DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 22nd August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Question jails, aliasing, router, and dmz?

I was wondering,

I want to set up an ftpd. My freebsd computer is behind a router and i dont really know enough about firewalls to set one up properly although im starting to read up on pf lately and hopefully before too long understand it better. I have jails set up finally and am running httpd on one, and an ftpd on another. My host is pretty much not running any open connections anymore (besides ssh) now that I know how to jail them. How much of a security risk is it, and is it even possible, to have the ip of the ftpd set in the dmz on my router? im running pureftpd and want to know exactly how much of a risk that is. That is the only open connection on that jail. I dont even have ssh running in it. Im just learning now so please bear with me.

Thanks.
Reply With Quote
  #2   (View Single Post)  
Old 22nd August 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

It's possible, but security is always a debatable topic... the real question is, why do you want to "dmz" the "jail" if it's only running an ftpd?

Only tcp ports 20 and 21 need to be forwarded.
Reply With Quote
  #3   (View Single Post)  
Old 22nd August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Well I dont know how crazy this is, but im not running it on port 21. Im running it on a much higher port and in passive mode. It seems to use allot of data ports. I dont really know wtf im doing so it may be easier to solve this problem than I think. As it sits, I have "LOTS" of data ports forwarded to that ip along with the data ports being regulated by the ftpd itself.
Reply With Quote
  #4   (View Single Post)  
Old 22nd August 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

What you're looking for is ftp-proxy(8).

I agree, ftp is a horrible protocol... active mode causes problems with NAT, and passive mode causes problems with firewalls.
Reply With Quote
  #5   (View Single Post)  
Old 22nd August 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default

ftp uses 2 separated connections
  1. A command channel, where the ftp client uses port 21 as the destination port.

  2. A data channel, where in passive mode the ftp client uses a destination port >1023 as suggested by the ftp server.
    In active mode the server initiates this channel using source port 20, which usually is a not liked and thus not allowed by most system administrators.

Since my house move I don't have access to a FBSD box, but in OpenBSD the ports suggested by the ftp server for passive ftp channels is set by the following sysctls in blue
Code:
net.inet.ip.portfirst=1024
net.inet.ip.portlast=49151
net.inet.ip.porthifirst=49152
net.inet.ip.porthilast=65535
Re: ftp-proxy

ftp-proxy needs to run on a dedicated pf firewall with 2 NICs. It can neither run on a ftp client box, nor on a ftp server box.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #6   (View Single Post)  
Old 22nd August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Thanks for the reply's. Ive been reading on this the last two days and this is all why im looking to put the ftpd in the dmz. I just wonder how this can compromise the security of the rest of the box.
Reply With Quote
  #7   (View Single Post)  
Old 22nd August 2008
ephemera's Avatar
ephemera ephemera is offline
Knuth's homeboy
 
Join Date: Apr 2008
Posts: 537
Thanked 49 Times in 43 Posts
Default

> this is all why im looking to put the ftpd in the dmz. I just wonder how this can compromise the security of the rest of the box.

looks like you are not clear about dmz. see: http://en.wikipedia.org/wiki/Demilit...one_(computing)
Reply With Quote
  #8   (View Single Post)  
Old 22nd August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by ephemera View Post
>

looks like you are not clear about dmz.


http://en.wikipedia.org/wiki/Demilit...ne_(computing)

Your link failed so I put it here. I am clear about dmz (sort of ) In theory it would be optimal to have a seperate server in the dmz running the different services, (www, ftpd, etc). Well since I only have one computer with the possibility of running these services I placed the services in jails which act as the outside computers. What I dont understand is, with a jail being placed in this dmz, how secure are the jails themselves as far as the host is concerned? Is is difficult to secure your main host computer from these jails in case they do get compromised? That is more what I dont understand.

Last edited by neurosis; 22nd August 2008 at 06:06 PM.
Reply With Quote
  #9   (View Single Post)  
Old 22nd August 2008
ephemera's Avatar
ephemera ephemera is offline
Knuth's homeboy
 
Join Date: Apr 2008
Posts: 537
Thanked 49 Times in 43 Posts
Default

Quote:
Originally Posted by neurosis View Post
Yeah, setting "dmz" on your router is bad idea.
On a secure/real dmz setup you would have a firewall protecting the internal lan from the ftp/web servers (which are outside the firewall) in case they get compromised.
Anyway since it looks like in your case there is just one computer behind a (adsl?)router you can't do dmz but you can configure your router to selectively forward the required ports for ftp/web services.

