It was time for a new project this weekend. Looking around my desk and box of tech goodies two things caught my attention:
- A DLink PCI Ethernet card, that I acquired sometime during my life but never had a purpose for.
- An old WinXP era desktop computer that I picked up from my Aunt when she upgraded to a laptop about 8 years ago.
I decided to do what any sane person would do, and build my own router because let’s be honest, that little box that sits on my desk is mediocre at best. It needs frequent restarting, its DHCP is only adequate, and it doesn’t let me configure DNS.
I am going to go through the steps I followed to complete this project, you can jump to them here. Sources will be listed at the bottom of the page. But first, a little prep.
What is this old computer running on?
- I started up the computer and was welcomed by:
- To which I thought:
- Fsck started up, because yeah it has been over 120 days since last boot, churned for a bit and then errors filled the screen and the hard drive crashed. Oh well, there probably wasn’t anything important on it anyway.
- Into my box of tech goodies again to get another IDE hard drive.
- While I was installing the new hard drive, I also popped the PCI Ethernet card in, and started torrenting Ubuntu 14.04 Server Edition.
  * I know there’s a lot of controversy over the direction that Ubuntu is going recently, and on the desktop edition I would agree, but as far as I’m concerned, the server edition is solid, I like the community resources, and APT package management.
- Before I installed the server OS, I wanted to make sure that the hardware supported the Ethernet card, so I installed a copy of Xubuntu 13.10 onto a USB stick and started up the box with its new HDD and Ethernet card. The BIOS has no option to boot from USB. Ah yes, it’s 10 years old.
- Instead of wasting 2 CDs on disc images which would be obsolete in 6 months, I burned a copy of Plop Boot Manager onto CD so I could always have the option of booting from USB in the future.
- From the Live CD I confirmed that the PCI Ethernet card worked, and then installed the new 14.04 edition from USB.
At this point the fun begins. If you’re following this as a guide, you should have a modern installation of Ubuntu Server Edition (Debian would probably work too, but no guarantees) with 2 Ethernet cards.
NOTE: This document is provided “as is” without warranty of any kind. I take no responsibility for any loss or damage arising from the use of this document.
- My network domain is
- My router’s host name is
- eth0 is my external-facing network card. My ISP expects the following settings:
  * IP:
- eth1 is my internal-facing network card. My router will use the following settings:
  * IP:
Install the stuff
$ sudo apt-get install bind9 isc-dhcp-server ufw fail2ban
- bind9 is the DNS server.
- isc-dhcp-server is the DHCP server.
- ufw is the firewall (really just a front end for iptables).
- fail2ban watches log files and bans IPs that try to brute-force common services on your server.
At this point, disconnect the new box from your existing network before you start any of these services: a second DHCP server on the same LAN will hand out conflicting leases and confuse every client you own.
Configure Network Interfaces
Dynamic Updating DNS
To get DHCP to update DNS automatically, the two services have to share a secret: a TSIG key that dhcpd uses to sign its update requests and that named checks before it accepts a change. Generate one:
$ cd /etc/bind/
$ sudo /usr/sbin/rndc-confgen -a
Treat the key like a password: anyone holding it can push updates into any zone that accepts it, so the file must stay readable only by the daemons that need it.
This will create a file
Create DNS Zones
Copy the sample zone files into /var/lib/bind/ and customise them. They go there rather than staying in /etc/bind/ because named has to write to dynamically updated zones (it keeps a journal next to each one), and on Debian-derived systems /var/lib/bind/ is the directory the bind user and the AppArmor profile allow it to write to.
$ cd /etc/bind/
$ sudo cp db.local db.127 /var/lib/bind/
$ cd /var/lib/bind/
$ sudo chown bind:bind *
$ sudo mv db.local db.lan.example.com
$ sudo mv db.127 db.192
Edit /var/lib/bind/db.lan.example.com to provide forward translation (domain name to IP address).
- lan.example.com is my domain name.
- pegasus.lan.example.com is the FQDN of my router.
- root.lan.example.com is the zone contact: the email address root@lan.example.com written the way the SOA record wants it (the @ becomes a dot). Mail to it reaches the admin user of the router.
- 2014040501 is the date April 5th, 2014 plus 01 for revision 1. Every time this file changes the serial must go up, or a secondary server would never notice the change, so a common convention is date + revision number (the revision covers updating the zone more than once a day).
- NS is the FQDN of your DNS server (this server).
- A is the DNS server’s IP.
$ORIGIN lan.example.com.
- Here is where I specify the addresses and aliases of my other servers.
- Using CNAMEs is contested: resolving one costs the resolver an extra step to chase the target name, so there is some overhead. I use them anyway because they are an effective way of managing growth. Later, when I get more servers, I can replace a CNAME with an A record and pre-existing applications will not break.
Edit /var/lib/bind/db.192 to provide reverse translation (IP address to domain name).
- Note: only A records need an associated PTR record in this file.
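Getting the serial discipline right by hand is the part of zone maintenance people most often slip on, so here is an added example (mine, not code from the original post) of a small POSIX shell helper that computes the next YYYYMMDDNN serial and rewrites it in a zone file laid out like Debian’s db.local. The zone in the demonstration is constructed, and the function names are my own.

```shell
#!/bin/sh
# Serial handling for the zone files in /var/lib/bind/ (added example).
# Serials are YYYYMMDDNN: the date of the change plus a two-digit revision.

# next_serial CURRENT TODAY -> prints the serial to use for the next edit
#   first edit on a new day      -> TODAY01
#   another edit the same day    -> revision + 1
#   zone date ahead of TODAY     -> keep the zone's date, revision + 1, so the
#                                   serial never decreases (a secondary only
#                                   transfers a zone whose serial went up)
next_serial() {
    cur=$1
    today=$2
    case "$cur" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "next_serial: '$cur' is not of the form YYYYMMDDNN" >&2; return 1 ;;
    esac
    cur_date=${cur%??}        # first eight digits
    cur_rev=${cur#????????}   # last two digits
    cur_rev=${cur_rev#0}      # drop a leading zero, or "08" would be read as octal
    if [ "$today" -gt "$cur_date" ]; then
        echo "${today}01"
    elif [ "$cur_rev" -ge 99 ]; then
        echo "next_serial: revision 99 reached for $cur_date; no room left today" >&2
        return 1
    else
        printf '%s%02d\n' "$cur_date" $((cur_rev + 1))
    fi
}

# bump_zone_serial ZONEFILE TODAY -> rewrites the SOA serial in place, prints it
#   Finds the line carrying the "; Serial" comment, the layout of Debian's
#   db.local that the zone files above were copied from.
bump_zone_serial() {
    zone=$1
    today=$2
    old=$(awk 'tolower($0) ~ /;[ \t]*serial/ { print $1; exit }' "$zone")
    if [ -z "$old" ]; then
        echo "bump_zone_serial: no '; Serial' line in $zone" >&2
        return 1
    fi
    new=$(next_serial "$old" "$today") || return 1
    awk -v old="$old" -v new="$new" '
        !replaced && tolower($0) ~ /;[ \t]*serial/ && $1 == old { sub(old, new); replaced = 1 }
        { print }
    ' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}

# Demonstration on a constructed zone file (not the author's real zone).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
$TTL    604800
@       IN      SOA     pegasus.lan.example.com. root.lan.example.com. (
                        2014040501      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
@       IN      NS      pegasus.lan.example.com.
pegasus IN      A       192.168.0.1
EOF
bump_zone_serial "$tmp" 20140405   # second edit that day    -> 2014040502
bump_zone_serial "$tmp" 20140406   # first edit of a new day -> 2014040601
grep -i serial "$tmp"
# If bind9utils is installed, let BIND parse the result as well.
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone lan.example.com "$tmp"
fi
rm -f "$tmp"
```

The refusal to go backwards matters more than it looks: if you ever hand-edit a serial into the future, the helper keeps that date and bumps the revision, because a serial that decreases is silently ignored by any secondary and the zone appears stale forever.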
Edit /etc/default/bind9 and set:
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
And allow traffic from the local network. The source has to be the network in CIDR notation; without a prefix length ufw treats the argument as a single host, so 192.168.0.255 on its own would only match the broadcast address, not the LAN (192.168.0.0/24 here):
$ sudo ufw allow from 192.168.0.0/24
Edit /etc/ufw/sysctl.conf and set the following to turn on packet forwarding between the two interfaces:
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
Edit /etc/default/ufw and set the following:
Edit /etc/ufw/before.rules and add this block to the top of the file, before the
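The page’s own before.rules block is not reproduced here. As an added example that is not the author’s code, the following shell helpers show the standard ufw masquerade recipe for this two-NIC layout and, along the way, why the LAN source of a ufw rule must carry a prefix length. It assumes eth0 as the ISP-facing interface, eth1 as the LAN interface and 192.168.0.0/24 as the LAN; the function names are mine. The rules it produces are only printed, nothing is applied to the running firewall.

```shell
#!/bin/sh
# Helpers for getting the LAN side of the ufw rules right (added example).

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_network A.B.C.D[/N] -> the network the address belongs to, e.g. 192.168.0.0/24
#   Without a prefix length ufw (like iptables) means a single host, so the
#   result is A.B.C.D/32: this is why "allow from 192.168.0.255" is not the LAN.
cidr_network() {
    ip=${1%/*}
    len=${1#*/}
    [ "$len" = "$1" ] && len=32
    mask=$(( len == 0 ? 0 : (0xffffffff << (32 - len)) & 0xffffffff ))
    net=$(( $(ip2int "$ip") & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
                              $(( (net >> 8) & 255 ))  $(( net & 255 )) "$len"
}

# in_cidr A.B.C.D X.Y.Z.W[/N] -> true when the address falls inside the range
in_cidr() {
    case $2 in */*) plen=${2#*/} ;; *) plen=32 ;; esac
    [ "$(cidr_network "$1/$plen")" = "$(cidr_network "$2")" ]
}

# masquerade_block WAN_IF LAN_CIDR -> the *nat table ufw needs in before.rules
#   This is the standard ufw NAT recipe: it sits above the "*filter" line, and
#   together with DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw and the
#   sysctl forwarding switches it rewrites LAN clients' traffic to the WAN
#   address on the way out.
masquerade_block() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $2 -o $1 -j MASQUERADE
COMMIT
EOF
}

# lan_allow_rules LAN_IF LAN_CIDR -> ufw command (printed, not run) that admits
#   LAN traffic only when it arrives on the inside interface, so a packet from
#   the ISP side forging a LAN source address does not match the rule.
lan_allow_rules() {
    echo "ufw allow in on $1 from $2"
}

# Demonstration with the interfaces and addressing assumed in this guide.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=$(cidr_network 192.168.0.1/24)         # -> 192.168.0.0/24
echo "LAN network: $LAN_NET"
in_cidr 192.168.0.77 "$LAN_NET" && echo "192.168.0.77 is inside $LAN_NET"
in_cidr 192.168.0.77 192.168.0.255 || echo "192.168.0.255 alone is one host (/32), not the LAN"
lan_allow_rules "$LAN_IF" "$LAN_NET"
masquerade_block "$WAN_IF" "$LAN_NET"
```

Binding the allow rule to eth1 with `in on` is a small but real improvement over a bare `allow from`: the latter matches on any interface, so whatever shows up on the ISP side claiming a 192.168.0.x source would be let in as if it were a LAN client.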
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Edit /etc/fail2ban/jail.local and enable or disable the jails according to the services this server actually runs. Some log file locations need to be updated.
Severely Ban Persistent Attackers
Taken verbatim from: http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
When Fail2Ban notices in its own log file that an IP has been banned multiple times, ban it for an extra long time.
Add a new file
Edit /etc/fail2ban/jail.local and append the following:
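The recipe above works by treating fail2ban’s own log as just another log to filter. As an added example that is neither the author’s nor the wiki’s code, this shell script reproduces that counting logic over a few constructed fail2ban.log lines (RFC 5737 documentation addresses) so you can see exactly what qualifies an address for the long ban; the function names and the sample lines are mine. fail2ban 0.8.8 and later ship this idea as the recidive jail and filter.

```shell
#!/bin/sh
# Counting repeat offenders in fail2ban's own log (added example).

# sample_log -> constructed fail2ban.log lines, in the format fail2ban 0.8
#   writes for its ban actions (not real traffic; RFC 5737 addresses).
sample_log() {
    cat <<'EOF'
2014-04-04 23:59:59,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
2014-04-05 01:10:02,411 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2014-04-05 01:20:03,002 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7
2014-04-05 02:31:44,870 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2014-04-05 02:41:45,101 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7
2014-04-05 03:05:12,559 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
2014-04-05 04:17:09,318 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2014-04-05 04:17:10,002 fail2ban.actions: WARNING [recidive] Ban 203.0.113.7
EOF
}

# recidivists LOG MAXRETRY SINCE -> "ip count" for every address banned at
#   least MAXRETRY times since SINCE ("YYYY-MM-DD HH:MM:SS"; ISO timestamps
#   compare correctly as plain text). Only "Ban" events from other jails are
#   counted: a ban issued by recidive itself must not feed back into the count,
#   and Unban lines are ignored. LOG may be "-" for standard input.
recidivists() {
    awk -v maxretry="$2" -v since="$3" '
        substr($0, 1, 19) < since { next }
        /fail2ban\.actions:[ \t]+WARNING[ \t]+\[recidive\][ \t]+Ban[ \t]+/ { next }
        /fail2ban\.actions:[ \t]+WARNING[ \t]+\[[^]]+\][ \t]+Ban[ \t]+/ {
            ip = $NF
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) bans[ip]++
        }
        END { for (ip in bans) if (bans[ip] >= maxretry) print ip, bans[ip] }
    ' "$1" | sort
}

# Demonstration: three ssh bans of 203.0.113.7 within the day qualify it for
# the long ban; 198.51.100.23 was banned twice, but only once inside the window.
sample_log | recidivists - 3 '2014-04-05 00:00:00'    # -> 203.0.113.7 3
```

The two exclusions are the part worth copying into any home-grown variant: ignoring Unban lines keeps the count honest, and skipping bans issued by recidive itself stops the jail from reading its own output and re-banning the same address indefinitely.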
Restart the services
Unplug your old router, plug in your new super router and restart the services:
$ sudo service networking restart
$ sudo service bind9 restart
$ sudo service isc-dhcp-server restart
$ sudo service fail2ban restart
$ sudo ufw disable && sudo ufw enable
Disabling and re-enabling ufw is what makes it reload before.rules and apply the sysctl settings. If the networking job complains that it is already running, a known weakness of the 14.04 upstart job, a reboot is the surest way to bring both interfaces up with their new configuration.