Re: [systemd-devel] Adding "After=network-online.target" via drop-in

2017-02-20 Thread Lennart Poettering 
On Sun, 19.02.17 14:34, Mantas Mikulėnas (graw...@gmail.com) wrote:

> On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher  wrote:
> 
> > I have configured sshd on my firewall to listen only on its internal
> > IP address.  This is causing it to fail when it first starts, since the
> > IP address is not actually configured yet.
> >
> > I have confirmed that adding network-online.target to the After=... line
> > in sshd.service file works, but I know that using a drop-in is the
> > preferred way of doing this.
> >
> > I haven't been able to find clear documentation of whether files in the
> > drop-in directory are "incremental" or not.
> >
> 
> All multi-valued parameters are incremental.
> 
> Alternatively, you could use sshd.socket (socket-activation) with
> FreeBind=yes -- that way Linux would allow the socket to be bound even if
> the address isn't configured yet.
> 
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least for
> IPv4, Linux considers the addresses as belonging to the whole host, and
> will still accept connections from any interface. (I tested this just a
> while ago.) So changing the listen-addr is not a good security measure, you
> *still* need the corresponding firewall rules (filtering by source IP).

An efficient way to mask all traffic coming in from other interfaces
is by using BindToDevice= in the socket file.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Adding "After=network-online.target" via drop-in

2017-02-19 Thread Mantas Mikulėnas 
On Sun, Feb 19, 2017 at 6:56 PM, Andrei Borzenkov 
wrote:

> 19.02.2017 15:34, Mantas Mikulėnas пишет:
> > On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher 
> wrote:
> >
> >> I have configured sshd on my firewall to listen only on its internal
> >> IP address.  This is causing it to fail when it first starts, since the
> >> IP address is not actually configured yet.
> >>
> >> I have confirmed that adding network-online.target to the After=... line
> >> in sshd.service file works, but I know that using a drop-in is the
> >> preferred way of doing this.
> >>
> >> I haven't been able to find clear documentation of whether files in the
> >> drop-in directory are "incremental" or not.
> >>
> >
> > All multi-valued parameters are incremental.
> >
> > Alternatively, you could use sshd.socket (socket-activation) with
> > FreeBind=yes -- that way Linux would allow the socket to be bound even if
> > the address isn't configured yet.
> >
> > That said... listening only on internal addresses doesn't mean the
> > connections will be accepted only from internal interfaces -- at least
> for
> > IPv4, Linux considers the addresses as belonging to the whole host, and
> > will still accept connections from any interface. (I tested this just a
> > while ago.) So changing the listen-addr is not a good security measure,
> you
> > *still* need the corresponding firewall rules (filtering by source IP).
> >
>
> What is the value of rp_filter sysctl on your interfaces
> (/proc/sys/net/ipv4/conf/*/rp_filter)?
>

.all.rp_filter = 2 (loose filter), so max(all, ) = 2 as well.

But rp_filter only verifies the source address, which is going to be
perfectly fine (it has to be, otherwise you wouldn't get the SYN/ACK back).
It's the *destination* address that would be for the "wrong" interface, so
you might be thinking of .arp_filter or .arp_ignore instead. (Though those
wouldn't help any, since the user can just do `ip route add
/32 via `.)

It's really nothing new, and yes, this only works if the client is
*already* in one of the device's subnets... but imagine an edge
router/firewall with user VLAN and mgmt VLAN and it's not that unlikely
anymore.

-- 
Mantas Mikulėnas 
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Adding "After=network-online.target" via drop-in

2017-02-19 Thread Andrei Borzenkov 
19.02.2017 15:34, Mantas Mikulėnas пишет:
> On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher  wrote:
> 
>> I have configured sshd on my firewall to listen only on its internal
>> IP address.  This is causing it to fail when it first starts, since the
>> IP address is not actually configured yet.
>>
>> I have confirmed that adding network-online.target to the After=... line
>> in sshd.service file works, but I know that using a drop-in is the
>> preferred way of doing this.
>>
>> I haven't been able to find clear documentation of whether files in the
>> drop-in directory are "incremental" or not.
>>
> 
> All multi-valued parameters are incremental.
> 
> Alternatively, you could use sshd.socket (socket-activation) with
> FreeBind=yes -- that way Linux would allow the socket to be bound even if
> the address isn't configured yet.
> 
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least for
> IPv4, Linux considers the addresses as belonging to the whole host, and
> will still accept connections from any interface. (I tested this just a
> while ago.) So changing the listen-addr is not a good security measure, you
> *still* need the corresponding firewall rules (filtering by source IP).
> 

What is the value of rp_filter sysctl on your interfaces
(/proc/sys/net/ipv4/conf/*/rp_filter)?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Adding "After=network-online.target" via drop-in

2017-02-19 Thread Mantas Mikulėnas 
No, that's not how I tested it.

