Re: Restricting source with dDNS (dynamic DNS)

2009-12-21 Thread Henning Brauer
* Alvaro Mantilla Gimenez alv...@dydnetworks.com [2009-12-19 12:00]:
> It would be awesome if pf could implement some port knocking features

over my dead body

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: Restricting source with dDNS (dynamic DNS)

2009-12-20 Thread Peter N. M. Hansteen
Alvaro Mantilla Gimenez alv...@dydnetworks.com writes:

> It would be awesome if pf could implement some port knocking features in
> next releases...maybe and associate daemon (like spamd with email
> attempts delivers...or something like that). Do you think is it
> possible?

The first hurdle in getting port knocking functionality into the base
system or a port would be to demonstrate that the added complexity is
worth it in a very practical sense.  

Basically it's just one more feature that would need to be implemented
in a sane way and be demonstrated to be useful enough to warrant
inclusion.  I wouldn't want to rate the chance of success, but if you
think you can do it, what's stopping you?

For the original poster's scenario, the suggestion to write a script
that resolves the hostnames and maintains a table specifically
addresses their problem, using existing tools in a very simple way.

One could of course argue that a little sshd config would go a long
way too, say enabling key based logins only (turning off password
authentication), disallowing root logins and so on, but we don't know
whether they've done that already.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: Restricting source with dDNS (dynamic DNS)

2009-12-19 Thread Peter N. M. Hansteen
Karl O. Pinc k...@meme.com writes:

> > I'd say this sounds like a situation where authpf could come in quite
> > handy.
>
> How?  I thought authpf grants additional rights to those who
> can ssh.  But he wants to restrict those allowed to ssh period.

authpf loads rulesets, with all the flexibility that comes with pf.
But you're right, it requires ssh to be accessible in order to log in,
and so may not be what the original poster was looking for.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: Restricting source with dDNS (dynamic DNS)

2009-12-19 Thread Michiel van Baak
On 15:40, Fri 18 Dec 09, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I like to
> allow
> administrative access to a firewall only from specific ip addresses.
>
> Unfortunately, some of the administrators are working from dynamic ip
> addresses
> that change with some frequency.
>
> Is there a straightforward way to incorporate dynamic ip source addresses in
> the
> pf ruleset?

You can go with the previously mentioned table + resolving script cron job,
or you can not restrict access to ssh based on ip but disable root ssh
login and password authentication, ask for public keys, and go with that.

This is the way I chose (mostly because of GPRS/UMTS/HSDPA access
nowadays) and it's working great.
-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?


Re: Restricting source with dDNS (dynamic DNS)

2009-12-19 Thread Alvaro Mantilla Gimenez
On Fri, 2009-12-18 at 20:58 +0100, Peter N. M. Hansteen wrote:
> Karl O. Pinc k...@meme.com writes:
>
> > > I'd say this sounds like a situation where authpf could come in quite
> > > handy.
> >
> > How?  I thought authpf grants additional rights to those who
> > can ssh.  But he wants to restrict those allowed to ssh period.
>
> authpf loads rulesets, with all the flexibility that comes with pf.
> but you're right, it requires ssh to be accessible in order to log in,
> and so may not be what the original poster was looking for.
>

It would be awesome if pf could implement some port knocking features in
the next releases...maybe an associated daemon (like spamd with email
delivery attempts...or something like that). Do you think it is
possible?

Regards,

 Alvaro



RE: Restricting source with dDNS (dynamic DNS)

2009-12-19 Thread Justin Krejci
While not what the OP specifically requested, a good option to
consider in general is to use the overload option to allow PF to dynamically
add abusing IPs to a table which is then blocked from ssh access. This is
more for frequent TCP connections on port 22 (or any other) for brute force
type activity. This is similar to but not the same as the fail2ban type
scripts.

I get about 5-10 IPs added to my block table every day, which is cleared
daily via cron.




RE: Restricting source with dDNS (dynamic DNS)

2009-12-19 Thread Alvaro Mantilla Gimenez
On Sat, 2009-12-19 at 06:05 -0600, Justin Krejci wrote:
 While also not what the OP specifically requested but a good option to
 consider in general is to use the overload option to allow PF to dynamically
 add abusing IPs to a table which is then blocked from ssh access. This is
 more for frequent TCP connections on port 22 (or any other) for brute force
 type activity. This is similar to but not the same as the fail2ban type
 scripts.
 
 I get about 5-10 IP's added to my block table every day which is cleared
 daily via cron.
 

Yes, that is a good option but it is not the purpose of the discussion.
He wants to have the ssh port closed and open the ports in a dynamic
way. His approach to do that with a dns resolution is not the right
approach to solve the issue. Port Knocking is, by far, the best option
to do that. The problem here is...there is no port knocking support in
OpenBSD, so the only solution he has at hand is authpf + bruteforce
tables to defend himself from the offenders, which, again, is not the
best approach to solve his problem.

Regards,

   Alvaro




RE: Restricting source with dDNS (dynamic DNS)

2009-12-19 Thread Justin Krejci
I think it is tangentially related to the discussion, as the OP is obviously
looking for some advice on security, and I think what I mentioned was likely
applicable to other firewalls separate from the one the OP specifically
is configuring, perhaps on other networks altogether.  But you are right, it
is not directly related, which I stated at the start of my message. I agree
that an auto dns checker updating a pf table is a pretty decent way to do
this with built in openbsd tools, but it leaves one prone to DNS poisoning,
which can happen on non-openbsd systems completely out of the OP's control on
the internet.

I don't particularly like relying on something like public DNS for who has
TCP layer access. What if the DNS servers are down or having issues and a
remote user then can't connect? Maybe that is an acceptable risk. What if the
DNS zones get poisoned and now an attacker's own IP address is the only one
allowed to access SSH (aside from any other statically allowed IPs)? Maybe
that is an acceptable risk.

Solely relying on dynamic DNS in this way is not acceptable to me.





Re: Restricting source with dDNS (dynamic DNS)

2009-12-19 Thread Karl O. Pinc
On 12/18/2009 11:25:18 AM, Michiel van Baak wrote:
> You can go with the previously mentioned table +
> resolvingscriptcronjob,
> or you can not restrict access to ssh based on ip but disable root
> ssh
> login and passwordauthentication, ask for public keys, and go with
> that.

And if you need access beyond that there's also 
one-time-passwords/skey.





Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Restricting source with dDNS (dynamic DNS)

2009-12-18 Thread Karl O. Pinc
On 12/18/2009 09:40:36 AM, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I
> like to allow
> administrative access to a firewall only from specific ip addresses.
>
> Unfortunately, some of the administrators are working from dynamic ip
> addresses
> that change with some frequency.
>
> Is there a straightforward way to incorporate dynamic ip source
> addresses in the
> pf ruleset?

Yes.  Make a table with the dynamic source addresses.
Control access using that table.
Update the table with pfctl from a script that
runs periodically and does dns lookups. 




Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Restricting source with dDNS (dynamic DNS)

2009-12-18 Thread Laurent Cheylus
Hi,

On Fri, Dec 18, 2009 at 03:40:36PM +, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I like to
> allow
> administrative access to a firewall only from specific ip addresses.
>
> Unfortunately, some of the administrators are working from dynamic ip
> addresses
> that change with some frequency.
>
> Is there a straightforward way to incorporate dynamic ip source addresses in
> the
> pf ruleset?

- Use a table for these IP src addresses in your pass rule
- Run regularly via cron a script to resolve these dynamic IPs and
  add/modify/delete it in the src table via 'pfctl'

A++ Laurent
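The table-plus-cron procedure Karl and Laurent describe, written out as an added example (not a script from this thread or from OpenBSD): it resolves each administrator's dynamic DNS name with host(1), validates what the resolver returns, and loads the result into a pf table with pfctl, keeping the last good list when nothing resolves, which is Justin's resolver-down case. The table name, hostnames, state file and the pf.conf lines in the header comment, including the overload table Justin mentions, are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: keep the pf table <admins> in sync with
# the administrators' dynamic DNS names. Run from cron as "pf-dyndns.sh run".
# Matching pf.conf lines (constructed):
#   table <admins> persist
#   table <bruteforce> persist
#   block in quick on $ext_if from <bruteforce>
#   pass in on $ext_if proto tcp from <admins> to $ext_if port ssh \
#       keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
set -eu
TABLE="admins"
HOSTS="admin1.dyndns.example admin2.dyndns.example"   # constructed names
STATE="/var/db/pf-${TABLE}.last"                      # last known-good list

# Accept only a dotted-quad unicast IPv4 address; resolver garbage or an
# answer such as 127.0.0.1 or 0.0.0.0 is dropped rather than handed to pfctl.
valid_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*|'') return 1;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    [ "$1" -ge 1 ] && [ "$1" -le 223 ] && [ "$1" -ne 127 ] || return 1
    return 0
}
# Turn host(1) output ("NAME has address A.B.C.D") into one valid address
# per line; error lines and IPv6 answers are ignored.
parse_host_output() {
    while read -r name has address addr rest; do
        [ "$has $address" = "has address" ] || continue
        if valid_ipv4 "$addr"; then printf '%s\n' "$addr"; fi
    done
    return 0
}
# Resolve one name; prints nothing (and still succeeds) when it cannot.
resolve_host() {
    host -t A "$1" 2>/dev/null | parse_host_output || true
}

# All addresses for all names, de-duplicated; fails if nothing resolved.
collect_addrs() {
    addrs=""
    for h in $HOSTS; do
        for a in $(resolve_host "$h"); do addrs="$addrs $a"; done
    done
    [ -n "$addrs" ] || return 1
    printf '%s\n' $addrs | sort -u
}

# Replace the table. If the resolver is down (Justin's concern), reuse the
# last good list instead of loading an empty table and locking everyone out.
update_table() {
    if new=$(collect_addrs); then
        printf '%s\n' "$new" > "$STATE"
    elif [ ! -s "$STATE" ]; then
        logger -t pf-dyndns "nothing resolved and no saved list; table untouched"
        return 1
    else
        logger -t pf-dyndns "nothing resolved; reloading last good list"
    fi
    pfctl -t "$TABLE" -T replace -f "$STATE"
    pfctl -t bruteforce -T expire 86400   # drop overload entries older than a day
}
case "${1:-}" in run) update_table;; esac
```

Run it from root's crontab every few minutes; because it never empties the table on a failed lookup, a stale address survives until the next successful resolution, which is the trade-off to be aware of.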


Re: Restricting source with dDNS (dynamic DNS)

2009-12-18 Thread Peter N. M. Hansteen
Jim Flowers jflow...@ezo.net writes:

> To lock down services (particularly ssh) as tightly as possible, I like to
> allow
> administrative access to a firewall only from specific ip addresses.

makes sense.

> Unfortunately, some of the administrators are working from dynamic ip
> addresses
> that change with some frequency.
>
> Is there a straightforward way to incorporate dynamic ip source addresses in
> the
> pf ruleset?

I'd say this sounds like a situation where authpf could come in quite handy.  

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: Restricting source with dDNS (dynamic DNS)

2009-12-18 Thread Stuart Henderson
On 2009/12/18 15:40, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I like to
> allow
> administrative access to a firewall only from specific ip addresses.
>
> Unfortunately, some of the administrators are working from dynamic ip
> addresses
> that change with some frequency.
>
> Is there a straightforward way to incorporate dynamic ip source addresses in
> the
> pf ruleset?

How about having them vpn in? OpenBSD+ipsec.conf is very easy, or if they're
using Windows then the Shrewsoft client isn't too bad.



Re: Restricting source with dDNS (dynamic DNS)

2009-12-18 Thread Jim Flowers
Laurent Cheylus foxy at free.fr wrote: 
> - Use a table for these IP src addresses in your pass rule
> - Run regularly via cron a script to resolve these dynamic IPs and
>   add/modify/delete it in the src table via 'pfctl'

Thanks, that should do it nicely.




Re: Restricting source with dDNS (dynamic DNS)

2009-12-18 Thread Karl O. Pinc
On 12/18/2009 10:16:44 AM, Peter N. M. Hansteen wrote:
> Jim Flowers jflow...@ezo.net writes:
>
> > To lock down services (particularly ssh) as tightly as possible, I
> > like to allow
> > administrative access to a firewall only from specific ip
> > addresses.
> >
> > Unfortunately, some of the administrators are working from dynamic
> > ip addresses
> > that change with some frequency.
> >
> > Is there a straightforward way to incorporate dynamic ip source
> > addresses in the
> > pf ruleset?
>
> I'd say this sounds like a situation where authpf could come in quite
> handy.

How?  I thought authpf grants additional rights to those who
can ssh.  But he wants to restrict those allowed to ssh period.


Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Restricting source with dDNS (dynamic DNS)

2009-12-18 Thread Alvaro Mantilla Gimenez



On 18/12/2009, at 12:20, Karl O. Pinc k...@meme.com wrote:

> On 12/18/2009 10:16:44 AM, Peter N. M. Hansteen wrote:
> > Jim Flowers jflow...@ezo.net writes:
> >
> > > To lock down services (particularly ssh) as tightly as possible, I
> > > like to allow
> > > administrative access to a firewall only from specific ip
> > > addresses.
> > >
> > > Unfortunately, some of the administrators are working from dynamic
> > > ip addresses
> > > that change with some frequency.
> > >
> > > Is there a straightforward way to incorporate dynamic ip source
> > > addresses in the
> > > pf ruleset?
> >
> > I'd say this sounds like a situation where authpf could come in quite
> > handy.
>
> How?  I thought authpf grants additional rights to those who
> can ssh.  But he wants to restrict those allowed to ssh period.


If I remember well, some time ago somebody did a port knocking program
and he asked on the OpenBSD misc list about including it in the
ports tree. He had very bad responses and a very ugly discussion. All
the people involved in the discussion (I wasn't) didn't understand
special cases like this: if you want to close ssh access from the
world and let some people open ports for administration, maintenance,
or whatever you want, then authpf is not a solution but port knocking
is. Google about that and you will see your solution there. You can, for
example, define a port combination to execute some script to send you
an sms with the status of one specific service and/or another to
open, for the IP which is doing the combination (of course), the
redirection port to the SWAT (samba web administration) on one
specific server, so you can define different port combinations for
different groups of users...


Google it.

Regards,

  Alvaro