Re: [Openvpn-users] >>> Alikhani X2

2023-02-15 Thread Stefanie Leisestreichler



On 15.02.23 18:43, Alikhani X2 wrote:
> Hi. I don't use the terminal. I just want to get onto Instagram, because
> Iran filters everything.
>
> On Wed, Feb 15, 2023 at 21:08 Stefanie Leisestreichler wrote:
>
> > Hi Alikhani.
> > You are sending me private mail, but this mail account does not make it
> > through the gmail mail server checks.
> >
> > This is what I would try if I were you:
> > Visit https://torproject.org, read the docs and use their browser.
> >
> > Good luck.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Stefanie Leisestreichler




On 15.02.23 17:51, Marc SCHAEFER wrote:
> On Wed, Feb 15, 2023 at 05:43:12PM +0100, Jan Just Keijser wrote:
> > Having port 22 open on the internet is asking for bots & script kiddies to
> > try and break in, but usually fail2ban takes care of it quite nicely.
>
> Yes, and you can report to abuseipdb.com -- that's why my main server has
> port 22 open (and there are a few measures that make successful
> authentication unlikely -- the remaining risk is a zero-day on SSH itself).

This is where my default fw setup is getting its dynamic blocklists
from, I mentioned that earlier. With the list I am using (around 64000
IP records) I am getting up to 2000 hits/24 hours.

> On a sensitive machine, I use port knocking.

This is what I was talking about in an earlier post - port knocking to
protect these instances would be implemented in multiple dimensions.
Also I would not run an sshd at its default port exposed to the internet
even if hidden :)

Also no user/pw auth, ssh certs for auth.




Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Stefanie Leisestreichler




On 15.02.23 18:06, Gert Doering wrote:
> > Are you referring with "invisible" to the not shown signature of the
> > openvpn service?
>
> Yes.

Thanks for the clarification.

> > I tried and was able to port scan a running openvpn instance but got no
> > signature. So one can tell the port is opened but the attack vector will
> > be big. UDP-Scanning is doable also. To be honest I surely know where
> > the services are located but to get them is just a loop away.
>
> Well, the thing is: if you suspect it's openvpn, you can send an
> initial UDP openvpn handshake packet to it - and the server will reply,
> as configured.
>
> Now, if you add tls-auth or tls-crypt to the server (+client) config,
> even a correct "openvpn UDP initial handshake" packet will *not* make
> the server reply, unless you also have the right tls-auth/tls-crypt
> configured on the client side - which needs a (secret!) key to do so.
>
> So, with this config, OpenVPN is "invisible" because it will never reply
> except to those that know the magic words :-)
>
> (Of course a port scanner can detect that there is "something", but
> there is close to zero attack surface)
>
> gert

Thanks for those further details. Now all you said makes perfect sense
to me.





Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Gert Doering
Hi,

On Wed, Feb 15, 2023 at 06:02:26PM +0100, Stefanie Leisestreichler wrote:
> On 15.02.23 16:43, Gert Doering wrote:
> > I guess this was intended to read "OpenVPN" :-) - and indeed, with
> > tls-auth/tls-crypt, an OpenVPN server is "invisible" unless you know
> > that it's there and have the right key material.
> 
> Are you referring with "invisible" to the not shown signature of the 
> openvpn service?

Yes.

> I tried and was able to port scan a running openvpn instance but got no 
> signature. So one can tell the port is opened but the attack vector will 
> be big. UDP-Scanning is doable also. To be honest I surely know where 
> the services are located but to get them is just a loop away.

Well, the thing is: if you suspect it's openvpn, you can send an
initial UDP openvpn handshake packet to it - and the server will reply,
as configured.

Now, if you add tls-auth or tls-crypt to the server (+client) config,
even a correct "openvpn UDP initial handshake" packet will *not* make
the server reply, unless you also have the right tls-auth/tls-crypt
configured on the client side - which needs a (secret!) key to do so.

So, with this config, OpenVPN is "invisible" because it will never reply
except to those that know the magic words :-)

(Of course a port scanner can detect that there is "something", but 
there is close to zero attack surface)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


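Gert's point about tls-auth/tls-crypt, as an added example that is not part of the thread and not OpenVPN's own code: a shell script that writes two constructed server configs (one that answers any well-formed handshake, one with tls-crypt that stays silent unless the peer holds the key) and a small audit function a defender can run over a config before exposing the UDP port. The file names, the key path `ta.key`, the tunnel network and the helper names `make_sample_configs`, `has_control_channel_auth` and `audit_openvpn_config` are all assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread or from the OpenVPN project.
# Two constructed server configs are written to a temp dir: one that answers
# any well-formed handshake, one with tls-crypt that stays silent unless the
# peer holds ta.key. audit_openvpn_config() tells them apart. All file names,
# the key path and the tunnel network are placeholders chosen here.

# Write the two sample configs; prints the directory they live in.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/server-plain.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0
EOF
    # Hardened variant: same config plus control-channel authentication.
    # ta.key would come from `openvpn --genkey secret ta.key` and must be
    # present on the client as well (tls-crypt ta.key; with tls-auth the
    # server uses direction 0 and the client direction 1).
    cp "$dir/server-plain.conf" "$dir/server-hardened.conf"
    echo 'tls-crypt ta.key' >> "$dir/server-hardened.conf"
    echo "$dir"
}

# Exit 0 if the config uses tls-crypt, tls-crypt-v2 or tls-auth, either as a
# file reference or as an inline <tls-crypt> block; 1 otherwise.
# Commented-out lines ("# tls-auth ...") do not count.
has_control_channel_auth() {
    grep -Eq '^[[:space:]]*(<(tls-crypt|tls-crypt-v2|tls-auth)>|(tls-crypt|tls-crypt-v2|tls-auth)[[:space:]])' "$1"
}

# One-word verdict per config, usable from scripts and tests.
audit_openvpn_config() {
    if has_control_channel_auth "$1"; then
        echo hidden      # unauthenticated handshakes are silently dropped
    else
        echo exposed     # every well-formed handshake gets a reply
    fi
}

# Stand-alone run: audit both samples and clean up.
d=$(make_sample_configs)
for f in "$d"/server-plain.conf "$d"/server-hardened.conf; do
    printf '%s: %s\n' "${f##*/}" "$(audit_openvpn_config "$f")"
done
rm -rf "$d"
```

The audit only tells you whether the directive is present; it does not verify that the client side carries the same key, which is what actually makes the server answer. As Gert notes, a scanner can still see that a UDP port is "something", so the check is about attack surface, not about hiding the port.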


Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Stefanie Leisestreichler

On 15.02.23 16:43, Gert Doering wrote:
> I guess this was intended to read "OpenVPN" :-) - and indeed, with
> tls-auth/tls-crypt, an OpenVPN server is "invisible" unless you know
> that it's there and have the right key material.

Are you referring with "invisible" to the not shown signature of the
openvpn service?
I tried and was able to port scan a running openvpn instance but got no
signature. So one can tell the port is opened but the attack vector will
be big. UDP-Scanning is doable also. To be honest I surely know where
the services are located but to get them is just a loop away.

And yes, Shodan did not show the port as open.




Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Stefanie Leisestreichler




On 15.02.23 17:43, Jan Just Keijser wrote:
> On 15/02/2023 14:12, Stefanie Leisestreichler wrote:
> > On 15.02.23 13:54, Jan Just Keijser wrote:
> > > sure, I use them, I even manage a few that offer such access to
> > > students and employees.
> > > Do I trust that host? no, it is monitored very intensively and it's
> > > purely a "jumphost" with chroot sandboxes for the people logging in.
> >
> > Which leads to the question: Do you focus with the same caution on an
> > exposed openvpn service or is this more specific to those sshd?
>
> this is actually starting to sound like we're doing your homework

Let's stop here. Do not waste your time with me any more. I do not need
YOU to do my homework. I know you are a valuable person in this
community; maybe you just had a bad day.

> Like Marc Schaefer wrote, for OpenVPN it is a bit different, as you can
> run it over UDP which makes it a little easier to hide.
>
> Having port 22 open on the internet is asking for bots & script kiddies
> to try and break in, but usually fail2ban takes care of it quite nicely.
> However, sometimes it is necessary to open up this port as I've seen
> sites which allow outbound access on tcp port 22 only, not on a random
> port like 2 - plus, when offering public access for students you
> have to document and list it on a public webpage, so having a public
> wiki/web page stating "we run ssh on tcp port  to confuse script
> kiddies" is not a very good way to hide your ssh service.
>
> JJK






Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Gert Doering
Hi,

On Wed, Feb 15, 2023 at 05:51:40PM +0100, Marc SCHAEFER wrote:
> (*) I read some literature that scanning the whole ipv4 space for every
> TCP port takes about a day with a GBit/s or so optimized SYN sender.

https://github.com/robertdavidgraham/masscan

"MASSCAN: Mass IP port scanner

This is an Internet-scale port scanner. It can scan the entire Internet
in under 5 minutes, transmitting 10 million packets per second, from a
single machine."

(for a single port only, so scanning "every TCP port" will take 
much longer - 225 days, my math says - OTOH, scanning "the usual suspects"
is fast again)

gert




Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Gert Doering
Hi,

On Wed, Feb 15, 2023 at 05:43:12PM +0100, Jan Just Keijser wrote:
> Having port 22 open on the internet is asking for bots & script kiddies 
> to try and break in, but usually fail2ban takes care of it quite nicely.

Unfortunately, the botnets have become smarter.  We observe that we're
only seeing 2-3 password attempts per source IP, and then a new bot
comes testing (and this one moves on to the next server) - so fail2ban
does not kick in as often as it should.

So, whatever you do: do not allow password auth on an "internet reachable"
sshd...

gert


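Gert's observation that the botnets now try only 2-3 passwords per source IP before handing over to the next bot, illustrated with an added example that is not from the thread or from fail2ban: a constructed auth.log excerpt in exactly that pattern and an awk report of what fail2ban's default sshd jail (maxretry 5) would actually ban. The log lines, the source IPs (RFC 5737 documentation ranges), the user names and the helper names `sample_auth_log`, `failed_by_ip` and `fail2ban_coverage` are all constructed here.

```shell
#!/bin/sh
# Added example, not from the thread or from fail2ban. A constructed auth.log
# excerpt in the "2-3 attempts per source IP, then the next bot" pattern, plus
# an awk summary of how much of it a per-IP ban threshold would catch.
# Host name, PIDs, users and IPs (RFC 5737 ranges) are all made up.

sample_auth_log() {
    cat <<'EOF'
Feb 15 17:01:02 host sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 40122 ssh2
Feb 15 17:01:05 host sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 40122 ssh2
Feb 15 17:01:09 host sshd[1002]: Failed password for root from 203.0.113.10 port 40130 ssh2
Feb 15 17:02:11 host sshd[1003]: Failed password for root from 198.51.100.7 port 51010 ssh2
Feb 15 17:02:14 host sshd[1003]: Failed password for invalid user test from 198.51.100.7 port 51010 ssh2
Feb 15 17:03:30 host sshd[1004]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Feb 15 17:03:33 host sshd[1004]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Feb 15 17:03:36 host sshd[1004]: Failed password for root from 192.0.2.44 port 33001 ssh2
Feb 15 17:10:01 host sshd[1010]: Failed password for root from 203.0.113.99 port 2222 ssh2
Feb 15 17:10:02 host sshd[1010]: Failed password for root from 203.0.113.99 port 2222 ssh2
Feb 15 17:10:03 host sshd[1010]: Failed password for root from 203.0.113.99 port 2222 ssh2
Feb 15 17:10:04 host sshd[1010]: Failed password for root from 203.0.113.99 port 2222 ssh2
Feb 15 17:10:05 host sshd[1010]: Failed password for root from 203.0.113.99 port 2222 ssh2
Feb 15 17:10:06 host sshd[1010]: Failed password for root from 203.0.113.99 port 2222 ssh2
Feb 15 17:11:00 host sshd[1011]: Accepted publickey for steffi from 192.0.2.8 port 50000 ssh2: ED25519 SHA256:placeholder
EOF
}

# Read a log on stdin and print "count ip" per source IP, highest count first.
# Only "Failed password" lines count; key-based logins are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
         }
         END { for (ip in ips) print ips[ip], ip }' | sort -rn
}

# Read a log on stdin and summarise it against a per-IP ban threshold
# (fail2ban's default maxretry is 5). Prints one line:
#   attempts=<total> sources=<ips> banned=<ips at/over threshold> unbanned_attempts=<n>
fail2ban_coverage() {
    maxretry=${1:-5}
    failed_by_ip | awk -v max="$maxretry" '
        { total += $1; sources++
          if ($1 >= max) banned++; else leak += $1 }
        END { printf "attempts=%d sources=%d banned=%d unbanned_attempts=%d\n",
                     total, sources, banned, leak }'
}

# Stand-alone run: per-IP table, then the coverage summary.
sample_auth_log | failed_by_ip
sample_auth_log | fail2ban_coverage 5
```

On this sample only the one noisy host crosses the threshold; the three low-rate sources account for 8 of the 14 attempts and are never banned, which is the gap Gert describes. A lower maxretry narrows it but does not close it, so the durable fix is the one he gives: set `PasswordAuthentication no` (and `KbdInteractiveAuthentication no`, called `ChallengeResponseAuthentication` in older OpenSSH) in sshd_config, after which these log lines stop being a risk signal and become pure noise for the blocklist feed.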


Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Marc SCHAEFER
On Wed, Feb 15, 2023 at 05:43:12PM +0100, Jan Just Keijser wrote:
> Having port 22 open on the internet is asking for bots & script kiddies to
> try and break in, but usually fail2ban takes care of it quite nicely.

Yes, and you can report to abuseipdb.com -- that's why my main server has
port 22 open (and there are a few measures that make successful
authentication unlikely -- the remaining risk is a zero-day on SSH itself).

> and list it on a public webpage, so having a public wiki/web page stating
> "we run ssh on tcp port  to confuse script kiddies" is not a very good
> way to hide your ssh service.

Also, I have one container which has a random port for SSH. It was discovered
by scanners in about one to two weeks. (*)

On a sensitive machine, I use port knocking. Or I hide services behind a
private OpenVPN network, depending. Which is also useful when the ISP no longer
offers port forwarding (CGNAT) for CPE.

(*) I read some literature that scanning the whole ipv4 space for every
TCP port takes about a day with a GBit/s or so optimized SYN sender.




Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Jan Just Keijser

On 15/02/2023 14:12, Stefanie Leisestreichler wrote:
> On 15.02.23 13:54, Jan Just Keijser wrote:
> > sure, I use them, I even manage a few that offer such access to
> > students and employees.
> > Do I trust that host? no, it is monitored very intensively and it's
> > purely a "jumphost" with chroot sandboxes for the people logging in.
>
> Which leads to the question: Do you focus with the same caution on an
> exposed openvpn service or is this more specific to those sshd?

this is actually starting to sound like we're doing your homework

Like Marc Schaefer wrote, for OpenVPN it is a bit different, as you can 
run it over UDP which makes it a little easier to hide.


Having port 22 open on the internet is asking for bots & script kiddies 
to try and break in, but usually fail2ban takes care of it quite nicely.
However, sometimes it is necessary to open up this port as I've seen 
sites which allow outbound access on tcp port 22 only, not on a random 
port like 2 - plus, when offering public access for students you 
have to document and list it on a public webpage, so having a public 
wiki/web page stating "we run ssh on tcp port  to confuse script 
kiddies" is not a very good way to hide your ssh service.


JJK


Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Marc SCHAEFER
On Wed, Feb 15, 2023 at 05:19:07PM +0100, Gert Doering wrote:
> SPF itself is not the problem (that only checks envelope-from, which
> the list does change), but DMARC with p=reject is.

Correct!

> Not sure if the list actually can do the "do the From: rewrite for
> DMARC p=reject enabled senders" dance.  I know mailman can, but it's
> not a mailman list.
> 
> Always rewriting From: is the worst of all solutions.

I have configured it for a few years now on many lists (with Mailman) and it
works quite well.  Intelligent MUAs will even differentiate between replying to
the list or to the user (via Reply-To:).

Now, if you can't, well, you can't, and I will get reports like this every time
I post, which is not problematic:

  Sender Domain: alphanet.ch
  Sender IP Address: 216.105.38.7
  Received date: Wed, 15 Feb 2023 17:13:10 +0100
  SPF Alignment: no
  DKIM Alignment: no
  DMARC Results: None, Accept

As you can see, in my case it's not that problematic (it might be if the remote
server uses disalignment to add "spam points"). In that specific case they
seem to use spamassassin and the disalignment has no impact, according to
the spamassassin headers.

I only currently configure reject for the domains I no longer use that are used
to send out spam, namely some alphanet.ch subdomains:

   schaefer@reliand:~$ host -t txt _dmarc.vulcan.alphanet.ch
   _dmarc.vulcan.alphanet.ch is an alias for _dmarc.obsolete.alphanet.ch.
   _dmarc.obsolete.alphanet.ch descriptive text "v=DMARC1; p=reject"

The only reason I publish a DMARC policy on my main domain (of p=none) is it
made my mail more easily acceptable to gmail for some magical reason.

Some day, I might switch to reject policy.


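Marc's alignment report and the discussion of DMARC p=reject versus From: rewriting, as an added example that is not from the thread and not Mailman's code: shell functions that compute SPF and DKIM alignment in relaxed mode and derive the DMARC outcome for a list-relayed message, once for an unmodified relay and once for the From:-munged case. The header values, the DMARC records for the list domain, and the simplified organizational-domain rule (last two labels instead of the Public Suffix List) are assumptions made here; the helper names `org_domain`, `aligned`, `dmarc_policy` and `dmarc_verdict` are invented for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Mailman. Reproduces the kind of
# alignment verdict Marc's report shows, on constructed header values.
# Relaxed alignment is approximated as "same organizational domain", computed
# here as the last two labels; real verifiers consult the Public Suffix List.

# Organizational domain of a host name (simplified: last two labels).
org_domain() {
    printf '%s\n' "$1" | awk -F. '{ if (NF >= 2) print $(NF-1) "." $NF; else print $0 }'
}

# aligned <header From: domain> <authenticated domain> -> yes/no (relaxed mode)
aligned() {
    if [ "$(org_domain "$1")" = "$(org_domain "$2")" ]; then echo yes; else echo no; fi
}

# Extract the p= policy from a DMARC TXT record value such as "v=DMARC1; p=reject".
# Prints nothing if the record has no p= tag (sp= and pct= are not matched).
dmarc_policy() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=\([a-z]*\).*/\1/p'
}

# DMARC outcome for one message.
#   $1 From: header domain     $2 envelope-from (SPF-authenticated) domain
#   $3 DKIM d= domain, or ""   $4 DMARC TXT record of the From: domain
# Prints "spf=<yes|no> dkim=<yes|no> result=<pass|none|quarantine|reject>".
dmarc_verdict() {
    from=$1; spf_dom=$2; dkim_dom=$3; record=$4
    spf=$(aligned "$from" "$spf_dom")
    if [ -n "$dkim_dom" ]; then
        dkim=$(aligned "$from" "$dkim_dom")
    else
        dkim=no      # no surviving signature, e.g. broken by the list footer
    fi
    if [ "$spf" = yes ] || [ "$dkim" = yes ]; then
        result=pass  # DMARC passes when either identifier aligns
    else
        result=$(dmarc_policy "$record")
        [ -n "$result" ] || result=none
    fi
    echo "spf=$spf dkim=$dkim result=$result"
}

# Case 1: the list relays the mail unchanged. Envelope-from is now the list
# domain, the footer broke the sender's DKIM signature, From: still says
# alphanet.ch: nothing aligns, so the outcome is whatever alphanet.ch publishes
# (p=none -> "None, Accept", as in Marc's report).
dmarc_verdict alphanet.ch lists.sourceforge.net "" "v=DMARC1; p=none"
# Case 2: same relay, but the sender publishes p=reject, as Marc's obsolete
# subdomains do: receivers honouring the policy reject the list copy.
dmarc_verdict alphanet.ch lists.sourceforge.net "" "v=DMARC1; p=reject"
# Case 3: Mailman's from_is_list=Munge rewrites From: to the list domain, so
# the list's own envelope-from aligns and the message passes regardless of the
# original sender's policy (the list domain's record here is a placeholder).
dmarc_verdict lists.sourceforge.net lists.sourceforge.net "" "v=DMARC1; p=none"
```

The third case is why Gert calls unconditional From: rewriting the worst option and Marc limits p=reject to domains that no longer send mail: munging makes the list copy deliverable at the price of replacing the author's address, which is acceptable for a dead domain's mail but a visible change for everyone else's.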


Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Gert Doering
Hi,

On Wed, Feb 15, 2023 at 05:11:07PM +0100, Marc SCHAEFER wrote:
> On a side note, you don't rewrite the From: in your mailing-list, which means
> that SPF enabled domains like me will not always be delivered.

SPF itself is not the problem (that only checks envelope-from, which
the list does change), but DMARC with p=reject is.

Not sure if the list actually can do the "do the From: rewrite for
DMARC p=reject enabled senders" dance.  I know mailman can, but it's
not a mailman list.

Always rewriting From: is the worst of all solutions.

gert




Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Marc SCHAEFER
On Wed, Feb 15, 2023 at 04:43:07PM +0100, Gert Doering wrote:
> On Wed, Feb 15, 2023 at 04:06:44PM +0100, Marc SCHAEFER wrote:
> > I run OpenSSH with UDP and on a random port, it is presumably much
> > more difficult to find on scanners.
> 
> I guess this was intended to read "OpenVPN" :-) - and indeed, with
> tls-auth/tls-crypt, an OpenVPN server is "invisible" unless you know
> that it's there and have the right key material.

Yes, sorry, s/OpenSSH/OpenVPN/.

On a side note, you don't rewrite the From: in your mailing-list, which means
that SPF enabled domains like me will not always be delivered.

For the record, using MailMan, it's the General > from_is_list > Munge option.

This means that the real mail address is somewhat obfuscated (but probably can
be found as Reply-To: if it is not set to the list).




Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Gert Doering
Hi,

On Wed, Feb 15, 2023 at 04:06:44PM +0100, Marc SCHAEFER wrote:
> I run OpenSSH with UDP and on a random port, it is presumably much
> more difficult to find on scanners.

I guess this was intended to read "OpenVPN" :-) - and indeed, with
tls-auth/tls-crypt, an OpenVPN server is "invisible" unless you know
that it's there and have the right key material.

gert




Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Marc SCHAEFER
On Wed, Feb 15, 2023 at 02:12:58PM +0100, Stefanie Leisestreichler wrote:
> Which leads to the question: Do you focus with the same caution on an exposed
> openvpn service or is this more specific to those sshd?

No.

I run OpenSSH with UDP and on a random port, it is presumably much
more difficult to find on scanners.




Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Stefanie Leisestreichler



On 15.02.23 13:54, Jan Just Keijser wrote:
> sure, I use them, I even manage a few that offer such access to
> students and employees.
> Do I trust that host? no, it is monitored very intensively and it's
> purely a "jumphost" with chroot sandboxes for the people logging in.

Which leads to the question: Do you focus with the same caution on an
exposed openvpn service or is this more specific to those sshd?


I do not want to insult someone with that question, please do not get me 
wrong.


Thank you very much for sharing your thoughts, to everyone btw!




Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Jan Just Keijser

On 15/02/2023 11:53, Stefanie Leisestreichler wrote:
> My initial question was meant something like: Do you or others trust
> ssh opened to the public internet and if so, under which circumstances?

sure, I use them, I even manage a few that offer such access to
students and employees.
Do I trust that host? no, it is monitored very intensively and it's
purely a "jumphost" with chroot sandboxes for the people logging in.


cheers,

JJK


Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Stefanie Leisestreichler

I like paranoid firewalls :)

stunnel is a real good catch, I almost forgot about it. We used it in 
the earlier days a lot.


I'll use it in case the first entry in sshd audit file appears saying 
"access denied" or something pointing in that direction.


I have had the very best experience using knocking and I highly recommend it
for clear logs. Always good if your open ports cannot be scripted with the
shodan api ;)


Script kiddies and all those known bots are kept away by using dynamic 
block lists.


My initial question was meant something like: Do you or others trust ssh
opened to the public internet and if so, under which circumstances?


Thanks again!


On 15.02.23 11:19, j.witvl...@mindef.nl wrote:
> Before opening SSH to the world, you might contemplate encapsulating it with
> stunnel.
> It also helps with paranoid firewalls ;-)





Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Hans via Openvpn-users
Before opening SSH to the world, you might contemplate encapsulating it with
stunnel.
It also helps with paranoid firewalls ;-)

-Original Message-
From: Stefanie Leisestreichler 
Sent: Tuesday, February 14, 2023 4:42 PM
To: openvpn-users@lists.sourceforge.net
Subject: [Openvpn-users] openVPN vs openSSH for single user access

Hi.
I like openVPN, it is a cool piece of software :) For years I've been reading 
this list. Always a good source for great info, thanks!

Today I am asking for your advice.
I need to grant access to one machine to a user who is able to use a terminal.
The whole net is a small one without the need for openvpn to manage it until
now. I am thinking about giving this single user the possibility to connect to
the machine (running in DMZ) via ssh access, dnatted over the public internet.
The sshd will be kept updated (arch linux as os). Auth will be made using
public/private cert.

What do you think?

Steffi




This message may contain information that is not intended for you. If you are 
not the addressee or if this message was sent to you by mistake, you are 
requested to inform the sender and delete the message. The State accepts no 
liability for damage of any kind resulting from the risks inherent in the 
electronic transmission of messages.

