System Web Pages

This group of web pages is designed to help you administer and control the IPCop server itself. To get to these web pages, select System from the tab bar at the top of the screen. The following choices will appear in a dropdown:

Updates AW

This page has three sections:

  1. Shows your current patch level.

  2. Informs you of new patches available.

  3. Allows you to apply a given patch.

Every time you connect to the Internet, IPCop will check for any new updates that may be available. You may also check manually by clicking the Refresh update list button. When a new patch is available, you will see a short description on screen and a link for more information. Follow the “Info” link to reach a page with all relevant information about the patch, including a download link.

Downloading the patch will place it on the machine you are running your web browser on, not the IPCop machine. Once you have downloaded the patch simply use the Update page to Browse to where you saved it and then Upload the patch to apply it to your IPCop server.

Note

The Opera web browser does not handle uploads properly and thus should not be used for applying a patch to your IPCop server.

Note

Only IPCop official patches will actually install on your IPCop server. Some patches may automatically reboot your IPCop server, so please read all patch information thoroughly before applying said patch.

Passwords

The Passwords subsection of this AW is present to allow you to change the Admin and/or Dial User passwords, as you deem necessary. Simply enter the desired password once in each field for the User you wish to update and click on Save.

Entering the Dial password activates the Dial user ID. This special user has the ability to use the buttons on the IPCop Home web page but cannot get to any other IPCop web pages. Use this facility if you have a dial up connection and want to allow users to connect to the Internet, but not have admin authority on the firewall.

SSH Access

The SSH subsection of this AW allows you to decide if remote SSH access is available on your IPCop server or not. By placing a checkmark in the box you will activate remote SSH access. It is also possible to configure several SSH daemon parameters from this web page. The SSH option is disabled by default and we would advise enabling it only as needed and then disabling it afterwards.

Figure 2.1. SSH Access and SSH Host Keys

Similar to the HTTP and HTTPS ports for the IPCop machine being switched to ports 81 and 445, the SSH port on the IPCop machine is switched to 222. If you are using a GUI based application to access your IPCop machine, remember to specify port 222. If you are using the ssh, scp or sftp commands, the syntax for specifying non-standard ports is different for each command, even though they are related. Assuming your IPCop machine is at IP address 192.168.254.1, the commands would be:

SSH

ssh -p 222 root@192.168.254.1
                        

SCP

scp -P 222 some/file root@192.168.254.1:
                        

SFTP

sftp -o port=222 root@192.168.254.1
                        

Use your desktop machine's man pages to get a more complete explanation of these commands.

SSH Options

The following SSH options are available from the web page:

Enabled:

Checking this box enables SSH. Unless you use external access, SSH will only be available from the GREEN network. With SSH enabled, it is possible for anyone with the IPCop root password to log into your firewall at the command prompt.

Support SSH protocol version 1 (required only for old clients)

Checking this box enables support of SSH version 1 clients. Use of this option is strongly discouraged. There are known vulnerabilities with SSH version 1. Use this option only for temporary access, if you only have SSH version 1 clients and there is no way to upgrade to SSH version 2. Most, if not all, of the current SSH clients support version 2. Upgrade your clients if at all possible.

Allow TCP Forwarding

Checking this box allows you to create SSH encrypted tunnels between machines inside your firewall and external users.

What use is this when IPCop already has a VPN?

You are on the road and something goes wrong with one of your servers. You haven't set up a road warrior VPN connection. If you know your IPCop root password, you can use SSH port forwarding to get through your firewall and get access to a server on one of your protected networks. The next few paragraphs discuss how to do this, assuming you have a Telnet server running on an internal computer at 10.0.0.20. They also assume your remote machine is a Linux machine. The PuTTY SSH client on Windows has the same capabilities, but they are accessed via dialog boxes. You may already have done one or more of the first two steps.

  1. Enable or have someone else enable external access for port 445, the HTTPS port.

  2. Use the IPCop web pages to enable SSH access, port forwarding and external access for port 222.

  3. Create an SSH tunnel between your remote machine and the internal server running an SSH daemon by issuing the command:

    ssh -p 222 -N -f -L 12345:10.0.0.20:23 root@ipcop
                                        
    -p 222

    IPCop listens for SSH on port 222, not the normal 22.

    -N

    in conjunction with -f, tells SSH to run in the background without terminating. If you use this option, you will have to remember to use kill to terminate the SSH process. As an alternative, you may want to add the command sleep 100 to the end of the command line, and not use the -N option. If you do this the SSH invoked by the ssh command will terminate after 100 seconds, but the telnet session and its tunnel will not terminate.

    -f

    option to run SSH in the background.

    -L

    tells SSH to build a port forwarding tunnel as specified by the next parameters.

    12345

    The local port that will be used to tunnel to the remote service. This should be greater than 1024, otherwise you must be running as root to bind to well known ports.

    10.0.0.20

    This is the GREEN address of the remote server.

    23

    This specifies the remote port number to be used, Telnet.

    root@ipcop.fqn

    Finally, this specifies you will be using your IPCop firewall as the port forwarding agent. You need a user ID to log in as, and the only one available on IPCop is root. You will be prompted for IPCop's root password.

  4. Finally, log into the remote Telnet using the tunnel.

    telnet localhost 12345
                                        

    localhost is the machine you are running on. The loopback address 127.0.0.1 is defined as localhost. 12345 is the local tunnel port specified on the previous command.

There is a tutorial on SSH port forwarding at Dev Shed.

Allow password based authentication

Allows users to log into the IPCop server using the root password. If you decide to turn this off, set up your SSH key files first, and then verify you can log in using your key files.

Allow public key based authentication

By checking this box, public key authentication can be used by SSH. This is the preferred method of securing IPCop using SSH. This article has a discussion about using ssh-keygen to generate RSA keys and how to use them with SSH.
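
The following check is an added example, not IPCop's own code. It audits sshd_config text against the advice given for the options above. It assumes the web page options correspond to the standard OpenSSH keywords Port, Protocol, AllowTcpForwarding, PasswordAuthentication and PubkeyAuthentication; the sample configuration is constructed for illustration.

```shell
#!/bin/sh
# Audit sshd_config text read from stdin.
# WARN = setting this page advises against, INFO = setting worth knowing about.
# Assumption: the web checkboxes map to these standard OpenSSH keywords.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            key = tolower($1)                # keywords are case-insensitive
            if (key in seen) next            # sshd keeps the first value it reads
            seen[key] = 1
            val[key] = tolower($2)
        }
        END {
            # Protocol may be "2", "1" or a list such as "2,1".
            # A missing Protocol line is not flagged: the default varies by version.
            if (val["protocol"] ~ /(^|,)1(,|$)/)
                print "WARN protocol-1-enabled"
            # OpenSSH allows passwords unless told otherwise.
            if (val["passwordauthentication"] != "no")
                print "WARN password-auth-enabled"
            if (val["pubkeyauthentication"] == "no")
                print "WARN pubkey-auth-disabled"
            # Forwarding is on by default in OpenSSH.
            if (val["allowtcpforwarding"] != "no")
                print "INFO tcp-forwarding-enabled"
            if (val["port"] != "222")
                print "INFO port-not-222"
        }
    '
}

# Constructed sample: every option on the web page switched on.
sample_permissive() {
    cat <<'EOF'
Port 222
Protocol 2,1
AllowTcpForwarding yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
}

sample_permissive | audit_sshd_config
```

A configuration with protocol 2 only, key-only logins and forwarding switched off produces no output.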

SSH Host Keys

This section lists the host key fingerprints used by SSH on IPCop to verify you are opening a session with the right machine. The first time a session is opened, one of the fingerprints will be displayed by SSH and you will be asked to verify it's correct. If you wish, you can verify it by looking at this web page.

GUI Settings

This web page governs how the IPCop web pages function and appear.

After making any changes, remember to press the Save button.

To restore the default settings, press the Restore defaults button, then press the Save button.

Figure 2.2. GUI Settings

Display

Enable Javascript: The 1.4.0 administrative web pages use JavaScript extensively to provide an improved look and feel. However, some browsers do not work properly with JavaScript. If this button is not checked, the various drop down menus will be disabled and your choices on any page will appear across the top of the page.

Display hostname in window title: This checkbox will turn on the display of an IPCop's hostname at the top of each web page. If you are maintaining more than one IPCop machine, this will be advantageous, since you will be able to tell which machine your browser is currently displaying.

Refresh index.cgi page whilst connected: By default, the Home page refreshes once when IPCop connects to the Internet, and a manual click on the “Refresh” button forces the Home page to update with the latest connection time. Enabling this option forces the Home page to refresh every 30 seconds, so the connection time is regularly updated, and if the connection drops due to lack of demand, the “Dial on Demand waiting” status message will appear.

Select the language you wish IPCop to display in: This drop down menu lets you choose which of the 34 languages currently available for IPCop web pages this IPCop will use for its display. You can also select the language to be used by IPCop during installation. However, your desired language may not be available during installation. The IPCop translation group is planning on making more languages available as volunteers aid the translation effort. When new languages become available, they are added via the regular system updates. Of course, you may wish to translate IPCop to another language yourself. If you do, we urge you to contact the IPCop Translation Coordinator, Eric Oberlander, first. He may be aware of on-going translation projects for your language. Please check the IPCop How To Translate web page for more details.

Sound

Beep when IPCop connects or disconnects: By default, IPCop will beep once when it connects, and twice when it disconnects. Disable this option for silent operation. This does not affect the chimes on startup and shutdown.

Backup Web Page

v1.4.11

The Backup Web Page was overhauled in v1.4.11, and the changes include:

  • The new backup supports USB keys.

  • Unencrypted backups were removed for security reasons.

  • Export of backup.key

    The key is encrypted with a 'backup' password, which is needed for reinstallation. The hostname is included in the exported key file.

  • backup.dat now includes the hostname and timestamp of the backup.

    Before reinstalling, remove the timestamp from the filename you want to use for the restore.

    A comment field is available for each backup. The comment will be restored on backup upload (if available).

  • Floppy backup

    Display size used. Check that backup is not too big. Display errors for bad floppy, missing disk etc.

Figure 2.3. Backup

Backup to Floppy

The top section of the panel of the Backup Web Page will let you back up your IPCop configuration to a floppy disk. The only current way to restore your configuration from a floppy is to re-install IPCop from CD-ROM or HTTP/FTP. Early in the installation process, you will be asked if you have a floppy with an IPCop system configuration on it. Your configuration will be restored and installation will terminate.

Place a floppy disk in the floppy disk drive and click the Backup to floppy button. Your configuration will be written to the floppy and verified.

Information

All error messages and any information generated during a backup will appear at the foot of the panel.

Backup to Files

The rest of the panel allows you to create multiple Backup Sets, and to select different media onto which you can save the files. The default is IPCop's hard drive, but removable usb-stick devices are supported.

For security, backups created on the Backup Web Page are encrypted using your 'backup' password. To be safe, enter your backup password and export the backup key, using the button provided, in addition to exporting your backups. You will need the backup key if you want to install from a usb-stick, or if you need to restore settings after a hard disk failure.

To import a backup during IPCop installation, you will be prompted for your backup key.

Note: Backup password

There is a new menu item in the setup command to enter your 'backup' password which you will have found if you have done a fresh installation. If you are upgrading, you can re-run setup to do this.

Log in as root, via the console, or with PuTTY or ssh on port 222 on your IPCop v1.4.11 firewall.

Enter setup on the command line. Select the 'backup' password menu item and enter a password. Password length is a minimum of 6 characters. Exit the command and log off.

Export backup key

To use the new Web Backup Key Export, do the following:

  1. Set a 'backup' password.

  2. On the Backup Web page type this password in the appropriate field. The key is exported encrypted and you have to choose where to write the file when you click the Export backup key button.

  3. Create a backup and export the .dat (you don't need to fill in the 'backup' password field this time).

    You now have everything you need to be able to install a system configuration from a usb key, or http/ftp server.

  4. Write the .dat file, without the timestamp in the name, and the encrypted key file on the media you want to use to restore from (usb key or http/ftp server), and the restore will work if you type the right 'backup' password and the hostname matches the encrypted key and the .dat file's name.

Shutdown Web Page

This page allows you to either Shutdown or Reboot the IPCop server. You can simply click the button for the option you want, or schedule a cronjob to reboot or shutdown IPCop at a particular time.

Figure 2.4. Shutdown and Schedule Reboots

Shutdown

Press one of the Reboot or Shutdown buttons to immediately reboot or halt the IPCop server.

Schedule IPCop reboots

The ability to schedule reboots or shutdowns was added in version 1.4.10. A cronjob is added to root's crontab. To schedule IPCop to reboot once a day on a regular schedule, select the time from the drop down menu; check the day (or days) you require; select Reboot or Shutdown; and press the Save button.

To remove a schedule, clear (uncheck) all the checkboxes and press the Save button.