DaemonForums > OpenBSD > OpenBSD Security

#1 - frcc - 22nd June 2013
Server Access

Hi Folks

(newbie question)

We are running OpenBSD Ver 5.0 and the Apache server that came with it.
We have our business/system running on a public static IP.
The server supports a static website with no email, SQL, web finance etc.
type features. This server is not used for any other purpose than supporting
a non-interactive static web page.

That being said, we still get a lot of traffic from locations that simply
waste server resources.
We do not need to service IPs from other countries, or distant geographical
areas.

Is it practical, desirable, good policy to BLOCK IP addresses
from countries, or geographic areas, to utilize server resources more
efficiently, as our type of business is very local?

If SO, SHOULD it be done in "etc/pf.conf" using a <table> or Apache using
the "Order Allow,Deny directives"?

Advice and information appreciated.

Thanks in advance.

Last edited by frcc; 22nd June 2013 at 09:46 PM.

#2 - jggimi - 22nd June 2013

If you elect to proceed to block/pass by IP address ranges, I would recommend using PF rather than Apache, as your concern is resource consumption and blocking addresses at the kernel would be more efficient. Apache would not receive any blocked requests.

Please be aware, OpenBSD 5.0 is no longer supported. Support ended 1 Nov 2012, when OpenBSD 5.2 was released. Only the most recent two releases are supported. The most recent release was OpenBSD 5.3, released 1 May 2013.

#3 - frcc - 22nd June 2013
Server Access

I do like supporting OpenBSD so I guess I will make a call to Canada and order
the latest... Thanks for the reminder!!!!!

One more question concerning the original post: in this situation is it
normal practice, or good practice, or a practical justified concern of mine to want
to filter such a huge block of IPs? To me it might seem a little overkill
to filter all IP addresses with the exception of US to simply reduce some
server ticks. Since the web page is simply static, with no company resources
on it to muck with, and separated from the other servers, am I being penny wise
and pound foolish? OpenBSD pf is handling traffic easily; it is simply a nuisance
to continue to ID traffic from China, Singapore, E Germany, Russia, S Africa etc.
in tcpdump and whois, an aggravation in attempting to keep the system clean
and not a nuisance to its neighbors.

#4 - ocicat (Administrator) - 23rd June 2013

Quote: Originally Posted by frcc
...in this situation is it
normal practice, or good practice, or a practical justified concern of mine to want
to filter such a huge block of IPs? To me it might seem a little overkill
to filter all IP addresses with the exception of US to simply reduce some
server ticks. Since the web page is simply static, with no company resources
on it to muck with, and separated from the other servers, am I being penny wise
and pound foolish?

The answer depends upon what your ultimate goal is. If you don't care whether some countries can access your server or not, filter them out. A collateral question which only you can answer is whether you want to revisit this matter later. If you want to experiment,
  1. measure the unfiltered load
  2. tighten your access
  3. measure the filtered load
By experimenting with access, you will have hard data on which to decide whether or not you want to filter further. Your other choice is to implement access rules once, & be done with it. We cannot give you a definitive answer as to what you should do since we don't really know what your ultimate goal is.

As for whether you should hardcode IP ranges into pf.conf, that is your choice. pf(4) allows tables of IP addresses to be modified; see the following for more details:
This assumes you are running OpenBSD 5.3.

#5 - frcc - 23rd June 2013
Server Access

Yep, got it.
Thanks

#6 - frcc - 23rd June 2013
Server Access

A little feedback.....
Created a <table> for US IPs only in pf.conf (size approx 3.0M, Scheez!)
Increased hard limits in pf.conf

Watching the traffic!
I think limiting traffic from US IPs only makes sense for "MY/OUR" situation.
We will see after the logs start to grow.....

pf handles this size table very quickly, no noticeable delays.
PS: using Ver 5.0

Last edited by frcc; 23rd June 2013 at 03:55 AM.

#7 - pttymuth - 15th July 2013

I'm new to OpenBSD and found this post interesting. Thanks.

#8 - frcc - 12th August 2013

Some feedback for this post.
We have been filtering foreign IPs for approx (3) weeks.
We are running (10) virtual hosts on Ver 5.3 + Apache (chrooted), all dealing with a simple service business
spanning several counties in our state. (no e-commerce, SQL, email, nada, simply text and pics)

As a new administrator I didn't want to develop the websites all over again following a hack etc.
To make it short and sweet, I have many very experienced friends and associates with far more formal
and practical knowledge of web development and administration. I won't bore you with their stories.
Suffice it to say
REASON # 1 why I use OpenBSD.

Filtering foreign IPs (pf.conf) using a <table> instantly filters approx 79-80% of traffic. The table being filtered is 3 meg, or about (who knows) how many IP addresses. You don't notice any lag in web speed. Since our business has absolutely no reason to cater to anyone outside our immediate countywide area it was a good move **[for us]** and especially me, as I can spend time learning OpenBSD instead of re-installing it.

Thank you, OpenBSD developers!

Last edited by frcc; 12th August 2013 at 03:37 AM.

#9 - jggimi - 12th August 2013

Quote: Originally Posted by frcc
...The table being filtered is 3 meg, or about (who knows) how many IP addresses.

You can count the entries in a PF table with:

# pfctl -t mytable -T show | wc -l

If the entries include CIDR blocks, you'd have to do a little more work to count unique addresses.
Quote: Originally Posted by frcc
...Thank you, OpenBSD developers!

We're just users, here. Thanks to developers can be sent to misc@, though I think less than half of them follow that mailing list.

frcc - 13th August 2013
Server Access

Looks like 169968 (US IPs) using pfctl -t mytable -T show | wc -l,
so in pf.conf I coded to block all, but pass from that table (when filtering for p:80).
I wonder if the number 169968 includes (all), because the list contains
many domains with a "/"xx (yes, the entries DO include CIDR blocks, so yes there is much more).

----Comment-----
I'm sure the developers don't need a thank you from me because I think they code OpenBSD for themselves first, with the rest of us riding along. I am sure some of them like to hear a "job well done" from the broader user community every now and then. Certainly when I purchase the next release CD they will indirectly.

Thanks all

jggimi - 13th August 2013

The wc(1) program's -l option just counts lines of output. If you want to count addresses you will have to parse the CIDR addresses and convert them to address counts.

e.g: 10.10.10.0/24 is 254 addressable devices, plus two reserved addresses for network and broadcast. 0.0.0.0/0 is 4,294,967,294 addresses plus the two reserved addresses.
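One way to do the CIDR-to-count conversion jggimi describes, as an added example that is not from the thread: it parses output in the shape `pfctl -t mytable -T show` prints (a constructed sample is embedded), then reports both the naive per-entry sum and the unique address count after collapsing nested or adjacent blocks. The script name count_table.py in the usage comment is assumed.

```python
import ipaddress
import sys

# Constructed sample in the shape `pfctl -t mytable -T show` prints:
# one address or CIDR block per line, indented by three spaces.
SAMPLE_TABLE_DUMP = """\
   10.10.10.0/24
   10.10.10.128/25
   192.0.2.7
   198.51.100.0/22
   2001:db8::/48
"""


def parse_table(dump):
    """Turn pfctl -T show output into ip_network objects, one per entry."""
    nets = []
    for line in dump.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        # A bare address gets a /32 (IPv4) or /128 (IPv6) prefix here.
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def summarize(dump):
    """Per IP version: entry count, raw address sum and unique address count.
    'raw' adds up every entry, so a block nested inside another is counted
    twice; 'unique' collapses overlapping/adjacent blocks first."""
    nets = parse_table(dump)
    result = {}
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        if not same:
            continue
        merged = list(ipaddress.collapse_addresses(same))
        result[version] = {
            "entries": len(same),
            "raw": sum(n.num_addresses for n in same),
            "merged": len(merged),
            "unique": sum(n.num_addresses for n in merged),
        }
    return result


if __name__ == "__main__":
    # Usage: pfctl -t mytable -T show | python3 count_table.py
    for version, stats in summarize(sys.stdin.read()).items():
        print(f"IPv{version}: {stats}")
```

On the sample, 10.10.10.128/25 sits inside 10.10.10.0/24, so the raw IPv4 sum (1409) overstates the unique count (1281); the same gap explains why a line count of a table with many CIDR entries says little about how many addresses it really covers.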
frcc - 14th August 2013

Yes, so that number is very much larger as almost all entries are CIDR.
Thanks