These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Install Scripts

Classnotes | UNIX03 | RecentChanges | Preferences

blockip

One of the first things we need to do is install the blockip shell script. The file can be found on the CD-ROM in the book/crackertrap/ directory. The specific version we will be using is blockip.tables.csh. We will want to copy this file into our home directory as blockip to work on.

Next, we need to edit this file to fit our system. There is a CUSTOMIZE section near the beginning of the script where we specify the settings specific to our network.

 # CUSTOMIZE
 # Who to notify by email (typically work and home addresses)   
 # Best to define warnme & warnmepage in
 # /etc/mail/aliases and do newaliases
 set email="warnme"

This first entry specifies the e-mail address to send warnings to. You do not want this to be root; it is best to make it one of your administrators' non-root accounts, since mail to root often goes unread.

 # CUSTOMIZE
 # Who to page for new intruders (comment out to disable)
 # Best to define warnme & warnmepage in
 # /etc/mail/aliases and do newaliases
 set pagenew="warnmepage"

Similar to the first, this specifies whom we will send a page warning to. If your system is not set up to send pages, then this will simply deliver to another mail account. NOTE: If you set these to the same account, you will get two different e-mail warnings for each potential attack on your system!

 # CUSTOMIZE
 # What services NOT to page for
 # (because scans are so common)
 set pageskip=(Zftp Zmail Zhttp)

This specifies which services we do not page for (because they are so common, and you don't want to become inundated with pages, do you?) Normal e-mails will still be sent.

 # CUSTOMIZE
 # Normally just locks out the attacking
 # system (set lckmsk=""). Uncomment
 # the other line (set lckmsk="/24") to
 # lock out the entire 256 block of
 # addresses if you're worried about multiple systems
 # in the attacking organization getting compromised
 set lckmsk=""
 #set lckmsk="/24"

The default setting here specifies that we want to block an individual IP (the IP of the potential attacker). If we were worried that other hosts in the attacker's network might also be compromised and used against us, we would instead uncomment the second line, which blocks the attacker's entire /24 (256 addresses). Be aware that a /24 block also locks out every innocent host in that range, so only use it when you are willing to accept that.

 # CUSTOMIZE
 # Sound file to send to speakers
 #set soundf=/etc/attack.au

 # CUSTOMIZE
 # Cmd to send sound to local system (comment out to disable)
 # set lcl_sound="cp $soundf /dev/audio"

 # CUSTOMIZE
 # Cmd to send sound to remote system
 # (comment out to disable)
 # Use separate unprivileged account, e.g.,
 # sound with SSH public key and
 # /dev/audio owned by sound mode 222
 # set rmt_sound="scp $soundf sound@laptop:/dev/audio"

 # CUSTOMIZE
 # Cmd: flash lights w/ X10 Firecracker (comment out to disable)
 # "br" is the Linux BottleRocket program (on CD-ROM)
 <snip>
 # set lcl_lights="br -r 3 -x /dev/ttyS0 -c A -f1,2,3 -n1,2,3"

These settings are for various auditory and visual alerts that you could enable; they are all commented out by default.

 # CUSTOMIZE
 # Specify full path for your mail program
 <snip>
 #Bob set mailprog=/bin/Mail?
 set mailprog=/bin/mail

You will have to edit this to point to the correct mail program on your system. Likewise, you will have to fix any other paths that do not match your system, such as this one that calls the arp command:

 set mac="`/usr/sbin/arp -v <snip>

And you will have to fix the lines that point to /etc/rc.d so that they point to wherever your Linux distro places its init files (Debian places them in /etc/init.d):

 echo "" >> /etc/init.d/fw.trouble

and the similar lines below it.

Install the scripts

Next, we must install the scripts. We first install blockip into /usr/sbin:

 # cp blockip /usr/sbin/blockip
 # chmod 755 /usr/sbin/blockip
 # ls -l /usr/sbin/blockip
 -rwxr-xr-x    1 root     root   14040 Jun 20 18:53 /usr/sbin/blockip

(As a hint, you can also get this file from: http://einstein.physics.arizona.edu/~hart/class/)

We also copy fw.trouble from the CD-ROM into /etc/init.d. This is the file in which blockip stores its IP information (the block rules it has added), and it should be sourced at boot so that the blocks survive a reboot. On Debian, link it from /etc/rcS.d with a high sequence number so that it runs near the end of boot, after the network and your main firewall rules are up (a firewall script that flushes the tables would otherwise wipe the blocks out).

Finally, we will install the blockiptest script from the CD-ROM into /usr/local/bin. This script allows us to test our system once it has been set up.
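To make the CUSTOMIZE settings above concrete, here is an added example (written for these notes; it is not the blockip script from the CD-ROM) that models in POSIX sh what the script does with lckmsk, pageskip, and the fw.trouble file once a trapped connection hands it an attacker's address. The function names, the FW_TROUBLE and DRY_RUN variables, the service name Ztelnet and the addresses in 203.0.113.0/24 are all assumptions for the example; the exact iptables rule blockip adds is whatever the real script contains. The one thing it does that the original notes do not mention is validate the address before it reaches a command line, since that address is chosen by the attacker.

```shell
#!/bin/sh
# Added example, not the blockip script itself: a small model of its decision
# path using the CUSTOMIZE settings from the notes. Assumptions (not from the
# notes): attacker address is $1, trapped service name is $2, FW_TROUBLE is a
# writable stand-in for /etc/init.d/fw.trouble, DRY_RUN=1 prints iptables
# commands instead of running them.

email="warnme"               # who gets the e-mail warning
pagenew="warnmepage"         # who gets paged for a new intruder
lckmsk=""                    # "" = block one host, "/24" = block its whole /24
pageskip="Zftp Zmail Zhttp"  # services too noisy to page for
FW_TROUBLE="${FW_TROUBLE:-/tmp/fw.trouble.example}"
DRY_RUN="${DRY_RUN:-1}"

# valid_ip4 ADDR: accept only a dotted quad of four 0-255 octets. The address
# comes from an attacker-controlled connection, so anything else (shell
# metacharacters, globs, extra fields) is rejected before it is used.
# Runs in a subshell so the IFS and set -f changes stay local.
valid_ip4() (
    set -f
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# block_target ADDR: the address or prefix to lock out, according to lckmsk.
block_target() {
    case $lckmsk in
        "")  echo "$1";;
        /24) echo "${1%.*}.0/24";;
        *)   echo "unsupported lckmsk '$lckmsk'" >&2; return 1;;
    esac
}

# drop_rule TARGET: an iptables command of the kind blockip adds, inserted at
# the top of INPUT so it takes precedence over any accept rule.
drop_rule() {
    echo "/sbin/iptables -I INPUT -s $1 -j DROP"
}

# record_block TARGET: append the rule to the fw.trouble-style file exactly
# once, so repeat hits from the same attacker do not pile up duplicate rules
# that would all be re-run at boot. Returns 1 if the rule was already there.
record_block() {
    rule=$(drop_rule "$1")
    touch "$FW_TROUBLE"
    if grep -qxF "$rule" "$FW_TROUBLE"; then
        return 1
    fi
    printf '%s\n' "$rule" >> "$FW_TROUBLE"
}

# apply_block TARGET: run (or under DRY_RUN print) the rule, then record it.
# Returns 0 only when the block is new.
apply_block() {
    rule=$(drop_rule "$1")
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $rule"; else $rule; fi
    record_block "$1"
}

# should_page SERVICE: page unless the service is listed in pageskip.
should_page() {
    for s in $pageskip; do
        [ "$s" = "$1" ] && return 1
    done
    return 0
}

# blockip_main ADDR SERVICE: the end-to-end path for one trapped connection.
blockip_main() {
    valid_ip4 "$1" || { echo "refusing to block malformed address '$1'" >&2; return 2; }
    target=$(block_target "$1") || return 2
    if apply_block "$target"; then
        echo "new intruder $1 via $2: blocked $target, mailing $email"
        should_page "$2" && echo "paging $pagenew"
    else
        echo "$target already blocked, mailing $email only"
    fi
    return 0
}

# Usage: ./example.sh 203.0.113.7 Ztelnet   (constructed address and service)
if [ -n "${1:-}" ]; then blockip_main "$1" "${2:-Ztelnet}"; fi
```

Run it twice with the same address and DRY_RUN left at 1: the first run prints the iptables command and appends it to the stand-in fw.trouble file, the second reports the target as already blocked and leaves the file unchanged. Setting lckmsk="/24" before the call shows the whole-netblock form of the rule.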



Last edited October 18, 2003 8:33 pm
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.