Ever wonder how you could get a solid Security Enhanced Enterprise Grade Linux Router/Server with ftp, apache, traffic shaping, pop-up blocker, content filter, intrusion detection/prevention, and other nice handy tools that every robust server should have…and here’s the kicker…installed and running in about 30 minutes in your home? I know quite a few friends of mine that went out and bought routers from brand names like Linksys, Dlink, and Netgear and then bragged about how cool their new router was (especially concerning ‘gaming routers’. Good lord that’s a con). I then showed them that their router was hackable within a few minutes because most of them didn’t change their default password. It’s interesting also that their routers didn’t do a whole heckuva lot other than route traffic…without throttling or intrusion prevention/detection. On those that were wireless…after some intense packet sniffing, I logged into their network and began surfing the web.
The bottom line is…most routers, if not configured correctly and used to full potential, are wide open and provide only a few functions. If you’re like me, this just won’t do. To combat this in the past, I used to use Red Hat 7.2 on a PI 75Mhz like an appliance to provide DHCP addresses for the LAN and a tidy firewall via ipchains and later iptables. Now there is a Linux distro that is more robust, more organized, and much more dynamic than most Linux router/server configured systems and it provides MANY functions. That distro is ClarkConnect. Today, I’m going to take a look at ClarkConnect 3.2 and show you how you can secure your network using its web interface and excellent administration tools.
ClarkConnect is based on CentOS 4.X and offers a very robust set of tools organized into easy to navigate administration pages. The administration pages are very similar to those that you would find with IPCOP and Smoothwall. However, ClarkConnect throws in extras such as the ability to use Samba and set it up as a PDC (Primary Domain Controller), 2 click updates, a caching dns server, a transparent proxy to speed up web surfing, a pop up blocker built into the proxy, dansguardian with blacklisting, online log viewer…there just is a list of features WAY to long to list here. So I’ll link to the features page and you can read a few more things for yourself. Also, if you’re wondering Point Clark Network’s take on community and open source, please read this page. They’re committed to community AND open source.
I started using ClarkConnect at version 2.0. Back then, they used Red Hat Linux as their base. Today, they’ve ported over to CentOS packages…which are Red Hat Enterprise Linux binaries repackaged by the CentOS project. All in all, I’ve been extremely pleased with the performance and handy web interface ClarkConnect provides which enables me to monitor my home network from afar. One thing that truly impresses me is that the home version remains free and open source despite the rise in business that ClarkConnect is currently enjoying. The people at Point Clark networks have a strong sense of community and they are continuously helping in the forums. They are to be commended for keeping this version available to home users! Any problems you might have with CC can be and will be addressed in the community forums. If you get lost or need to understand something better at anytime, please check the userguides at clarkconnect.com. You can also download the Quickstart Guide to get things rolling as well.
You can download and burn the 3.2 Home version of ClarkConnect (or CC as it is commonly referred). When installing, you’ll be greeted by a variation of the old Red Hat Anaconda text installer. It’s relatively easy to follow and hardware detection is superb…although I’ve found some older computers (think 266Mhz 🙂 ) do have a bit of trouble with the newer kernel (2.6 branch). I’ll assume that you can get it installed and up and running. Please be advised that in order to route traffic on your LAN, you’ll need at least two Network Cards in the computer you’ll be installing ClarkConnect on (see requirements)…one for internal and one for external traffic. Please also be advised that if you do install ClarkConnect onto a computer, it will wipe the entire hard disk of all operating systems. After installing, point your browser in a computer on your LAN to the IP address you assigned CC during install (should be an internal IP address). So you’d point your browser to https://192.168.1.X:81. The port number 81 and https are important…81 isn’t a standard web port and https means this is a secure transaction of information.
You should be greeted by the dashboard screen. –>
The dashboard tells you what your two (or how ever many you have) interfaces are (LAN and External Internet, DMZ, whatever) as well as gives you the opportunity to set languages, set system time, and see a quick overview of current intrusion attempts. Navigating to other areas is a snap with the menu bar at the top of the screen.
