DaemonForums > OpenBSD > OpenBSD Security
#1, 29th October 2012
sparky (Fdisk Soldier; Join Date: Mar 2012; Posts: 73)
SSH is being blocked from WAN, however a public IP is shown in the server log

Hi,

I'm running OpenBSD 5.1 stable on an old SPARC system as a router/firewall/NAT.

The system runs PPPoE through an external DSL modem.

For some reason my log showed up with:

Code:
sshd[1990]: Invalid user voip from 70.60.152.98
on my FreeBSD server. This system has SSH completely locked down, so I'm not too worried about access that way.


However, what I am concerned about is that someone managed to SSH in???


I have a rule in place to block anyone from outside getting in via packet filter:

Code:
block return in quick on tun0 proto tcp from any to any port = 22
so I don't understand how something like this could happen?

Before that rule I have these in place:

Code:
block return in log all
block return out log all
block return in quick from urpf-failed to any
It's almost as though someone managed to sneak their way into the system by using other means, though I am using Stateful Packet Inspection for everything going out and coming in??

Or is the rule not properly constructed?

Should it say:

Code:
block in on tun0 proto tcp from any to any port = 22
instead?

Could someone help me out?

I need to figure out some way to lock the router and the internal network down completely so things like this don't happen again.

Thanks
#2, 29th October 2012
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 3,142)

Without having seen the complete ruleset it is difficult to diagnose the problem.

Please remember that with pf the last matching rule wins. So it could be that another rule accidentally allows incoming ssh traffic. So I would recommend using quick to force immediate execution of the blocking rule(s).

So either

Code:
block in quick
or
Code:
block in quick on tun0 proto tcp from any to any port = 22
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
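To make the "last matching rule wins unless quick" point from this reply concrete for the tun0/port 22 rule asked about in the opening post, here is a small added model of pf rule evaluation; it is example code written for this thread, not anything from the poster's ruleset or from pf itself, and the Rule/Packet fields and the two constructed rulesets are simplifications (no state, no address matching).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "block" or "pass"
    direction: str                 # "in" or "out"
    iface: Optional[str] = None    # None matches any interface
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    quick: bool = False            # quick: a match ends evaluation

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule). With no match pf's
    default is pass; otherwise the last match wins unless a match is quick."""
    verdict, winner = "pass", None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, winner = rule.action, i
            if rule.quick:
                break          # quick: this rule decides, stop here
    return verdict, winner

# Constructed rulesets: a default block, the poster's ssh block on tun0, and a
# later, overly broad pass of the kind that could be added by mistake.
WITHOUT_QUICK = [
    Rule("block", "in"),
    Rule("block", "in", iface="tun0", proto="tcp", dport=22),
    Rule("pass", "in", iface="tun0"),
]
WITH_QUICK = [
    Rule("block", "in"),
    Rule("block", "in", iface="tun0", proto="tcp", dport=22, quick=True),
    Rule("pass", "in", iface="tun0"),
]
SSH_FROM_WAN = Packet("in", "tun0", "tcp", 22)
```

Evaluating SSH_FROM_WAN against WITHOUT_QUICK returns ('pass', 2) because the later pass is the last match; against WITH_QUICK it returns ('block', 1) because evaluation stops at the quick block.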
#3, 29th October 2012
sparky (Fdisk Soldier; Join Date: Mar 2012; Posts: 73)

Hi, the rule set is this:

Code:
#macros

int_if="hme1"
ext_if="tun0"

tcp_services="{ 22,23 }"
icmp_types="echoreq"

#Port Macros

<port definitions - no SSH port here>

#Server Macros

<server IP's>



#Network Macros

<Network Ranges>

#Queueing

# The downstream is 8000kb, Voice services get 600Kb regardless,
# and can get more when nobody else wants theirs.
<inbound queues for tun0>

# The upstream is 900kb, Voice services get 600Kb regardless,
# and can get more when nobody else wants theirs.
<outbound queues for tun0>

#options

set block-policy return
set loginterface tun0
# interface list unquoted: a quoted "{ lo }" is read as a literal interface name
set skip on { lo }

# scrub incoming packets
match in all scrub (no-df)

# Proxy rules

anchor "ftp-proxy/*"

pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

#match rules

match out on tun0 from $int_net to any nat-to ($ext_if)

#filter rules

# default deny in both directions; later rules override (last match wins)
block in log
block out log

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# ssh/telnet: never accepted from the outside, never forwarded to the inside
block in quick on $ext_if proto tcp to port $tcp_services
block out quick on $int_if proto tcp to port $tcp_services


pass out quick log
pass out quick on $ext_if from $int_net to any nat-to ($ext_if)

antispoof quick for { lo, hme1 }

pass in quick on $int_if inet proto tcp from $int_net to port $tcp_services queue ssh_in

pass in quick on $ext_if inet proto tcp to port $dns_ports rdr-to $<dns-server> synproxy state queue dns_in

pass in quick on $ext_if inet proto udp to port $dns_ports rdr-to $<dns-server> synproxy state queue dns_in

....

<more inbound port definitions for other services>

block in on egress inet proto icmp all icmp-type $icmp_types



pass in quick on $int_if

Minus the few posting adjustments I made, that's the ruleset.


I have checked the rules over with the pfctl -s(x) command to see which ones are being used and what's happening, but still I'm not quite sure.

Also, the QoS services haven't been 100% activated either, as I really needed them for the VoIP system; however, on an 8Mb DSL line it's really not going to make much difference as my bandwidth is always fully in use.


After the event and posting here I decided to add the rule:

Code:
block out quick on $int_if proto tcp to port $tcp_services
to ensure that anything SSH or telnet coming from the OBSD box is blocked, and so far it seems to work.


I'm just worried that this could have been something like a trojan horse or some other form of packet-manipulation-style attack?


I am even considering using Snort as an IDS/IPS solution, however I'm not sure if 400MHz + 360MB RAM would be able to cope with MySQL/Apache/Snort et al.... - things like Jnettop and Nload already slow the internet speed down to a halt, I found out.
#4, 29th October 2012
sparky (Fdisk Soldier; Join Date: Mar 2012; Posts: 73)

Hmm.... this is interesting!

I think I figured out the issue. Logwatch sent me a message telling me that this user above had tried to get in. It turns out that Logwatch lied to me, as that was last year; but because it was the same month and no year is printed in the logfile (not sure why newsyslog didn't roll the file over for all this time), Logwatch got confused and served that up in its recent log report, nearly giving me a heart attack.


Well looks like my rules are working fine then :-S
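The failure mode in this last post (BSD syslog stamps carry no year, so an unrotated file with two Octobers in it fools a per-line "most recent year" guess) can be reproduced and avoided as follows; this is added example code written for the thread, not Logwatch's or newsyslog's logic, and the sshd log lines, the host name "fbsd", the 192.0.2.10 address and the report time NOW are constructed around the one message the poster quoted.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FMT = "%b %d %H:%M:%S"

def naive_year(stamp: str, now: datetime) -> datetime:
    """Per-line guess: the latest year in which the stamp is not in the future.
    This is the guess that turns last year's 'Oct 29' into this year's."""
    t = datetime.strptime(stamp, FMT).replace(year=now.year)
    return t if t <= now else t.replace(year=now.year - 1)

def assign_years(stamps: list[str], now: datetime) -> list[datetime]:
    """Walk the file in order: each time month/day goes backwards the year
    rolled over. Anchor the last line to 'now' and count back from there.
    (Feb 29 in a non-leap year is not handled.)"""
    naive = [datetime.strptime(s, FMT) for s in stamps]   # year 1900 placeholder
    rollovers = [0]
    for prev, cur in zip(naive, naive[1:]):
        rollovers.append(rollovers[-1] + int(cur < prev))
    base = naive_year(stamps[-1], now).year - rollovers[-1]
    return [t.replace(year=base + r) for t, r in zip(naive, rollovers)]

def recent_events(lines: list[str], now: datetime,
                  window: timedelta = timedelta(days=1)) -> list[tuple[datetime, str]]:
    """(timestamp, message) for lines whose reconstructed time is within the window."""
    parsed = [m for m in map(LINE_RE.match, lines) if m]
    if not parsed:
        return []
    times = assign_years([m["ts"] for m in parsed], now)
    return [(t, m["msg"]) for t, m in zip(times, parsed) if now - t <= window]

# Constructed, unrotated sshd log: two Octobers in one file, oldest first.
SAMPLE = [
    "Oct 29 03:14:07 fbsd sshd[1990]: Invalid user voip from 70.60.152.98",
    "Dec 11 10:00:00 fbsd sshd[2100]: Accepted publickey for admin from 192.0.2.10",
    "Mar 15 08:30:00 fbsd sshd[2300]: Connection closed by 192.0.2.10",
    "Oct 28 22:00:00 fbsd sshd[2500]: Accepted publickey for admin from 192.0.2.10",
]
NOW = datetime(2012, 10, 29, 10, 19)   # when the report runs

if __name__ == "__main__":
    print(naive_year("Oct 29 03:14:07", NOW).year)                                  # 2012 (wrong)
    print(assign_years([LINE_RE.match(l)["ts"] for l in SAMPLE], NOW)[0].year)     # 2011
    print(recent_events(SAMPLE, NOW))                                               # only the Oct 28 line
```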