DaemonForums
OpenBSD Security
#1
Old 16th April 2009
Oko
Rc.conf Instructor
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Securing wifi networks with ipsec/ssh and openbsd

Can anyone point me to a good tutorial on securing WiFi networks with
IPSec, or possibly with SSH only?

All clients will be Unix machines.


Thanks,
Oko

P.S. I prefer IPSec over OpenVPN, but I would not mind reading a tutorial on
securing WiFi networks with OpenVPN.
#2
Old 16th April 2009
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,975

If memory serves correctly, there's a fairly good tutorial/how-to using authpf and a redirect to a virtual webserver to show an unauthorized host they're blocked .... in Dru Lavigne's "BSD Hacks" book. Memory may not serve correctly; but as I'm currently using it or something similar, I'll post what I have here.

The client ssh configurations (putty or openssh) use dynamic tunneling with an sshd-provided SOCKS proxy, so once configured, they browse the web through the proxy for encrypted communication.

For openssh, it's a "DynamicForward <port#>" -- putty has a dynamic tunnel configuration in its GUI. The browsers just use a SOCKS proxy at 127.0.0.1:<port#>

Excerpt from pf.conf:
Code:
table <authpf_users> persist counters
.
.
.
nat-anchor "authpf/*"
.
.
.
#
# redirect unauthorized IP users to a local web page
#
no rdr proto tcp from {<authpf_users> <other_approved_users> } to any port www
rdr pass log proto tcp from $internal_net to any port www \
    -> 127.0.0.1 port 8080
.
.
.
rdr-anchor "authpf/*"
.
.
.
binat-anchor "authpf/*"
.
.
.
# Allow ssh on internal net just to the firewall, for authpf:
#
pass in log on $internal_nic proto tcp to $internal_nic port ssh
.
.
.
anchor "authpf/*"
I won't bother with /etc/authpf.rules or /etc/authpf.message, those are simple enough.

Here's an excerpt from /var/www/conf/httpd.conf:
Code:
Listen 127.0.0.1:8080
.
.
.
<VirtualHost 127.0.0.1:8080>
    ServerAdmin none
    DocumentRoot /var/www/auth
    ErrorDocument 404 /index.html
</VirtualHost>
/var/www/auth/index.html is my message to those who have not authenticated.

Last edited by jggimi; 16th April 2009 at 11:50 AM.
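A worked version of the setup jggimi describes, added here as an example; it is not taken from his configuration or from the BSD Hacks book. It is a shell script that renders the pf.conf fragment and the /etc/authpf/authpf.rules file, plus a check that an account really has /usr/sbin/authpf as its login shell. It assumes OpenBSD 4.7 or later pf syntax (match/rdr-to and a single authpf anchor; the 2009 excerpt above uses the older rdr/nat-anchor form), and the interface em1, the network 192.168.10.0/24 and the port 8080 are constructed placeholders. Two things to keep in mind with this design: the redirect only catches port 80, so anything else from an unauthenticated host simply hits the default block, and authpf removes a host from the table only when its ssh session ends, so enable sshd keepalives (ClientAliveInterval/ClientAliveCountMax in sshd_config(5)) so a laptop that wanders out of range is dropped promptly.

```shell
#!/bin/sh
# Added example (not jggimi's configuration): the pieces behind an authpf
# "not authenticated" redirect, written for OpenBSD 4.7+ pf syntax. Since 4.7
# translation is done with match/rdr-to filter rules, so the single
# 'anchor "authpf/*"' line replaces the nat-anchor/rdr-anchor/binat-anchor
# lines of the 2009 excerpt. Interface, network and port values are
# constructed placeholders; override them in the environment.

INT_IF="${INT_IF:-em1}"
INT_NET="${INT_NET:-192.168.10.0/24}"
PORTAL_PORT="${PORTAL_PORT:-8080}"

# Emit the pf.conf fragment on stdout (check it with pfctl -nf before loading).
render_pf_conf() {
    cat <<EOF
int_if = "$INT_IF"
int_net = "$INT_NET"

# authpf(8) adds a user's address here for the lifetime of the ssh session.
table <authpf_users> persist counters

# Default for the wifi segment: nothing gets in until authpf opens it up.
block return in log on \$int_if from \$int_net

# Every host on the wifi segment may ssh to the gateway itself: that is how
# authpf gets started as the user's login shell.
pass in quick on \$int_if proto tcp from \$int_net to (\$int_if) port ssh

# Authenticated hosts keep their web traffic. This rule is matched first and
# is quick, so the redirect below is never evaluated for them.
pass in quick on \$int_if proto tcp from <authpf_users> to any port www

# Everyone else is sent to the local notice page instead of the Internet.
match in log on \$int_if proto tcp from \$int_net to any port www \\
    rdr-to 127.0.0.1 port $PORTAL_PORT
pass in quick on \$int_if proto tcp to 127.0.0.1 port $PORTAL_PORT

# Per-user rules that authpf loads from /etc/authpf/authpf.rules.
anchor "authpf/*"
EOF
}

# Emit /etc/authpf/authpf.rules. authpf substitutes $user_ip (and $user_id)
# before loading these into the anchor authpf/<user>(<pid>).
render_authpf_rules() {
    cat <<'EOF'
int_if = "em1"
pass in quick on $int_if proto { tcp udp } from $user_ip to any \
    port { domain www https }
pass in quick on $int_if proto tcp from $user_ip to any port ssh
EOF
}

# A user is only "authpf-enabled" when authpf is the login shell. Feed this
# one passwd(5)-format line (e.g. from getent passwd oko); returns 0 or 1.
is_authpf_account() {
    shell=$(printf '%s\n' "$1" | awk -F: '{ print $NF }')
    [ "$shell" = "/usr/sbin/authpf" ]
}

# Live inspection on the gateway (needs root; not run automatically).
show_authenticated() {
    pfctl -t authpf_users -T show        # addresses currently authenticated
    pfctl -a 'authpf/*' -sr              # per-user rule sets currently loaded
}

# Usage:
#   render_pf_conf > /tmp/pf.conf.authpf && pfctl -nf /tmp/pf.conf.authpf
#   render_authpf_rules > /tmp/authpf.rules
#   is_authpf_account "$(getent passwd oko)" && echo "oko uses authpf"
```

The web part is unchanged from jggimi's post: whatever listens on 127.0.0.1:8080 only needs to answer every request with the notice page, and the ErrorDocument trick above does exactly that.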
#3
Old 16th April 2009
BSDfan666
Real Name: N/A, this is the interweb.
Banned

Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

I presume you meant OpenSSH in that last postscript. I don't make extensive use of Wireless technology.. but tunnelling over SSH is remarkably easy and should work from anywhere that allows you to connect directly with your remote server.

One thing that most people fail to realize is that OpenSSH supports several different methods of tunnelling connections.
  • The SOCKS proxy server.
  • Implicit port forwarding style tunnels.
  • Full VPN-style connection, tunnelling all network activity over an SSH tunnel.
All of these methods have their quirks, but generally they're easy to use once the learning curve and command-line syntax is de-obfuscated.

Here are some juicy examples, hopefully I can explain them without implying an existing knowledge of tunnelling.

1) Setting up a SOCKS 4 or 5 proxy for Firefox or Pidgin.. many programs can use a SOCKS proxy.

$ ssh -N -f -D 8686 oko@home.workstation
  • -N tells ssh not to execute any remote commands.
  • -f puts ssh into the background as a shell job, remove it if you want some noise.
  • -D tells ssh to start a SOCKS compatible proxy on the port specified as an argument, configure SOCKS aware programs to connect to localhost on port 8686.
  • oko@home.workstation is an imaginary account on your home workstation.

2) Implicitly port tunnelling is also pretty easy, but it is a bit more involved.. knowing the domain name of the remote server and the service port they use is important.

In this example, I'll create 2 tunnels for Yahoo Messenger service.. one for the pager service, the other for file transfers.
$ ssh -N -f -L 5051:scs.msg.yahoo.com:5050 -L 81:filetransfer.msg.yahoo.com:80 oko@home.workstation

The -N -f options have been discussed, but -L is new.. this literally means listen.. and it does, the numbers indicated by bold are local port numbers that SSH will be listening on.. whereas the text in italics refers to the remote hosts.

In this case, you'll have to go into the Account dialogue in Pidgin and configure the Advanced protocol settings for your yahoo account.. substitute scs.msg.yahoo.com and filetransfer.msg.yahoo.com with localhost and change their port numbers to 5051 and 81 respectively.

3) This last method is the most complicated; it involves setting up what is basically a genuine tunnel between your mobile system and the remote SSH server, and network connectivity can flow unfettered across this one tunnel.

Unfortunately this is moderately more complicated.. a tunnel involves the tun(4) device, routing table changes and other potentially confusing configuration changes.

$ ssh -N -f -w 0:0 root@home.workstation

The -w argument specifies a point-to-point tunnel, 0 indicates that ssh should bind to tun0, whereas 0 indicates the remote SSH server's tunnel device.

As I said, one notable problem is that this functionality requires the remote gateway to be configured to act as a NAT gateway; this will require pf.conf(5) rules and some subtle changes to sshd_config(5) to allow such tunnelling, look for the PermitTunnel option.. it does not work in Match blocks, which unfortunately means that you'll need to allow root authentication if you have it disabled.

Both the server's tun device and your local one will need to be configured, presuming they're created and the connection establishes successfully.. once you've confirmed that it has, you can assign an IP address to the tunnel devices and then start figuring out routing.

On home.workstation, configure tun0 with an IP address and a /30 subnet (2 hosts):
$ sudo ifconfig tun0 inet 172.16.0.1 netmask 255.255.255.252

On the mobile system, do the same.. except use 192.16.0.2:
$ sudo ifconfig tun0 inet 172.16.0.2 netmask 255.255.255.252

This should at least establish a working tunnel between the two systems, but it's hardly everything that needs to be done.

I admit I haven't tested this specific method of tunnelling personally, but hopefully the fundamentals are outlined successfully.

Good luck, I look forward to seeing someone correct the plethora of mistakes I made here.

EDIT: jggimi is faster than me, considerably so.
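A wrapper for the first two methods (the -D SOCKS proxy and -L port forwards), added here as an example rather than BSDfan666's own commands. It assumes a recent OpenSSH client and keeps the thread's imaginary oko@home.workstation account as the default remote. The additions over the bare ssh lines above are the ones a defender cares about: the listeners are bound to 127.0.0.1 so other hosts on the same wifi cannot use the tunnel, ExitOnForwardFailure makes a port clash fail loudly instead of leaving a session with no forward in it, keepalives notice a dead wifi link, a control socket lets the backgrounded session be checked and stopped by name, and local ports below 1024 (the 81 in the Yahoo example is one) are refused unless the script runs as root, because binding them requires that.

```shell
#!/bin/sh
# Added example (not BSDfan666's commands): a small wrapper around the -D and
# -L tunnel styles described in the post above. "oko@home.workstation" is the
# thread's imaginary account; set REMOTE to your own.

REMOTE="${REMOTE:-oko@home.workstation}"
CTL_DIR="${CTL_DIR:-$HOME/.ssh/ctl}"
CTL_SOCK="$CTL_DIR/%r@%h:%p"

# check_local_port PORT [UID]: 0 = usable, 1 = not a valid port number,
# 2 = privileged port (< 1024) requested by a non-root user. UID defaults to
# the caller's; it is a parameter so the check can be exercised without root.
check_local_port() {
    port=$1
    uid=${2:-$(id -u)}
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    if [ "$port" -lt 1024 ] && [ "$uid" -ne 0 ]; then
        return 2
    fi
    return 0
}

# forward_local_port LOCAL:HOST:REMOTE [UID]: validate a -L specification and
# print its local port. Returns like check_local_port; 1 for a malformed spec.
forward_local_port() {
    spec=$1
    lport=${spec%%:*}
    rest=${spec#*:}
    host=${rest%%:*}
    rport=${rest#*:}
    [ "$spec" != "$rest" ] && [ "$rest" != "$rport" ] && [ -n "$host" ] || return 1
    check_local_port "$lport" "${2:-$(id -u)}" || return $?
    check_local_port "$rport" 0 || return 1     # remote side: range check only
    printf '%s\n' "$lport"
}

# Options shared by both tunnel styles: background (-N -f as in the post), a
# control socket so the session can be found again, fail if a forward cannot
# be set up, and keepalives so a dead wifi link is noticed within a minute.
ssh_common() {
    mkdir -p "$CTL_DIR" && chmod 700 "$CTL_DIR"
    ssh -N -f \
        -o ControlMaster=yes -o "ControlPath=$CTL_SOCK" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        "$@" "$REMOTE"
}

# Method 1: SOCKS proxy on 127.0.0.1:PORT; point Firefox/Pidgin at it.
start_socks() {
    check_local_port "$1" || { echo "unusable local port: $1" >&2; return 1; }
    ssh_common -D "127.0.0.1:$1"
}

# Method 2: one or more -L forwards, e.g.
#   start_forwards 5051:scs.msg.yahoo.com:5050 8081:filetransfer.msg.yahoo.com:80
start_forwards() {
    for spec in "$@"; do
        forward_local_port "$spec" >/dev/null || { echo "bad forward: $spec" >&2; return 1; }
    done
    for spec in "$@"; do            # rewrite $@ as "-L 127.0.0.1:spec ..."
        set -- "$@" -L "127.0.0.1:$spec"
        shift
    done
    ssh_common "$@"
}

# Check or tear down the backgrounded session by name (-f leaves no PID).
tunnel_status() { ssh -o "ControlPath=$CTL_SOCK" -O check "$REMOTE"; }
tunnel_stop()   { ssh -o "ControlPath=$CTL_SOCK" -O exit  "$REMOTE"; }
```

Because ControlMaster is used, the session's -O check and -O exit work from any later shell, which is the part most people miss when they start tunnels with -f and later wonder which ssh process to kill.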
#4
Old 16th April 2009
TerryP
Arp Constable

Join Date: May 2008
Location: USofA
Posts: 1,547

There should be several guides online about setting things up with IPSec, for Windows, Linux, and various BSDs; OpenBSD also has nice manual pages that would help out in doing it: ipsec(4), ipsec.conf(5), ipsecctl(8), sasyncd(8), and isakmpd(8).


(I'm a little lacking in hardware for using such solutions, or I would add a thread to the guides forum if we don't already have one)
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
#5
Old 16th April 2009
Oko
Rc.conf Instructor

Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Quote:
Originally Posted by jggimi
If memory serves correctly, there's a fairly good tutorial/how-to using authpf and a redirect to a virtual webserver to show an unauthorized host they're blocked .... in Dru Lavigne's "BSD Hacks" book.
I looked at the book very carefully. Hack #65 talks about how to secure a WiFi
network with SSH, but her approach is limited.

These look like good reads. I read them before, but now I will try to set it up.

http://www.onlamp.com/pub/a/bsd/2004...ifi_ipsec.html

http://www.section6.net/wiki/index.p...ork_with_IPSec

Last edited by Oko; 16th April 2009 at 08:26 AM.