Re: new ftp proxy: pftpx

2004-12-17 Thread Tobias Wigand
hi,
I've put up the latest version at
http://www.sentia.org/downloads/pftpx-0.5.tar.gz
many thanks, works great. I'm planning on trying pftpx on our main
firewall, as we have some Mac users with picky FTP clients and also PASV
FTP for everyone would be cool. So it would be really nice if you could
post possible updates on your website (or maybe on this list?)

thanks again!
tobias


pf port knocking

2004-12-17 Thread A
Hey all

I am getting tired of seeing the following popping up every day (with
various IPs) on my log server.

* ROOT FAILURES 
jasper ssh2(pw) @221.143.156.58(3) 
* User Failures 
admin ssh2(pw) jasper(2) 
andrew ssh2(pw) jasper(1) 
angel ssh2(pw) jasper(1) 
barbara ssh2(pw) jasper(1) 
ben ssh2(pw) jasper(1) 
betty ssh2(pw) jasper(1) 
billy ssh2(pw) jasper(1) 
black ssh2(pw) jasper(1) 
blue ssh2(pw) jasper(1) 
brandon ssh2(pw) jasper(1) 
brian ssh2(pw) jasper(1) 
buddy ssh2(pw) jasper(1) 
carmen ssh2(pw) jasper(1) 
charlie ssh2(pw) jasper(1) 
daniel ssh2(pw) jasper(1) 
david ssh2(pw) jasper(1) 
dog ssh2(pw) jasper(1) 
emily ssh2(pw) jasper(1) 
eric ssh2(pw) jasper(1) 
god ssh2(pw) jasper(1) 
green ssh2(pw) jasper(1) 
guest ssh2(pw) jasper(1) 
henry ssh2(pw) jasper(1) 
jane ssh2(pw) jasper(1) 
jason ssh2(pw) jasper(1) 
jeremy ssh2(pw) jasper(1) 
joe ssh2(pw) jasper(1) 
johnny ssh2(pw) jasper(1) 
jordan ssh2(pw) jasper(1) 
justin ssh2(pw) jasper(1) 
larisa ssh2(pw) jasper(1) 
lion ssh2(pw) jasper(1) 
lp ssh2(pw) jasper(1) 
lucy ssh2(pw) jasper(1) 
magic ssh2(pw) jasper(1) 
mail ssh2(pw) jasper(1) 
maria ssh2(pw) jasper(1) 
market ssh2(pw) jasper(1) 
matthew ssh2(pw) jasper(1) 
max ssh2(pw) jasper(1) 
michael ssh2(pw) jasper(1) 
nathan ssh2(pw) jasper(1) 
nicholas ssh2(pw) jasper(1) 
nicole ssh2(pw) jasper(1) 
operator ssh2(pw) jasper(1) 
pub ssh2(pw) jasper(1) 
red ssh2(pw) jasper(1) 
robin ssh2(pw) jasper(1) 
rose ssh2(pw) jasper(1) 
shell ssh2(pw) jasper(1) 
stephen ssh2(pw) jasper(1) 
steven ssh2(pw) jasper(1) 
system ssh2(pw) jasper(1) 
test ssh2(pw) jasper(2) 
tom ssh2(pw) jasper(1) 
user ssh2(pw) jasper(1) 
vampire ssh2(pw) jasper(1) 
william ssh2(pw) jasper(1) 
yellow ssh2(pw) jasper(1) 

Just script kiddies most probably. Plus, we use public/private keys on
jasper so it's not like people are going to get in that way. However,
having the port wide open does give the possibility that a bug in the
SSH daemon (if one pops up) could open the door for a hacker to get in.


Further, jasper is the only machine that is externally accessible via
SSH (the only other open ports are domain, web and mail on other
servers). I need to leave SSH open as a number of people work remotely
and tunnel through it to some of the services on the internal network. 

Additionally, we are about to setup a system to run a VPN between our
office and some contractors. I would like that box's IP to appear
offline/completely closed (until required) as well.

To sum up, apart from web, mail and domain (to specific servers), I
would much prefer that every port appear closed. To achieve this, I
would like to implement port knocking on the gateway firewall (runs
OBSD 3.4 and pf). For those unfamiliar with the technique, it is like
knocking a certain pattern/code on a door to open it. Here, you fire
connections at a server on designated ports to instruct the firewall to
open a port. So, if the firewall detects a connection on ports 14289,
32883, 1234 and 3428 (in that order), port 22 is opened for the
relevant IP address.

Has anyone heard of anyone working on a portknocking daemon for
OBSD/pf? There are a couple of basic setups over at
www.portknocking.org but thought I would check here before attempting a
port. 

If no work has begun, I think I will take the perl prototype script
they have at portknocking.org and see what I can do for pf. I would
imagine I will have to setup anchors in pf which I haven't done yet but
am sure I will get my head around it. Any pointers would be
appreciated! :)

I will also need to write a windows util to do the knocking for the
contractors - can Perl run on a Windows machine or will I have to dust
off my C compiler? :)

Andrew

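The knock-sequence detection Andrew describes above, as an added example that is not part of the original post and not the portknocking.org prototype: a POSIX sh/awk watcher that follows tcpdump output from pflog0, tracks each source address's progress through the ordered port list, restarts a source that knocks out of order or too slowly, and adds the source to a pf table once the full sequence arrives within a time window. The pf.conf lines in the header comment, the table name <knocked>, the host name, the interface names and the ten-second window are assumptions; later replies in this thread argue that filtering sshd by source address, or authpf, is the simpler route.

```shell
#!/bin/sh
# Added example (not from the thread): minimal port-knock watcher for pf.
# Assumed pf.conf (not in the original post):
#   table <knocked> persist
#   block in log quick on $ext_if proto tcp from any to $jasper \
#       port { 14289, 32883, 1234, 3428 }
#   pass in on $ext_if proto tcp from <knocked> to $jasper port ssh \
#       flags S/SA keep state
# The watcher reads "tcpdump -n -tt -l -i pflog0 tcp" lines on stdin.

KNOCK_SEQ="14289 32883 1234 3428"   # knock ports, in the required order
KNOCK_WINDOW=10                      # max seconds between two knocks
KNOCK_TABLE=knocked                  # pf table the pass rule matches on

# knock_filter: read tcpdump lines on stdin, print the source IP once per
# completed sequence.  One awk process keeps the per-source state.
knock_filter() {
    awk -v seq="$KNOCK_SEQ" -v window="$KNOCK_WINDOW" '
    BEGIN { n = split(seq, want, " ") }
    {
        # locate "src.port > dst.port:"; ignore lines that do not carry it
        src = ""; dst = ""
        for (i = 2; i < NF; i++)
            if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
        if (src == "") next
        sub(/:$/, "", dst)
        if (split(src, s, ".") != 5 || split(dst, d, ".") != 5) next
        ip = s[1] "." s[2] "." s[3] "." s[4]
        port = d[5] + 0
        ts = $1 + 0                      # tcpdump -tt: epoch seconds

        # a knock arriving after the window restarts the sequence
        if (step[ip] > 0 && ts - last[ip] > window) step[ip] = 0

        if (port == want[step[ip] + 1])
            step[ip]++                   # expected next knock
        else
            step[ip] = (port == want[1]) ? 1 : 0   # wrong port: reset/restart
        last[ip] = ts

        if (step[ip] == n) {             # whole sequence seen, in order
            print ip; fflush()
            delete step[ip]; delete last[ip]
        }
    }'
}

# knock_run: open the door for each source knock_filter reports.
# With DRYRUN set, print the pfctl command instead of running it.
knock_run() {
    knock_filter | while read -r ip; do
        if [ -n "$DRYRUN" ]; then
            echo "pfctl -t $KNOCK_TABLE -T add $ip"
        else
            pfctl -t "$KNOCK_TABLE" -T add "$ip"
        fi
    done
}

# usage:  tcpdump -n -tt -l -i pflog0 tcp | knock_run
```

Nothing here removes an address again, so a cron job such as `pfctl -t knocked -T flush` is needed to close the door behind people; and because the knock is sent in the clear, anyone who can watch the path learns it, which is the liability Jared's reply below alludes to.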


Re: Re: (why can't)/(does) carp work on bridges ?

2004-12-17 Thread Joel CARNAT
On Thu, Dec 16 2004 - 20:46, Jason Dixon wrote:
 On Dec 16, 2004, at 10:18 AM, Joel CARNAT wrote:
 
 I wanted to do CARPing on interfaces which were part on bridges.
 According to my readings and testing (it's been 1 week I'm trying to
 have it working ;), it seems you can't enable carp on an interface that
 is bridged to some other...
 
 I believe you can, so long as your interface has an IP assigned to it.  
 An IP is needed, but you will not be routing- don't let it confuse you. 
  You're still bridging all packets between the external segment and the 
 protected segment.  I haven't tried it myself (yet), so caveat emptor.

 I just (re)tested this configuration:
bge0: 192.168.10.201
bge1: 192.168.10.202
carp0: 192.168.10.200 carpdev bge0
bridge0: add bge0 add bge1

my test is pinging 192.168.10.200 (the carp interface).
it's OK until I brconfig bridge0 up.
from then, I can see (tcpdump) echo request on bge0 and bge1 but nowhere else 
(and no ack anywhere).
then I brconfig bridge0 down and the ping works back.

that's why I'm pretty sure the bug is the bridge (or @least the way I
configured it ;)...
I thought, maybe, setting the bridge confuses carp because packets are
first forwarded from bge0 to bge1 and as carp0 is linked to bge0, it
doesn't work on the packet (yes, I already tried to set carp0 on bge1
and same error occurs).

another weird thing (or @least one I don't understand =) is, on the
working config (aka ping carp is OK), I see rq/ack on bge0 and rq only
on carp0. shouldn't I see rq/ack on carp0 too ? maybe the clue ?

 
 Is is really true (or did I miss a bit of configuration) ?
 And, if so, why ? What makes it impossible ?
 
 Actually, Ryan McBride recently posted a diff to -current to allow CARP 
 interfaces to bind to the physical interface (without IP) using the 
 carpdev keyword.
 

 well, I already had this discussion with him (I think it was either
privately or on [EMAIL PROTECTED]); anyway, I did install the snapshot
(timestamped about Dec 8th) that allows the carpdev feature.

 so this is OK, I can have carp listen on some IP while the real
interface has no IP (or an IP in a different IP range - in my case, the
interface has a private IP and carp has a public one).

 but even with this patch applied, my carp stops working as soon as I
ifconfig bridge0 up.

 http://marc.theaimsgroup.com/?l=openbsd-tech&m=110229937028512&w=2

-- 
,-- This mail runs -.
` NetBSD/i386 --'


Re: Re: (why can't)/(does) carp work on bridges ?

2004-12-17 Thread Camiel Dobbelaar


On Fri, 17 Dec 2004, Joel CARNAT wrote:
 my test is pinging 192.168.10.200 (the carp interface).
 it's OK until I brconfig bridge0 up.
 from then, I can see (tcpdump) echo request on bge0 and bge1 but nowhere 
 else (and no ack anywhere).
 then I brconfig bridge0 down and the ping works back.
 
 that's why I'm pretty sure the bug is the bridge (or @least the way I
 configured it ;)...
 I thought, maybe, setting the bridge confuses carp because packets are
 first forwarded from bge0 to bge1 and as carp0 is linked to bge0, it
 doesn't work on the packet (yes, I already tried to set carp0 on bge1
 and same error occurs).

It's something I'm working on at the moment.  The bridge does not 
recognize that the CARP MAC address is destined for itself (bge0), and 
tries to bridge it to no avail.

At the moment there is no simple solution.






Re: Re: (why can't)/(does) carp work on bridges ?

2004-12-17 Thread Camiel Dobbelaar


On Fri, 17 Dec 2004, Joel CARNAT wrote:
 that's why I'm pretty sure the bug is the bridge (or @least the way I
 configured it ;)...
 I thought, maybe, setting the bridge confuses carp because packets are
 first forwarded from bge0 to bge1 and as carp0 is linked to bge0, it
 doesn't work on the packet (yes, I already tried to set carp0 on bge1
 and same error occurs).

You're lucky, Chris Pascoe just fixed it in -current.  Go try it!  ;-)





Re: pf port knocking

2004-12-17 Thread jared r r spiegel

 For those unfamiliar with the technique, it is like
 knocking a certain pattern/code on a door to open it.

  anyone unfamiliar with the technique hasn't read the archives
  whatsoever and thus is not going to garner favour from anyone
  here at all.

 Has anyone heard of anyone working on a portknocking daemon for
 OBSD/pf? There are a couple of basic setups over at
 www.portknocking.org but thought I would check here before attempting a
 port. 

  i would venture to guess, probably not.  portknocking topic shows
  up in pf@ or misc@ once every three months it seems, and someone comes
  in all full of stars and hope, but the blinding majority of 
  code-contributing members, as well as at least the regular majority
  of list members don't really seem to want anything to do with it...

  some people seem to think it's cool and hip and stealthy while
  others think it is cumbersome, increases liability, and is
  essentially energy better spent elsewhere.

 they have at portknocking.org and see what I can do for pf. I would
 imagine I will have to setup anchors in pf which I haven't done yet but
 am sure I will get my head around it. Any pointers would be
 appreciated! :)

  anchors are cake.  spend some time with authpf(8) and you can get
  to know anchors very quickly.

  instead of motioning to start a discussion about something that will
  probably want to make people jump down your throat, perhaps just
  use LogLevel QUIET or FATAL for sshd?  if you think that sshd is a
  loose end that needs to be tied up, why not just do something 
  far simpler and clearer like setup isakmpd or whatever vpn setup
  you need and only let sshd listen on the internal iface or otherwise
  filter the rest out?  far less crappy voodoo to break or setup wrong.

 I will also need to write a windows util to do the knocking for the
 contractors - can Perl run on a Windows machine or will I have to dust
 off my C compiler? :)

  i think there are perl interpreters for windows.

  jared

-- 

[ openbsd 3.6 GENERIC ( nov 4 ) // i386 ]


RE: pf port knocking

2004-12-17 Thread Roy Morris
change your ssh port to like 30222 or something .. 




Re: CARP

2004-12-17 Thread Ryan McBride
On Thu, Dec 16, 2004 at 08:54:54PM -0500, Jason Dixon wrote:
 There is probably a good reason for this, but might be hard to 
 determine a) for an experienced user without access to your network, or 
 b) for an inexperienced user *with* access to your network.  ;-)
 
 I suggest monitoring your interfaces continually (while true; do 
 ifconfig -a | grep carp; sleep 1; clear; done) while you recreate your 
 problems.  It wouldn't hurt to also monitor your pfsync traffic for 
 hiccups.

'ifconfig carp' works, no need for '-a | grep carp'. carp(4) state
transitions also show up on the routing socket, so you can do 'route
monitor'.

 I usually experience ~3 seconds of packet loss during a failover.  
 Recovery is always instantaneous (no loss).  Regardless, I've yet to 
 lose any TCP connections.  I'd suggest you try to isolate the 
 questionable behavior.
 
 Sorry if I sound like a Loinux whiny, I'm almost there, just need a
 few more pointers.
 
 1) If I reduce advskew to something like 10 on machine A and 12 on
 machine b, would that increase the stability of the firewalls?
 
 I suggest larger advskew differences.  You can only go as high as the 
 size of your segment (256-1 for /24, for example).  If you're only 
 using 2 firewalls, I suggest advskews of 0 and 100.  This isn't 
 documented anywhere, and is only based on my own experience, so YMMV.

If by not documented you mean explicitly ignoring the examples in the
carp(4) manpage, then you're correct :-)

The advskew range doesn't depend on the network segment. It's an 8 bit
number in the CARP packet and the legal values are 1-255. Keep the value
below 240 unless you really know what you're doing.

 2) Why does it seem that when the master returns from me issuing a
 reboot does the connection for the client appear to get shaky again?

What is the value of 'sysctl net.inet.carp.preempt'?

Those who want useful advice on a CARP problem should provide the output
of the following (from both machines):

$ ifconfig -a
$ sysctl net.inet.carp
$ netstat -sp carp


Re: pf port knocking

2004-12-17 Thread Ed White
On Friday 17 December 2004 15:45, Roy Morris wrote:
 change your ssh port to like 30222 or something ..

That's dumb. Choose a port < 1024.


Re: pf port knocking

2004-12-17 Thread Ed White
On Friday 17 December 2004 06:11, A wrote:
 Further, jasper is the only machine that is externally accessible via
 SSH (the only other open ports are domain, web and mail on other
 servers). I need to leave SSH open as a number of people work remotely
 and tunnel through it to some of the services on the internal network.

Try to reduce the access with options like OS-fingerprinting, src-IP, 
src-port.


Re: CARP

2004-12-17 Thread Jason Dixon
On Dec 17, 2004, at 1:47 PM, Ryan McBride wrote:
  I suggest larger advskew differences.  You can only go as high as the
  size of your segment (256-1 for /24, for example).  If you're only
  using 2 firewalls, I suggest advskews of 0 and 100.  This isn't
  documented anywhere, and is only based on my own experience, so YMMV.
 If by not documented you mean explicitly ignoring the examples in the
 carp(4) manpage, then you're correct :-)

I do.  :)

 The advskew range doesn't depend on the network segment. It's an 8 bit
 number in the CARP packet and the legal values are 1-255. Keep the value
 below 240 unless you really know what you're doing.

I overextended myself with that piece of logic.  I remember it being
capped at 255, but inappropriately associated it with the mask.  Sorry
for any confusion caused, I fucking hate it when people give wrong
answers on list.  :-P

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: CARP

2004-12-17 Thread ed

On Fri, 17 Dec 2004 18:47:47 +
Ryan McBride [EMAIL PROTECTED] wrote:

 $ ifconfig -a
 $ sysctl net.inet.carp
 $ netstat -sp carp

Thank you, I will provide this with my next post.

-- 
/--  _| | Regards. Please note, my PGP key ID has changed.
|-- / | | If you are planning on sending me something encrypted
\__ \_| | please update your keyring. Debian/OpenBSD. 53C9FC6C.


Re: pf port knocking

2004-12-17 Thread Peter GILMAN

Ed White [EMAIL PROTECTED] wrote:

| On Friday 17 December 2004 15:45, Roy Morris wrote:
|  change your ssh port to like 30222 or something ..
| 
| That's dumb.

why?


| Choose a port < 1024.

why?


Re: pf port knocking

2004-12-17 Thread Jason Opperisano
On Fri, 2004-12-17 at 15:51, Peter GILMAN wrote:
 Ed White [EMAIL PROTECTED] wrote:
 
 | On Friday 17 December 2004 15:45, Roy Morris wrote:
 |  change your ssh port to like 30222 or something ..
 | 
 | That's dumb.
 
 why?
 
 
  | Choose a port < 1024.
 
 why?

not trying to speak for ed, but IMHO...it's dumb because any yahoo with
a local account on a machine can create a listening socket on a port >=
1024.

running a daemon on a port < 1024 requires privilege (thus the
name)...sshd deserves the VIP treatment.  if it doesn't conflict with an
ssl httpd...443 is an awfully remote-side-firewall-friendly choice for
an alternate sshd port...

-j

--
I hope I didn't brain my damage.
--The Simpsons


RE: pf port knocking

2004-12-17 Thread Roy Morris
 not trying to speak for ed, but IMHO...it's dumb because any 
 yahoo with
 a local account on a machine can create a listening socket on 
 a port >=
 1024.

Anyone can create a socket above 1024 anyway, regardless .. this has
nothing to do with ssh. If you are running a server, full of users with 
shell access, you must have a completely different security model. If this
is a gateway then ...

I don't want to beat this to death, so let me say this is my opinion.

If you want to knock off most of the port pounding twits, stop allowing
ssh from 'any', filter instead by source. If you can't do that, because you 
MUST have access from your remote laptop, then maybe try using a ssh 
rule that says use OS type = my remote OS. 

Cheers 
Rm