DaemonForums > OpenBSD > OpenBSD General
#1 - 18th June 2011 - Dr-D (Port Guard)
Replacing 3Com Router with OpenBSD

I have an issue with my high speed cable internet where my WAN IP stays the same for extended periods of time, which is both a blessing and a curse. It only changes 2 or 3 times a year, when there is an extended power outage due to lightning storms or my ISP upgrades or restarts their gear. Changing ISPs isn't an option since the alternative is either DSL, which is only 1/20th the speed of my cable, or dial-up.

The problem is I am continually being port scanned and having break-in attempts made on my network, as my router security logs show. My router counteracts these attacks by going offline for 30 seconds and renewing the IP address. The problem is the IP address never changes due to the way my ISP is set up, and this can sometimes happen 15 or more times an hour, which makes trying to watch videos or use Netflix a futile and frustrating experience. I rotate the MAC address on my router by cloning the MAC addresses from my internal PCs, printers and game consoles to get a different IP, but this only helps for short periods of time, say a few days to a week, before it starts all over again. These attacks started happening about 6 months ago, at least that's when I started noticing them due to the network interruptions, and they are steadily getting worse/more frequent as time goes on. The IPs attacking me usually trace back to countries whose names end in "stan". That's when I started researching a solution to this problem, which led me to OpenBSD.

My experience with Linux/UNIX on a scale of 1 to 10 is probably about a 5. I downloaded and installed OpenBSD 4.9 for the first time a couple of days ago and set up a basic firewall, which seemed to work fine when I removed my router from the network. All internal PCs were able to use the internet and it almost seemed like everything was faster, but that might just all be in my head. My BSD box only has SSH, DHCP and PF running. I never installed any of the X sets. One thing that happened instantly when I switched from my 3Com router to the BSD router was my Windows Home Server (don't laugh) instantly threw out a MITM attack message. A quick search showed that this can happen when the router IP address changes, but I need to look into that a bit more. I will need to port forward a few ports to various internal IPs, but for now the question is: is my OpenBSD router nearly as secure as my 3Com router? I want to have a very secure firewall like my 3Com router but without the network interruptions it causes trying to thwart the attacks. Any help and suggestions would be greatly appreciated.

Thanks.

In case anyone wants my router specs it's a 3Com 3CRWER200-75

I've posted the contents of my dhcpd.conf and pf.conf files below so you can all see and tell me just how bad a job I did for security on my first attempt.
Code:
##############################################
#	$OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network:	192.168.0.0/255.255.255.0
# Domain name:	bcs69.com
# Name servers:	24.222.0.94 and 24.222.0.95 (handed straight to the clients)
# Default router:	192.168.0.55 (handed to the clients as their gateway)
# Addresses:	192.168.0.225 - 192.168.0.250
#
authoritative;
option domain-name "bcs69.com";
option domain-name-servers 24.222.0.94, 24.222.0.95;
subnet 192.168.0.0 netmask 255.255.255.0 {
	option routers 192.168.0.55;
	range 192.168.0.225 192.168.0.250;
}
##############################################
Code:
##############################################
# pf.conf
# macros
int_if="re0"                  # LAN side; the WAN side is addressed as the "egress" group below
tcp_services="{ 22, 113 }"    # opened to the Internet by the egress rule: ssh and ident
icmp_types="echoreq"          # ping requests
#
# options
set block-policy return       # answer blocked packets with a TCP RST / ICMP unreachable instead of dropping silently
set loginterface re0          # per-interface counters in "pfctl -s info" for the LAN interface
set skip on lo                # never filter loopback
#
# match rules
match out on egress inet from !(egress) to any nat-to (egress:0)   # NAT everything from the LAN to the first WAN address
#
# filter rules
block in log                  # default deny inbound on every interface, logged to pflog0
pass out quick                # all outbound traffic, from the box and the LAN, is allowed
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) port $tcp_services   # ssh and ident reachable from the whole Internet
pass in inet proto icmp all icmp-type $icmp_types                          # ping answered on every interface, WAN included
pass in on $int_if            # everything from the LAN is trusted
##############################################

Last edited by ocicat; 29th July 2011 at 02:07 AM. Reason: Please wrap code listings with [code] & [/code] tags...
#2 - 18th June 2011 - rocket357 (Jonathon, Wannabe OpenBSD porter)

Quote (Dr-D wrote):
I am continually being port scanned and tried to break into my network which my router security logs show. My router counteracts these attacks by going offline for 30 seconds and renewing the IP address.
That's the dumbest "solution" to being scanned that I've ever heard. If it implements "security" like this, I have no doubt that OpenBSD will easily meet your needs.

For a basic home network, what you have is pretty sufficient (unless you don't trust your users at home, in which case you should control outbound access as well...). I'm not sure about allowing icmp, either, but that's just me. You could also scrub and synproxy (might be overkill, but you are being scanned...)

You can also set up a table to hold scanning IPs and block anything from said table. With your logging, you could write up a script to watch the logs for scans and add the scanning IP to the block table, or utilize a pre-written port for handling the same. Or better yet, rate limit how many half-open connections a given IP is allowed.
__________________
Linux Admin by Profession. OpenBSD user by choice.
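rocket357's "script to watch the logs for scans and add the scanning IP to the block table", written out as an added example; it is not the poster's script and not part of OpenBSD. It reads the pflog file that the `block in log` rule in the ruleset above feeds (via tcpdump, the normal way to read pflog), counts how many distinct destination ports each source address has been blocked on, and adds every source over a threshold to a pf table. The table name `attackers`, the threshold of 5 and the log lines embedded for the demo are assumptions/constructed; the ruleset has to declare `table <attackers> persist` and carry a `block in quick from <attackers>` rule for the additions to bite.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script and not part of
# OpenBSD: pick port scanners out of pflog and drop them into a pf table.
# Assumptions: the ruleset declares "table <attackers> persist" plus a
# "block in quick from <attackers>" rule, and /var/log/pflog is where the
# "block in log" rule's packets end up (the pflogd default).

TABLE=attackers
PFLOG=/var/log/pflog

# Constructed sample of what "tcpdump -n -e -ttt -r /var/log/pflog" prints:
# one host sweeping four ports, one host hammering ssh only, one stray udp probe.
SAMPLE_LOG='Jun 18 22:01:05.103131 rule 2/(match) block in on rl0: 203.0.113.7.40211 > 24.222.1.2.22: S 1:1(0) win 1024
Jun 18 22:01:05.104002 rule 2/(match) block in on rl0: 203.0.113.7.40212 > 24.222.1.2.23: S 1:1(0) win 1024
Jun 18 22:01:05.104870 rule 2/(match) block in on rl0: 203.0.113.7.40213 > 24.222.1.2.80: S 1:1(0) win 1024
Jun 18 22:01:05.105511 rule 2/(match) block in on rl0: 203.0.113.7.40214 > 24.222.1.2.443: S 1:1(0) win 1024
Jun 18 22:01:09.200019 rule 2/(match) block in on rl0: 198.51.100.9.51000 > 24.222.1.2.22: S 1:1(0) win 5840
Jun 18 22:01:12.300451 rule 2/(match) block in on rl0: 198.51.100.9.51001 > 24.222.1.2.22: S 1:1(0) win 5840
Jun 18 22:01:30.000000 rule 2/(match) block in on rl0: 192.0.2.44.1234 > 24.222.1.2.53: udp 40'

# scan_sources THRESHOLD   (tcpdump output on stdin)
# Prints, sorted, every source address that was blocked on at least THRESHOLD
# distinct destination ports. A host retrying one port over and over (an ssh
# brute-forcer) is deliberately not counted; max-src-conn-rate in pf handles that.
scan_sources() {
    awk -v thr="$1" '
        / block in on / {
            # tokens: ... "block" "in" "on" "<if>:" "<src>.<sport>" ">" "<dst>.<dport>:" ...
            for (i = 1; i <= NF; i++)
                if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
            sub(/\.[0-9]+$/, "", src)      # drop the source port
            sub(/:$/, "", dst)             # drop the trailing colon
            n = split(dst, part, ".")
            key = src SUBSEP part[n]       # (source address, destination port)
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= thr) print s }
    ' | sort
}

# block_scanners THRESHOLD: read the live pflog and add the hits to the table.
# Needs root. Re-adding an address already in the table is harmless, so this
# can run from cron every few minutes; pair it with
# "pfctl -t attackers -T expire 86400" so entries age out instead of piling up.
block_scanners() {
    tcpdump -n -e -ttt -r "$PFLOG" 2>/dev/null | scan_sources "${1:-5}" |
    while read -r ip; do
        pfctl -t "$TABLE" -T add "$ip"
    done
}

case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_LOG" | scan_sources 3 ;;   # prints 203.0.113.7
    apply) block_scanners "${2:-5}" ;;
esac
```

Run it as `sh blockscan.sh demo` to see the parser pick the sweeping host out of the sample and leave the single-port brute-forcer alone, and as `sh blockscan.sh apply 5` from root's crontab on the gateway. Because the pflog file only ever contains packets the ruleset already blocked, a false positive here costs nothing more than a table entry; the expire job is what keeps a scanned-from-behind-NAT office from staying blocked for good.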
#3 - 18th June 2011 - BSDfan666 (Helpful companion, Ontario, Canada)

The presence of unwanted traffic can be annoying, but it happens to every host on the Internet. If it's a real nuisance you can try contacting your ISP and they can usually attempt to deal with it, but really it's almost always easier to tough it out.

I agree with rocket357, that is an incredibly stupid way to deal with the problem; I would recommend replacing it. 3com is odd; indeed OpenBSD is a good replacement for SOHO devices.

As for commenting on your configuration, as long as you're aware of what that ruleset implies, then it's fine.

As you're exposing ssh to the Internet, you may wish to allow only public key authentication and disable root logins. Be aware that you're likely to see a fair amount of probes in your logs regardless of these settings; that's quite normal.

And for passing in 113/ident, there is rarely a need to. Unless you're connecting to a really strict IRC network you can omit that.
#4 - 18th June 2011 - Oko (Fsck Surgeon, Kosovo, Serbia)

Quote (BSDfan666 wrote):
As you're exposing ssh to the Internet, you may wish to allow only public key authentication and disable root logins..
It is disabled by default in the 4.9 release. I would suggest moving ssh to some higher port like 8888. That would get rid of 95% of idiots. I would most definitely control outbound traffic even if you are the only user of the computer.
#5 - 19th June 2011 - Dr-D (Port Guard)

Quote (Oko wrote):
It is disabled by default in the 4.9 release. I would suggest moving ssh to some higher port like 8888. That would get rid of 95% of idiots. I would most definitely control outbound traffic even if you are the only user of the computer.
I actually do employ security by obscurity by using odd port numbers for SSH and VNC. Some people frown upon this method but for networks that I work with I definitely do this and it works well in my opinion.
#6 - 19th June 2011 - rocket357 (Jonathon, Wannabe OpenBSD porter)

Quote (BSDfan666 wrote):
As you're exposing ssh to the Internet, you may wish to allow only public key authentication and disable root logins.
+1... this is some really excellent advice that doesn't get stated enough. If you allow root, half of the job is done for any hacker/cracker that stumbles across your IP.

Disallowing password authentication will harden it even more, as it's much more difficult to crack a key than it is to crack a typical password. For a 1024-bit RSA key, there are ~1.8e+308 possible combinations, whereas a 14-character password of upper/lower/numeric/special has ~1.0e+26 possible combinations (and most don't have perfectly random passwords, so the possible combinations are far fewer). For comparison, if you could check 1e+20 combinations per second, it'd take ~12 days to crack a perfectly random 14-character password, but ~2.8e+279 **years** to crack a 1024-bit RSA key (the universe has been around for 1e+10 years, for the record).

Really, as long as your private key is safe and secure (i.e. backed up to a secure location), public key auth is the only way to go.

Quote (Dr-D wrote):
I actually do employ security by obscurity by using odd port numbers for SSH and VNC. Some people frown upon this method but for networks that I work with I definitely do this and it works well in my opinion.
The biggest benefit of moving the port number is that it might fool the mass of "dumb" scanners out there...but it wouldn't do much for a determined attacker. But I see your point, reducing that crazy volume of logs (vs not logging anything? yikes!) is in and of itself a valid reason.

Last edited by rocket357; 19th June 2011 at 12:23 AM.
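The sshd advice from BSDfan666 (keys only, no root login), Oko (a non-default port) and rocket357 (no password authentication) collected into one sshd_config fragment, as an added example that is not from the thread. Every setting is written out rather than left to whatever a given release's default happens to be, so the result is the same on 4.9 and on anything later. The address 192.168.0.55 is the `option routers` value from the dhcpd.conf at the top of the thread and is assumed to be the box's own LAN address; the account name is a placeholder.

```conf
# /etc/ssh/sshd_config (fragment; added example, not the poster's file)

# Weak: what an exposed box often ends up running, shown commented out
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes

# Hardened
Port 8888                         # Oko's non-default port: thins out the dumb scanners and the log noise, nothing more
ListenAddress 192.168.0.55        # LAN side only (assumed to be this box's address); then no egress pf rule for ssh is needed
PermitRootLogin no                # log in as a user and use su/sudo; root's password is never an ssh target
PubkeyAuthentication yes
PasswordAuthentication no         # keys only: nothing to guess, nothing typed over an untrusted path
ChallengeResponseAuthentication no   # otherwise BSD auth can still prompt for a password
AllowUsers drd                    # placeholder account; only listed users may authenticate at all
MaxAuthTries 3
LoginGraceTime 30                 # seconds an unauthenticated connection may hold a slot
```

Check the file with `sshd -t` before restarting, generate a key on the client with `ssh-keygen -t rsa -b 2048` and append the `.pub` file to `~/.ssh/authorized_keys` on the gateway, and keep the existing session open until a fresh login with the key succeeds. If ssh has to stay reachable from the Internet after all, drop the `ListenAddress` line and open the port in pf with a rate-limited rule instead of a plain pass; the port change on its own is, as rocket357 says, only a filter for the dumb scanners.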
#7 - 19th June 2011 - denta (Fdisk Soldier)

Like suggested above, see man 5 pf.conf and check out the stateful filtering section, and the max-src-conn + max-src-conn-rate options in particular. There is a self-explanatory example there in the manual. It's awesome for when you need to run sshd (or any TCP service really) on a "heavily targeted" IP. The brute-force spam crap in your logs will pretty much go away completely.
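The ruleset from the first post with the changes the replies ask for folded in: rocket357's block table, scrub and synproxy, BSDfan666's removal of ident, Oko's outbound control, and denta's max-src-conn / max-src-conn-rate with an overload into the table. Added example, not from the thread and not the poster's eventual config. re0 is the LAN interface as in the original and the WAN side is the egress group as before; the table name, the home server address, the moved ssh port and the list of outbound ports to refuse are assumptions; the syntax is the post-4.7 pf (match, nat-to, rdr-to) the original already uses.

```conf
# pf.conf: the poster's ruleset plus the suggestions from the replies (added example)
int_if="re0"                    # LAN; the WAN interface is whatever carries the default route ("egress")
lan_net="192.168.0.0/24"
whs="192.168.0.10"              # assumption: the Windows Home Server that gets the 443 forward
icmp_types="echoreq"
ssh_port="8888"                 # assumption: sshd moved off 22, as Oko suggests

table <attackers> persist       # filled by the overload rule below; a log-watching script can add to it as well

set block-policy return
set loginterface egress         # count WAN traffic in "pfctl -s info"
set skip on lo

# normalise everything first (rocket357's "scrub"): reassemble fragments, randomise IP IDs
match in all scrub (no-df random-id)
match out on egress inet from !(egress) to any nat-to (egress:0)

block in log                    # default deny inbound, logged to pflog0
pass out quick                  # outbound from the gateway itself stays open
antispoof quick for { lo $int_if }

# whoever earned a place in the table is dropped before any pass rule is consulted
block in quick from <attackers>

# port forward: HTTPS to the home server (the same pattern covers the two VNC forwards;
# give those the same rate limit as ssh below, VNC gets brute-forced just as much)
pass in on egress inet proto tcp from any to (egress) port 443 rdr-to $whs

# ssh from the Internet, if it must be reachable at all: synproxy completes the
# handshake itself, so half-open floods never reach sshd, and a source that opens
# more than 5 connections in 30 s, or holds more than 10 at once, lands in the
# table and has every state it already has torn down
pass in on egress inet proto tcp from any to (egress) port $ssh_port \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <attackers> flush global)

# ping answered on the WAN address only, no longer on "all" interfaces
pass in on egress inet proto icmp from any to (egress) icmp-type $icmp_types

# outbound control (Oko): the LAN may browse, but nothing at home should speak
# SMTP or Windows file sharing to the Internet directly; a hit here usually
# means an infected host, so it is logged. Evaluated on the LAN interface,
# i.e. before NAT, so the rules see the real LAN source addresses.
block in log quick on $int_if inet proto tcp from $lan_net to ! $lan_net port { 25, 137, 139, 445 }
block in log quick on $int_if inet proto udp from $lan_net to ! $lan_net port { 137, 138 }
pass in on $int_if inet proto udp from any port 68 to any port 67     # DHCP requests arrive from 0.0.0.0
pass in on $int_if inet from $lan_net
```

Test the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -t attackers -T show` lists who got caught and `pfctl -t attackers -T expire 86400` from a cron job lets entries age out after a day. Ident (113) is simply gone, as BSDfan666 suggested, and `set block-policy return` makes that a clean refusal rather than a timeout for the rare client that asks. The 5/30 and 10 thresholds are the only knobs that need tuning; a LAN host that forwards a lot of ssh sessions through the same external address can trip them, which is another reason to keep ssh on the LAN side if it does not have to be public.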
#8 - 19th June 2011 - Dr-D (Port Guard)

Well, I was watching a video online which was working perfectly, then it stopped after about an hour. When I went to log into my BSD box via SSH I couldn't connect. When I went to log into it from the console I noticed that it was frozen solid, no keyboard response at all. That box has never frozen on me before, even when it ran Windows XP. Could streaming video through it while it was acting as a router cause it to freeze?
#9 - 19th June 2011 - rocket357 (Jonathon, Wannabe OpenBSD porter)

See if you can reproduce it on a current snapshot.
#10 - 19th June 2011 - Oko (Fsck Surgeon, Kosovo, Serbia)

Quote (Dr-D wrote):
Could streaming video through it while it was acting as a router cause it to freeze?
If you are using OpenBSD as a router absolutely not.
#11 - 19th June 2011 - Dr-D (Port Guard)

Not sure what caused it to freeze, but I removed the icmp and tcp_services entries from my pf.conf file as suggested and have had 2 PCs and my Wii all playing different Netflix movies at the same time for a few hours today to test, and so far so good. I'd really like to know what caused it to freeze though.
#12 - 19th June 2011 - BSDfan666 (Helpful companion, Ontario, Canada)

It's hard to diagnose the problem of inexplicable system locks; it could be a hardware problem or a driver bug. As others have suggested, you should try reproducing with the latest code, as it may have been fixed after the 4.9 release.
#13 - 19th June 2011 - Dr-D (Port Guard)

I'm trying to reproduce it without changing anything major first, to see if it was a one-time fluke or if it is something that is recurring. Of course I did change the pf.conf file by removing these lines:
Code:
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
pass in on egress inet proto tcp from any to (egress) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types

Could any one or more of those lines have caused it to lock up?
#14 - 19th June 2011 - jggimi (More noise than signal, USA)

No. But you can force the kernel debugger ddb(4) to come up on the console if interrupts from your console are still possible. You will find crash(8) and sysctl.conf(5) helpful as well.
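jggimi's pointers turned into a concrete procedure, as an added example that is not from the thread: the sysctl.conf lines that let a wedged box be broken into from the console, and what to type once ddb answers. It assumes an i386/amd64 machine with the usual wscons console keyboard and a swap partition at least as large as RAM, which a crash dump needs; the dump file numbers are the savecore(8) naming convention.

```conf
# /etc/sysctl.conf additions (added example)
ddb.console=1        # allow entering the kernel debugger from the console keyboard; off by default,
                     # and it means anyone with physical access to the keyboard gets a kernel prompt
ddb.panic=1          # on a panic stop in ddb instead of rebooting at once (already the default; stated explicitly)

# When the box appears frozen (i386/amd64, wscons console):
#   1. press Ctrl+Alt+Esc; if the keyboard interrupt still gets through, a "ddb>" prompt appears
#   2. at the prompt:   trace        call stack of the CPU that hung
#                       ps           process list, to see what was running
#                       boot dump    write a crash dump to swap and reboot
#   3. on reboot savecore(8) moves the dump to /var/crash/bsd.N and /var/crash/bsd.N.core
#   4. read it with:    crash -N /var/crash/bsd.0 -M /var/crash/bsd.0.core
#      and send the trace/ps output together with dmesg when reporting the hang
# If nothing happens at step 1, interrupts are gone and the cause is most likely
# hardware or a driver spinning with interrupts off; a serial console or swapping
# parts (the NICs first, on a router) is what tells you more.
```

Set the sysctl back to 0 once the problem is found: a console kernel debugger on a firewall is a deliberate trade of physical-access security for diagnosability, and the box in this thread sits where guests plug in laptops.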
#15 - 19th June 2011 - Dr-D (Port Guard)

I'm testing this OpenBSD router on an Athlon 64 X2 5200+ w/3GB RAM. If I make this a permanent router, will an old AMD Duron 950MHz w/768MB have sufficient power for this? I assume it will, but I'm asking to be sure, as we all know assumption is the mother of all f*** ups.
#16 - 19th June 2011 - rocket357 (Jonathon, Wannabe OpenBSD porter)

Quote (Dr-D wrote):
I'm testing this OpenBSD router on an Athlon 64 X2 5200+ w/3GB RAM. If I make this a permanent router, will an old AMD Duron 950MHz w/768MB have sufficient power for this? I assume it will, but I'm asking to be sure, as we all know assumption is the mother of all f*** ups.
Considering a 133 MHz AMD ELAN (i.e. Soekris net4501) usually has enough power to keep up with most home internet connections, I'd say yeah, the 950 MHz Duron would suffice...I don't know how much traffic you're trying to move, but if it's a really high volume, make sure your NICs are decent (like Intel em(4) NICs...they're usually pretty good).

And you won't see any improvement on a firewall with dual cores (unless you're running other stuff besides pf, like squid or whatever).
#17 - 20th June 2011 - Dr-D (Port Guard)

Here is what my network traffic consists of. There are no kids here, just me and my wife.

I run my computer sales and service business from home so I do a fair amount of remote connections via LogMeIn Central, Real VNC and SSH. I might have 7 or 8 connections going simultaneously. I download all the updates for customer PC's I work on here plus the new systems I sell and build. For personal use I use Netflix, live stream UFC PPV events through Yahoo Sports, watch some Youtube videos, web browsing, downloading various OS ISO's to experiment with and email. I work a lot at night so it isn't unusual to have a Netflix movie playing, a customer's PC downloading updates, be connected remotely to other people and a 4GB ISO downloading all at once.

My full time connected gear is 2 PC's, 1 laptop (wireless), 1 Windows Home Server, Nintendo Wii (wireless), 1 network multifunction laser printer, 1 debit/credit card machine and soon to be 1 OpenBSD router.

Friends and family sometimes bring their laptops and hookup to wireless which the 3Com router will still be used for as a WAP. Plus I usually have a test system running some version of Linux or BSD.

The Duron 950 machine I plan to use has two 3Com 3C905-TX NICs in it. Should I go with a GB NIC on the LAN side? The test machine I'm using now has a Realtek RTL8110SC GB NIC on the LAN side and a Realtek RTL8139D on the WAN side.

So in conclusion, with all the traffic I mentioned above, will the Duron 950 machine with 768MB RAM and two 3Com 3C905-TX 100Mb/s NICs be sufficient to act as an OpenBSD 4.9 router? It will only be running SSH (for the LAN side only), PF and DHCP. It will have port forwarding for port 443 to my WHS and two obscure VNC ports to access my two PCs remotely.
#18 - 20th June 2011 - rocket357 (Jonathon, Wannabe OpenBSD porter)

Quote (Dr-D wrote):
I work a lot at night so it isn't unusual to have a Netflix movie playing, a customer's PC downloading updates, be connected remotely to other people and a 4GB ISO downloading all at once.
That's a fair amount of traffic...but since you won't be doing any heavy switching (i.e. just nat and filtering), I think you're safe. 950 MHz should be more than sufficient.

Quote (Dr-D wrote):
The Duron 950 machine I plan to use has two 3Com 3C905-TX NIC's in it. Should I go with GB NIC on the LAN side?
I wouldn't worry about that just yet. The gigabit NICs usually have more cache and better performance even for 10/100, but unless you have a few lying around already I wouldn't worry about it unless you can show it's a problem. Since this machine will be a NAT gateway, you probably wouldn't see much performance boost unless you replaced both NICs...but again, you'll probably be ok as is since most home internet connections are well under 100 Mbps in speed =)
#19 - 20th June 2011 - BSDfan666 (Helpful companion, Ontario, Canada)

It's almost overkill, and I'm talking about the 900MHz Athlon; many people using OpenBSD use whatever they had available at the time. I've been using a Pentium 3 for a few years now, before that it was an AMD K6-2, before that a P1, and my first one was an i486. I only replaced them due to hardware problems, usually; they could handle the network load fine.

A lot of people use OpenBSD on critical systems; you won't have a lot of problems doing so at home, not if you're willing to put the time into it.
#20 - 20th June 2011 - Dr-D (Port Guard)

I'm basically doing this as a learning experience. I could stick a new $30.00 D-Link router on my network and be done with it but where's the fun or learning experience in that? I want a deeper understanding of the security features Linux and BSD offer.

For my customers who need simple file and print servers I've always just built them Redhat boxes and used Samba because they didn't want to pay the MS extortion fees.

I've tried many other Linux flavours but always revert back to Redhat for any production use. I've been aware of BSD for quite some time but have only just decided to start playing around with it, and I very much like it so far. I set up a Samba server with FreeBSD and that went easily enough, so then I decided to embark on my OpenBSD router project. It's a bit of a steep learning curve, but sites like this make it easy to want to stick with it. I love PC-BSD as a Windows desktop replacement.

After running my home computer business for 15 years now I've collected tons of old computer parts, as you can imagine, which is what I've used to build both my Duron 950MHz tower and AMD 5200+ tower. I just carted off a truck load of old 386, 486 and P1 stuff to the dump last week since it had been lying around and not touched for years. Have to make room for more future junk. ;-)

My BSD router has worked beautifully today and I've hammered it with constant large downloads and streaming video all day and haven't seen one hiccup. My internet connection is noticeably faster too and doing the speed test at my ISP's speed test link confirms it. I usually get between 14-16Mbps with my 3Com router and with my BSD router I'm getting over 19Mbps every time with 19.62Mbps being my best. Now I'm going to install and run it on my Duron 950MHz box and compare.