First, let’s move over and update the system. To do this, we’ll have to register with Point Clark Networks (who develop ClarkConnect) using their built in registration. Registering gives you a dynamic domain name (yourname.pointclark.net but hey, it’s automatically configured and allows you remote access to your box from the outside world). You can also piece together other services should you decide to purchase them. Of course, since I use the home version, I choose only the dynamic DNS service which is free so that I can connect from work to my box at home. So, back to updating the system. After you register, click on the sidebar item “Critical Updates”. Any updates that are critical to the system, including kernel patches, will update themselves here. To install the updates, turn off your popup blocker for this site, toggle the checkmarks, and click “go”. A window will pop up and show you apt-get progress. Close it when it states it is done. Feel free to browse other updates and install them at any time.
It’s important to note that all updates are pushed through this interface. This includes major updates to new versions as well. Updating to new versions is therefore extremely easy. The upcoming ClarkConnect 4.0 release is currently in beta and ClarkConnect is looking to release this in the very near future. Look for some new packages including Horde Webmail, Kollab groupware, ClamAV, and others.
Another handy thing that ClarkConnect does is keep track of those patches you’ve installed (as long as you go through the services tab on this webconfig). You can also update via apt and the shell (soon to be yum with the next release 4.0)…I use putty to connect via SSH to the box and update from time to time. You can cycle through other updates as well and even see some of the handy community contributed modules. Install any you’d like and head to the various resources that clarkconnect has to get you started such as the forums, the newbie guide, and Ya-FAQ.
To take a look at the users present and to have control over whether or not your users have shell accounts available, etc. Head over to the users tab. Here you have ultimate control over all the users on your system. This makes it handy in situations where you’d like to setup a user for VPN but don’t want that user to have a shell account (for security reasons). I leave one user and make the password as complex as I possibly can. I also change the password about once every 3 months to keep things secure. Whatever your security policy is, the web interface makes things easy to administer and easy to use.
Now that we previously updated the system, let’s take a look at the overview of all hardware. Click on the reports tab and make sure “current status” is selected. This gives us a graphical overview of all hardware and current performance. As you can see from the screenshot, you don’t need a fast computer to power your ClarkConnect install (pictured is my emachines Celeron 900). I’ve had over 194 days of uptime with this current install of ClarkConnect (version 3.2). I don’t see any reason why it won’t continue other than a hardware fail. Overall, ClarkConnect is stable, secure, and the most handy server distro I’ve ever used. I trust it so much after using it these years as my main workhorse server that I’m prepping to start a side business installing and configuring ClarkConnect boxes for small businesses. Point Clark Networks is doing a great job helping small businesses have the functionality they need at an affordable price. Anyway, back to the review.
Back to the reports tab; In reports, you’ll be able to check out all the logs on your server. This makes reading logs less of a hassle and something you can do without cracking the shell.
Click the services tab. In this view, we should be defaulted to “Running Services” which is the handiest page in the admin section. Here you will find a service listing of all the system services/software that can be toggled “on” the CC box. You can start, stop, enable at boot, or disable at boot any single service you see in this view. The color scheme will tell you what is enabled (Green) and what service is disabled (red). Take a look to make sure you have running what you need to have running…since CC defaults are safe, we can leave everything as it is or turn on whatever it is we need.
Next, let’s make a quick backup snapshot of all our settings. You can do this by staying in the services tab and clicking “backup/restore”. From there, you can backup all your settings in CC. This is handy if, like me, you’re thinking of starting a business. One click snapshots means less configuring. It also makes things nice if you are planning on reinstalling. You can take this backup snapshot you’re creating and upload it to a fresh install to restore settings. Please be advised though that this backup is configuration files only (in /etc and /usr) and only for CC default apps. If you install something else, CC won’t backup that install without hacking.
