debian lenny ISP

1. Install Lenny base system
2. Install ISP - follow the ISP on Debian
3. Install firewall - shorewall

aptitude install shorewall

In shorewall.conf, disable these log levels (change from → to):
##MACLIST_LOG_LEVEL=info
MACLIST_LOG_LEVEL=
##TCP_FLAGS_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=
##RFC1918_LOG_LEVEL=info
RFC1918_LOG_LEVEL=
SMURF_LOG_LEVEL=info

Copy the one-interface example configuration files into place:

cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall/
rm /etc/shorewall/shorewall.conf.gz

Edit the interfaces file:
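# Use the directory explicitly: after the preceding rm, $_ holds the path of
# the removed shorewall.conf.gz, not the directory, so 'cd $_' fails.
cd /etc/shorewall
vim interfaces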

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Edit the rules file:
-

vim rules

##Ping/DROP     net             $FW

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT          $FW             net             icmp
SSH/ACCEPT     net             $FW
DNS/ACCEPT     net             $FW
SMTP/ACCEPT    net             $FW
SMTPS/ACCEPT    net             $FW
POP3/ACCEPT    net             $FW
POP3S/ACCEPT   net             $FW
IMAP/ACCEPT    net             $FW
IMAPS/ACCEPT   net             $FW
Web/ACCEPT     net             $FW
FTP/ACCEPT     net             $FW
#PORTSENTRY
REDIRECT        net     49999           tcp     23
REDIRECT        net     49999           tcp     111
REDIRECT        net     49999           udp     111
REDIRECT        net     49999           tcp     515
REDIRECT        net     49999           tcp     1080
REDIRECT        net     49999           tcp     1433
REDIRECT        net     49999           tcp     1434
REDIRECT        net     49999           tcp     3128
REDIRECT        net     49999           tcp     12345
REDIRECT        net     49999           tcp     27374

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Check the configuration for errors, then restart the firewall and show the active rules:

shorewall check ./
shorewall restart
shorewall show

And remember to check the default settings, so that the init script is allowed to start shorewall:

vim /etc/default/shorewall

Startup=1

4. Install portsentry

aptitude install portsentry
vim /etc/portsentry/portsentry.ignore.static

127.0.0.1/32
0.0.0.0
78.46.193.35
83.13.191.232/29
188.40.151.160/27

cd /etc/portsentry
cp portsentry.conf portsentry.conf.dist
vim portsentry.conf

TCP_PORTS="49999"
UDP_PORTS="49999"
BLOCK_TCP="2"
KILL_RUN_CMD_FIRST = "1"
KILL_RUN_CMD="/root/bin/portsentry.temp.block $TARGET$ $PORT$"
SCAN_TRIGGER="0"

vim /root/bin/portsentry.temp.block

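#!/bin/bash

# portsentry.temp.block
# Rodolfo J. Paiz <rpaiz@simpaticus.com>
# version 2003.07.01

# Usage: portsentry.temp.block <bad_ip> <bad_port>

# portsentry.temp.block is a small script intended to be run by portsentry
# when its sensors are triggered. It uses iptables (more specifically, it
# uses the dynamic blacklisting capabilities of Shorewall) to deny all
# access to the server from the attacking host. Then, a set time interval
# later, the block is removed.
#
# This script can also be run directly if desired, although this is not a
# common form of usage.
#
# Experience shows that most attacks come from dial-up IP addresses, so
# blocking them permanently gives no real benefit, and removing them
# keeps our blocking table from becoming huge.
#
# Both arguments arrive from an external program (portsentry's $TARGET$ and
# $PORT$ substitution) and are handed on to shorewall, at and mail. They are
# therefore validated first: only a dotted-quad IPv4 address and a numeric
# port are accepted, which keeps shell metacharacters out of the command
# text queued with at and out of the mail subject.
#
# Exit status: 2 on bad arguments, 1 if shorewall refused the drop,
# otherwise the status of the final mail pipeline.

# Set appropriate variables (easy to customize on different systems).
# NB: HOSTNAME shadows bash's own HOSTNAME variable; that is intended here,
# it is only used in the mail subject.
DROP_INTERVAL_DAYS=5
HOSTNAME="petabit.pl"
NOTIFY_EMAIL="admin@petabit.pl"

# Get the attacker's IP address and probed port from the command
# parameters. DO NOT CHANGE THIS!
BAD_IP=$1
BAD_PORT=$2

# Refuse anything that is not a plain IPv4 address and a port number.
if [[ ! "$BAD_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  printf 'portsentry.temp.block: invalid IP address: %s\n' "$BAD_IP" >&2
  exit 2
fi
if [[ ! "$BAD_PORT" =~ ^[0-9]{1,5}$ ]]; then
  printf 'portsentry.temp.block: invalid port: %s\n' "$BAD_PORT" >&2
  exit 2
fi

# Block the bad guy. Stop here if shorewall refuses, so we neither queue an
# 'allow' for a host that was never dropped nor mail a notice claiming it was.
if ! /sbin/shorewall drop "$BAD_IP"; then
  printf 'portsentry.temp.block: shorewall drop %s failed\n' "$BAD_IP" >&2
  exit 1
fi
/sbin/shorewall save

# Unblock him X days after midnight tonight.
printf '/sbin/shorewall allow %s\n' "$BAD_IP" \
  | at midnight + "$DROP_INTERVAL_DAYS" days

# Mail me a note to notify me of each block.
# TEMPORARILY ENABLED.

resolved=$(host "$BAD_IP")
now=$(date)
# 'at -l' lists every pending at job on this host, not only the unblock
# jobs, so this count is an upper bound (same as the original message).
blocked=$(at -l | wc -l)
printf '%s\n' "Portsentry has blocked $BAD_IP ($resolved) on $now, \
from now until $DROP_INTERVAL_DAYS days from midnight tonight. At this \
point $blocked hosts are blocked ." \
  | mail -s "$HOSTNAME: Portsentry blocked $BAD_IP on $BAD_PORT" "$NOTIFY_EMAIL"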

chmod u+x /root/bin/portsentry.temp.block
/etc/init.d/portsentry restart

5. Install fail2ban

aptitude install fail2ban
vim /etc/fail2ban/jail.conf

http://isp-control.net/documentation/howto:security:make_ispcp_more_secure

6. Make ispCP more Secure
follow the instructions for securing ispCP (see the isp-control.net link above)

7. Install openVPN

aptitude install openvpn

vim /etc/network/interfaces
up ip addr add 83.13.191.235/29 brd 83.13.191.239 dev eth3 label eth3:0