DaemonForums > OpenBSD > OpenBSD Security
most paranoiac pf rule set for OpenBSD desktop

daemonfowl (25th January 2012):

Hi, Daemon Eagles!

What is the safest strategy to follow in a pf rule set for an OpenBSD desktop?
Contenting myself with basic services only while still being able to use p2p?

An example to follow is much appreciated; then I can elaborate on it depending on further needs.

Thank you so much,
J65nko (25th January 2012):

The one I posted in http://www.daemonforums.org/showthread.php?t=4367 is quite strict, or paranoiac. It even limits ftp to a bunch of explicitly named ftp servers.

IMHO allowing p2p is incompatible with security
ocicat (26th January 2012):
Quote:
Originally Posted by daemonfowl
What is the safest strategy to follow in a pf rule set for an OpenBSD desktop?
This depends upon your ultimate goals. The following ruleset is simple & very restrictive:
Code:
block in all
pass out all
However, it doesn't do any logging, but maybe logging isn't important to you.

The point here is that one size doesn't fit all situations. The question is broad, & one definitive answer doesn't exist. You can help determine the answer which best fits your needs by studying:

Taking the time to digest the information in these sources will help better frame your understanding & future questions.

...& of course, the pf(4) manpage is gospel.
jggimi (26th January 2012):

One more thing to consider...

What is far more important than a "paranoid" rule set is understanding what applications you want to allow and how they use the net.

The most careful admins will only permit network use by applications desired, and map rules to expected behavior. Any pass rule should be carefully written. If you are truly concerned about the welfare of your own networks, even if you don't care about your impact on other networks, this should be your goal.

For example, an outbound "pass all" does not protect against anything using the workstation as a vector... from virii that might spew spam, to a bad actor with command and control.

Obviously, those are more likely on windows platforms... but the risk is not zero. Admin mistakes can permit attacks, and have.
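What jggimi's "map pass rules to expected behaviour" looks like in practice, as an added example that is not from the thread or from any poster: a default-deny pf.conf for a single OpenBSD desktop behind a router, with no blanket "pass out", one rule per application, and the p2p client from the original question confined to one unprivileged uid. The interface group egress and the service names are real; the resolver and NTP addresses, the login and amule user names, and the aMule port numbers are assumptions to replace with your own.

```pf
# Added example, not from the thread: a default-deny pf.conf for a single
# OpenBSD desktop behind a router.  No blanket "pass out"; every rule names
# the protocol, the destination port and, where the application runs as a
# known uid, the user that owns the socket.  Addresses, user names and the
# aMule port numbers are assumptions; replace them with your own.

login     = "daemonfowl"        # assumption: your interactive login name
p2p_user  = "amule"             # assumption: dedicated unprivileged uid that runs aMule
dns       = "{ 192.0.2.53 }"    # assumption: the resolver(s) from /etc/resolv.conf
ntp       = "{ 192.0.2.123 }"   # assumption: one named time server, not "any"
amule_tcp = "4662"              # assumption: aMule's configured TCP listening port
amule_udp = "4672"              # assumption: aMule's configured UDP port

set skip on lo0
set block-policy drop           # silently drop; no RST/ICMP hints about what is filtered

match in all scrub (no-df)

# Default deny in BOTH directions.  Both rules log, so an application that
# tries to use the network without a rule of its own shows up on pflog0
# instead of reaching the wire.
block in log all
block out log all

# Spoofed sources never get past the external interface
block in quick on egress from urpf-failed

# Plumbing: DHCP lease traffic (assumption: the address comes from the
# router by DHCP) and name resolution, restricted to the known resolvers.
pass out quick on egress proto udp from port bootpc to port bootps
pass out quick on egress proto { tcp udp } to $dns port domain

# Per-application outbound rules.  Nothing here says "to any port any".
pass out quick on egress inet proto icmp icmp-type echoreq
pass out quick on egress proto udp to $ntp port ntp
pass out quick on egress proto tcp to any port { www https } modulate state
pass out quick on egress proto tcp to any port ssh user $login modulate state

# The p2p client, confined to its own uid: it may talk to peers on whatever
# ports they use, but only that uid may do so, and only that uid may listen
# on the two advertised ports.  When aMule is not running nothing listens
# there and the inbound packets fall through to the logging block.
pass out quick on egress proto { tcp udp } user $p2p_user
pass in  quick on egress proto tcp to (egress) port $amule_tcp user $p2p_user
pass in  quick on egress proto udp to (egress) port $amule_udp user $p2p_user
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. Whatever the two logging block rules catch is visible with `tcpdump -n -e -ttt -i pflog0`; that is the check to run before adding the next pass rule, rather than widening an existing one. The `user` criterion only applies to sockets on this host (outbound: the uid that opened the connection; inbound: the uid listening on the port), which is exactly the desktop case; it does nothing for forwarded traffic.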
daemonfowl (26th January 2012):

Thank you so much, J65nko, ocicat, jggimi, for your support...
I purposefully described it as a simple desktop/workstation, not attached to any network but a router. I guess I'd use J65nko's http://www.daemonforums.org/showthread.php?t=4367
As for p2p, at times I use aMule and disable the sharing option, so that nobody can see the shared files. With this plus obfuscation support and tor+polipo, is p2p still a security risk?
jggimi (26th January 2012):

Quote:
is p2p still a security risk ?
A better set of questions to ask might be:

Security:
  • How does aMule present my files and filesystem structures to the public? What metadata is made available along with the data? For instance, does it present gid/uid numbers? User names? What can be gleaned about my workstation and its configuration?
  • What can I find out about this application's development history? Have there been security related bugs reported? If so, which components of the application were affected? How were the bugs managed by the developers?
Traffic patterns:
  • What IP protocols are used? Most likely this will be TCP, UDP, or possibly both. Some applications may use other protocols (see /etc/protocols for examples).
  • For TCP or UDP, what port numbers are used for destination (listening) services? What port numbers are used for outgoing transmissions?
  • Are there Quality of Service or other IP flags used by this application's traffic? If so, how are they utilized?
Please note that questions like these are only the starting point. And, they are questions you should ask yourself, along with, "Where will I find the answer?"

As you dig, you may discover more questions to ask. And, you may like the answers, you may not. But they will help you make better decisions.

Your nearby Internet search engine may be able to provide you with some answers; for others, you may find yourself wanting to review the source code.

---

If it seems like I am advocating self-sufficiency; well, yes, I am. I also don't have any answers to these questions, because I have never used aMule. I know where to look, though, if I wanted to find out. I would start with Google.
daemonfowl (26th January 2012):

Thank you so much, jggimi, for brainstorming daemonfowl..
In fact I highly respect your approach and would consider it.
Sometimes a newbie looks for shortcuts to help him decide at the time of asking; later on though, he would shift course depending on the knowledge/expertise gained.
I remember I could not use *nix without KDE; now I feel comfortable without it. Maybe after some time I will do without X, happily.
rocket357 (26th January 2012):

Quote:
Originally Posted by daemonfowl
Maybe after some time I will do without X, happily.
That's a goal I can +1.

If it weren't for the need for firefox at my place of employment (plugins for some of our internal tools), I'd probably run tmux and a bunch of ssh sessions and leave it at that...but until that requirement goes away I'm using X with cwm and tmux.
daemonfowl (26th January 2012):

Hi Rocket357!
You've got an inspiring nick and a revealing pic!
Is cwm your preference over fvwm? Maybe more minimalistic..
rocket357 (26th January 2012):

I've never really used fvwm seriously, so I can't really say. cwm does what I need and is minimalist so I use it. Well, it's minimalist *enough*. I went through a "let's optimize everything!" phase with Gentoo and LFS a long time ago, but I gave up on that after a shootout between my l33t uber Gentoo install and stock FreeBSD didn't go the way I wanted it to. Optimization like that gains points for learning, but otherwise is a complete waste of time.
ocicat (28th January 2012):

Conversation has veered from pf(4) rules to X window managers. Unless further comments are on the original subject, please start a new thread.
hamster (26th February 2012):

Hello everyone! I'm new to this forum, but I've been using OpenBSD for some months now.

I wanted to present my PF configuration to the OP, but also to the members of this forum, for comments basically, if any.

I don't consider the configuration to be very paranoiac, but I believe it provides good functionality with some strict rules.
If anything seems abnormal, please give an alternative solution.

You will notice I am using sshguard too, it can be found under OpenBSD packages.

Code:
services="{ 80, 443, 3689 }"

# don't filter on the loopback interface
set skip on lo0

# scrub incoming packets
match in all scrub (no-df)

# setup a default deny policy for incoming connections
block all
pass out quick modulate state

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# sshguard rules
table <sshguard> persist
block in quick on egress proto tcp from <sshguard> to (egress) port ssh label "ssh bruteforce" 

# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in on egress proto tcp from any to (egress) port ssh synproxy state (max-src-conn 15, max-src-conn-rate 5/3)

# open ports for services - protect services from abusive hosts
pass in on egress proto tcp from any to (egress) port $services synproxy state (max-src-conn 100, max-src-conn-rate 15/5)

# allow IGMP traffic with ip options from rooter
pass in quick on egress proto igmp from X.X.X.X to 224.0.0.0/4 allow-opts

# by default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
ocicat (26th February 2012):

Quote:
Originally Posted by hamster
I wanted to present my PF configuration to the OP, but also to the members of this forum, for comments basically, if any.
Welcome!

For the sake of archive information, can you tell us which version of OpenBSD you are using? Providing the output of the following command will provide all necessary information:

$ sysctl kern.version
hamster (26th February 2012):

Quote:
Originally Posted by ocicat
Welcome!

For the sake of archive information, can you tell us which version of OpenBSD you are using? Providing the output of the following command will provide all necessary information:

$ sysctl kern.version
Certainly

Code:
OpenBSD 4.9 (GENERIC.MP) #794: Wed Mar  2 07:19:02 MST 2011
...:/usr/src/sys/arch/i386/compile/GENERIC.MP
Patched. (Well, there was only one patch up to now.)
s2scott (27th February 2012):

You may want to consider strengthening the following rule and its like, unless there's reasons not to.

Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in on egress proto tcp \
   from any to (egress) port ssh \
      synproxy state (max-src-conn 15, max-src-conn-rate 5/3)
to

Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in log quick on egress inet proto tcp \
   from !(egress:0) to (egress) port ssh \
      synproxy state (max-src-conn 15, max-src-conn-rate 5/3)
In one rule, it does all yours did PLUS prevents a type of DoS attack.
s2scott (27th February 2012):

Also, I don't see any NAT rules. Is the 'egress' interface blessed with a truly global IP and, therefore, NAT is not required?

If NAT is required, then you need additional rules and NAT rules -- done well -- can prevent 'leaks.'

/S
s2scott (27th February 2012):

Additionally,

Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in on egress proto tcp \
   from any to (egress) port ssh \
      synproxy state (max-src-conn 15, max-src-conn-rate 5/3)
really needs a <table> inclusion

Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in on egress proto tcp \
   from any to (egress) port ssh \
      synproxy state (max-src-conn 15, max-src-conn-rate 5/3 overload <sshbrutes> flush global)
And the -- comprehensive -- way to write the rule goes ...

Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)

table <sshbrutes> persist {  }
#
pass in log quick on egress inet proto tcp \
   from !{ (egress:0) <sshbrutes>} to (egress:0) port ssh \
      synproxy state (max-src-conn 15, max-src-conn-rate 5/3 overload <sshbrutes> flush global)
hamster (27th February 2012):

Thank you s2scott !

The interface has a truly global IP, so yes, no need for NAT there.

About the sshbrutes table: the sshguard program already creates a table, named sshguard, not by any overload command, but in the background (by polling the /var/log/authlog file).

So this command blocks any IP that exists in sshguard table:
Code:
block in quick on egress proto tcp from <sshguard> to (egress) port ssh label "ssh bruteforce"
I wouldn't mind putting the offenders in a second table, but it seems rather excessive :P
denta (27th February 2012):

Quote:
Originally Posted by hamster
I wouldn't mind putting the offenders in a second table, but it seems rather excessive :P
I think the point is, you can protect your services from bruteforce attacks with a simple overload <table> statement, which means no need for any additional software, which means less dodgy code running on your machine.

Less is more!
hamster (27th February 2012):

Quote:
Originally Posted by denta
I think the point is, you can protect your services from bruteforce attacks with a simple overload <table> statement, which means no need for any additional software, which means less dodgy code running on your machine.

Less is more!
Well, this is not bad advice, so I will consider it, because it actually keeps you away from having to deal with sshguard too.

Another update of mine:
Code:
pass out quick proto { tcp udp icmp } modulate state
Well I really don't use any other protocols for outgoing connections. Modulate state is going to be keep state for udp and icmp automatically.
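Pulling together s2scott's overload table and denta's "no extra software" point, as an added example that is not from the thread or from any poster: ssh brute-force limiting done entirely in pf, with the offender table consulted by its own block rule rather than folded into the pass rule. The port and the thresholds are the ones used in the thread; the table name is an assumption.

```pf
# Added example, not from the thread: ssh brute-force limiting done entirely
# in pf.  Port and thresholds are the thread's values; the table name is an
# assumption.  Rules are evaluated top to bottom, all "quick".

table <sshbrutes> persist

# 1. A source already in the table is refused before the pass rule is even
#    considered.  Keeping this in its own rule lets the pass rule below stay
#    "from any" instead of depending on how a negated list expands.
block in log quick on egress inet proto tcp from <sshbrutes> \
    to (egress) port ssh label "ssh-bruteforce"

# 2. Our own primary address is never a legitimate source for inbound ssh;
#    drop such packets rather than let a spoofed SYN occupy the synproxy.
block in quick on egress inet proto tcp from (egress:0) to (egress) port ssh

# 3. More than 15 simultaneous connections, or more than 5 new ones within
#    3 seconds, from one source adds that source to <sshbrutes>.  "flush
#    global" also tears down every state that source already holds, under
#    this rule or any other, so an attacker's open sessions die with it.
pass in log quick on egress inet proto tcp from any to (egress) port ssh \
    synproxy state (max-src-conn 15, max-src-conn-rate 5/3, \
                    overload <sshbrutes> flush global)
```

`pfctl -t sshbrutes -T show` lists the current offenders and `pfctl -t sshbrutes -T delete 203.0.113.5` (address constructed for illustration) releases one. The table is only ever filled by pf, so something must empty it: a root crontab entry running `pfctl -t sshbrutes -T expire 86400` removes entries that have sat in the table untouched for a day; without an expiry the table only grows. Because the rate limit is applied when the state is created, at the SYN, an offender is cut off before sshd ever sees the connection, which is what makes the authlog-polling approach unnecessary here.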