DaemonForums  

  #1   (View Single Post)  
Old 9th November 2011
amrogers3 amrogers3 is offline
Port Guard
 
Join Date: Oct 2011
Posts: 20
Thanked 0 Times in 0 Posts
Default hosts.allow and hosts.deny

I just got SSH up and running on OpenBSD 4.9. My problem is that I am able to connect to SSH when I have my IP of 192.168.1.2/255.255.255.0 listed in the hosts.allow file.

When I add "ALL: ALL" to hosts.deny, I can no longer SSH into my box.

If I delete the hosts.deny file, I can connect again with no problems.

The error I get is as follows:
"ssh_exchange_identification: Connection closed by remote host"

Any ideas what is going on?

Last edited by amrogers3; 9th November 2011 at 04:31 AM.
  #2   (View Single Post)  
Old 9th November 2011
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 332
Thanked 9 Times in 9 Posts
Default

What does hosts.allow contain? Is it just the ip/subnet, or is that part of a bigger line?

Edit - check syslog:

Quote:
Originally Posted by man hosts.deny
DIAGNOSTICS
When a syntax error is found in an access control rule, the error is
reported to the syslog daemon; further options will be ignored, and
service is denied.
__________________
Linux Admin by Profession. OpenBSD user by choice.

Last edited by rocket357; 9th November 2011 at 07:23 AM.
  #3   (View Single Post)  
Old 9th November 2011
amrogers3 amrogers3 is offline
Port Guard
 
Join Date: Oct 2011
Posts: 20
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by rocket357 View Post
What does hosts.allow contain? Is it just the ip/subnet, or is that part of a bigger line?

Edit - check syslog:

hosts.allow contains only one IP address in this exact format:

192.168.1.2/255.255.255.0

I will check syslog but there is nothing in the file except the above.
  #4   (View Single Post)  
Old 9th November 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,806
Thanked 214 Times in 189 Posts
Default

My opinion, FWIW:
  1. You may have indeed found a bug, as the documented process is:
    Quote:
    Originally Posted by hosts_access(5)
    The access control software consults two files. The search stops at the
    first match:

    o Access will be granted when a (daemon,client) pair matches an entry
    in the /etc/hosts.allow file.

    o Otherwise, access will be denied when a (daemon,client) pair matches
    an entry in the /etc/hosts.deny file.

    o Otherwise, access will be granted.

    A non-existing access control file is treated as if it were an empty
    file. Thus, access control can be turned off by providing no access
    control files.

    You may wish to report it to the project. Use the bugs@ mailing list; the PR database is no longer operational. See http://www.openbsd.org/mail.html and http://www.openbsd.org/report.html for guidance.
  2. You should be able to circumvent this by using EXCEPT in your hosts.deny file. See the EXAMPLES section of the man page.
  3. SSH has a myriad of choices for managing both authentication and authorization, which can completely replace hosts_access(5) and tcpd(8).
SSH is designed for use on untrusted networks, including the Internet. You may notice that hosts_access(5) and related man pages are not mentioned in any of the SSH man pages. Generally, tcpd is not used with SSH.

It is a common best practice for admins to disallow password authentication and use better alternatives such as public key authentication or s/key one-time-pads for SSH services.

  #5   (View Single Post)  
Old 9th November 2011
amrogers3 amrogers3 is offline
Port Guard
 
Join Date: Oct 2011
Posts: 20
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jggimi View Post
My opinion, FWIW:
You should be able to circumvent this by using EXCEPT in your hosts.deny file. See the EXAMPLES section of the man page.

Thanks for the reply, jggimi.

I read that hosts.allow needs to see a new line character. So I went in and modified the file. Still locked out. I could not SSH in from 192.168.1.2.

I added the following to the hosts.deny file and it worked:

Code:
ALL EXCEPT 192.168.1.2

However, now there is a new problem. I changed my IP address to 192.168.1.4 and I could SSH in.

I deleted the hosts.allow file and I can still SSH in from 192.168.1.4. This is not good.

I restarted the SSHD process just to be sure and I can still log in from 192.168.1.4.


Last edited by amrogers3; 9th November 2011 at 11:32 PM. Reason: correction
Reply With Quote
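Added example (not part of the thread, and not libwrap's code): a small Python model of the hosts_access(5) search order quoted in post #4, run against the file contents posted in posts #1, #3 and #5. It assumes IPv4 clients only, that a line lacking the `daemon_list : client_list` colon is skipped and never matches (which fits the behaviour reported above), and the man page's net/mask and EXCEPT semantics; the function names are hypothetical.

```python
import ipaddress

def parse_rules(text):
    """Split a hosts.allow/hosts.deny body into (rules, skipped_lines)."""
    rules, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:               # no "daemon_list : client_list" separator
            skipped.append(line)          # assumption: rule is ignored, never matches
            continue
        daemons, clients = line.split(":")[:2]    # optional third field not modelled
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules, skipped

def token_match(tok, value, is_client):
    if tok == "ALL":
        return True
    if is_client and "/" in tok:          # net/mask: matches when addr & mask == net
        net, mask = (int(ipaddress.IPv4Address(p)) for p in tok.split("/"))
        return int(ipaddress.IPv4Address(value)) & mask == net
    if is_client and tok.endswith("."):   # "192.168.1." matches by leading fields
        return value.startswith(tok)
    return tok == value

def list_match(tokens, value, is_client):
    """'a EXCEPT b' matches when a matches and b does not (nests to the right)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_match(tokens[:i], value, is_client)
                and not list_match(tokens[i + 1:], value, is_client))
    return any(token_match(t, value, is_client) for t in tokens)

def table_match(text, daemon, client):
    return any(list_match(d, daemon, False) and list_match(c, client, True)
               for d, c in parse_rules(text)[0])

def access(allow, deny, daemon, client):
    """Search order from hosts_access(5): allow file, then deny file, else grant."""
    if table_match(allow, daemon, client):
        return "allow"
    return "deny" if table_match(deny, daemon, client) else "allow"

POST1_ALLOW = "192.168.1.2/255.255.255.0\n"   # constructed from posts #1 and #3
POST5_DENY = "ALL EXCEPT 192.168.1.2\n"       # constructed from post #5
print(access(POST1_ALLOW, "ALL: ALL\n", "sshd", "192.168.1.2"))  # post #1 setup
print(access("", POST5_DENY, "sshd", "192.168.1.4"))             # post #5 setup
```

Under this model the forms that behave as intended are `sshd: 192.168.1.2` in hosts.allow and `ALL: ALL EXCEPT 192.168.1.2` in hosts.deny. A net/mask pattern has to name the network address (`192.168.1.0/255.255.255.0`), because `192.168.1.2 & 255.255.255.0` is never equal to `192.168.1.2`.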
  #6   (View Single Post)  
Old 10th November 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,806
Thanked 214 Times in 189 Posts
Default

Perhaps option 3 would offer a more appropriate solution?
  #7   (View Single Post)  
Old 10th November 2011
amrogers3 amrogers3 is offline
Port Guard
 
Join Date: Oct 2011
Posts: 20
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jggimi View Post
Perhaps option 3 would offer a more appropriate solution?

Agreed. I was trying to create an IP access list first. My next step was to enable public key authentication. However, how can I allow/disallow IP addresses?

What security steps would you recommend besides enabling public key encryption, disallowing hosts/password based authentication?

Thanks again for the replies.
  #8   (View Single Post)  
Old 10th November 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,806
Thanked 214 Times in 189 Posts
Default

While I don't use hosts_access myself, something you wrote above just caught my eye:

Quote:
I read that hosts.allow needs to see a new line character.

Say, what!!!??!!

OK. I'm going to take a wild guess that you have done some manual edit gyrations with your hosts.* files to add control characters, and that is the root cause of your problem.

Text editors (vi, mg, emacs, vim, ... and the bazillion X-based ones) on Unix-like systems will automatically place newline bytes at the end of a line. As will echo(1), typically used with > or >> in a shell to put text in a file.

It's just a guess, of course.

------

Now, I don't use hosts_access. Never have, never will. If I want to filter any packets, in -or- out, by IP address, I use PF. That is common practice, best practice, and my recommendation.

PF is most commonly used when OpenBSD is deployed as a router/firewall, but you can use it on destination servers and on workstations. The PF User's Guide, which is part of the FAQ, starts here.

------

There are many choices for authentication. Both Public Key and Challenge/Response (used with s/key) are enabled by default, and I use both. I prefer PKA, because with SSH it is easy and simple to use.
As an example, with OpenSSH's PKA tools, I could give you, and only you, shell access to a server of mine by trading information in this thread, publicly. You would create a key pair on your machine. One key is public, the other, private. You post the public key in the thread. I create an account that authorizes the ssh(1) client that uses that public key (matched mathematically to the private half you keep private), and give you the domain name or IP address of the server. No passwords are shared. Nothing passed between us in private. That public key is tied to your private key, which you keep. Only someone with that private key-half is authorized to use the account, as the authentication is two-way, requiring mathematical proof you have the private key.

You can also protect the key pair with a pass phrase, which should meet any commercial security standards for authentication: two things are needed to log in: 1) something you have -- the private key, and 2) something you know -- the matching passphrase.
I also use s/key, for times where I do not have a private key available -- public computers, other people's computers, whatever. I do not fear keyloggers, even in public settings, because each login requires a unique passphrase. It's a one-time-use pad. I won't type anything private while on them, while logged in, for fear of those keyloggers. But the login? No worries.
  #9   (View Single Post)  
Old 10th November 2011
amrogers3 amrogers3 is offline
Port Guard
 
Join Date: Oct 2011
Posts: 20
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jggimi View Post

Text editors (vi, mg, emacs, vim, ... and the bazillion X-based ones) on Unix-like systems will automatically place newline bytes at the end of a line. As will echo(1), typically used with > or >> in a shell to put text in a file.

It's just a guess, of course.

Thanks for the excellent info. That may in fact be the issue, good catch. I was using vi. What editor would you recommend to make edits to these files?

Quote:
Originally Posted by jggimi View Post
Now, I don't use hosts_access. Never have, never will. If I want to filter any packets, in -or- out, by IP address, I use PF. That is common practice, best practice, and my recommendation.

That sounds good. So PF and public key for securing SSH? Anything else I should consider?

Would you recommend PF for a Snort box? I am using my OpenBSD install as a Snort sensor.

I see the current package of snort 2.8.6 on my OpenBSD 4.9 install is about to be end-of-lifed. Not sure when the packages will be updated. If you guys think a different OS would be better, let me know. OpenBSD is a steep learning curve but I am trying. I like the fact that OpenBSD is secure.
Old 10th November 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,806
Thanked 214 Times in 189 Posts
Default

Quote:
Originally Posted by amrogers3 View Post
I was using vi.

That's what I use. Just don't try to add special characters. Since I don't use hosts.allow, don't have time to try to recreate your problem in a lab, and don't have access to your files, I don't know if you've uncovered a bug or if you've done this to yourself.

Quote:
Anything else I should consider?

I don't have enough information, yet, to make additional configuration or provisioning recommendations to you.

Quote:
Would you recommend PF for a Snort box? I am using my OpenBSD install as a Snort sensor.

Sure. I haven't used snort in years, myself.

Quote:
I see the current package of snort 2.8.6 on my OpenBSD 4.9 install is about to be end-of-lifed.

The same release of snort is packaged with 5.0, and is what is also in the -current tree.

Quote:
Not sure when the packages will be updated.

As I don't use snort, and haven't followed any of its developments, I don't know. But with OpenBSD, every third party package is built from a port, and every port has a $MAINTAINER, if one is assigned, or is supported via the ports@ mailing list, if one is not.

There is an individual who maintains this port. You could either ask on the ports@ mailing list, or Email the maintainer with the question. Here's a link to the snort port's -current Makefile in the CVS repository, where you can pull the name and Email address:

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/net/snort/Makefile?rev=1.62;content-type=text%2Fplain
Old 10th November 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,806
Thanked 214 Times in 189 Posts
Default

Oh, yes, just to clarify on when packages in general are updated. Not snort specifically, but all 3rd party packages.

The ports tree is synced to the flavor of OpenBSD you are using. If you use -release, that is twice per year. Updates to existing ports may occur if deemed warranted, in the -stable branch, following the same general limitations as -stable patches to the OS. No library changes, etc. Packages built from -stable ports may or may not be made available, as resources allow.

Ports development follows the same cycle of development as the OS. The -current ports tree gets continuous development for approximately 4 months, then is frozen while a -release is prepared. "Snapshot packages" are built from time to time on the major architectures for the convenience of -current users, who may be able to use them if libraries are in sync.

See FAQ 5.1 for a discussion of the flavors of OpenBSD and the development cycle.