Ziltoid

From CSLabsWiki
IP Address(es): 128.153.145.2
Contact Person: Xperia64
Last Update: October 2016
Services: Various


Hostname: ziltoid.cslabs.clarkson.edu
Operating system: Debian 8.3
NIC 1: Clarkson Network
MAC: 0c:c4:7a:41:a7:bc
IP: 128.153.145.2
NIC 2: Clarkson Network
MAC: 0c:c4:7a:41:a7:bd
IP: Not Applicable
CPU: Intel Xeon CPU E3-1220 V2 @ 3.10GHz
RAM: 4 GB


Ziltoid is our latest ssh gateway box/firewall, following in the footsteps of (chronologically): Isengard, Mordor, Zuul and Zuko. But hopefully mostly Isengard.

The IP address allocated for Ziltoid is 128.153.145.2, necessitated by the fact that OIT's router for our subnets already occupies 128.153.144.1 and 128.153.145.1.

Setup

Start with a base 8.3.0 Debian install, follow the Kerberos setup instructions, and perform the following modifications:

Packages

The following must be uninstalled:

   rdnssd

The following can be uninstalled:

   nfs-client gcc-4.8-base ispell wamerican libthai-data
   libgtk2.0-0 libthai0 mlocate laptop-detect sgml-base debian-faq reportbug libwww-robotrules-perl 
   aptitude m4 man-db texinfo file mutt os-prober sensible-utils installation-report install-info manpages

The following should be installed:

   tcpdump nmap lm-sensors bridge-utils iptables iptables-persistent traceroute memtest86+

Network Config

This is the current /etc/network/interfaces file:

   source /etc/network/interfaces.d/*
   # The loopback network interface
   auto lo
   iface lo inet loopback
   # To output switch
   iface eth1 inet manual
   # From input switch
   iface eth3 inet manual
   auto br0
   iface br0 inet static
       bridge_ports eth3 eth1
       bridge_stp off
       address 128.153.145.2
       netmask 255.255.254.0
       gateway 128.153.145.1
       broadcast 128.153.145.255
       dns-search cslabs.clarkson.edu
       dns-nameservers 128.153.145.3

iptables Firewall

   # Generated by iptables-save v1.4.21 on Fri Mar 25 19:14:27 2016
   *filter
   :INPUT ACCEPT [132:9112]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [72:6652]
   -A FORWARD -s 128.153.144.0/23 -j ACCEPT
   -A FORWARD -d 128.153.145.0/24 -j ACCEPT
   -A FORWARD -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
   -A FORWARD -p tcp -j DROP
   COMMIT
   # Completed on Fri Mar 25 19:14:27 2016
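To make the effect of the four FORWARD rules above concrete, here is a small rule-walking simulation (added here; not part of the original wiki page or the box's configuration) that hard-codes the chain and evaluates a few constructed sample packets crossing the bridge. It shows that new inbound TCP to 128.153.144.x is dropped while 128.153.145.x is reachable, and that the final DROP only covers TCP, so non-TCP forwarded traffic falls through to the chain's ACCEPT policy.

```python
import ipaddress

# FORWARD chain as in the page's iptables-save output; the chain policy is ACCEPT.
FORWARD_POLICY = "ACCEPT"
FORWARD_RULES = [
    {"src": "128.153.144.0/23", "target": "ACCEPT"},
    {"dst": "128.153.145.0/24", "target": "ACCEPT"},
    {"proto": "tcp", "ctstate": "ESTABLISHED", "target": "ACCEPT"},
    {"proto": "tcp", "target": "DROP"},
]

def rule_matches(rule, pkt):
    """Every match clause present in the rule must hold for the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "ctstate" in rule and pkt["ctstate"] != rule["ctstate"]:
        return False
    return True

def forward_verdict(pkt):
    """Walk the chain top to bottom; first match wins, else the policy applies."""
    for rule in FORWARD_RULES:
        if rule_matches(rule, pkt):
            return rule["target"]
    return FORWARD_POLICY

# Constructed sample packets (not from the page) as they would cross the br0 bridge.
SAMPLES = {
    "outbound_new_tcp": {"src": "128.153.144.10", "dst": "203.0.113.5", "proto": "tcp", "ctstate": "NEW"},
    "inbound_new_tcp_to_145": {"src": "203.0.113.5", "dst": "128.153.145.3", "proto": "tcp", "ctstate": "NEW"},
    "inbound_new_tcp_to_144": {"src": "203.0.113.5", "dst": "128.153.144.10", "proto": "tcp", "ctstate": "NEW"},
    "inbound_reply_tcp_to_144": {"src": "203.0.113.5", "dst": "128.153.144.10", "proto": "tcp", "ctstate": "ESTABLISHED"},
    "inbound_new_udp_to_144": {"src": "203.0.113.5", "dst": "128.153.144.10", "proto": "udp", "ctstate": "NEW"},
}

def verdicts():
    """Verdict per sample; the UDP case shows the TCP-only DROP letting other protocols through."""
    return {name: forward_verdict(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26} -> {verdict}")
```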

sshd Config

Disable sftp via this:

   Subsystem sftp /bin/false #/usr/lib/openssh/sftp-server

And block LDAP users from executing commands (they may still use TCP forwarding):

   Match Group users
           AllowTCPForwarding yes
           X11Forwarding no
           ForceCommand /bin/false