Last edited by ephemera; 22nd August 2008 at 06:18 PM.
Reply With Quote
Old 22nd August 2008
hunteronline hunteronline is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 52
Thanked 6 Times in 5 Posts
Default

I guess the first questions are, how is anyone going to know the IP of the ftp jail and are you the only one that is using ftp?
Reply With Quote
Old 22nd August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by hunteronline View Post
I guess the first questions are, how is anyone going to know the IP of the ftp jail and are you the only one that is using ftp?

I use it for transferring files for work. There are only a few people that use the ftpd. This isnt a necessary solution for me and the reason I set it up is mostly for learning purposes. Same as the httpd that I set up. Its not needed but im trying to give myself a simple education of networking and security.
Reply With Quote
Old 22nd August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by ephemera View Post
Yeah, setting "dmz" on your router is bad idea.
On a secure/real dmz setup you would have a firewall protecting the internal lan from the ftp/web servers (which are outside the firewall) in case they get compromised.
Anyway since it looks like in your case there is just one computer behind a (adsl?)router you can't do dmz but you can configure your router to selectively forward the required ports for ftp/web services.

I understand what your saying and with my limited knowledge im trying to make myself understand this as best that I can. I wondered about what you were saying when I started all of this since I knew that I was using one computer (there are actually three compters on my LAN) to run freebsd with the two jails set up, one running httpd, and one running ftpd. They are indeed part of my internal network. I have been port forwarding the necessary ports to the jails and pretty much have only one port forwarded to the freebsd host itself and "NO" ports forwarded to the rest of the nework. One thing that the router does allow me to do, is put the ip of the jail running the ftpd in the DMZ. This is where the confusion started for me and where I may be getting myself confused. Once I put that jails ip in the DMZ on the router, I was able to port scan my external ip from my work computer and it showed that the ftpd port was open. I took that ip out of the dmz immediately until I could get a better understanding of how all of this worked together.
Reply With Quote
Old 22nd August 2008
hunteronline hunteronline is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 52
Thanked 6 Times in 5 Posts
Default

Okay, I see where you are now. May I make a suggestion? Let's harden the server first ..... http://www.daemonforums.org/showthread.php?t=118

In that thread there is a link to http://www.bsdguides.org/guides/free...ity/harden.php

And, Lockdown http://www.freebsd.org/cgi/ports.cgi...down&stype=all
Reply With Quote
Old 22nd August 2008
ephemera's Avatar
ephemera ephemera is offline
Knuth's homeboy
 
Join Date: Apr 2008
Posts: 537
Thanked 49 Times in 43 Posts
Default

Quote:
Originally Posted by neurosis View Post
Once I put that jails ip in the DMZ on the router, I was able to port scan my external ip from my work computer and it showed that the ftpd port was open. I took that ip out of the dmz immediately until I could get a better understanding of how all of this worked together.
Try forwarding port 21 on the router for the jails ip.

Last edited by ephemera; 22nd August 2008 at 08:29 PM.
Reply With Quote
Old 22nd August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by ephemera View Post
Try forwarding port 21 on the router for the jails ip.
Thats what I do now. I forward the port that the ftpd is listening to which is not port 21. but I also have to forward a data port range and it some times causes problems for some ftp clients.

Thanks also hunter. Ive been reading a few of those threads already. They are very informative.
Reply With Quote
Old 23rd August 2008
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 699
Thanked 90 Times in 81 Posts
Default

If it's just for you, and for testing, I'd look into skipping FTP completely, and just using SCP/SFTP as part of OpenSSH. Only 1 port to worry about. And the data channel is encrypted.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
Old 24th August 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 446
Thanked 69 Times in 46 Posts
Default

And if you go the scp/sftp route, you can stick that service in a jail and give the user(s) scponly shells if you'd like.

Avoid ftp unless you legitimately require it. (There are still uses for it... like download mirrors.)
__________________
Kill your t.v.
Reply With Quote
Old 7th November 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Ok, not to start this thread over but I finally have a pc to run "outside" of my router. This will be a test in patience for me for sure. Im going to set up two or three jails on this pc and only allow connections to this pc inside of the jails. I will be attempting to setup a gateway with a firewall that works basically like a router allowing only solicited traffic to and from my linksys router but also limiting connections to this pc with the firewall. This should be fun. My biggest curve will be getting the pc set up as a gateway and get port forwarding setup (very few ports) and not lock my other computers from the net. Setting up a gateway sounds like it should be easy? My first question on this, would it be easiest to setup dhcpd to assign the router an ip address? Is there a better way? Most write ups I find use dhcpd but with only one router connecting through the freebsd firewall/gateway it doesnt seem necessary to set up dhcpd? I am also finding that the writeups explain different ways to get the same results and the routing is leaving me a bit confused. some seem to use natd

Code:
  ifconfig_(WAN nic) = "DHCP" (assuming your ISP provides you with
a dynamic IP address)
        ifconfig_(LAN nic) = "inet XXX.XXX.X.XXX netmask 255.255.255.0" (I
used 192.168.1.1)
        gateway_enable="YES"
        firewall_enable="YES"
        firewall_script="/etc/rc.nat"
        firewall_type="OPEN"
        natd_enable="YES"
        natd_interface="(WAN nic)"
        natd_flags="-dynamic"
Then one explains it this way.