On Sun, Feb 19, 2017 at 2:42 PM, Reindl Harald 
wrote:
>
> i guess you tested that from the local host itself and not from the
> outside because this is *not* true
>
> on the local machine things are different like reject a specific port for
> the "lo" interface but "telnet lan-address port" is also refused


-- 
Mantas Mikulėnas 
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Adding "After=network-online.target" via drop-in

2017-02-19 Thread Ian Pilcher 

On 02/19/2017 06:34 AM, Mantas Mikulėnas wrote:

That said... listening only on internal addresses doesn't mean the
connections will be accepted only from internal interfaces -- at least
for IPv4, Linux considers the addresses as belonging to the whole host,
and will still accept connections from any interface. (I tested this
just a while ago.) So changing the listen-addr is not a good security
measure, you *still* need the corresponding firewall rules (filtering by
source IP).


That's a great point.  In my case the internal address is non-routable,
so listening on only that address does add at least some level of
difficulty for a hypothetical attacker.

Always good to remember this counter-intuitive (IMO) behavior.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Adding "After=network-online.target" via drop-in

2017-02-19 Thread Mantas Mikulėnas 
On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher  wrote:

> I have configured sshd on my firewall to listen only on its internal
> IP address.  This is causing it to fail when it first starts, since the
> IP address is not actually configured yet.
>
> I have confirmed that adding network-online.target to the After=... line
> in sshd.service file works, but I know that using a drop-in is the
> preferred way of doing this.
>
> I haven't been able to find clear documentation of whether files in the
> drop-in directory are "incremental" or not.
>

All multi-valued parameters are incremental.

Alternatively, you could use sshd.socket (socket-activation) with
FreeBind=yes -- that way Linux would allow the socket to be bound even if
the address isn't configured yet.

That said... listening only on internal addresses doesn't mean the
connections will be accepted only from internal interfaces -- at least for
IPv4, Linux considers the addresses as belonging to the whole host, and
will still accept connections from any interface. (I tested this just a
while ago.) So changing the listen-addr is not a good security measure, you
*still* need the corresponding firewall rules (filtering by source IP).

-- 
Mantas Mikulėnas 
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Adding "After=network-online.target" via drop-in

2017-02-19 Thread Reindl Harald 


Am 19.02.2017 um 13:34 schrieb Mantas Mikulėnas:

On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher > wrote:

I have configured sshd on my firewall to listen only on its internal
IP address.  This is causing it to fail when it first starts, since the
IP address is not actually configured yet.

I have confirmed that adding network-online.target to the After=... line
in sshd.service file works, but I know that using a drop-in is the
preferred way of doing this.

I haven't been able to find clear documentation of whether files in the
drop-in directory are "incremental" or not.


All multi-valued parameters are incremental.

Alternatively, you could use sshd.socket (socket-activation) with
FreeBind=yes -- that way Linux would allow the socket to be bound even
if the address isn't configured yet.

That said... listening only on internal addresses doesn't mean the
connections will be accepted only from internal interfaces -- at least
for IPv4, Linux considers the addresses as belonging to the whole host,
and will still accept connections from any interface. (I tested this
just a while ago.) So changing the listen-addr is not a good security
measure, you *still* need the corresponding firewall rules (filtering by
source IP)


i guess you tested that from the local host itself and not from the 
outside because this is *not* true


on the local machine things are different like reject a specific port 
for the "lo" interface but "telnet lan-address port" is also refused

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Adding "After=network-online.target" via drop-in

2017-02-18 Thread Andrei Borzenkov 
18.02.2017 23:32, Ian Pilcher пишет:
> I have configured sshd on my firewall to listen only on its internal
> IP address.  This is causing it to fail when it first starts, since the
> IP address is not actually configured yet.
> 
> I have confirmed that adding network-online.target to the After=... line
> in sshd.service file works, but I know that using a drop-in is the
> preferred way of doing this.
> 
> I haven't been able to find clear documentation of whether files in the
> drop-in directory are "incremental" or not.
> 
> I.e., the system sshd.service file contains:
> 
>   After=network.target sshd-keygen.target
> 
> Should my drop-in file contain:
> 
>   After=network.target sshd-keygen.target network-online.target
> 
> Or is this sufficient?
> 
>   After=network-online.target
> 
> Thanks!
> 

In case of After they are additive - each directive adds to the list of
existing ones unless you set 'After=' which removes the while list.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel