# Quagga Route Server on Ubuntu

## Setting up your real physical Cisco router to send un-altered routes to your Quagga server

Cisco core router config for sending routing data to Quagga. The deny-all ACLs behind the `BLOCK-ROUTES-IN` route-map stop the router from accepting anything back from the route server, while `next-hop-unchanged` and `send-community both` hand the routes over with their original attributes:

```
ip access-list standard DENY-ALL-IPV4
  deny   any
exit
ipv6 access-list DENY-ALL-IPV6
  deny ipv6 any any
exit
route-map BLOCK-ROUTES-IN deny 10
  match ip address DENY-ALL-IPV4
  match ipv6 address DENY-ALL-IPV6
exit
router bgp 210083
  neighbor 2A07:E00::23 remote-as 65000
  neighbor 2A07:E00::23 description Privex Route Server
  neighbor 2A07:E00::23 ebgp-multihop 255
  neighbor 185.130.44.23 remote-as 65000
  neighbor 185.130.44.23 description Privex Route Server
  neighbor 185.130.44.23 ebgp-multihop 255
  template peer-policy GOBGP
    route-map BLOCK-ROUTES-IN in
    next-hop-unchanged allpaths
    send-community both
    send-label
  exit-peer-policy
  address-family ipv4
    neighbor 185.130.44.23 activate
    neighbor 185.130.44.23 inherit peer-policy GOBGP
    neighbor 185.130.44.23 route-server-client
  exit-address-family
  address-family ipv6
    neighbor 2A07:E00::23 activate
    neighbor 2A07:E00::23 route-server-client
    neighbor 2A07:E00::23 next-hop-unchanged
  exit-address-family
exit
```

## Installing Quagga on Ubuntu 18.04

### Install quagga on ubuntu 18.04 server

```
apt install quagga
cp /usr/share/doc/quagga-core/examples/*.sample /etc/quagga/
cd /etc/quagga
mv bgpd.conf.sample bgpd.conf
mv zebra.conf.sample zebra.conf
```

### Enable services and edit bgpd config so it listens on all interfaces

```
systemctl enable bgpd zebra
systemctl edit bgpd
```

### Insert into systemd edit window

```
[Service]
ExecStart=
ExecStart=/usr/sbin/bgpd -d -f /etc/quagga/bgpd.conf
```

### Reload systemd + restart bgpd

```
systemctl daemon-reload
systemctl restart bgpd
```

## Quagga example config files

/etc/quagga/bgpd.conf

```
hostname bgpd
password privex
banner motd file /etc/quagga/banner
!
enable password REDACTED
!
!bgp multiple-instance
!
router bgp 65000
  bgp router-id 10.0.0.1
!
  network 10.0.0.0/8
  neighbor 185.130.44.1 remote-as 210083
  neighbor 185.130.44.1 ebgp-multihop 255
  neighbor 185.130.44.1 next-hop-self
  neighbor 185.130.44.1 route-server-client
!
  neighbor 2a07:e00::1 remote-as 210083
  neighbor 2a07:e00::1 ebgp-multihop 255
  neighbor 2a07:e00::1 next-hop-self
  neighbor 2a07:e00::1 route-server-client
!
  address-family ipv6
    neighbor 2a07:e00::1 activate
  exit-address-family
exit
log stdout
line vty
  no login
  no anonymous restricted
```

/etc/quagga/daemon

```
bgpd=yes
zebra=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
babeld=no
```

/etc/quagga/banner

```
[ASCII-art "PRIVEX" / "ROUTE SERVER" logo omitted]

+++ Successfully connected to Privex Route Server :) +++

This is route-server.privex.cc - Operated by Privex Inc. ( https://www.privex.io )

Useful commands:

  show ip bgp                       # Shows all IPv4 prefixes we're receiving or advertising
  show ipv6 bgp                     # Shows all IPv6 prefixes we're receiving or advertising
  show ip bgp 172.69.8.0            # Show the matching prefix info for this IPv4 address
  show ipv6 bgp 2a07:e00::1         # Show the matching prefix info for this IPv6 address
  show ip bgp community 0:300       # Shows only Privex IPv4 prefixes we're advertising via BGP
  show ipv6 bgp community 0:300     # Shows only Privex IPv6 prefixes we're advertising via BGP
```

## IPTables rules to forward port 23 (telnet) to BGPD port

iptables rules.v4 + rules.v6

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 23 -j REDIRECT --to-ports 2605
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p tcp --dport 2605 -j ACCEPT
COMMIT
```

These rules only show the telnet redirect. With an `INPUT` policy of `DROP` you also need rules accepting established connections, SSH (TCP 22) and the BGP session from your router (TCP 179), otherwise this ruleset on its own locks you out and drops the peering.

## Setting up an isolated SSH user for connecting to the route server via SSH

### creating isolated SSH user for accessing route server over SSH

```
# as root

####
# Create user
####
adduser --gecos "" --disabled-password rs
# Set password to blank
passwd --delete rs
# enter user home dir
cd /home/rs

####
# create basic /dev inside of home dir, for chroot to work properly
####
mkdir dev
cd dev
mknod -m 666 null c 1 3
mknod -m 666 tty c 5 0
mknod -m 666 zero c 1 5
mknod -m 666 random c 1 8
# make sure folder is owned by root and is 755
# (not recursive: sshd only requires the chroot directory itself to be root-owned and
#  not group/world writable, and a recursive chmod would strip the 666 from the device nodes)
cd ..
chown root:root /home/rs
chmod 755 /home/rs

####
# create folders
####
mkdir -v bin lib lib64 usr etc
# when chrooted, /home/rs/ is / - so /home/rs/home/rs is the /home/rs used by bash
mkdir -p home/rs

####
# silence MOTD / last login from x.x.x.x for this user
####
touch /home/rs/.hushlogin
touch /home/rs/home/rs/.hushlogin

####
# copy locales to avoid locale issues when connecting via SSH
####
mkdir -p usr/share/i18n/locales usr/share/X11/locale usr/share/locale/ usr/lib/locale/
rsync -a /usr/share/i18n/locales/ usr/share/i18n/locales/
rsync -a /usr/share/X11/locale/ usr/share/X11/locale/
rsync -a /usr/share/locale/ usr/share/locale/
rsync -a /usr/lib/locale/ usr/lib/locale/

####
# for each required binary in the chroot, use 'ldd' to find out what libraries are needed
####
ldd /bin/bash
#        linux-vdso.so.1 (0x00007ffdf79b2000)
#        libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f830adde000)
#        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f830abda000)
#        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f830a7e9000)
#        /lib64/ld-linux-x86-64.so.2 (0x00007f830b322000)

ldd /usr/bin/telnet
#        linux-vdso.so.1 (0x00007ffefafd3000)
#        libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f2a7d644000)
#        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a7d253000)
#        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2a7ceb5000)
#        /lib64/ld-linux-x86-64.so.2 (0x00007f2a7dbea000)
#        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f2a7cc9d000)

####
# copy /lib and /usr/lib libraries into /home/rs/lib
# and copy /lib64 and /usr/lib64 libraries into /home/rs/lib64
# (/lib is one of the loader's default search directories, so the flat copy works;
#  the ELF interpreter must keep its exact path /lib64/ld-linux-x86-64.so.2)
####
cp -v /lib/x86_64-linux-gnu/{libtinfo.so.5,libdl.so.2,libc.so.6} lib/
cp -v /lib64/ld-linux-x86-64.so.2 lib64/
cp -v /usr/lib/x86_64-linux-gnu/libstdc++.so.6 lib/
cp -v /lib/x86_64-linux-gnu/{libm.so.6,libgcc_s.so.1} lib/

# copy required binaries into user bin folder
cp -v /bin/{bash,ls} bin/
cp -v /usr/bin/telnet bin/

####
# create rs.sh to be used as user shell, which runs telnet to localhost port 2605, with no
# escape character (preventing telnet console access)
####
cat > rs.sh <<"EOF"
#!/bin/bash
telnet -E 127.0.0.1 2605
exit
EOF
# make rs.sh executable
chmod +x rs.sh
# Set rs's shell to /rs.sh ( remember they're chrooted, so /home/rs == / )
chsh -s "/rs.sh" rs
```

Now open up /etc/ssh/sshd_config in vim/nano/whatever and add this to the bottom:

```
####
# OPTIONAL
# If you normally have iptables rules to restrict SSH to your "secure" network
# You can disable password+pubkey auth globally, then only enable it for specific subnets
#
# These two global lines must come BEFORE the first "Match" line: everything after a
# Match line belongs to that block until the next Match. sshd also keeps the first value
# it sees for a keyword, so make sure neither is already set (uncommented) earlier in the file.
####
PasswordAuthentication no
PubkeyAuthentication no

# allow user "rs" to login without a password
# chroot them into /home/rs so they can't hack the system
Match User rs
    ChrootDirectory /home/rs
    PermitEmptyPasswords yes
    PasswordAuthentication yes
    AcceptEnv no

# OPTIONAL (goes with the two global lines above)
# Allow only 185.130.44.0/27, 127.0.0.0/24, and 2a07:e00::/32 to log into normal accounts
# using SSH keys.
Match Address 185.130.44.0/27
    PubkeyAuthentication yes
Match Address 127.0.0.*
    PubkeyAuthentication yes
Match Address 2a07:e00::/32
    PubkeyAuthentication yes
```

Finally restart ssh, then test `ssh rs@your-ip` from a different machine.

```
systemctl restart ssh

####
# From another machine, e.g. your local machine
####
ssh rs@your-server-ip

####
# If you added the extra SSH IP ACL for normal accounts, make sure you can still
# log into your normal users from your subnets.
####
ssh ubuntu@your-server-ip

# You can use SSH "jumping" to test your public key is rejected when connecting from an
# unauthorised IP (in this example, 'non-whitelisted-server'). ProxyJump (-J) does not
# need agent forwarding (-A), which would expose your agent to the jump host.
ssh -J user@non-whitelisted-server ubuntu@your-server-ip
```

If you added the extra SSH IP ACL for normal accounts, **make sure you can still log into your normal users from your subnets.**
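The chroot section above copies each library by hand from the `ldd` output. As an added example (not part of the original gist), here is a small POSIX shell helper that parses `ldd` output and installs a binary plus its libraries into the chroot at their original paths, and checks that the chroot directory satisfies sshd's `ChrootDirectory` ownership rules. It assumes GNU `install`/`stat` and glibc `ldd` (as on Ubuntu) and a chroot at /home/rs; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original gist): build the chroot's binaries and
# libraries from ldd output instead of copying each file by hand.
# Assumptions: GNU 'install' and 'stat', glibc 'ldd', chroot at /home/rs.
set -eu

# Read ldd output on stdin, print one absolute library path per line.
# Handles "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" and the bare
# interpreter line "/lib64/ld-linux-x86-64.so.2 (0x...)"; skips the vDSO
# (not a real file) and "not found" entries.
ldd_libs() {
    awk '
        /linux-vdso|linux-gate/ { next }
        /not found/             { next }
        /=>/ && $3 ~ /^\//      { print $3; next }
        $1 ~ /^\//              { print $1 }
    '
}

# Copy BIN and every library it needs into CHROOT, keeping the original
# directory layout so the dynamic loader finds them without ld.so.cache.
install_into_chroot() {
    chroot_dir="$1"
    bin="$2"
    install -D -m 755 "$bin" "${chroot_dir}${bin}"
    ldd "$bin" | ldd_libs | while read -r lib; do
        # skip libraries already present (libc is shared by bash and telnet)
        [ -e "${chroot_dir}${lib}" ] || install -D -m 755 "$lib" "${chroot_dir}${lib}"
    done
}

# sshd refuses a ChrootDirectory that is not root-owned or is group/world
# writable ("bad ownership or modes"). Returns 1 if the directory fails that.
check_chroot_perms() {
    chroot_dir="$1"
    owner=$(stat -c '%u' "$chroot_dir")
    mode=$(stat -c '%a' "$chroot_dir")
    [ "$owner" = "0" ] || return 1
    # group and other digits of the octal mode: neither may carry the write bit (2)
    g=$(( (mode / 10) % 10 ))
    o=$(( mode % 10 ))
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Usage, as root:
#   install_into_chroot /home/rs /bin/bash
#   install_into_chroot /home/rs /usr/bin/telnet
#   check_chroot_perms /home/rs || echo "chroot dir must be root-owned and not group/world writable"
```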