Code:
The NAT
Next we want to set up Network Address Translation for other devices on our internal network. NAT allows many internal clients to share one internet address.
To do this, we need to add some more lines to /etc/rc.conf:

gateway_enable="YES"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""

Pretty much like the firewall stuff, but this time the rules are in /etc/ipnat.rules.
NAT is really easy to set up. We want to allow anything on 172.16.0.0/16 to use the internet, so our rule is:

map dc0 172.16.0.0/16 -> dc0/32 portmap tcp/udp auto
map dc0 172.16.0.0/16 -> dc0/32 proxy port ftp ftp/tcp

The first line maps internet access outbound on dc0 to appear from "dc0/32", which is shorthand for "the IP address currently associated with the interface dc0".
The second line will proxy outbout ftp access. This is necessary if you don't want to have to use passive ftp all the time because the ftp protocol sucks.

To get ipnat up and running, do:

# /etc/rc.d/routing start
# /etc/rc.d/ipnat start


At this point, any client on the 172.16.0.0 network which has a netmask of 255.255.0.0 or stricter and 172.16.3.200 as its router should be able to access the internet, with its packets being "mapped" by the NAT setup on the firewall machine.
The hand book makes it look less complicated but im not sure that i understand it 100% although it looks allot simpler and doesnt require natd????


Code:
If we look at the routing table for RouterA we would see something like the following:

% netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif  Expire
default            10.0.0.1           UGS         0    49378    xl0
127.0.0.1          127.0.0.1          UH          0        6    lo0
10.0.0/24          link#1             UC          0        0    xl0
192.168.1/24       link#2             UC          0        0    xl1

With the current routing table RouterA will not be able to reach our Internal Net 2. It does not have a route for 192.168.2.0/24. One way to alleviate this is to manually add the route. The following command would add the Internal Net 2 network to RouterA's routing table using 192.168.1.2 as the next hop:

# route add -net 192.168.2.0/24 192.168.1.2

Now RouterA can reach any hosts on the 192.168.2.0/24 network.
32.2.5.2 Persistent Configuration

The above example is perfect for configuring a static route on a running system. However, one problem is that the routing information will not persist if you reboot your FreeBSD machine. The way to handle the addition of a static route is to put it in your /etc/rc.conf file:

# Add Internal Net 2 as a static route
static_routes="internalnet2"
route_internalnet2="-net 192.168.2.0/24 192.168.1.2"

The static_routes configuration variable is a list of strings separated by a space. Each string references to a route name. In our above example we only have one string in static_routes. This string is internalnet2. We then add a configuration variable called route_internalnet2 where we put all of the configuration parameters we would give to the route(8) command. For our example above we would have used the command:

# route add -net 192.168.2.0/24 192.168.1.2

so we need "-net 192.168.2.0/24 192.168.1.2".

As said above, we can have more than one string in static_routes. This allows us to create multiple static routes. The following lines shows an example of adding static routes for the 192.168.0.0/24 and 192.168.1.0/24 networks on an imaginary router:

static_routes="net1 net2"
route_net1="-net 192.168.0.0/24 192.168.0.1"
route_net2="-net 192.168.1.0/24 192.168.1.1"
Which would be the easiest and correct way to accomplish what I am looking to do? My external ip from my isp is DHCP. My Linksys router I want to set up with a static ip behind the freebsd firewall. The network inside of the Linksys is already set up so I dont have to worry about that.

should I post this question in another area of the forum or start a new thread on it since its not 100% related to the original question?

Last edited by neurosis; 7th November 2008 at 09:26 PM.
Reply With Quote
Reply

Tags
ftp, jail

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Updating FreeBSD Jails after rebuilding world on host anomie Guides 0 10th September 2008 03:23 AM
Jails, ezjail, apache, very newbie question. neurosis FreeBSD General 15 23rd August 2008 01:38 PM
Jails - mount: /usr/home: No such file or directory chris FreeBSD General 6 6th August 2008 10:47 PM
jails "design" ? bgobs FreeBSD General 2 16th June 2008 01:29 AM
Keeping ports in multiple jails up to date cajunman4life FreeBSD Installation and Upgrading 1 9th May 2008 11:51 PM


All times are GMT. The time now is 06:00 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick