pop users can browse my server

Wed, 07 Jun 2000 09:25:21 -0700 

Hi all,

I have given popuser accounts on my 6.0 redhat box
They dial in and get their mail

The other day I found out that a popuser can browse my server
How do I prevent that ?

thanks
Jacob

The script that I use for my dial-in setup is attached.
Title: SETTING UP A PPP/POP DIAL-IN SERVER LG #36

"Linux Gazette...making Linux just a little more fun!"

Setting Up a PPP/POP Dial-in Server USING Red Hat Linux 5.1

By Hassan Ali

DISCLAIMER:

This worked for me. Your mileage may vary!

OBJECTIVES:
To install PPP and POP/IMAP services on a Red Hat Linux 5.1 server for dial-in users.

TOOLS:
Red Hat Linux 5.1 CDs

ASSUMPTIONS:
You have a PC with basic installation of Red Hat Linux 5.1 with a Linux kernel that supports IP forwarding.

STEP 1: Install "mgetty" (if not yet installed) from Red Hat 5.1 CD #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  1. Login as "root", insert Red Hat 5.1 CD #1 in the CD-ROM drive and mount it using the command: 
         # mount -t iso9660 /dev/hdb /mnt/cdrom
    (It is assumed that your CD-ROM drive is device /dev/hdb, if not change it accordingly)
  2. Get to the RPMS directory: 
         # cd /mnt/cdrom/RedHat/RPMS
  3. Install "mgetty" rpm files: 
         # rpm -Uvh mgetty*
    This will install mgetty and all its cousins, but who cares!! If you hate extended family, have your way and replace "mgetty*" with "mgetty-1.1.14-2.i386.rpm".
  4. At the end of /etc/mgetty+sendfax/mgetty.config file, add the following set of three lines for each serial port connected to a modem for dial-in users. Here is an example for /dev/ttyS1 and /dev/ttyC15: 
         # For US Robotics Sportster 28.8 with speaker off
     port ttyS1
     init-chat "" ATZ OK AT&F1M0E1Q0S0=0 OK
     answer-chat "" ATA CONNECT \c \r

     # For Practical Peripheral 14.4 with fax disabled and prolonged
     # carrier wait time (90 sec)
     port ttyC15
     init-chat "" ATZ OK AT&F1M0E1Q0S0=0S7=90+FCLASS=0 OK
     answer-chat "" ATA CONNECT \c \r
    Notes:
    1. AT&F1 sets hardware flow-control mode on many modems. For other modems use appropriate initializations in the init-chat line.
    2. Just in case you wonder why I took as an example a ttyC15 port; well, you may have such a port if you have a multiport serial card. If you need one, I recommend Cyclades cards.
  5. In /etc/mgetty+sendfax/login.config file, search for the line that starts with /AutoPPP/. Make sure that it is not commented (i.e. there is no "#" at the beginning of the line), and edit it to be: 
         /AutoPPP/	-	a_ppp  	/etc/ppp/ppplogin
    If you wish to have users' login names (rather than "a_ppp") to appear in the /var/run/utmp and /var/log/wtmp log files, then the above line should be: 
         /AutoPPP/	-	-	/etc/ppp/ppplogin
  6. In /etc/inittab file, search for the section that runs "getty" processes and add at the end of that section one line of the following form for each modem port. Example here is given for ttyS1 and ttyC15. 
         7:2345:respawn:/sbin/mgetty -x 3 ttyS1
     8:2345:respawn:/sbin/mgetty -x 3 ttyC15
    [the first number (7,8) is arbitrary (in fact I have seen in some cases "s1", "s2", etc, used instead). Just give a different number for each port. And why not you go by the order!!? Me wonders!]
  7. Connect the modems to the serial ports, switch them ON and then initialize "mgetty" with the command: 
         # init q
    NOTE: If you spawn "mgetty" on a serial port with no modem connected to it, or the modem is not switched ON, you'll get lots of error messages in "/var/log/messages" or/and in the other mgetty ("/var/log/log_mg.ttyXX") log files. In fact those error messages may continuosly pop up on your screen. Quite annoying, eh? To avoid this annoyance, each serial port that has no modem connected to it should have its corresponding lines commented out in /etc/inittab and in /etc/mgetty+sendfax/mgetty.config files.

