My Old Way

So, after having an uninvited guest traverse my network, I decided to finally secure all of my servers. There's nothing like having someone play with my Philips Hue lights in the dead of the night.

The network was pretty secure, but I had left port 80 forwarded through the firewall because I used to have web servers that sat there. It wasn't one of my proudest moments, but that has been fixed for a very, very long while (well, minus the port forwarding part).

So, after several more VLANs, a ton of ACLs, and moving some IP addresses, I looked good to go...until I started running updates.

None of the servers had access to the internet because it was verboten.

A Little Proxying Goes a Long Way

So, I could open up ports 80 and 443 outbound from the server VLAN. It's a simple enough idea to implement, and I could update every server as often as I'd like. The firewall rule would be easy to create and I could close this issue out.

Then I remembered the flashing of lights---oh how the memory haunts me.

The other method was to place a proxy server on the network and route updates through it: configure something like privoxy or squid with a whitelist of every server that updates could legitimately come from.

Even better, distros like Arch Linux have this awesome mirror list file that contains all of the mirrors you could ever want! Things were looking up with respect to getting this project off the ground.

Another benefit is that it's easier to lock down one server than to lock down all of them. Controlled outbound access through a single proxy is the more secure of the two options.

The Setup

So, we'll tackle this from an Arch Linux perspective since that is what most of my servers run. The assumption is that all of the servers have ports 80 and 443 outbound blocked at the firewall, except for the proxy server.

I used privoxy myself, so this setup will be specific to that software.

Happy Fun Time

  1. Okay, for those who may have never built an Arch Linux server, I'd recommend the install guide.
  2. Install privoxy on to the server.

    sudo pacman -S privoxy
  3. Let's get the server listening on the right IP address. Navigate to the /etc/privoxy directory, as there are files that need editing.

    cd /etc/privoxy
  4. Edit the config file, and search for the listen-address line. By default privoxy binds only to 127.0.0.1:8118, which is useless to the other servers, so replace the IP address with the proxy server's address on the server VLAN (1.2.3.4 below is a placeholder for it). Binding to the VLAN address rather than 0.0.0.0 keeps the proxy off any other interface the box has. Since the proxy now accepts connections from the network, also restrict which clients may use it with the permit-access directive in the same file, so nothing outside the server VLAN can relay through it. The config file has great documentation, which I've also included in the example below.

    #  4. ACCESS CONTROL AND SECURITY
    #  ===============================
    #
    #  This section of the config file controls the security-relevant
    #  aspects of Privoxy's configuration.
    #
    #
    #  4.1. listen-address
    #  ====================
    #
    #  Specifies:
    #
    #      The address and TCP port on which Privoxy will listen for
    #      client requests.
    #
    #  Type of value:
    #
    #      [IP-Address]:Port
    #
    #      [Hostname]:Port
    #
    #  Default value:
    #
    #      127.0.0.1:8118
    #
    #  Effect if unset:
    #
    #      Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is
    #      suitable and recommended for home users who run Privoxy on the
    #      same machine as their browser.
    #
    #  Example:
    #
    #      Suppose you are running Privoxy on a machine which has the
    #      address 192.168.0.1 on your local private network
    #      (192.168.0.0) and has another outside connection with a
    #      different address. You want it to serve requests from inside
    #      only:
    #
    #        listen-address  192.168.0.1:8118
    #
    #      Suppose you are running Privoxy on an IPv6-capable machine and
    #      you want it to listen on the IPv6 address of the loopback
    #      device:
    #
    #        listen-address [::1]:8118
    #
    listen-address  1.2.3.4:8118
  5. Now that we've got that set, open the default.action file. This file is huge and full of great information, but the stock rules are browser ad-blocking and filtering rules that a package proxy doesn't need. We're going to delete the majority of this file because we're using it only to limit outbound connections to a list of servers.

    Delete everything after the #2816708 section. You could probably delete this section as well, but this is where I chopped everything and it works.

    #############################################################################
    # These belong to multimedia files of which Firefox occasionally only
    # requests parts. #2816708
    #############################################################################
    {-filter -deanimate-gifs}
    # Sticky Actions = -filter -deanimate-gifs
    # URL = http://www.example.org/foo/bar.ogg
    # URL = http://www.example.net/bar.ogv
    /.*\.og[gv]$
  6. Now, let's block everything that resembles a website by adding this to the file. The lone / is a path pattern that matches every URL.

    ################################################
    # Block all websites
    ################################################
    { +block }
    / # Block everything
    

  7. Add another section to the default file that allows certain websites out of the proxy. It has to come after the block-everything section: privoxy applies sections in file order and the last match wins, so this {-block} section is what re-opens the listed hosts.

    ################################################
    # Add the "pacman" websites back
    ################################################
    { -block }
  8. So, open up another terminal window and navigate to the /etc/pacman.d directory. We're going to convert the mirrorlist into a list of hosts that we can append to the /etc/privoxy/default.action file. The pipeline below drops commented-out lines (so only the mirrors you actually enabled get through), drops blank lines, and keeps the third slash-separated field of each remaining line, which for Server = https://host/$repo/os/$arch is the host.

    Of course, you could simply pick one server out of the mirror list and add that one. Just make sure the other servers' mirrorlists agree with your choice, or their updates will be blocked.

    grep -v "#" /etc/pacman.d/mirrorlist | grep -v "^$" | cut -d"/" -f3 | sudo tee -a /etc/privoxy/default.action

    The append goes through sudo tee rather than a >> redirect because a redirect runs in your own shell, not as root.
  9. Open up the /etc/privoxy/default.action file, and ensure that the server names were added appropriately by the previous command.

    ################################################
    # Block all websites
    ################################################
    { +block }
    / # Block everything

    ################################################
    # Add the "pacman" websites back
    ################################################
    { -block }
    mirror.f4st.host
    mirror.pseudoform.org
    ftp.halifax.rwth-aachen.de
    archlinux.polymorf.fr
    archlinux.cyborg-connect.de
    mirror.one.com

  10. Now, let's enable the privoxy service and get everything started.

    systemctl enable privoxy
    systemctl start privoxy
  11. We should be able to download updates through the newly created proxy server. We need to tell the OS about the new proxy by exporting variables (again, 1.2.3.4 stands in for the proxy's server-VLAN address). These exports only last for the current shell; to make them stick, put the same lines in /etc/environment. Tools that insist on a scheme accept the same value written as http://1.2.3.4:8118.

    export http_proxy=1.2.3.4:8118
    export https_proxy=$http_proxy
    pacman -Syy
    :: Synchronizing package databases...
     core                               123.5 KiB   281K/s 00:00 [################################] 100%
     extra                             1719.8 KiB   738K/s 00:02 [################################] 100%
     community                            3.7 MiB   638K/s 00:06 [################################] 100%
  12. Enjoy having a proxy server that works! Before calling it done, confirm the allowlist is actually enforced: fetch something that is not a mirror through the proxy and make sure it comes back blocked, not just slow.
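Here's an added example that is not part of the original post: a small shell script that does steps 5 through 9 in one go, turning a pacman mirrorlist into the block-everything and un-block-the-mirrors sections, plus a helper for the check in step 12. It assumes the standard mirrorlist form (Server = https://host/$repo/os/$arch); the mirror hostnames in the sample are made up for the demo, and 1.2.3.4 in the usage line is still the placeholder for the proxy. One difference from the file above: newer privoxy versions expect a reason string on +block (they log an error without one), so the block section is written as +block{...}.

```shell
#!/bin/sh
# Added example (not from the original post): turn a pacman mirrorlist into the
# two privoxy sections used above, i.e. block everything, then un-block the
# mirrors. Assumes the standard mirrorlist form "Server = https://host/$repo/os/$arch".
# Hostnames below are constructed for the demo, not real mirrors.

# Print the host[:port] of every active "Server =" line, deduplicated.
# Reads the file given as $1, or stdin when called without an argument.
# Commented-out mirrors ("#Server = ...") do not match the anchored pattern.
# Splitting on "/" makes field 3 the host part of "Server = https://host/...".
mirror_hosts() {
    awk -F'/' '/^[ \t]*Server[ \t]*=/ { print $3 }' "$@" | sort -u
}

# Emit the default.action fragment: a catch-all {+block} followed by a
# {-block} section listing the mirrors. Order matters: privoxy applies the
# sections top to bottom and the last matching section wins.
render_actions() {
    printf '%s\n' \
        '################################################' \
        '# Block all websites' \
        '################################################' \
        '{+block{Only the pacman mirrors are allowed}}' \
        '/' \
        '' \
        '################################################' \
        '# Add the "pacman" websites back' \
        '################################################' \
        '{-block}'
    mirror_hosts "$@"
}

# Constructed sample mirrorlist: one disabled mirror, one mirror listed over
# both http and https (must collapse to a single host), one on a custom port.
sample_mirrorlist() {
    cat <<'EOF'
## Arch Linux repository mirrorlist (constructed sample)
#Server = http://mirror.example.net/$repo/os/$arch
Server = https://mirror.example.org/archlinux/$repo/os/$arch
Server = http://mirror.example.org/archlinux/$repo/os/$arch
Server = https://alt.example.com:8443/$repo/os/$arch
EOF
}

# Manual check once privoxy is running (not run automatically here):
# $1 = proxy host:port, $2 = URL. A listed mirror should return the mirror's
# own status code; an unlisted host should fail at the proxy instead.
check_proxy() {
    curl -sS -o /dev/null -w '%{http_code}\n' -x "http://$1" "$2"
}

# Demo: render the fragment from the constructed sample.
sample_mirrorlist | render_actions
```

To use it for real: render_actions /etc/pacman.d/mirrorlist | sudo tee -a /etc/privoxy/default.action, then, with privoxy running, compare check_proxy 1.2.3.4:8118 https://<one of your mirrors>/ against check_proxy 1.2.3.4:8118 https://example.com/; the second one should fail at the proxy. For the https mirrors privoxy only ever sees the CONNECT request's host:port, so a bare hostname (or host:port, as for the custom-port mirror) is all the allow section needs.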

Conclusion

It's always a good idea to limit outbound connections. It's preferable to have one server filtering everything than to give every server unfettered access to the wild, wild west of the internet. A box that does get compromised can still talk to whatever is on the allow list, so keep that list short, and watch privoxy's log for blocked requests: a server that keeps trying to reach somewhere it shouldn't is worth a look.

You could also incorporate a majority of this to proxy everything in your network, but that would be another article as I would probably opt for Squid and DansGuardian.

Changelog
2017-01-22
  • Initial release.