How about setting up a transparent proxy server to speed up your web browsing? Point Clark and CC have you covered in a couple of point-clicks. Head over to the Software tab. Select “Web Proxy” on the left side menu. From there, select the proxy to auto start if you’d like it to start at boot, then select to start the service. You can setup cache space, enable download size limits, and set maximum object size. Let’s set all to defaults for now…just make sure that if you plan on downloading larger files to set the maximum download file size to Unlimited. Also, if you want to use content filtering along with our transparent proxy, select “transparent + content filter” in the selection box titled “Transparent Mode.” You can clear your proxy out anytime by selecting “Reset Cache.”
Now that you have the web proxy setup, let’s put the pop-up blocker on and look at content filtering. Select “Banner/Pop-up Blocker” from the menu on the right. Start it up by clicking on the links (Autostart if you choose). That’s it! Pretty simple eh? Let’s move over to content filtering. Click on “Content Filter” on the left side menu.
Now CC will automatically update your blacklists for content management for you. However, you’ll have to upgrade to one of the service levels to do so. Since I’m a home user and someone who’s run DansGuardian (the content filter system they use) for quite some time…I do my updates manually and pass on the upgrade in service. Point Clark networks has no problem with this, they simply have this in place to cater to their business clients to provide no-hassle management of their servers. Let’s get our update in place. Head over to the folks at URLBlacklist.com, specifically their download section. Download the bigblacklist.tar.gz. This is a one time free download for personal use. This is an up to date blacklisting that we can drop into our dansguardian directory to make sure that it is running with the latest and greatest. Drop all the contents of bigblacklist.tar.gz inside the /etc/dansguardian/blacklists directory. Remember, you will need to either purchase a subscription through dansguardian, urlblacklist.com, or go with purchasing the personal gateway service through clarkconnect to have a completely updated dansguardian blacklist. I’ve found that I don’t really need an up to date box…it does quite nicely on it’s own and I can add and remove sites as I see fit. Plus, you can do well to check out dmoz and their urlblacklists for squidguard which translate nicely into dansguardian (for advanced users only). You can enable dansguardian with a couple of clicks and set options for it on the Software Tab >> Content Filtering Menu.
Now that we’ve seen some of the wizbang features built into ClarkConnect, let’s take a look at the rest of the tabs. You can see from the screenshot to the left of this paragraph that there is plenty other software that you can configure in CC, but let’s move over to the other tabs to show you just what you can control using the web interface. Click on the “Network” tab. ClarkConnect can operate in gateway mode (which is ‘router’ style mode with ipmasquerading, etc.), DMZ mode if you want to have a DMZ (demilitarized zone), standalone with firewall, and standalone without firewall. You can set these anytime you’d like to and control all of your network interfaces here. You can also go straight to DHCP configuration which will allow your CC box to give computers connected behind it a network address.
One thing that is a definitive plus for CC is the firewall manager. You can control incoming, outgoing, and port forwarding all from the web interface. I specifically like the group manager. Why? Because it is handy if I want to use torrents, I setup a group to open up ports 10000-60000 and forward to my desktop behind my CC box. When I’m done, I turn it off by disabling that group of rules. Handy eh?
Also contained in the network tab is intrusion detection and intrusion prevention. I enable both of these but will enter into the intrusion prevention exempt list my work IP address and all the addresses of my LAN. That way I don’t have my CC box thinking that I’m trying to break in and dropping my connections to it as I test things or connect to it using various methods (ftp, ssh, web, vpn, etc). Intrusion detection rules can be updated through Point Clark Networks by upgrading to gateway service level to SOHO which is around $10 USD a month. I just enable mine and let it go :D. Seems to do a fine job using the default rules and as long as I keep a watchful eye on my firewall rules, I’m just as safe as if I had a Security Enhanced Linux Fedora box running things. To read your intrusion detection and prevention logs, head over to your reports tab and then select the appropriate area on the left.
One other area of interest here in the network tab is bandwidth management. Select “Bandwidth” from the left menu area. In this menu, you can enter in upload and download limits for bandwidth and take control of your network. Very handy if you have a multiple computer LAN and a teenager that downloads EVERYTHING. Play around with the settings and when you’re satisfied, let’s cinch things up with samba, ftp, and webserver.
