DaemonForums - OpenBSD Security ("Functionally paranoid!")

Thread: blocking rapidshare
#1 - joostvgh, 13th January 2010
Subject: blocking rapidshare

Hi,

I have installed OpenBSD 4.6.

I would like to block rapidshare by adding some DNS record..
I could also block their IP range, but this might change over time..

So if someone wants to go to rapidshare.com, they will send a DNS request with rapidshare.com in it..

Can I add a record somewhere so that they will be given the wrong IP?
(like 127.0.0.1)
I added this record to my /etc/hosts file already. Will this do the trick?
When I ping rapidshare.com it is pinging 127.0.0.1, but I don't know about all the users..

Thx!
#2 - J65nko (Administrator), 13th January 2010

You can add a rapidshare.com zone to your DNS server configuration with 127.0.0.1 as the address.
Of course you have to enforce that the users only can use your DNS server for name lookups.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3 - joostvgh, 13th January 2010

This means I should enable DHCP on the OpenBSD server?

And then add NAT (all to one)?

Setup: router with DHCP - OpenBSD - 60 clients

(internet)-(81.242.5.xxx - router - 192.168.0.1)-(192.168.0.x - openbsd - 192.168.1.1)-(192.168.1.x - clients)
#4 - jggimi, 13th January 2010

Quote:
Originally Posted by joostvgh
...i would like to block rapidshare by adding some DNS record..
i could also block their ip range, but this might change overtime..
PF rules can use domain names in pass/block rules, but the address resolution occurs only once, at rule loading time. In order to pick up changes, the rules must be reloaded.
Quote:
so if someone want to go to rapidshare.com, they will send a dns request with rapidshare.com in it..
Perhaps. It is not an absolute requirement. Other domain names may point to the same server set, or access may be obtained without using DNS, or without using DNS servers controlled by you.
Quote:
can i add a record somewhere so that they will be given the wrong ip?
(like 127.0.0.1)
i added this record to my /etc/hosts file already. will this do the trick?
when i ping rapidshare.com it is pinging to 127.0.0.1 but i dont know for all the users..
If the users you ask about are users located on the OpenBSD system, then you can certainly set your local system resolution to use a blend of file lookup and DNS resolution. See the man page for resolv.conf(5), and read about "lookup".

This will have -no- impact on DNS configurations of other systems, such as if your OpenBSD platform is a router in a network.

Even if you were to set up your own DNS server infrastructure, someone could circumvent your DNS system. Either by directing their DNS requests elsewhere, or, if you block such traffic, by doing a lookup externally and using the resulting IP addresses.

For governing HTTP/FTP traffic by site, as you wish to do, a proxy server that controls access by examining URLs will probably work better. But a savvy user will still be able to subvert your attempts at governance.
#5 - jggimi, 13th January 2010

Quote:
Originally Posted by joostvgh
this means i should enable dhcp on the openbsd server?

and then add NAT (all to one) ?



setup: router with dhcp - openbsd - 60 clients

(internet)-(81.242.5.xxx - router - 192.168.0.1)-(192.168.0.x - openbsd - 192.168.1.1)-(192.168.1.x - clients)
NAT and network topology have nothing to do with the question of DNS or governing access by users. Nor am I sure what you are asking here.
#6 - joostvgh, 13th January 2010

My OpenBSD is not using DHCP at the time.
My OpenBSD is not acting as DNS server.

Can I just add the following:
block in on $if_internal inet proto tcp from "192.168.0.1/24" to "rapidshare.com"
block out on $if_external inet proto tcp from "192.168.0.1/24" to "rapidshare.com"
?

I am quite new to this by the way..
I can also block the whole rapidshare.com IP range (for savvy users :P)
#7 - joostvgh, 13th January 2010

Above I mentioned using the OpenBSD as a DNS server. Then I could add a new bogus rapidshare.com zone as described in this thread: daemonforums.org/showthread.php?t=3085

If I wanted to do that I thought I had to make my OpenBSD also run the DHCP service to set the primary DNS server as itself (to the clients connecting to it). Then it would just forward all DNS requests to the real DNS server it got provided by the router but 'filtering' the rapidshare.com zone...
#8 - joostvgh, 13th January 2010

Quote:
Originally Posted by jggimi
If the users you ask about are users located on the OpenBSD system, then you can certainly set your local system resolution to use a blend of file lookup and DNS resolution. See the man page for resolv.conf(5), and read about "lookup".

This will have -no- impact on DNS configurations of other systems, such as if your OpenBSD platform is a router in a network.

Even if you were to set up your own DNS server infrastructure, someone could circumvent your DNS system. Either by directing their DNS requests elsewhere, or, if you block such traffic, by doing a lookup externally and using the resulting IP addresses.
OK, I reread this post & manuals several times, so this is my idea of what you are saying:

- traffic from all host PCs passes through the OpenBSD
- in /etc/hosts I add 127.0.0.1 rapidshare.com
- in resolv.conf I change the order to file, bind so first the file and then the DNS servers will be queried
- OpenBSD is not DHCP nor DNS
- primary and secondary DNS = ISP's DNS

This should get everyone querying for rapidshare.com to go to 127.0.0.1, unless they go directly via the rapidshare IP? For this I could add blocking rules..
#9 - jggimi, 13th January 2010

Taking your quotes out of order:
Quote:
..i am quite new to this by the way..
I can tell. Don't worry, though, we were all newbies to TCP/IP networking, once.
Quote:
can i just add the following:
block in on $if_internal inet proto tcp from "192.168.0.1/24" to "rapidshare.com"
block out on $if_external inet proto tcp from "192.168.0.1/24" to "rapidshare.com"
You can add any rule with valid syntax to PF. But will the rule do what you want?

If "rapidshare.com" is in /etc/hosts as 127.0.0.1, and your /etc/resolv.conf has "lookup file bind" then when these two rules are loaded, PF will block TCP traffic originating from 192.168.0.1/24 destined to 127.0.0.1. I don't think that is what you intend.

If "rapidshare.com" is -not- in /etc/hosts, and /etc/resolv.conf resolves via an available DNS server, then the address resolution for "rapidshare.com" -at that time- will be blocked. Only for the individually resolving addresses from that one name, at the instant the rules are loaded. This will NOT block addresses of any other servers within Rapidshare's domain, such as rsdb.rapidshare.com or mail2.rapidshare.com. Nor are you blocking any other protocol traffic, just TCP. And only outbound initiated, not inbound. Your rule for $if_external will never match any traffic.
Quote:
my openbsd is not acting as dns server
Even if you set up a local DNS server that resolved all DNS names within *.rapidshare.com to a useless address, this will not prevent users from configuring external DNS resolution. If you block outbound DNS, your users can still get around that. And they can even get around your blocking the destination addresses in PF rules, merely by using an external webproxy service, including ones they may set up themselves, such as via SSH port forwarding. There are myriad ways to get around anything you devise.

Quote:
i can also block the whole rapidshare.com ip range (for savvy users :P)
Really? They are on multiple CIDRs in multiple locations around the world. You are thinking of the 21 IP addresses reflected by the single domain name "rapidshare.com" which is not, by any stretch of the imagination, their entire Internet facing environment.
Quote:
if i wanted to do that i thought i had to make my openbsd also run the dhcp service to set the primary dns server as itself (to the clients connecting to it). then it would just forward all dns requests to the real dns server it got provided by the router but 'filtering; the rapidshare.com zone...
All DHCP does is make IP configuration assignments based upon a ruleset. Such as assigning IP address, netmask, routing information, and preferred DNS server. You would still need to create your local DNS server(s), which I as a user am free to ignore. That is because DHCP is merely -negotiation- and the client can ignore any or all of the lease information. I, if I were a user of your systems, can still point to my own DNS servers. And I can tunnel DNS elsewhere if you block outbound DNS traffic, if necessary.
Quote:
ok i reread this post & mnanuals several times, so this is my idea of what you are saying...
None of that will stop a determined user. Now, I have a 35 year head start on you in regards to TCP/IP. And if I didn't, I could still ask the 14 year old script kiddie on some other forum for help getting around any blocks you devise. In this most recent example in your last post all I need to do is use my own DNS servers, and if you block the 21 addresses for "rapidshare.com", just use an external proxy. It will take me perhaps two minutes to set up, even on a Windows workstation.
#10 - joostvgh, 13th January 2010

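jggimi's point above is that PF resolves a host name once, when the ruleset is loaded, so a rule written against "rapidshare.com" pins whatever addresses answered at that instant and then goes stale. The usual way around that, shown here as an added example that is not code from the thread or from any of its posters, is to keep the addresses in a PF table and re-resolve from cron. The interface name, the 192.168.1.0/24 client network, the resolver address 192.168.0.1 and the host names in NAMES are assumptions taken from the topology posted earlier; replace them with your own.

```shell
#!/bin/sh
# refresh-blocklist.sh: re-resolve a list of host names and load the
# resulting IPv4 addresses into the PF table <blocked>.
#
# Added example, not from the thread. Assumed pf.conf (OpenBSD 4.6 syntax):
#   int_if = "rl1"                        # assumption: interface facing the clients
#   lan    = "192.168.1.0/24"             # assumption: the client network
#   table <blocked> persist file "/etc/pf.blocked"
#   table <dns_ok>  { 192.168.0.1 }       # assumption: the only resolver clients may use
#   block return in quick on $int_if inet proto tcp from $lan to <blocked>
#   block return in quick on $int_if inet proto { tcp udp } \
#       from $lan to ! <dns_ok> port 53
#
# Run from cron (e.g. hourly): PF resolves names only at rule-load time, so
# the table, not the rules, is what gets refreshed.

set -u

NAMES="rapidshare.com www.rapidshare.com"   # assumption; extend as names are found
TABLE="blocked"
TABLE_FILE="/etc/pf.blocked"

# Read host(1) output on stdin and print the IPv4 answers, one per line,
# deduplicated. "has IPv6 address" and "mail is handled by" lines are skipped
# because the block rule above is inet/IPv4 only.
parse_host_addrs() {
    awk '$2 == "has" && $3 == "address" { print $4 }' | sort -u
}

# Resolve every name in $1 (whitespace separated); a name that fails to
# resolve simply contributes nothing.
resolve_names() {
    for n in $1; do
        host -t a "$n" 2>/dev/null || true
    done | parse_host_addrs
}

# Rewrite the table file atomically and replace the live table contents.
# An empty result (DNS down, typo in NAMES) leaves the old table in place
# rather than silently unblocking everything.
load_table() {
    tmp="$TABLE_FILE.tmp.$$"
    cat > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no addresses resolved; keeping old table" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$TABLE_FILE"
    pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
}

main() {
    resolve_names "$NAMES" | load_table
}

# Only act when run as the script itself, so the functions can be sourced.
case "$0" in *refresh-blocklist.sh) main ;; esac
```

The `persist file` table is read when pf.conf is loaded at boot, so the last-known addresses come back even if no resolver is reachable yet; that sidesteps the rule-load-ordering problem (PF starting before the name server) that jggimi raises later in the thread. The second block rule is the "no DNS except to my own resolver" part of the plan. The whole thing still only covers the names listed in NAMES at the moment they were resolved, and, as jggimi keeps pointing out, a user with a proxy or tunnel walks straight past it.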
OK. But I don't think there will be any pros here who can do this..

Furthermore I can block all DNS requests to other DNS servers than the ones that are automatically provided.
Proxy is indeed a nice solution. But since I live in Belgium, upload speeds are very low, and I can accept this workaround. OK, they can have a proxy in any other foreign country but this is very unlikely.

What I am gonna do now:
- add rapidshare.com to my resolv.conf. Should I add *.rapidshare.com?;
- block ALL traffic from the 21 IPs I get when I nslookup rapidshare.com;
- block all domain traffic unless to my own DNS servers.

Should this do the trick? (You can think of the users here as regular people without a lot of PC knowledge..)

ps:
#11 - joostvgh, 13th January 2010

Too bad I can't edit my previous post;

ps1: sorry for typos
ps2: thx for the fast replies and help!
#12 - jggimi, 13th January 2010

Let me give you a real-life example. My current customer has a very complex and highly secure multi-tiered network. The Internet is not directly accessible from any end-user network tier. Internet access is by proxy server only, with explicit approval granted to individuals, not to all employees. Authentication is required for access, and the access is by monitored URL only, and many URLs are blocked due to key words within them, not just domain names. (Good luck trying to read an article about Ebay's business practices or technology choices, for example. The four letters ...ebay.. -anywhere- within a URL cause it to be blocked.)

Can I get around this very strict infrastructure? Absolutely. Will I? No. I'd like to keep my customer.
#13 - jggimi, 13th January 2010

Quote:
But I don't think there will be any pros here who can do this..
As I stated, they don't have to be. All they need to do is post a question on a forum somewhere, and obtain a knowledgeable answer.
#14 - jggimi, 13th January 2010

Quote:
- add rapidshare.com to my resolv.conf.
As I stated, this will only affect resolution on the OpenBSD platform itself. resolv.conf only tells OpenBSD how to resolve domain names to addresses, or addresses to names.
Quote:
Should I add *.rapidshare.com ?;
No, for that you will need to configure a DNS server.
#15 - joostvgh, 13th January 2010

OK. I thought OpenBSD would work as a forwarding DNS server automatically and answer DNS requests itself by first looking in the file and then BIND, but this is not the case then.

So if I wanted to make it act as DNS, all clients should have it as their (only) DNS. To do this I thought I had to enable DHCP too. So then I should add NAT too.

Then if OpenBSD were the DNS server I could add rapidshare.com to its hosts file and the problem would be 'solved' (OK, workarounds are always possible). I would also add all 'current' (and for our DNS servers) rapidshare IPs to a blocked list, as well as all other DNS servers (other than OpenBSD).

The 'only' way then to access rapidshare would be through another IP (which I don't know), or a proxy?

If I don't make OpenBSD the DNS server then I can only add the 21 current rapidshare IPs to a blocking rule and all other DNS servers than the 2 provided by the ISP.

Correct?
#16 - jggimi, 13th January 2010

Quote:
Originally Posted by joostvgh
OK. I thought OpenBSD would work as a forwarding DNS server automatically and answer DNS requests itself by first looking in the file and then BIND, but this is not the case then.
All resolv.conf has is a set of rules for OpenBSD's own name and address resolution. It can point to /etc/conf, and it can point to one or more DNS servers, on behalf of internal requests, such as performed by the gethostbyname(3) library call.

OpenBSD, configured as a router, will forward IP packets without inspection. If you enable PF, only the link layer is inspected (IP addresses, protocol, port, flags...), not the internal packet payloads.

A DNS resolution request sent over a network must be handled by a DNS server. By convention (and RFC), these are sent either via UDP or TCP protocols, using destination port # 53. However, I can tunnel them another way, if you block external DNS traffic.
Quote:
So if I wanted to make it act as DNS, all clients should have it as their (only) dns. To do this I thought i had to enable DHCP too. So then I should add NAT too.
You misunderstand both DHCP and NAT. Allow me to provide a small amount of level-setting:
  • DHCP is primarily used for automatic TCP/IP configuration. It has no impact on security whatsoever, and any belief that it has an impact on security is magical thinking. I will restate what I wrote above, regarding DHCP: the server can send the client IP address and other TCP/IP configuration information. The client can agree, disagree, or accept and then ignore any information provided by the server.
  • NAT is used to share a single public IP address among multiple private network users. Unlike DHCP though, NAT can indeed impact security, but not the security you have been asking for in this thread. All NAT can do is prevent unanticipated traffic from being forwarded from the NAT device inward to a destination on the private network. Outbound sessions using NAT will have traffic directed to them via state table management; inbound sessions must be configured for acceptance (such as "port forwarding" for TCP and UDP protocol). That is all.

Quote:
Then if OpenBSD were the DNS server I could add rapidshare.com to its hosts file and the problem would be 'solved' (OK, workarounds are always possible).
As I have stated, several times already, anyone can defeat a DNS-based security implementation. A few minutes with Google and you can obtain a "how to" for your OS of choice, including prebuilt software solutions to install. You will only stop the person who is lazy, you will never stop someone who knows how to use a search engine, and the questions to ask.
Quote:
I would also add all 'current' (and for our dns-servers) rapidshare ip's to a blocked list, as well as all other dns servers (other than openbsd).

The 'only' way then to access rapidshare would be through another ip (which I don't know), or a proxy?
PF is started before BIND or a 3rd party DNS server daemon. If OpenBSD is both your router and your server, you will have to load your DNS-based rules after the DNS daemon is already up and running, and not have them in the pf.conf file used at start up. This requires PF's anchor subsystem.
Quote:
If I don't make openbsd the dns server then I can only add the 21 current rapidshare ip's to a blocking rule and all other dns servers than the 2 provided by the ISP.

Correct?
You will have to determine what domain names are actually used, and add them to your various block rules.

Once more -- you could hunt down and block every single IP address that is actually used by Rapidshare, and set up your own DNS servers with false addresses, but you will not stop anyone from using Rapidshare who actually wants to, and is willing to spend five minutes with Google.
Examples of only a few of the many technologies that could be used to defeat your "security theater" depending on its eventual configuration:
SSH
VPN
Tor
Corkscrew
SOCKS
Squid
IPSec
.
.
.

(The list is effectively endless. Some can be used in combination with others, or, be used by themselves.)

Last edited by jggimi; 13th January 2010 at 07:01 PM.
#17 - jggimi, 13th January 2010

Security Theater: http://en.wikipedia.org/wiki/Security_theater
#18 - joostvgh, 13th January 2010

I was not saying that enabling DHCP/NAT was adding any security to the network.
I was just saying that was what I had to do to enable openbsd be the DNS server, to add 'security' (block rapidshare).

If this won't work, what else do you suggest? Someone else told me to install a proxy like squidguard...
http://forums.bsdnexus.com/viewtopic.php?id=37

But it seems like I can't add any IP to the blockings, so people here could just enter the rapidshare IP.
(which I doubt they would even do, given their low computer knowledge)
#19 - J65nko (Administrator), 13th January 2010

IMHO you or your company, whatever, have a management problem which you are trying to solve with technical means.

BTW by using DHCP you can tell the hosts which DNS server to use.
If you configure a DNS server which returns 127.0.0.1 addresses for rapidshare.com, and your DHCP server hands out this nameserver's IP address to the DHCP clients, you will have reached your initial goal. Rather easy to circumvent for smart folks, but difficult for not-so-smart folks.

Get a book like Craig Hunt's "TCP/IP Network Administration" and you can configure such a nameserver within an hour or so.
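J65nko's suggestion above, written out as an added example that is not code from the thread or from any of its posters: a minimal BIND setup for OpenBSD 4.6 (where named ships in base and runs chrooted under /var/named) in which the OpenBSD box is authoritative for a sinkhole zone answering 127.0.0.1 for the domain and everything under it, forwards all other queries upstream, and a dhcpd.conf that hands the box out as the clients' only resolver. The addresses 192.168.1.1 (this box on the client LAN) and 192.168.0.1 (the upstream router, standing in for the ISP resolvers), the ns1.lan/hostmaster.lan names in the SOA, the DHCP range and the chroot paths are assumptions; replace them with your own.

```shell
#!/bin/sh
# sinkhole-setup.sh: generate a BIND sinkhole zone for a domain, the matching
# named.conf, and a dhcpd.conf that points clients at this box for DNS.
#
# Added example, not from the thread. Assumptions: the OpenBSD box is
# 192.168.1.1 on the client LAN, named runs chrooted in /var/named as in
# OpenBSD 4.6, and 192.168.0.1 (the upstream router) resolves for us.

set -u

NS_IP="192.168.1.1"          # assumption: this box's address on the client LAN
UPSTREAM="192.168.0.1"       # assumption: where non-sinkholed queries are forwarded
SERIAL=$(date +%Y%m%d01)     # SOA serial; bump when the zone changes

# Print a master zone for $1 in which the apex and every name below it
# resolve to 127.0.0.1. A wildcard matches www.$1, rs123.$1, ... but never
# the apex itself, which is why the apex gets its own A record.
gen_zone() {
    cat <<EOF
\$TTL 300
@       IN SOA  ns1.lan. hostmaster.lan. ( $SERIAL 3600 900 604800 300 )
        IN NS   ns1.lan.
        IN A    127.0.0.1
*       IN A    127.0.0.1
EOF
}

# A complete minimal named.conf: recursion for the LAN only, everything
# forwarded upstream, except zone $1, which is answered locally. The zone
# file path is relative to the chroot (/var/named).
gen_named_conf() {
    cat <<EOF
options {
        listen-on { 127.0.0.1; $NS_IP; };
        allow-recursion { 127.0.0.1; 192.168.1.0/24; };
        forwarders { $UPSTREAM; };
        forward only;
};
zone "$1" {
        type master;
        file "master/$1";
};
EOF
}

# dhcpd.conf: the only resolver clients are told about is this box.
gen_dhcpd_conf() {
    cat <<EOF
subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers $NS_IP;
        option domain-name-servers $NS_IP;
        range 192.168.1.100 192.168.1.250;
}
EOF
}

# Write the three files and let named-checkzone validate the zone syntax.
install_all() {
    domain="$1"
    gen_zone "$domain"       > "/var/named/master/$domain"
    gen_named_conf "$domain" > /var/named/etc/named.conf
    gen_dhcpd_conf           > /etc/dhcpd.conf
    named-checkzone "$domain" "/var/named/master/$domain"
}

# Only act when run as the script itself, so the functions can be sourced.
case "$0" in *sinkhole-setup.sh) install_all "${1:-rapidshare.com}" ;; esac
```

`gen_named_conf` prints a whole named.conf and so replaces the stock one under /var/named/etc; merge by hand if you want to keep the stock localhost zones. On 4.6 the daemons are enabled at boot with `named_flags=""` and `dhcpd_flags=""` in /etc/rc.conf.local. Answering 127.0.0.1 means a client browser connects to its own loopback and fails; pointing the records at a local web server with a "blocked" page makes the failure self-explanatory. And, as said repeatedly in the thread, this only governs clients that actually use this resolver, so it belongs together with a PF rule that refuses port 53 to anything else.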
#20 - joostvgh, 13th January 2010

Well.. I'm an ICT student at the University of Hasselt. I'm in a house with 60 students, 1 internet connection.. I'm the only one studying ICT..

So 'security' is not really needed, I just want to block rapidshare so everyone can enjoy the internet.

What you said is what I wanted to do:
OpenBSD = DHCP + DNS, returns 127.0.0.1 for rapidshare.
Also blocking all IPs from rps (when I use nslookup rapidshare.com here, everyone uses the same DNS server).
I even doubt anyone here knows what DNS means..

In the case that OpenBSD = DHCP + DNS I should also enable NAT imo.
Content copyright © 2007-2010, the authors