STEP 2: Install PPP (if not installed) from Red Hat 5.1 CD #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  1. If the Red Hat CD #1 is properly mounted (see STEP 1.1), to install PPP type the following command: 
     # rpm -Uvh /mnt/cdrom/RedHat/RPMS/ppp*
  2. Edit /etc/ppp/options files to read as follows: 
         -detach
     crtscts
     netmask 255.255.255.0
     asyncmap 0
     modem
     proxyarp
    NOTES:
    1. Use appropriate netmask for your network. It doesn't have to be 255.255.255.0, in fact in my case it was 255.255.255.224
    2. Read man pages for "pppd" to understand those options.
  3. Edit /etc/ppp/ppplogin file (create it if it doesn't exist) to read as follows: 
         #!/bin/sh
     mesg n
     stty -echo
     /usr/sbin/pppd silent auth -chap +pap login
    Make the file executable using command: 
         # chmod +x /etc/ppp/ppplogin
    NOTE: We're going to use PAP authentication BUT using the ordinary /etc/passwd password file. That's what "+pap login" means.
  4. For each serial port connected to a modem, create a corresponding /etc/ppp/options.ttyXX file, where "XX" is "S1" for ttyS1 port, "S2" for ttyS2 port, "C15" for ttyC15, etc. In one such file put the following line: 
         myhost:ppp01
    where "myhost" is the hostname of the PPP server - change it accordingly to the actual hostname of your Linux box. If you're more forgetful than you can REMEMBER to admit, remind yourself of the hostname of your server using the "hostname" command. 
         # hostname
    The word "ppp01" used above is just an arbitrarily chosen name for the virtual host associated with one of the PPP dial-in lines and its corresponding IP address as defined in /etc/hosts file (to be discussed later). In another /etc/ppp/options.ttyXX file, you may wish to type in the following line: 
         myhost:ppp02
    That is, here you define a different PPP hostname, "ppp02". Use a different hostname for each serial port. You can choose any names that your lil' old heart desires! They don't have to be ppp01, ppp02, ppp03, etc. They can be "junkie", "newbie", "noname", whatever!
  5. Edit /etc/ppp/pap-secrets file and add one line as shown below for each IP address that is to be dynamically assigned to PPP dial-in users. This, of course, assumes that you have a pool of IP addresses that you can assign to your dial-in clients: 
         # Secrets for authentication using PAP
     # client	server		secret		IP addresses
     *		*		""		10.0.0.3
     *		*		""		10.0.0.4
    This says: no PAP secrets (passwords) set for any client from anywhere in the world with the shown IP address. We don't need to use PAP secrets if we will be using /etc/passwd instead. If you are REALLY not paranoid, you can have just one following line that will serve all the IP addresses (yours and your neighbour's!): 
         # Secrets for authentication using PAP
     # client	server		secret		IP addresses
     *		*		""		*
  6. Make /usr/sbin/pppd program setuid "root" by using command: 
         # chmod u+s /usr/sbin/pppd
  7. Edit /etc/hosts file to assign IP addresses to all PPP hostnames you used in STEP 2.4. Use the pool of IP addresses used in STEP 2.5: 
         10.0.0.3	ppp01	ppp01.mydomain.com
     10.0.0.4	ppp02	ppp02.mydomain.com
    NOTE: Replace "mydomain.com" with the actual domain name of your PPP server. Just in case you're confused, I assume your PPP server is "myhost.mydomain.com".