CC comes ready to operate as a PDC (Primary Domain Controller) for your LAN. If you only operate a small LAN (1-2 computers) having a PDC is really for bragging rights only. Instead, you might want to configure your samba shares using CC’s handy web interface. Head over to the “Software” tab and click “Windows File Sharing”. ClarkConnect has common shares already in place for you. You can enable these or disable them. You can even add your own. It’s up to you. Starting samba is once again just a point click away. There is also an advanced setup option for those of you who are a bit more experienced with samba.
Personally, I don’t use the samba interface from ClarkConnect. I instead use Network Attached Storage which automatically is detected on my network by all my desktops (easy as connecting to another PC) so I haven’t found the need to implement samba on my CC box. In the future, when I expand to include a computer for my son, I will implement a PDC with roaming profiles so that all settings are backed up to ClarkConnect. Thus, if a computer fails, I still have all settings saved server side.
We’ve covered a varying amount of information in this review and I won’t cover everything that CC has to offer either. But two other areas I wanted to discuss was ftp and webserver. CC uses proftp for their ftp server and apache 2 for their webserver. One thing I’ve found of value for the webserver (which I’ll discuss first) is their virtual host creator.
FTP and Webserver
The webserver interface is handy. Very handy. You can enable SSL for Apache by toggling a setting. You can setup a virtual host by typing in the webaddress. Dead easy. I’ve found that setting up virtual hosts via this interface is better than doing so through webmin because it configures all defaults for you a bit better than webmin does. No idea why, but I’ve had trouble with webmin in the past with vhosts. I usually create a vhost with CC on their web server interface…such as linuxblog.sytes.net shown in the picture. This was my old blog location when I hosted it at home (2004 with CC 2.2 I think). I now have a virtual host setup so that all requests for linuxblog.sytes.net go through my CC box…I’ve written a rewrite rule to forward all traffic from the old blog to this current blog. Handy and easy with ClarkConnect. Like I said, I create the vhosts with CC and then hand them off to webmin for more detailed configuration. It’s important to note that you can install webmin through your “services” tab.
If you notice in the picture in the previous paragraph, I have linuxblog.sytes.net as a virtual host. I use the no-ip service I previously blogged about to register this name. If you plugin the topic to that article with a ClarkConnect install…you can see that they’d be a fine fit together and that you can have your own webserver running in a matter of minutes. Put that together with Gallery, which CC is bundled with, and you’ve got yourself a family photo album!
Lastly, let’s look at the ftp server in CC. Click on the “Software” tab and then select “ftp server” from the menu on the left. You are a few clicks away from having a fully operational ftp server. Change the details you’d like to using the form provided by the web interface, then click to start and autostart the service. By default, CC shares /var/ftp. It is also open to anonymous connections. You’ll have to edit /etc/proftpd.conf to your liking to get your ftp server up and operational for other directories and users. Please see the proftp homepage for more details.
We’ve taken a semi-detailed look at ClarkConnect Home Edition 3.2 and how you can benefit both from the vast amount of software/programs already enabled on it and the ability to have an up and running router/server in as little as 30 minutes. Combine this with my previous article on using a no-ip domain and there isn’t any reason why you shouldn’t be able to show off a gallery or ftp server to your friends and relatives. If you have any problems, please head over to the ClarkConnect forums and ask…but not before using their search tool to see if the topic has been covered. As previously stated, there are two websites you can also connect to Ya-FAQ and the Newbie Portal. These two sites can provide you with good info as well as How-Tos made by the community.
I’d also like to take the time to let everyone know that I am in NO WAY being compensated for this article. I’ve used the software for quite some time and felt that I might be able to repay the people at Point Clark Networks by giving them props through this review. Whenever a new user is looking for a quick server oriented distribution, I always point them to ClarkConnect. In my opinion, it is the best distro out there to have for your home LAN. Hopefully, you’ll give it a test drive and come to the same conclusion.
This content is published under the Attribution-Noncommercial-Share Alike 3.0 Unported license.