NOT A COMPREHENSIVE OR COMPLETE ANSWER TO SECURITY IN ANY WAY SHAPE OR FORM!!!!

This is only to protect against common nuisance attacks. It will not secure the code that runs your website, it only protects the server processes, and even then only does so in a limited way.

If you want to know more about securing your apache installation, you should see the following tutorials:

http://www.linuxsecurity.com/content/view/133913/171/

http://www.howtoforge.com/apache_mod_security

And of course you should, if you are running a packaged opensource content management system like joomla or wordpress keep it updated and patched! This tutorial will not protect against poorly written php code, etc.

Now, on to the tutorial:

Welcome to fail2ban 101.

Now that you have your services running on your machine, take note of which services will face the world. In this case, I will comment on two ports that are common to be world facing: port 80 and port 22.

Port 80 is your webserver. Unless you are running SSL-encrypted pages, this is the only port you need to face the world for web pages to serve content.

Port 22 is SSH. This is only needed if you want command-line shell access to your machine from the outside. SSH stands for "Secure Shell" however the secure only refers to the fact that it uses encryption in transit to hide clear text transmissions. It is still a vulnerable service often used to exploit *nix machines.

Since you only want to run port 80 to the world, I will focus on using fail2ban to monitor your apache and system logs to be able to react against unwanted behaviors from the outside world. At the end, I will give tips on securing your ssh service should you want that access from the outside world (you probably don't. If not run securely, it is a wide open door for someone to root your Ubuntu server.)

I assume now that you have apache installed and it is serving webpages to your satisfaction. Now let's install fail2ban. Open a Terminal session (Applications --> Accessories --> Terminal) and type the following:

sudo aptitude install fail2ban python2.5

The above command will install fail2ban services and python2.5 which is used by fail2ban. Once that is installed you will need to modify the top of one file to make sure fail2ban knows which version of python to use (this is a limitation of linux distros including python 2.6 which fail2ban has not adopted yet.)

So to modify the correct file do the following:

sudo nano /usr/bin/fail2ban-server

The above code was to (as root) edit the file /usr/bin/fail2ban-server using the editor nano. Nano is a functional editor that is easy for newbies to negotiate. If you are already familiar with Vim or Emacs you may use that. I will assume in this tutorial that you will be using nano.

On the very first line you want to change this:

#!/usr/bin/python

to this:

#!/usr/bin/python2.5

Once you have edited it correctly, you save and quit nano with control-x and typing "y" to the prompt to save the file, when prompted with where to save the file, just hit enter.

Now we're ready to tell fail2ban to watch certain services for bad behavior. To do this, we need to edit /etc/fail2ban/jail.conf and set a few variables, as well as turn on "jails" to watch the services you want.

sudo nano /etc/fail2ban/jail.conf

First, you want to set a few variables now that you're in the file. Down-arrow until you see the following:

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 300
maxretry = 6


Change these values as follows:

ignoreip is a space-separated list of ip addresses you want fail2ban to give a pass to. It is advisable not to ban your own internal network, or at least one host in your internal network so that you can still access the machine's services. I would put the following in after 127.0.0.1:

192.168.1.0/24

So that it looks like this:

ignoreip = 127.0.0.1 192.168.1.0/24

Note: If your internal network IP addresses are not 192.168.1.XXX then change accordingly, i.e. 192.168.0.0/24 etc.

Next we set the ban time. This is the amount of time we put the offender into banned status. I have mine set to a week, you may choose a time of your liking. I suggest at least a few hours, if not a day. The numerical value is in seconds, so do the math accordingly for hours/days/weeks etc.

Below that is the default setting for how many retry attempts we give. I change this to 2 (three strikes and you're out!) You may change this to whatever makes you comfortable. The default is 6.

Next we will enable the jails for apache. Down-arrow in the file until you get to this section:

[apache]

enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]

enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

To enable the jails change "false" to "true" at the first line of each settings grouping. For example:

[apache]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]

enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

Also note there is a file path to your logs from apache. If you set custom apache logging (you will know if you did) then you should change those file paths accordingly (leave the * in the path, it is used as a wildcard to suss out any mis-named or custom named log files to watch.)

Save the file and exit with control x, y, enter.

Now we must restart the service to reflect our changes.

sudo /etc/init.d/fail2ban restart

Once you see this:

* Restarting authentication failure monitor fail2ban [ OK ]

You are done setting up fail2ban for apache.

If you want to set up fail2ban to monitor your sshd service (assuming you already have it installed) you should edit /etc/fail2ban/jail.conf and enable the sshd and sshd-ddos jails. You should set the max retry of the sshd-ddos jail to 0, and here's why:

This is the expression that fail2ban looks for in the ssh-ddos jail:

failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$

"Did not receive identification string from" is a common entry from those who are using scanning tools to discover open ports on the internet. There are not many, if any, legitimate circumstances in which your machine, at home, on your own network, would see that error except for when script kiddies (or someone in china or russia) are out to do naughty. Since you only see that log entry once before the script they are running begins to attempt to guess user names and passwords, you should not have that jail wait for any retry. Ban on first sight, so set that variable to 0.

Now we must restart the service to reflect our changes.

sudo /etc/init.d/fail2ban restart

Once you see this:

* Restarting authentication failure monitor fail2ban [ OK ]

You are done setting up fail2ban for ssh.

Of course, this last part is not really applicable since if you're a newbie you shouldn't be running SSH open to the world. Ever. Got it? If you want a more comprehensive tutorial on securing your ssh service, I can start a new thread.

Cheers.

-D
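The jail logic Ducky's steps configure (maxretry, bantime, ignoreip with a LAN CIDR, and the quoted ssh-ddos failregex), modelled in Python as an added example; this is not Ducky's code or fail2ban's own. The apache-auth regex, the sample log lines and the one-week bantime are constructed assumptions, and fail2ban's findtime window is left out.

```python
import ipaddress
import re
from collections import defaultdict

# The sshd-ddos failregex quoted in the post (fail2ban's own pattern).
SSH_DDOS_RE = re.compile(r"sshd(?:\[\d+\])?: Did not receive identification string from (?P<host>\S+)$")
# Simplified stand-in for fail2ban's apache-auth filter (an assumption, not the shipped
# regex): the "authentication failure" line Apache writes to error.log.
APACHE_AUTH_RE = re.compile(r"\[client (?P<host>[\d.]+)\] user \S+ authentication failure")


class Jail:
    """One fail2ban-style jail: count matching failures per host, ban at maxretry."""

    def __init__(self, failregex, maxretry, bantime, ignoreip):
        self.failregex = failregex
        self.maxretry = maxretry
        self.bantime = bantime  # seconds, as in jail.conf
        # ignoreip is the space-separated jail.conf list; a bare address such as
        # 127.0.0.1 parses as a /32 network, 192.168.1.0/24 covers the whole LAN.
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip.split()]
        self.failures = defaultdict(int)
        self.banned_until = {}

    def _ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def is_banned(self, host, now):
        return self.banned_until.get(host, -1) > now

    def observe(self, line, now):
        """Feed one log line; return the host if this line triggers a ban."""
        m = self.failregex.search(line)
        if not m:
            return None
        host = m.group("host")
        if self._ignored(host) or self.is_banned(host, now):
            return None
        self.failures[host] += 1
        # The ban fires once the retry count reaches maxretry, so maxretry=0
        # (the post's advice for ssh-ddos) bans on the very first matching line.
        if self.failures[host] >= self.maxretry:
            self.banned_until[host] = now + self.bantime
            self.failures[host] = 0
            return host
        return None


# Constructed sample log lines (not captured from a real server).
SSH_LINES = [
    "Nov 12 08:01:02 mcp sshd[4242]: Did not receive identification string from 203.0.113.9",
    "Nov 12 08:01:03 mcp sshd[4243]: Did not receive identification string from 192.168.1.20",
]
APACHE_LINES = [
    "[Thu Nov 12 08:02:%02d 2009] [error] [client 198.51.100.7] user bob "
    "authentication failure for \"/private\": Password Mismatch" % i
    for i in range(7)
]


def run_demo():
    ignore = "127.0.0.1 192.168.1.0/24"
    week = 604800  # one week in seconds, the bantime Ducky uses
    ssh = Jail(SSH_DDOS_RE, maxretry=0, bantime=week, ignoreip=ignore)
    web = Jail(APACHE_AUTH_RE, maxretry=6, bantime=week, ignoreip=ignore)
    return {
        "ssh_bans": [ssh.observe(line, 0) for line in SSH_LINES],  # LAN host is ignored
        "web_bans": [web.observe(line, i) for i, line in enumerate(APACHE_LINES)],
        "web_banned_at_100": web.is_banned("198.51.100.7", 100),
        "web_banned_after_week": web.is_banned("198.51.100.7", 5 + week),
    }
```

The scanner host is banned on its first "Did not receive identification string" line while the 192.168.1.x host is skipped by ignoreip, and the web client is banned on its sixth failed login and released once bantime has elapsed.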

Ducky
12th November 2009, 08:22 AM
I will start a new thread about securing more of your ubuntu box if desired. Just because it is linux does not mean it is bulletproof. Out of the box, Ubuntu is not totally secure.

nescafe
12th November 2009, 09:50 AM
Out of the box, Ubuntu is not totally secure.

Oh, if it is not plugged into the network and if you never move files to/from the machine, it is pretty secure. :)

Ducky
12th November 2009, 10:10 AM
Oh, if it is not plugged into the network and if you never move files to/from the machine, it is pretty secure. :)

This is true. ;)

But of course, the very most secure you can do is to bury the thing encased in lead and concrete.

dc1971
14th November 2009, 09:15 AM
This is true. ;)

But of course, the very most secure you can do is to bury the thing encased in lead and concrete.

I haven't read through your post about security (can't right this moment, am doing a paper for an assignment), but I will. I wanted to mention that a friend had told me that my reason for not being able to access my server externally is because there is probably a firewall installed on my cable modem. I do have my router and cable modem separate. Apparently, in order to change firewall settings on the modem, I have to contact my cable company. Does this make sense?

Also, I did install gufw in order to disable/enable firewall settings on my Ubuntu server. Is it okay to use this, or is it preferred to use the command line?

Thanks again.

DC

negativ
14th November 2009, 09:35 AM
"First, we need to log in as root..."

Um, no.

What are you trying to accomplish? What kind of access do you want? That video has you doing it an ugly and cludgy way, and it's not exactly a complete explanation. I assume you have the web server working internally just fine, yes?

Fair warning to you, blasphemer, for I am a noble member of The House of Kludge. You may notice that it's correctly spelT with a 'K'. It is pronounced to rhyme with HUGE and SPOOGE, and I assure you that is no mere coincidence.

I have very few super-powers in my human form, but one that I DO possess is the ability to take YOUR elegant, standards-conforming square-peg source code and mercilessly jack-hammer it into the round-hole swirling cesspool of my own steaming desires.

And I'll never write a single line of comments! mua-hahahhhahahahaaaaa!

Ducky
14th November 2009, 05:49 PM
I haven't read through your post about security (can't right this moment, am doing a paper for an assignment), but I will. I wanted to mention that a friend had told me that my reason for not being able to access my server externally is because there is probably a firewall installed on my cable modem. I do have my router and cable modem separate. Apparently, in order to change firewall settings on the modem, I have to contact my cable company. Does this make sense?

Also, I did install gufw in order to disable/enable firewall settings on my Ubuntu server. Is it okay to use this, or is it preferred to use the command line?

Thanks again.

DC

If you would like to do it graphically, that's fine. I don't have a graphical interface for most of the machines here at home, and do what I need to via command line and ssh. Generally my instructions will be for command line, as it's most comfortable to me.

dc1971
15th November 2009, 12:25 AM
If you would like to do it graphically, that's fine. I don't have a graphical interface for most of the machines here at home, and do what I need to via command line and ssh. Generally my instructions will be for command line, as it's most comfortable to me.

What about the cable modem issue? Does that sound likely? I know that I have the option with my cable provider to swap out their leased modem for one that I could buy at a retail store.

Ducky
15th November 2009, 09:33 AM
What about the cable modem issue? Does that sound likely? I know that I have the option with my cable provider to swap out their leased modem for one that I could buy at a retail store.

That depends on how your cable modem acts. When I was on Comcast it was transparent (i.e. no firewall) and simply passed traffic through. Other cable companies may do it differently and it may actually have a firewall. I don't know. You'd have to check with your provider.