STEP 3: Install POP/IMAP servers (if not installed) from Red Hat 5.1 CD #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  1. With the Red Hat CD #1 properly mounted, issue the following command to install POP and IMAP: 
         # rpm -Uvh /mnt/cdrom/RedHat/RPMS/imap*
  2. Check /etc/inetd.conf file to see if "pop-2", "pop-3", and "imap" service lines are all uncommented. If not, uncomment them (i.e remove the leading "#"). If you only want to support POP3 clients, just uncomment the "pop-3" line. If POP2 and POP3 files are not in the "imap*" RPM file, try to see if you have "ipop*" RPM file and use it instead.
  3. Activate the new services by using command: 
         # kill -HUP `cat /var/run/inetd.pid`

STEP 4: Enable IP fowarding
~~~~~~~~~~~~~~~~~~~~~~~~~~~

  1. If you use the already compiled Linux kernel that comes with Red Hat 5.1, it does normally have support for IP forwarding. If you compile your own Linux kernel, you have to enable "IP: forwarding/gatewaying" networking option during compilation. For RFC compliance, the default bootup process does not enable IP forwarding. Enable IP forwarding by setting it to "yes" in /etc/sysconfig/network file, like so: 
         FORWARD_IPV4=yes
  2. Activate IP forwarding by using command: 
         # echo "1" > /proc/net/ip_forward
    or by rebooting the system.

STEP 5: Test the server
~~~~~~~~~~~~~~~~~~~~~~~

  1. First create users (if not ready). You can give them "/home/username" home directory and "/bin/bash" login shell if you want them to have both "PPP" and shell access. Give them "/home/username" home directory and "/etc/ppp/ppplogin" login program if you want them to have PPP access but not shell access. It's better to use "usercfg" tool to set-up new users. Typical /etc/passwd file entries may be as follows: 
         jodoe:tdgsHjBn/hkg.:509:509:John Doe:/home/jodoe:/bin/bash
     jadoe:t8j/MonJd9kxy:510:510:Jane Doe:/home/jadoe:/etc/ppp/ppplogin
    In this example, John Doe will have both PPP and shell access, while Jane Doe will only have PPP access. If you have just started to wonder how John Doe may have PPP access, the answer lies with the /AutoPPP/ configuration in "mgetty" - it does the magic. Any user that will dial in and talk PPP, mgetty will give him/her the /etc/ppp/ppplogin program.

    So, if John Doe dials-in using Windows 95 dial-up adaptor which is set up to make a PPP connection, mgetty will give John Doe PPP access. If he dials in with any other communication software e.g HyperTerminal, (with no PPP negotiation) he will be given the normal login shell. This will never happen for Jane Doe. She will always be welcome by the "/etc/ppp/ppplogin" program.

    In fact "mgetty" allows you to use the same modem lines for various protocols. For example, your UUCP clients (if you have any) may use the same modem lines as your PPP clients! Of course, you have to give your UUCP clients "/var/spool/uucppublic" home directory and "/usr/sbin/uucico" login program.

  2. Assuming you have a web server (Apache) already setup (it's a piece-a-cake to setup Apache), use a web browser, and a POP e-mail client (e.g Eudora) on a remote PC connected to a modem and a phone line. If it is a Windows 95/98 PC, setup the Dial-up Adaptor appropriately by specifying the IP address of the PPP server as the Gateway, use correct DNS IP address, and specify that the server will assign an IP address automatically. In the POP client (e.g Eudora), set SMTP and POP host as the IP address of the PPP/POP server.

    Now dial-up the server and wait for connection. Test out web browsing, and POP mail sending and receiving. If it doesn't work... something is wrong somewhere ;-)

REFERENCES:

1. PPP-HOWTO 2. NET-3-HOWTO 3. "Using Linux", Bill Ball, published by Que (around US$30 - highly recommended) 4. mgetty documentation

Copyright © 1999, Hassan O. Ali
Published in Issue 36 of Linux Gazette, January 1999

[ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next

Reply via email to