For a basic home network, what you have is pretty sufficient (unless you don't trust your users at home, in which case you should control out-bound access as well...). I'm not sure about allowing icmp, either, but that's just me. You could also scrub and synproxy (might be overkill, but you are being scanned...) You can also setup a table to hold scanning ip's and block anything from said table. With your logging, you could write up a script to watch the logs for scans and add the scanning ip to the block table, or utilize a pre-written port for handling the same. Or better yet, rate limit how many half-open connections a given ip is allowed.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
The presence of unwanted traffic can be annoying, but it happens to every host on the Internet.. if it's a real nuisance you can try contacting your ISP and they can usually attempt to deal with it, but really it's almost always easier to tough through it.
I agree with rocket357, that is an incredibly stupid way to deal with the problem, I would recommend replacing it.. 3com is odd, indeed OpenBSD is a good replacement for SOHO devices. As for commenting on your configuration, as long as you're aware of what that ruleset implies.. then it's fine. As you're exposing ssh to the Internet, you may wish to allow only public key authentication and disable root logins.. be aware that you're likely to see a fair amount of probes in your logs regardless of these settings, that's quite normal. And for passing in 113/ident, there is rarely a need to.. unless you're connecting to a really strict IRC network you can omit that.
It is disabled by default in the 4.9 release. I would suggest moving ssh to some higher port like 8888. That would get rid of 95% of idiots. I would most definitely control outbound traffic even if you are the only user of the computer.
Disallowing password authentication will harden it even more, as it's much more difficult to crack a key than it is to crack a typical password. For a 1024 bit rsa key, there are ~1.8e+308 possible combinations, whereas a 14 character password of upper/lower/numeric/special has ~1.0e+26 possible combinations (and most don't have perfectly random passwords, so the possible combinations is far fewer). For comparison, if you could check 1e+20 combinations per second, it'd take ~12 days to crack a perfectly random 14 character password, but ~2.8e+279 **years** to crack a 1024 bit rsa key (the universe has been around for 1e+10 years, for the record). Really, as long as your private key is safe and secure (i.e. backed up to a secure location), public key auth is the only way to go. The biggest benefit of moving the port number is that it might fool the mass of "dumb" scanners out there...but it wouldn't do much for a determined attacker. But I see your point, reducing that crazy volume of logs (vs not logging anything? yikes!) is in and of itself a valid reason.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. Last edited by rocket357; 19th June 2011 at 12:23 AM.
Like suggested above, man 5 pf.conf, and check out the stateful filtering section, and the max-src-conn + max-src-conn-rate variables in particular. There is a self-explanatory example there in the manual. It's awesome for when you need to run sshd (or any tcp service really) on a "heavily targeted" ip. The brute-force spam crap in your logs will pretty much go away completely.
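As an added illustration (not a ruleset posted in this thread), here is a pf.conf fragment in OpenBSD 4.9-era syntax that puts together what the two replies above describe: a persistent table of offending addresses, a scrub line, a synproxy'd pass rule for sshd whose max-src-conn and max-src-conn-rate limits feed that table via overload, and a quick block rule for anything already in it. The interface name, the port list and the numeric limits are assumptions chosen for the example.

```pf
# Added example (not from the thread): rate-limiting a public sshd with pf.
# Interface name and limits below are assumed values, adjust to your setup.
ext_if = "rl0"                  # assumed WAN interface
tcp_services = "{ 22 }"         # services reachable from the Internet

# Filled automatically by the overload option on the pass rule below.
# "persist" keeps the table (and its entries) across ruleset reloads.
table <bruteforce> persist

set skip on lo

# Normalize fragments and TCP options before any filtering decision.
match in all scrub (no-df)

# Addresses that tripped the limits are dropped before any other rule runs.
block in quick on $ext_if from <bruteforce>

# Default deny inbound, logged so scans still show up in pflog.
block in log on $ext_if

# Allow the services, but cap each source address:
#   max-src-conn 10         at most 10 simultaneous established connections
#   max-src-conn-rate 5/30  at most 5 new connections in any 30-second window
# Exceeding either limit adds the source to <bruteforce>; "flush global"
# also tears down every state that address already holds, not only the
# states created by this rule. synproxy completes the handshake itself, so
# half-open connections never reach sshd.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. The same table also serves the "script that watches the logs" idea from the first reply: `pfctl -t bruteforce -T add <address>` puts an entry in by hand, `pfctl -t bruteforce -T show` lists what the overload rule has caught, and `pfctl -t bruteforce -T expire 86400` drops entries older than a day so a blocked address is not blocked forever.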
Well I was watching a video online which was working perfectly then it stopped after about an hour. When I went to log into my BSD box via SSH I couldn't connect. When I went to log into it from the console I noticed that it was frozen solid, no keyboard response at all. That box has never frozen on me before, even when it ran Windows XP. Could streaming video through it while it was acting as a router cause it to freeze?
Not sure what caused it to freeze but I removed the icmp and tcp_services entries from my pf.conf file as suggested and have had 2 PCs and my Wii all at the same time playing different Netflix movies today for a few hours to test and so far so good. I'd really like to know what caused it to freeze though.
It's hard to diagnose the problem of inexplicable system locks, it could be a hardware problem or a driver bug.. as others have suggested you should try reproducing with the latest code as it may have been fixed after the 4.9 release.
I'm trying to reproduce without changing anything major first to see if it was a one time fluke or if it is something that is recurring. Of course I did change the pf.conf file by removing these lines:
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
pass in on egress inet proto tcp from any to (egress) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types

Could any one or more of those lines have caused it to lock up?
No. But you can force the kernel debugger ddb(4) to come up on the console if interrupts from your console are still possible. You will find crash(8) and sysctl.conf(5) helpful as well.
I'm testing this OpenBSD router on an Athlon 64 X2 5200+ w/3GB RAM. If I make this a permanent router will an old AMD Duron 950MHz w/768MB have sufficient enough power for this? I assume it will but I'm asking to be sure as we all know assumption is the mother of all f*** ups.
And you won't see any improvement on a firewall with dual cores (unless you're running other stuff besides pf, like squid or whatever).
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Here is what my network traffic consists of. There are no kids here, just me and my wife.
I run my computer sales and service business from home so I do a fair amount of remote connections via LogMeIn Central, Real VNC and SSH. I might have 7 or 8 connections going simultaneously. I download all the updates for customer PCs I work on here plus the new systems I sell and build. For personal use I use Netflix, live stream UFC PPV events through Yahoo Sports, watch some Youtube videos, web browsing, downloading various OS ISOs to experiment with and email. I work a lot at night so it isn't unusual to have a Netflix movie playing, a customer's PC downloading updates, be connected remotely to other people and a 4GB ISO downloading all at once. My full time connected gear is 2 PCs, 1 laptop (wireless), 1 Windows Home Server, Nintendo Wii (wireless), 1 network multifunction laser printer, 1 debit/credit card machine and soon to be 1 OpenBSD router. Friends and family sometimes bring their laptops and hook up to wireless, which the 3Com router will still be used for as a WAP. Plus I usually have a test system running some version of Linux or BSD. The Duron 950 machine I plan to use has two 3Com 3C905-TX NICs in it. Should I go with a GB NIC on the LAN side? The test machine I'm using now has a Realtek RTL8110SC GB NIC on the LAN side and a Realtek RTL8139D on the WAN side. So in conclusion, with all the traffic I mentioned above, will the Duron 950 machine with 768MB RAM and two 3Com 3C905-TX 100Mb/s NICs be sufficient enough to act as an OpenBSD 4.9 router? It will only be running SSH (for LAN side only), PF and DHCP. It will have port forwarding for port 443 to my WHS and two obscure VNC ports to access my two PCs remotely.
I wouldn't worry about that just yet. The gigabit NICs usually have more cache and better performance even for 10/100, but unless you have a few lying around already I wouldn't worry about it unless you can show it's a problem. Since this machine will be a NAT gateway, you probably wouldn't see much performance boost unless you replaced both NICs...but again, you'll probably be ok as is since most home internet connections are well under 100 Mbps in speed =)
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
It's almost overkill, and I'm talking about the 900MHz Athlon, many people using OpenBSD use whatever they had available at the time.. I've been using a Pentium 3 for a few years now, before that it was an AMD K6-2 and before that a P1 and my first one was an i486. I only replaced them due to hardware problems usually, they could handle the network load fine.
A lot of people use OpenBSD on critical systems, you won't have a lot of problems doing so at home.. not if you're willing to put the time into it.
I'm basically doing this as a learning experience. I could stick a new $30.00 D-Link router on my network and be done with it but where's the fun or learning experience in that? I want a deeper understanding of the security features Linux and BSD offer.
For my customers who need simple file and print servers I've always just built them Redhat boxes and used Samba because they didn't want to pay the MS extortion fees. I've tried many other Linux flavours but always revert back to Redhat for any production use. I've been aware of BSD for quite some time but have finally just decided to start playing around with it, and I very much like it so far. I setup a Samba server with FreeBSD and that went easily enough so then I decided to embark on my OpenBSD router project. It's a bit of a steep learning curve but sites like this make it easy to want to stick with it. I love PC-BSD as a Windows desktop replacement. After running my home computer business for 15 years now I've collected tons of old computer parts as you can imagine, which is what I've used to build both my Duron 950MHz tower and AMD 5200+ tower. I just carted off a truck load of old 386, 486 and P1 stuff to the dump last week since it had been laying around and not touched for years. Have to make room for more future junk. ;-) My BSD router has worked beautifully today and I've hammered it with constant large downloads and streaming video all day and haven't seen one hiccup. My internet connection is noticeably faster too and doing the speed test at my ISP's speed test link confirms it. I usually get between 14-16Mbps with my 3Com router and with my BSD router I'm getting over 19Mbps every time with 19.62Mbps being my best. Now I'm going to install and run it on my Duron 950MHz box and compare.