DaemonForums  
OpenBSD Security Functionally paranoid!
#1
10th October 2017
bsd007
Always learning
Join Date: Sep 2014
Posts: 242
Using OpenBSD directly without a router

Hi,

My router is an old Dlink DIR 600L. There is no firmware released by the company and it's simply pathetic in terms of WAN security.

https://www.cvedetails.com/vulnerabi...ware-2.05.html

So I am connecting OpenBSD directly without a router.

My ISP provides Internet using ethernet cable.

Is there any risk?


Note: My router is in the unsupported list on DDWRT's page so I can't use that.

Last edited by bsd007; 10th October 2017 at 05:07 PM.
#2
10th October 2017
ibara
OpenBSD language porter
Join Date: Jan 2014
Posts: 783

Any risk of what?

Getting hacked? Sure, if you misconfigure things.
Hardware failure? Sure, if you have old hardware.
Your house/apartment catching fire? Sure, if the wiring isn't up to code.
Burnt toast? Probably not, you're not using NetBSD...
#3
10th October 2017
bsd007
Always learning
Join Date: Sep 2014
Posts: 242

Quote:
Originally Posted by ibara
Any risk of what? Getting hacked? Sure, if you misconfigure things.
Yes, I was asking about getting hacked. I did not configure anything. I have left everything to default.

Quote:
Burnt toast? Probably not, you're not using NetBSD...
I didn't understand this one.
#4
10th October 2017
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by bsd007
I did not configure anything. I have left everything to default.
I think you have made changes from the default installation. But you aren't considering them to be changes.
  • You've answered questions during installation. For example, you answered questions about SSH and then asked here how to find out what you answered.
  • You've installed packages. You've installed XFCE, Nano, and other applications.
Q: Can an "unsafe" answer be given during the install process?

A: Yes. For example, the install script will permit "unsafe" SSH provisioning to be used. This can simplify remote installation procedures. The astute admin will recognize this and revise the configuration after installation steps have been completed.

Q: Does installing a package add risk?

A: Yes. How much risk depends entirely on what packages are installed and how they are provisioned and used.

Q: Can I do something that adds risk without being aware of it?

A: Of course.

Q: How can I get better at recognizing risks?

A: Take a security class. Read books on computer security. Learn what your applications (and their dependencies) do, and how they do it.
Quote:
I didnt understand this one.
NetBSD runs on a very large set of hardware architectures. It used to be said that NetBSD would run on everything except a toaster. It can't be said anymore.
#5
10th October 2017
bsd007
Always learning
Join Date: Sep 2014
Posts: 242

Quote:
I think you have made changes from the default installation. But you aren't considering them to be changes.

You've answered questions during installation. For example, you answered questions about SSH and then asked here how to find out what you answered.
That part is solved. I got a mail with a detailed report of what I chose during installation.

Quote:
You've installed packages. You've installed XFCE, Nano, and other applications.
I have installed XFCE, nano, Firefox, transmission-gtk, libreoffice, smplayer, vlc player, ksnapshot, hexchat, thunderbird.

Quote:
Q:Can an "unsafe" answer be given during the install process?

A: Yes. For example, the install script will permit "unsafe" SSH provisioning to be used. This can simplify remote installation procedures. The astute admin will recognize this and revise the configuration after installation steps have been completed.
Kindly elaborate. As I said I chose "no" when asked if I want to start sshd on boot.
#6
10th October 2017
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by bsd007
That part is solved. I got a mail with detailed report of what I chose during installation.
Yes, I know. The default installation actually includes sshd(8) as a running service. You are not running it.
Quote:
I have installed XFCE, nano, Firefox, transmission-gtk, libreoffice, smplayer, vlc player, ksnapshot, hexchat, thunderbird.
In that short list there are a number of applications with a history of being successful attack vectors, or being attack vectors when configured or used improperly. And those are just the applications you installed manually. There are probably several hundred installed packages on your workstation. The majority of your installed packages are dependencies that were installed automatically.
Quote:
Kindly elaborate. As I said I chose "no" when asked if I want to start sshd on boot.
It is *possible* to make sshd(8) provisioning choices when running the script which are considered insecure. You didn't.

But you do have applications installed which are powerful, complicated, and often difficult to operate securely. Such as Firefox, to pick one easy (and sometimes scary) example.

Even an admin trying to be "as secure as possible" can easily make a mistake, unknowingly.
#7
10th October 2017
bsd007
Always learning
Join Date: Sep 2014
Posts: 242

@jggimi

While using Linux I was using a tool called firejail. I used to use it with Firefox and Chromium and pretty much all internet-facing apps.

Firejail is a sandbox tool. Is there anything under OpenBSD?

I don't want to install from ports.
#8
10th October 2017
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

Firejail is a Linux-specific tool. There is no direct equivalent.

There are a number of risk mitigation technologies in OpenBSD. There is a short list of them articulated here. In addition, many applications are using the pledge(2) syscall restriction system. The Chrome browser, for example, is deployed with pledge() on OpenBSD.
#9
10th October 2017
bsd007
Always learning
Join Date: Sep 2014
Posts: 242

I guess it's a lengthy learning process. Thanks for the replies.
10th October 2017
PapaParrot
parrot
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 472

You should take a look at this thread:
Learning to pledge() an application - a story

Code:
man pf
and
Code:
man pledge
Both are already there in a default installation.
https://www.openbsd.org/faq/pf/config.html
-----------------------------------------------
https://man.openbsd.org/pledge.2

Last edited by PapaParrot; 10th October 2017 at 07:57 PM.
10th October 2017
gustaf
Fdisk Soldier
Join Date: Dec 2016
Posts: 68

bsd007,

Please read this.
10th October 2017
bsd007
Always learning
Join Date: Sep 2014
Posts: 242

@GarryR

Thanks for the useful links.

Don't get me wrong, but I was looking for something simple, like for example:

Code:
sandboxtool firefox
10th October 2017
ibara
OpenBSD language porter
Join Date: Jan 2014
Posts: 783

Quote:
Originally Posted by bsd007
Code:
sandboxtool firefox
It's never too early to write your own sandbox tool and submit it to the project!
10th October 2017
gustaf
Fdisk Soldier
Join Date: Dec 2016
Posts: 68

Your original question was about how to connect to the Internet.

Quote:
Originally Posted by bsd007

My router is an old Dlink DIR 600L. There is no firmware released by the company and it's simply pathetic in terms of WAN security.
..................................................
So I am connecting OpenBSD directly without a router,

My ISP provides Internet using ethernet cable.

Is there any risk ?

This new question is about third-party software.

Quote:
Originally Posted by bsd007

While using Linux I was using a tool called firejail. I used to use it with Firefox and Chromium and pretty much all internet-facing apps.

Firejail is a sandbox tool. Is there anything under OpenBSD?
In the future, please start a new thread if you change the topic.

Many of us use these forums to search for information. Mixing issues in a thread can make it more difficult and time-consuming to find what we are looking for.

Last edited by gustaf; 10th October 2017 at 11:24 PM. Reason: formatting, typos
10th October 2017
bsd007
Always learning
Join Date: Sep 2014
Posts: 242

Quote:
Originally Posted by gustaf
Your original question was about how to connect to the Internet.
This new question is about third-party software.
In the future, please start a new thread if you change the topic.

Many of us use these forums to search for information. Mixing issues in a thread can make it more difficult and time-consuming to find what we are looking for.
My question was not about how to connect to the Internet. I was asking about the risks (if any) of connecting directly without a router.

Okay point taken. I will create a new thread if asking about something else.
10th October 2017
bsd007
Always learning
Join Date: Sep 2014
Posts: 242

@shep

At the moment I don't want to spend cash on a new router. I guess OpenBSD is secure enough to connect to the Internet. I say this because I read many articles saying the same. I double checked: my router is not supported by DDWRT.

@jggimi

It's just that I developed this habit of firejailing every internet-facing app. I guess I can live without it.

Thanks to both for replying.
17th October 2017
ibara
OpenBSD language porter
Join Date: Jan 2014
Posts: 783

Quote:
Originally Posted by bsd007
At the moment I don't want to spend cash on a new router. I guess OpenBSD is secure enough to connect to the Internet. I say this because I read many articles saying the same. I double checked: my router is not supported by DDWRT.
It is. Many of us use OpenBSD connected directly to the Internet, myself included. The key is in how you configure your OpenBSD system.

If you happen to have a spare system lying around, you can make your own OpenBSD router on the cheap. All you need is two Ethernet ports, an unmanaged switch, and this OpenBSD FAQ page: https://www.openbsd.org/faq/pf/example1.html (and you can ignore the WiFi parts if you don't want WiFi).

I've even done it with a laptop with a dead screen and a USB->Ethernet dongle.

And then you don't have to worry about bloaty, impossible-to-not-misconfigure desktop software.
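The configuration ibara is pointing at is pf(4), which is in the base install and loaded from /etc/pf.conf. The ruleset below is an added example for the situation in this thread (one workstation plugged straight into the ISP's ethernet, no router in front of it); it is not the stock OpenBSD pf.conf and not any poster's own configuration, and the interface name em0 is an assumption to be replaced with whatever ifconfig(8) shows.

```pf
# Added example, not the OpenBSD default pf.conf: a single workstation on the
# ISP's ethernet with no router in front of it.
# Assumption: the NIC is em0; use the name ifconfig(8) shows on your machine.
ext_if = "em0"

# Never filter loopback traffic.
set skip on lo

# Drop blocked packets silently instead of answering with RST/ICMP, so a
# sweep of the ISP's address range learns nothing from the refusals.
set block-policy drop

# Default deny for everything arriving from the outside, logged to pflog0
# so the blocked traffic can be reviewed afterwards.
block in log

# Discard packets whose source address fails the reverse-path check, and
# packets claiming to come from this host's own address or network.
block in quick from urpf-failed
antispoof quick for $ext_if

# Let the workstation open connections outward. pass rules keep state by
# default, so the only inbound packets accepted are replies to those flows.
pass out on $ext_if

# Accept DHCP lease offers and renewals from the ISP (server port 67 to
# client port 68); from pf's point of view these arrive unsolicited.
pass in on $ext_if inet proto udp from port 67 to port 68
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; what the default-deny rule drops can be watched live with `tcpdump -n -e -ttt -i pflog0`.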
17th October 2017
Trihex
Real Name: Trihexagonal
Shell Scout
Join Date: Jul 2017
Location: Land of the Dead
Posts: 87

Quote:
Originally Posted by bsd007
My question was not about how to connect to the Internet. I was asking about the risks(if any) of connecting directly without a router.
When I changed ISP they only provided a modem and I ran my BSD machines connected directly to the internet for months without a second thought. I only got a router so I could have more than one box connected to the net at once.

I actually only had FreeBSD laptops at the time but they use the OpenBSD pf firewall and the same basic ruleset I use on my OpenBSD box right now. I ran a pfSense, FreeBSD-based firewall/router for several years so I felt quite at ease connected directly to the net and have great confidence in the pf firewall.
10th October 2017
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by bsd007
...I was looking for something simple...
Information security and privacy is a very large field. You are only considering one small corner of that field.

These types of tools are designed to partially isolate the application's processes and resources from other processes on the same system. It is laudable, and useful.

But that is a relatively small fraction of the possible security issues any computer user may face.
10th October 2017
shep
Real Name: Scott
Arp Constable
Join Date: May 2008
Location: Dry and Dusty
Posts: 1,503

Quote:
My router is an old Dlink DIR 600L. There is no firmware released by the company and it's simply pathetic in terms of WAN security.
There is not a strong need for 11n routers in OpenBSD as support is just getting started. If your DIR 600L version is A1, B1 or B2 there is open-source, up-to-date firmware at either DD-wrt or LEDE-project.

I use LEDE firmware which just released version 17.01.3
Quote:
Highlights In LEDE 17.01.3

The LEDE Community is proud to announce the third service release of stable LEDE 17.01 series.

LEDE 17.01.3 “Reboot” incorporates a fair number of fixes back ported from the development branch during the last sixteen weeks.

Some selected highlights of the service release are:

Linux kernel updated to version 4.4.89 (from 4.4.71 in v17.01.2)
Numerous security fixes to curl, dnsmasq, mbedtls, tcpdump and the Linux kernel
Assorted platform fixes for ar7, ar71xx, bcm53xx, brcm63xx, imx6, ipq806x, lantiq, ramips, sunxi and x86
As always, a big thank you goes to all our active package maintainers, testers, documenters, and supporters.
If your version is C1 you can purchase a cheap, refurbished router for around $10. I bought a TrendNet TEW-732BR (11n) 300Mbps for $10.50 USD 6 months ago; it is still available at that price. It initially used Linux 2.6 based firmware but I now have LTS kernel 4.4. LEDE firmware does not come with a GUI interface out of the box while DD-wrt does. I think the LEDE project is more active than DD-wrt but it will take more time to build a custom firmware image. I added a web-based configuration interface (LuCI), vnstat and a simple email program to LEDE. I configure with a web interface and then use a secure shell to turn off the httpd when done. Telnet is only available on first login when you set your passwords. My router now can only be accessed by a secure shell. You can also remove many services, block ports and use iptables with it. The community has an article database on securing your router and for the ultra-paranoid you can generate your own certificate for https/ssh access.

Last edited by shep; 18th October 2017 at 03:06 PM.